Device/IoT-Centric Security Threats
Internet of Things (IoT) can be defined as “the networked interconnection of everyday objects, equipped with ubiquitous intelligence[1]. The exponential growth of connected devices (from minuscule sensors to bigger machines), which, according to Intel[2] are expected to reach 200 billion by 2020, is revolutionizing current IT systems. Smart transportation, sustainable mobility, smart cities, e-health, smart vehicles, UAVs, and many more are just some examples of domains where IoT, edge computing, and smart devices are changing the environment. The existence of billions of resource-constrained devices connected to the Internet introduces fundamental risks that can threaten users’ life and personal sphere. Current environments are so pervasive and ubiquitous that users just become another component of the system.
Threats
We discuss the threats that can be mapped to the Device/IoT asset taxonomy. In general, the IoT scenario revolutionizes the concept of security, which becomes even more critical than before. Security protection must consider millions of devices that are under the control of external entities, freshness, and integrity of data that are produced by these devices, and heterogeneous environments and contexts that co-exist in the same IoT environment[3]. Trend Micro, a cybersecurity solutions provider, stated that the IoT has become a primary target for cybercriminals. SonicWall 2019 report shows that IoT malware increased 55% and encrypted threats spiked 76% compared to 2018.[4] This trend leads to an increment in the budget for security in IoT. According to Gartner,[5] the IoT security in IoT budget will reach $3.1 billion in 2021.
Concerning attack vectors in IoT, according to F-Secure Attack Landscape H1 2019, the Telnet protocol is the most used among the TCP ones while the UPnP among the UDP ones.[6]
Given the peculiarity of IoT devices, which are in many cases outdated embedded systems, F-Secure estimated half a billion IoT devices vulnerable to 10-year-old vulnerabilities.
Given the heterogeneous nature of Device, IoT/Edge, the IETF definition of threat, namely, a potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm”, is generic enough to cope with all the IoT threats. IoT has a specific peculiarity that is the strong link between security leakages and safety. ITU-T in its report Y.4806 underlines this link identifying a list of threats that are capable to affect safety. OWASP identifies in 2018 the top 10 IoT security threats where the weakness of passwords, network services, and interfaces are identified as the top three threats.
The threat taxonomy is a consolidation of threats previously considered in other documents/reports[7] and is composed of the following categories.
- TG1.1 – Unintentional damage/loss of information or IT assets: This group includes all threats causing unintentional damage including safety and information leakage or sharing due to human errors.
- TG1.2 – Interception and unauthorized acquisition: This group includes threats introduced by alteration/manipulation of the communications between two parties. This TG, depending on the circumstances of the incident, could, also, be linked to TG5.
- TG1.3 – Intentional physical damage: in IoT, the physical access to the devices that are spread in a potential uncontrolled environment is more serious than in another domain.
- TG1.4 – Nefarious activity/abuse: This group includes threats coming from nefarious activities. It requires active attacks targeting the infrastructure of the victim, including the installation or use of malicious tools and software.
- TG1.5 – Legal: This group provides for threats resulting from violation of laws and/or regulations, such as the inappropriate use of Intellectual Property Rights, the misuse of personal data, the necessity to comply with judiciary decisions dictated with the rule of law.
- TG1.6 – Organisational threats: This group includes threats to the organizational sphere.
We remark that Botnet is a typical security concern involving IoT but not very often targeting IoT themselves. Botnet normally exploits IoT threats to infects the devices. In the beginning, IoT botnets were grounded on manual physical malicious activities on the devices (TG1.3) or on exploiting the access control weaknesses and default passwords (T1.1.1). Later attackers focused on protocol weaknesses (TG1.2) vulnerabilities in general (TG1.4) and diffusion via malware. The recent botnets adopt hybrid approaches to infect the devices therefore they can be associated with different threats. In the following, we associate specific botnet of threat groups considering the principal threat type used to establish the botnet. In addition, proxy threats are common where a compromised device is used as a proxy to launch attacks hiding the identity of the attacker. No infection is needed, just reuse existing functionality.
Threat Group TG1.1: Unintentional damage/loss of information or IT assets
This group includes all threats causing unintentional damage including safety and information leakage or sharing due to human errors.
Threat T1.1.1: Information leakage/sharing due to human errors
Human errors are among the most critical threats in today’s complex environment. These errors cause accidental threats, meaning that they are not intentionally posed by humans, and are due to misconfiguration, clerical errors, misapplication of valid rules and knowledge-based mistakes. In IoT, most of the errors are related to poor/absent patch management, the adoption of weak passwords or keeping the default one, wrong authorization configurations. In IoT device authentication or device, an authorization may need a non-trivial human intervention since things usually do not have a priori knowledge about their ecosystem. The well-known lack of specialized IoT cybersecurity competences (sometimes even simple basic hygiene security is needed) plays an important role in increasing the errors at this level (see Threat T1.6.1).
Assets: It refers almost to every asset groups. More in details it refers to “Data”, “Device”, “Infrastructure”, “Platform and backend”, “Decision making”.
Threat T1.1.2: Inadequate design and planning or incorrect adaptation
IoT devices rely on software that might contain severe bugs due to wrong design choices and the absence of a reliable adaptation/update strategy to fix such errors. This makes the devices vulnerable to many different types of attacks from buffer overflow to lack of authentication (well-known, easy-to-guess, hardcoded password for device configuration). This can be considered one of the most important security threats, and in many cases, it is exploited to generate botnet attacks. IoT still misses an effective adaptation planning strategy to cope with this type of threat. This threat is therefore strongly connected with TG1.3.
Assets: “Device”, “Infrastructure”, “Platform and backend”, “Management”.
Threat Group TG1.2: Interception and unauthorized acquisition
This group includes threats introduced by alteration/manipulation of the communications between two parties. This TG, depending on the circumstances of the incident, could, also, be linked to TG5.
Threat T1.2.1: Interception of information
It considers an attacker intercepting communication between two communicating links. In IoT network, not all the communication channel is sufficiently protected, for instance, if keying material, security parameters, or configuration settings are exchanged in clear or if weak or unsuitable/vulnerable cryptographic algorithms are used. Related attacks include man-in-the-middle, communication protocol, and session hijacking, or message replay. The man-in-the-middle attack relies on the fact that both the commissioning and operational phases may be vulnerable. In IoT, it is normally assumed that no third parties can eavesdrop during the execution of key materials exchange protocol (i.e., communication in clear from). IoT communication protocol hijacking takes advantage of the possibility to sniff the traffic and then uses aggressive techniques like forcing disconnection or reset. In the case of session Hijacking, the attack activities are oriented to act as a legitim host/device to steal, modify or delete transmitted data. In addition, device authentication or device authorization may be nontrivial or need human intervention (see Unintentional damage/loss of information or IT assets threat group), since devices usually do not have a priori knowledge about the rest of the ecosystem or completely automatic mechanisms to differentiate legitim and illegitimate devices (see physical threat group). An attacker with low privileges can misuse additional flaws in the implemented authentication and authorization mechanisms of a device to gain more privileged access to the device itself obtaining elevation of privilege
Another attack that fits the IoT environment is the “harvest and decrypt” attack in which an attacker can start to harvest (store) encrypted data today and decrypt it years later, once a quantum computer is available (e.g., VENONA project[8]). This is linked to the fact that many IoT devices remain operational for a decade or even longer, and during this time, digital signatures used to sign software updates might become obsolete, making the secure update of IoT devices challenging. Reply attack uses a valid data transmission maliciously by repeatedly sending it or delaying it, in order to manipulate or crash the targeted device.
Assets: “Device”, “Infrastructure”, “Security mechanisms”.
Threat T1.2.2: Unauthorised acquisition of information
IoT networks can be spoofed, altered, or replayed, to create routing loops, attract/repel network traffic, extend/ shorten source routes, to name but a few. As an example, via sybil attack an attacker can present multiple networking level identities to other devices in the network. In addition, IoT can be subject to disclosure of sensitive data, intentionally or unintentionally, to unauthorized parties. Confidential data may be captured by an attacker from individual devices, during transit, or from the backend, local storage, edge nodes (note that information acquisition via physical access is described in TG1.3). Privacy must be also considered, for instance, when the sensor is transmitting sensible data like health-related data and when device location tracking provided by the device poses a privacy risk to users. This threat shares most of the attack strategies with the Networking Domain. In the following, we describe some of them showing a clear connection with the IoT environment where nodes can be manipulated/added more easily.
Assets: “Device”, “Infrastructure”, “Platform and backend”.
Threat Group TG1.3: Intentional physical damage
In IoT, the physical access to the devices that are spread in a potential uncontrolled environment is more serious than in another domain.
Threat T1.3.1: Device modification
Having physical access to the IoT device allows a non-trusted factory to clone the physical characteristics, firmware/software and security configuration of a device. Deployed devices might also be compromised and their software reverse-engineered, allowing for cloning. Cloned devices may be sold cheaply in the market and can contain functional modifications including backdoors. Alternatively, a genuine device may be substituted with a variant or clone during transportation, commissioning or in operation. Another substitution is a firmware level substitution that is less expensive and less easy to discover that physical cloning or replacement. In some cases, this substitution occurs in the framework of patching or upgrading, and it may or may not requires physical access (we include this type of attack in this threat for simplicity even if they can be obtained without full physical access). Other attacks that refer to this threat are device replication, camouflage, malicious device/node injection, to name but a few.
Assets: “Device”, “Infrastructure”.
Threat T1.3.2: Extraction of private information
IoT devices are often physically unprotected. This allows physical access to attempt to extract private information such as keys, data from sensors (for example, healthcare status of a user), configuration parameters (for example, the Wi-Fi key), or proprietary algorithms (for example, the algorithm performing some data analytics task).
Assets: “Device”.
Threat Group TG1.4: Nefarious activity/abuse
This group includes threats coming from nefarious activities. It requires active attacks targeting the infrastructure of the victim, including the installation or use of malicious tools and software.
Threat T1.4.1: Identity fraud
Identity fraud in IoT primarily refers to both weak user/admin credentials and authentication, which is a quite diffuse threat for IoT (at the top of the OWASP top Ten), and identity spoofing, which involves authentication protocol leakages in IoT, for instance, at device bootstrapping time. Poor credential management such as weak password choices and lack of multi-factor authentication for the user and administrative interfaces of devices, gateways or back-ends, is a common vulnerability in many information systems and even exacerbated in IoT due to the limitations at device side. The password/credentials are in most of the cases guessable, weak and hardcoded at the firmware level. Identity fraud in IoT can be obtained due to the weakness of the identity provisioning protocols that can be spoofed.
Assets: “Device”, “Infrastructure”, “Platform and backend”.
Threat T1.4.2: Denial of service
Traditional (Distributed) Denial of Service is among the main threats for IoT where devices, being resource-constrained, are more susceptible to denial of services. It aims to threaten components availability by exhausting their resources, causing performance decrease, loss of data, service outages, on one side, but also a potential safety issue, on the other side. In addition, compromised devices themselves are often used to disrupt the operation of other networks or systems via a Distributed DoS (DDoS) attack (see TG physical). Here we consider DoS that targets IoT not generated by IoT devices.
Assets: “Device”, “Infrastructure”, “Security mechanisms”, “Platform and backend”.
Threat T1.4.3: Malicious code/software/activity
This class of threats usually targets all ICT stack and the aforementioned 6 domains. They aim to distribute and execute malicious code/software or execute malicious activities. These threats usually involve malware, exploit kits, worms, trojans, and exploit backdoors and trapdoors, as well as developer errors/weaknesses. Devices can be infected with such malicious programs due to vulnerabilities in software or firmware, that are much more diffuse than in other domains due to the difficulties in keeping an IoT device updated.
An IoT specific threat that is difficult to discover, is the counterfeit device since it cannot be easily distinguished from the original. These devices usually have backdoors and can be used to conduct attacks on other ICT systems in the environment in most of the cases botnet type of attacks.
Assets: “Device”, “Infrastructure”, “Security mechanisms”, “Platform and backend”.
Threat T1.4.4: Misuse of assurance tools
Assurance is the way to gain justifiable confidence that a system will consistently demonstrate one or more security properties, and operationally behave as expected, despite failures and attacks[9]. Assurance is based on the audit, certification, and compliance tools and techniques[10][11]. The manipulation of such tools and techniques can result in scenarios where the malicious behavior of attackers is masqueraded and is not discovered. Assurance information is necessary to ensure the security of the system during its entire lifecycle from its design to its operation. It is also necessary due to guarantee compliance and regulation. In IoT environment, the adoption of assurance is even more crucial due to the need to cope with the lack of security mechanisms at the peripheries.
Assets: “Data”, “Devices”, “Platform and backend”, “Infrastructure”, “Security Mechanisms”, “Management”.
Threat T1.4.5: Failures of business process
Improper business processes can damage or cause a loss of assets. IoT can be part of a complex system handling sensible data, like in case of health or industrial application. Threats to the confidentiality of sensor data (e.g., wrong delivery through untrusted gateways) and integrity of sensor data (e.g., the use of temporal local tamperable data store) can have a high impact.
Assets: “Devices”, “Platform and backend”, “Infrastructure”, “Security Mechanisms”, “Management”.
Threat T1.4.6: Code execution and injection (unsecured APIs)
IoT applications are built on web services models and in many cases, each device offers APIs that can then become a target of the attack, and be vulnerable to well-known attacks, such as the Open Web Application Security Project (OWASP) Top Ten list.[12] This threat is listed as the third most risky threat in the OWASP Top 10 IoT due to the fact that i) IoT offers administrative interfaces and ii) due to budget restrictions, IoT vendors do not dedicate much budget on its security and testing. In particular, code execution (e.g., XSS) and injection (e.g., SQL injection) are critical classes of attacks that can increase risks.
Assets: “Platform and backend”, “Security Mechanisms”, “Management”.
Threat Group TG1.5: Legal
This group provides for threats resulting from the violation of laws and/or regulations, such as the inappropriate use of Intellectual Property Rights, the misuse of personal data, the necessity to comply with judiciary decisions dictated with the rule of law.
Threat T1.5.1: Violation of laws or regulations
The management of legal aspects impacts the IoT system and can represent a threat to the system itself. As mentioned earlier the legislation landscape on IoT is quite complex, and IoT systems potentially involve devices produces under different legislations and regulations. Violations of laws or regulations, the breach of legislation, the failure to meet contractual requirements, the unauthorized use of Intellectual Property resources, the abuse of personal data, the necessity to obey judiciary decisions and court orders are examples of threats. Also, the lack of cyber-regulations in countries with a high concentration of hacker groups is having an impact on this regard. In January of 2018, Cyber Security Research Institute report into the Internet of Things sponsored by F-Secure stated that IoT represents a considerable threat to consumers, due to inadequate regulations regarding its security and use.[13] In some scenarios, the situation is even more complex due to the ubiquitous nature of IoT sensors. For instance, Google was forced to announce in early 2018 that its Nest security system included a microphone that was not disclosed to consumers.[14]
Assets: All assets.
Threat Group TG1.6: Organisational threats
This group includes threats to the organizational sphere.
Threat T1.6.1: Skill shortage
A possible shortage of skilled IoT cybersecurity experts is one of the main threats to IoT. Another aspect is the lack of security awareness at the management level.[15] This threat has a strong link to threat group TG1 “Unintentional damage/loss of information or IT assets”. The F-Secure chief, Mikko Hypponen declares in 2017 that “many IoT device vendors have little to no experience in building internet-connected devices,” and “they build IoT devices to be cheap and to work, but not to be secure.[16]”
Assets: “Roles”.
Emerging Threats in COVID-19 Era
The advent of COVID-19 enhanced:
- T1.1.2 – Inadequate design and planning or incorrect adaptation
- T1.4.5 – Failures of business process
- T1.6.1 – Skill shortage
Furthermore, COVID-19 also generated the following new Device/IoT-centric security threats:
Threat T1.1.3: Inadequate design and planning or incorrect adaptation in critical scenario – COVID19
It considers the absence or inadequacy of emergency reaction plan or adaptation strategy that involves fast adoption of new IoT devices and technologies to react to crisis. It is somehow similar to a disaster recovery plan but focused on adoption and adaptation of security countermeasure to cope with new emerging needs.
Threat T1.3.3: Lack of control on safety implications – COVID19.
The pandemic let the connection between IoT security and safety emerges more clearly. There is the severe risk that the new plethora of IoT medical devices to monitor conditions even at home constitutes a serious safety threat for people. This is connected also to the urgency of the use and deployment of such devices that is preventing any possible security-oriented planning.
Threat T1.6.2: Lack of strong cyber hygiene practices – COVID19
Good practices to improve cybersecurity skills are fundamental under any situation. With the pandemic, the personnel are exposed to stress and to adoption of new technologies that they do not have time to learn about. In IoT this is even more severe due to their nature to be ubiquitous and out of the box deployable. The minimal cyber hygiene practices are fundamental in such context.
Emerging Threats in 2021
The following is the list of Device/IoT-centric security threats that emerged in 2021.
Threat T1.4.7: Device hijacking
An attacker can hijack and take control of a connected device without changing the basic functionality of the device and thus remaining undetected. By hijacking a single device, the attacker can use it to infect the rest of the interconnected devices, such as smart meters in the grid. In the case of Industrial IoT (IIoT), by using compromised smart meters, a hijacker can launch ransomware attacks against Energy Management Systems (EMSs) and meddle with power lines.[17]Threat T1.4.8: Social engineering.
Social engineering attacks often do not take much effort to execute on IoT devices. Wearable devices collect a large amount of personal information for developing a personalized user experience. However, attackers can infiltrate such devices to obtain confidential information such as the users’ bank details and home address. With this information, attackers can unleash advanced social engineering attacks aimed at users and their family members through vulnerable IoT networks.[18]
[1] F. Xia, L. T. Yang, L. Wang e A. Vinel, «Internet of Things,» International Journal of Communication Systems 25 (September 2012), vol. 9, pp. 1101-1102, 2012.
[2] A guide to Internet of Things Infographic https://www.intel.com/content/www/us/en/internet-of-things/infographics/guide-to-iot.html
[3] C. A. Ardagna, E. Damiani, J. Schutte e P. Stephanow, «A Case for IoT Security Assurance,» in Internet of Things (ITTCC), Springer Link, 2017, pp. 175-192.
[4] SonicWall Mid-Year update report
[5] Gartner Says Worldwide IoT Security Spending Will Reach $1.5 Billion in 2018 https://www.gartner.com/en/newsroom/press-releases/2018-03-21-gartner-says-worldwide-iot-security-spending-will-reach-1-point-5-billion-in-2018
[6] ATTACK LANDSCAPE H1 2019 https://s3-eu-central-1.amazonaws.com/evermade-fsecure-assets/wp-content/uploads/2019/09/12093807/2019_attack_landscape_report.pdf
[7] Smart Grid Threat Landscape, Threat Landscape and Good Practice Guide for Internet Infrastructure, Threat Landscape and Good Practice Guide for Smart Home and Converged Media
[8] VENONA https://www.nsa.gov/news-features/declassified-documents/venona/
[9] C. A. Ardagna, R. Asal, E. Damiani e Q. Vu, «From Security to Assurance in the Cloud: A Survey,» in ACM Computing Surveys (CSUR), August, 2015.
[10] M. Anisetti, C. A. Ardagna, F. Gaudenzi e E. Damiani, «A semi-automatic and trustworthy scheme for continuous cloud service certification,» IEEE Transactions on Services Computing, 2017.
[11] M. Anisetti, C. A. Ardagna, F. Gaudenzi, E. Damiani e G. Jeon, «Cost-effective deployment of certified cloud composite services,» Journal of Parallel and Distributed Computing, vol. 135, 2019.
[12] Many common vulnerability exposures for Big Data components, such as Hadoop, are reported in specialized Websites, see for example https://cve.mitre.org and https://www.cvedetails.com
[13] VENONA https://www.nsa.gov/news-features/declassified-documents/venona/
[14] PINNING DOWN THE IOT https://fsecurepressglobal.files.wordpress.com/2018/01/f-secure_pinning-down-the-iot.pdf
[15] See https://www.justice.gov/usao-ndca/pr/sunnyvale-based-network-security-company-agrees-pay-545000-resolve-false-claims-act
[16] Should You Fear the IoT_Reaper? https://blog.f-secure.com/should-you-fear-the-iot_reaper/
[17] Industrial IoT: Threats and Countermeasures, https://www.rambus.com/iot/industrial-iot/
[18] 8 TYPES OF INTERNET OF THINGS SECURITY THREATS, https://www.bbntimes.com/technology/8-types-of-internet-of-things-security-threats
Università degli Studi di Milano
Via Celoria 18, 20133 Milano MI - Italy
+39 02 503 16333 - sesarlab@unimi.it