# IoT security

## IoT threats

- Lack of security
  - The speed at which IoT is advancing makes it harder to keep up with evolving security requirements.
  - Limited processing power and memory leave little room for security controls and strong encryption protocols.
- Vulnerable interfaces
  - Applies both to the device's own interfaces and to the other interfaces it interacts with (e.g. cloud).
  - E.g. lack of authentication/authorization, missing or weak encryption, and a lack of input and output filtering.
- Physical security risk
  - Devices cannot be secured like traditional equipment, e.g. by storing routers in locked cabinets.
- Lack of vendor support
  - Support for a device may be discontinued.
- Difficult to update firmware and OS
  - Some devices require manual intervention to be upgraded, some cannot be upgraded at all.
  - Compliance requirements make changes harder, e.g. for medical devices.
- Interoperability issues
  - Interoperability: "the ability to make systems and organizations work together" | Wikipedia
  - Each solution provides its own IoT infrastructure, devices, APIs, and data formats.
  - Caused by the competitive nature of IoT, e.g. vendor lock-in.

## OWASP Top 10 IoT (2018)

The OWASP Internet of Things Top Ten was introduced in 2014 and updated in 2018.

1. Weak, guessable, or hardcoded passwords
   - Use of easily brute-forced, publicly available, or unchangeable credentials.
   - Includes backdoors in firmware or client software that grant unauthorized access to deployed systems.
2. Insecure network services
   - Unneeded or insecure network services running on the device itself.
   - A bigger threat for services exposed to the internet.
   - Allows compromising the confidentiality, integrity/authenticity, or availability of information, or allows unauthorized remote control.
3. Insecure ecosystem interfaces
   - Includes web, backend API, cloud, or mobile interfaces outside of the device.
   - Allows compromise of the device or its related components.
   - E.g. lack of authentication/authorization, missing or weak encryption, a lack of input and output filtering.
4. Lack of secure update mechanism
   - Lack of firmware validation on the device.
   - Lack of secure delivery (unencrypted in transit).
   - Lack of anti-rollback mechanisms.
   - Lack of notifications of security changes due to updates.
5. Use of insecure or outdated components
   - Use of deprecated or insecure software components/libraries.
   - Insecure customization of operating system platforms.
   - Use of third-party software or hardware components from a compromised supply chain.
6. Insufficient privacy protection
   - Use of users' personal information insecurely, improperly, or without permission.
7. Insecure data transfer and storage
   - Lack of encryption or access control for sensitive data.
   - Can be anywhere within the ecosystem, e.g. at rest, in transit, or during processing.
8. Lack of device management
   - Lack of security support on devices deployed in production.
   - Capabilities include e.g. asset management, update management, secure decommissioning, systems monitoring, and response.
9. Insecure default settings
   - Devices can be shipped with insecure settings or without the ability to make them more restrictive.
10. Lack of physical hardening
    - Easily accessible physically.

## IoT attacks

### IoT attack surface areas

| Attack surface area | Example vulnerabilities |
| --- | --- |
| Device memory | Credentials |
| Ecosystem access control | Implicit trust between components |
| Device physical interfaces | Privilege escalation, CLI |
| Device web interface | SQL injection, XSS |
| Device firmware | Sensitive data exposure, hardcoded credentials |
| Device network services | Unencrypted/poorly encrypted services |
| Administrative interface | SQL injection, XSS |
| Local data storage | Data encrypted with discovered keys, lack of integrity checks |

### IoT attack types

- Access control
  - E.g. remote access control or gaining access to administration panels.
- BlueBorne attack
  - Set of Bluetooth vulnerabilities that allow taking over devices over the air without pairing.
- Jamming attack
  - Also known as signal jamming attack.
  - Jamming the signal to prevent the communication of devices.
- Man-in-the-middle attack
  - E.g. by sniffing with Foren6, a passive 6LoWPAN sniffer that reconstructs a visual and textual representation of network information to support real-world Internet of Things applications.
- HVAC attack
  - Takes place when an attacker compromises IoT devices in order to shut down air conditioning services.
  - Can also provide a foothold into corporate systems.
- Backdoor (not just IoT related)
- Exploit kits
  - Malicious scripts used to exploit poorly patched devices.
- Replay attack
  - Attackers resend intercepted messages to the target device, e.g. to replay a legitimate command or to perform DoS.
  - See also SDR-based attacks.
- Ransomware attack
  - Type of malware that uses encryption to block the user's access to their device.
- Privilege escalation
- Side channel attack
  - Attackers extract information about encryption keys by observing emissions (side channels such as power consumption or electromagnetic radiation) from IoT devices.
- Web application attacks, web server attacks
- Cloud computing attacks
- Mobile application threats
- DoS / DDoS
  - Can be done by turning compromised devices into a botnet.
- Forged malicious devices
  - Attackers replace authentic IoT devices with malicious ones.
- Resetting to an insecure state
- Removal of storage media
- Firmware attack
- Network service attacks
- Unencrypted local data storage
- Confidentiality and integrity issues
- Malicious updates
- Insecure APIs
- Eavesdropping
- Sybil attack
  - Attacker uses multiple forged identities to create a strong illusion of traffic congestion.
- Rolling code attack
  - Also known as hopping code attack.
  - Targets keyless entry systems such as garage door openers and keyless car entry systems, where every button press transmits a fresh code and the receiver rejects codes it has already accepted.
  - The attacker captures the signal from the transmitter while simultaneously jamming it so the receiver never gets it. When the victim presses again, that code is jammed and captured as well, and the attacker forwards the first captured code so the victim sees the expected response.
  - The attacker keeps the unused second code to gain unauthorized access later, e.g. to steal the car with the captured signal.
  - Tools include the HackRF One hardware tool.
- SDR-based attacks
  - Attackers use Software Defined Radio (SDR) to examine the communication signals in the IoT network and send spam content or texts to the interconnected devices.
  - Can also change the transmission and reception of signals between the devices.
  - Includes:
    - Replay attack: the attacker obtains the frequency used for data sharing between devices and captures the data for retransmission.
    - Cryptanalysis attack: the attacker follows the same procedure as the replay attack and additionally reverse engineers the protocol to recover the original signal.
    - Reconnaissance attack: the attacker obtains information about the target device from the device's specification. See also information gathering.
- Firmware attack
  - Allows looking for data in the filesystem or reverse engineering it for vulnerabilities.
  - Flow example:
    1. Extract the firmware image with binwalk, a common tool for it found on Kali Linux.
    2. Run firmwalker over the extracted filesystem to list files and strings of interest (e.g. passwd/shadow files, SSL keys, configuration files, hardcoded URLs and IP addresses).
  - Device memory containing credentials
    - Can be used for reading/manipulating data.
    - Allows pushing firmware updates.
    - Enables pivoting from the compromised device to other devices in the network.
- Fault injection attacks
  - Also known as perturbation attacks.
  - Occur when a perpetrator deliberately disturbs the device's operating conditions (e.g. power, clock, or temperature) to induce faults that compromise system security, such as skipping a check or corrupting a cryptographic computation.
  - Optical, electromagnetic fault injection (EMFI), body bias injection (BBI)
    - Injection using lasers and electromagnetic pulses.
  - Power/clock/reset glitching
    - Injections into the power supply and clock network of the chip.
  - Frequency/voltage tampering
    - Tampering with the clock frequency or supply voltage of the chip.
  - Temperature attacks
    - Attackers alter the operating temperature of the chip.
- DNS rebinding
  - Uses the victim's browser as a traffic tunnel to exploit private network services.
  - Done through a malicious script in a web page that manipulates the resolution of the attacker's domain name: it first resolves to the attacker's server and then, with a short TTL, to a private address such as the router, so the browser's same-origin policy treats the router as the attacker's origin.
  - Can help to gain access to the target's router using malicious JavaScript injected into a web page.
  - After that, an attacker can attack any device reachable from the router that still uses its default password.

## Hacking methodology

### Information gathering

- Also known as IoT footprinting.
- Includes collecting information regarding target IoT devices.
- Information can include e.g. IP address, running protocols, vendor, type of device, hostname, ISP, device location, and the banner of the target IoT device.
- Can involve using IoT search engines to find manufacturer or device information.
- Searching for hardware registrations in regulating bodies
  - Can help to find information regarding compliance standards, user manuals, documentation, wireless operating frequency, and photos.
  - E.g.
- See also Footprinting.

### Vulnerability scanning

- Scanning the network and devices to find vulnerabilities.
- Search for weak passwords.
- Software and firmware vulnerabilities.
- Tools

### Attack

- Gain access
  - Gain unauthorized access
  - Privilege escalation
  - Install backdoor
- Maintain attack
  - Logging out
  - Clearing logs
  - Covering tracks

## IoT attack countermeasures

- Encrypt
  - Use encrypted communication (SSL/TLS).
  - Implement end-to-end encryption.
  - Use a VPN architecture.
  - Encrypt drives.
- Password policies
  - Use strong passwords.
  - Ensure secure password recovery.
- Update devices
  - Patch vulnerabilities.
  - Firmware updates.
- Restrict access
  - Protect the devices against physical tampering.
  - Allow only trusted IPs to access the device from the internet.
  - Implement strong authentication mechanisms, e.g. two-factor authentication.
  - Use a lockout feature to block repeated failed login attempts.
- Monitor
  - Implement IPS/IDS in the network.
  - Periodic assessment of devices.
  - Disable unused or unnecessary ports and services.
  - Disable UPnP on routers.
  - Monitor traffic on port 48101 for infected traffic (Mirai bots report to their controller on this port).
  - Disable telnet as it is an insecure protocol.
  - Disable guest or demo user accounts.
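Worked example of the firmware-analysis flow (binwalk extraction followed by a firmwalker-style sweep) and of OWASP IoT #1 (hardcoded/weak credentials) and #2 (insecure network services) described above. This is an added example, not firmwalker and not code from the page: it scans an extracted root filesystem for weak or empty password hashes in `etc/shadow`, private-key markers, credential-looking assignments, `curl -u user:pass` style embedded logins, and a `telnetd` started from init files. The rootfs it builds in a temporary directory is constructed for the demo; the hash, key and credential strings in it are placeholders, and the rule set is a deliberately small subset of what a real sweep would grep for.

```python
import os
import re
import tempfile

# Constructed sample files standing in for the filesystem `binwalk -e firmware.bin`
# would extract. None of this content comes from a real device.
SAMPLE_ROOTFS = {
    "etc/passwd": "root:x:0:0:root:/root:/bin/sh\nadmin:x:1000:1000::/home/admin:/bin/sh\n",
    "etc/shadow": (
        "root:$1$saltsalt$constructedmd5crypthashXXXX:18000:0:99999:7:::\n"  # MD5-crypt ($1$)
        "admin::18000:0:99999:7:::\n"                                        # empty hash field
        "daemon:*:18000:0:99999:7:::\n"                                      # locked account
    ),
    "etc/inittab": "::sysinit:/etc/init.d/rcS\n::respawn:/usr/sbin/telnetd -l /bin/sh\n",
    "etc/config/cloud.conf": "server=api.example.invalid\napi_key = ck_constructed_9f3a\n",
    "etc/ssl/device.key": "-----BEGIN RSA PRIVATE KEY-----\nconstructedkeymaterial\n-----END RSA PRIVATE KEY-----\n",
    "usr/bin/healthcheck.sh": "#!/bin/sh\ncurl -u admin:Adm1n123 http://127.0.0.1/status\n",
}

PRIVATE_KEY_RE = re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")
CREDENTIAL_RE = re.compile(r"(?i)\b(pass(?:word|wd)?|pwd|secret|api[_-]?key|token)\b\s*[=:]\s*(\S+)")
BASIC_AUTH_RE = re.compile(r"(?:^|\s)-u\s+([^\s:]+):(\S+)", re.M)  # curl/wget -u user:pass
DES_HASH_RE = re.compile(r"^[./0-9A-Za-z]{13}$")                    # legacy DES crypt(3) hash


def audit_shadow(text):
    """Return (user, problem) pairs for accounts with no password or a weak hash type."""
    findings = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user, h = fields[0], fields[1]
        if h == "":
            findings.append((user, "empty password: login without a password"))
        elif h.startswith("$1$"):
            findings.append((user, "MD5-crypt hash: fast to brute force"))
        elif DES_HASH_RE.match(h):
            findings.append((user, "DES-crypt hash: 8-char limit, trivially cracked"))
        # '*', '!' and '!!' mean locked; $5$/$6$/$y$ hashes are not flagged here
    return findings


def walk_files(root):
    """Yield (relative_path, text) for every text file under root."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(1_000_000)  # cap: images can contain large blobs
            except OSError:
                continue
            if b"\x00" in data:  # binaries are left to strings(1) / disassembly
                continue
            yield os.path.relpath(path, root), data.decode("utf-8", "replace")


def scan_rootfs(root):
    """Run all rules over an extracted rootfs and return findings grouped by kind."""
    report = {"weak_accounts": [], "private_keys": [], "credentials": [], "services": []}
    for rel, text in walk_files(root):
        if rel == "etc/shadow":
            report["weak_accounts"].extend(audit_shadow(text))
        if PRIVATE_KEY_RE.search(text):
            report["private_keys"].append(rel)
        for m in CREDENTIAL_RE.finditer(text):
            report["credentials"].append((rel, m.group(1), m.group(2)))
        for m in BASIC_AUTH_RE.finditer(text):
            report["credentials"].append((rel, "basic-auth " + m.group(1), m.group(2)))
        if rel.startswith("etc/") and re.search(r"\btelnetd\b", text):
            report["services"].append((rel, "telnetd started at boot (OWASP IoT #2)"))
    return report


def build_sample_rootfs():
    """Write the constructed sample tree to a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="rootfs-")
    for rel, content in SAMPLE_ROOTFS.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    return root


def demo():
    return scan_rootfs(build_sample_rootfs())


if __name__ == "__main__":
    for section, items in demo().items():
        print(section)
        for item in items:
            print("   ", item)
```

On a real extraction, point `scan_rootfs` at the `squashfs-root` (or similar) directory binwalk produced; every hit in `weak_accounts` and `credentials` is a candidate for the weak/hardcoded-password class of the OWASP list, and a `telnetd` hit means the device ships the network service the countermeasures section says to disable.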
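The replay attack and the rolling code (jam-and-replay) attack described above, as an added simulation that is not code from the page and does not model any real keyless-entry protocol. The fob is a counter plus a truncated HMAC tag (an assumed toy scheme), the receiver accepts only counters above the last one it saw and within a resynchronisation window (assumed size 16), and the radio lets the attacker record every burst and, while jamming, keeps the receiver from seeing it. The key bytes are a constructed placeholder.

```python
import hashlib
import hmac

WINDOW = 16  # receiver accepts counters in (last, last + WINDOW]; lets it resync after missed presses


def encode(key, counter):
    """Frame = 4-byte counter || 4-byte truncated HMAC tag (toy scheme, not a real fob cipher)."""
    body = counter.to_bytes(4, "big")
    tag = hmac.new(key, body, hashlib.sha256).digest()[:4]
    return body + tag


class Fob:
    def __init__(self, key):
        self.key, self.counter = key, 0

    def press(self):
        self.counter += 1
        return encode(self.key, self.counter)


class Receiver:
    def __init__(self, key):
        self.key, self.last = key, 0

    def receive(self, frame):
        """Accept only if the tag verifies and the counter is fresh and inside the window."""
        counter = int.from_bytes(frame[:4], "big")
        if not hmac.compare_digest(frame, encode(self.key, counter)):
            return False  # forged or corrupted frame
        if not self.last < counter <= self.last + WINDOW:
            return False  # replay (counter already used) or too far ahead
        self.last = counter
        return True


class Radio:
    """Shared channel: the attacker's SDR records every frame; while jamming, the receiver gets none."""

    def __init__(self, receiver):
        self.receiver, self.jamming, self.captured = receiver, False, []

    def press(self, fob):
        frame = fob.press()
        self.captured.append(frame)  # e.g. a HackRF One recording the burst
        return False if self.jamming else self.receiver.receive(frame)


def naive_replay():
    """Replaying a code the receiver has already consumed fails the counter check."""
    key = b"constructed-demo-key"
    fob, radio = Fob(key), Radio(Receiver(key))
    first = radio.press(fob)
    replay = radio.receiver.receive(radio.captured[0])
    return first, replay


def rolljam(victim_presses_again_first=False):
    """Jam and capture two presses, forward the first, keep the second for later."""
    key = b"constructed-demo-key"
    fob, radio = Fob(key), Radio(Receiver(key))
    radio.jamming = True
    press1 = radio.press(fob)  # victim: nothing happens
    press2 = radio.press(fob)  # victim tries again: still nothing
    radio.jamming = False
    frame1, frame2 = radio.captured
    forwarded = radio.receiver.receive(frame1)  # car reacts; victim assumes the 2nd press worked
    if victim_presses_again_first:
        radio.press(fob)  # legitimate use moves the counter past the stolen code
    stolen = radio.receiver.receive(frame2)
    return {"press1": press1, "press2": press2, "forwarded_frame1": forwarded, "stolen_frame2": stolen}


if __name__ == "__main__":
    print("naive replay (first press accepted, replay accepted):", naive_replay())
    print("rolljam:", rolljam())
    print("rolljam, victim used fob again first:", rolljam(victim_presses_again_first=True))
```

The last case is the practical limit of the attack: the stolen code is only good until the legitimate fob is used again, which is why the attacker has to act before the owner's next press.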
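A small detector for the "Monitor" and "Restrict access" countermeasures above (telnet reaching devices, traffic to port 48101, UPnP/SSDP discovery from outside the device segment, and connections from sources not on the allowlist), run over constructed flow records. This is an added example, not code from the page; the IoT segment, the trusted-source allowlist and the flow-record format are assumptions, and the addresses come from the RFC 5737 documentation ranges.

```python
import ipaddress
from collections import Counter

DEVICE_NET = ipaddress.ip_network("198.51.100.0/24")        # assumed IoT segment being monitored
TRUSTED_SOURCES = [ipaddress.ip_network("203.0.113.0/24")]  # assumed allowlist of management sources
TELNET_PORTS = {23, 2323}    # 2323 is the alternate telnet port IoT botnets also scan
MIRAI_REPORT_PORT = 48101    # Mirai bots report scan results to their controller on this port
SSDP_PORT = 1900             # UPnP discovery

# Constructed flow records in an assumed "timestamp src:port > dst:port proto" format.
SAMPLE_FLOWS = """\
2024-05-01T10:00:01 192.0.2.10:51234 > 198.51.100.5:23 tcp
2024-05-01T10:00:02 203.0.113.7:40000 > 198.51.100.5:443 tcp
2024-05-01T10:00:03 198.51.100.5:39000 > 192.0.2.44:48101 tcp
2024-05-01T10:00:04 192.0.2.10:52000 > 198.51.100.5:2323 tcp
2024-05-01T10:00:05 192.0.2.77:1900 > 198.51.100.5:1900 udp
2024-05-01T10:00:06 192.0.2.99:41000 > 198.51.100.5:443 tcp
"""


def parse_flow(line):
    """Parse one record into a dict; returns None for lines that do not match the format."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != ">":
        return None
    src_ip, src_port = parts[1].rsplit(":", 1)
    dst_ip, dst_port = parts[3].rsplit(":", 1)
    return {
        "ts": parts[0],
        "src": ipaddress.ip_address(src_ip), "sport": int(src_port),
        "dst": ipaddress.ip_address(dst_ip), "dport": int(dst_port),
        "proto": parts[4],
    }


def classify(flow):
    """Return the first matching rule name or None; rules go from most to least specific."""
    to_device = flow["dst"] in DEVICE_NET
    from_device = flow["src"] in DEVICE_NET
    if to_device and flow["dport"] in TELNET_PORTS:
        return "telnet_exposed"          # countermeasure: disable telnetd on the device
    if from_device and flow["dport"] == MIRAI_REPORT_PORT:
        return "mirai_report_port"       # device is likely already infected
    if to_device and not from_device and flow["dport"] == SSDP_PORT:
        return "upnp_from_outside"       # countermeasure: disable UPnP on the router
    if to_device and not from_device and not any(flow["src"] in n for n in TRUSTED_SOURCES):
        return "untrusted_source"        # countermeasure: allow only trusted IPs
    return None


def detect(text):
    """Run the rules over flow records and return (ts, rule, 'src -> dst:dport') alerts."""
    alerts = []
    for line in text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue
        rule = classify(flow)
        if rule:
            alerts.append((flow["ts"], rule, f"{flow['src']} -> {flow['dst']}:{flow['dport']}"))
    return alerts


def summarize(alerts):
    """Count alerts per rule, the figure to watch over time on a device segment."""
    return Counter(rule for _, rule, _ in alerts)


if __name__ == "__main__":
    found = detect(SAMPLE_FLOWS)
    for alert in found:
        print(*alert)
    print(dict(summarize(found)))
```

The rule order matters: a telnet connection from an unknown source is reported as the more specific `telnet_exposed` rather than the generic `untrusted_source`, so each flow yields one alert and the counts stay meaningful.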