Cyber Security and the Internet of Things: Vulnerabilities,Threats, Intruders

and Attacks

Mohamed Abomhara and Geir M. Køien

Department of Information and Communication Technology, University of Agder, Norway Corresponding Authors: {Mohamed.abomhara; geir.koien}@uia.no

Received 14 September 2014; Accepted 17 April 2015; Publication 22 May 2015

Abstract

Internet of Things (IoT) devices are rapidly becoming ubiquitous while IoT services are becoming pervasive. Their success has not gone unnoticed and the number of threats and attacks against IoT devices and services are on the increase as well. Cyber-attacks are not new to IoT, but as IoT will be deeply interwoven in our lives and societies, it is becoming necessary to step up and take cyber defense seriously. Hence, there is a real need to secure IoT, which has consequently resulted in a need to comprehensively understand the threats and attacks on IoT infrastructure. This paper is an attempt to classify threat types, besides analyze and characterize intruders and attacks facing IoT devices and services.

Keywords: Internet of Things, Cyber-attack, Security threats.

1 Introduction

The recent rapid development of the Internet of Things (IoT) [1, 2] and its ability to offer different types of services have made it the fastest growing technology, with huge impact on social life and business environments. IoT has

Journal of Cyber Security, Vol. 4, 65–88. doi: 10.13052/jcsm2245-1439.414 c© 2015 River Publishers. All rights reserved.

66 M. Abomhara and G. M. Køien

gradually permeated all aspects of modern human life, such as education, healthcare, and business, involving the storage of sensitive information about individuals and companies, financial data transactions, product development and marketing.

The vast diffusion of connected devices in the IoT has created enormous demand for robust security in response to the growing demand of millions or perhaps billions of connected devices and services worldwide [3–5].

The number of threats is rising daily, and attacks have been on the increase in both number and complexity. Not only is the number of potential attackers along with the size of networks growing, but the tools available to potential attackers are also becoming more sophisticated, efficient and effective [6, 7]. Therefore, for IoT to achieve fullest potential, it needs protection against threats and vulnerabilities [8].

Security has been defined as a process to protect an object against physical damage, unauthorized access, theft, or loss, by maintaining high confidential- ity and integrity of information about the object and making information about that object available whenever needed [7, 9].According to Kizza [7] there is no thing as the secure state of any object, tangible or not, because no such object can ever be in a perfectly secure state and still be useful. An object is secure if the process can maintain its maximum intrinsic value under different condi- tions. Security requirements in the IoT environment are not different from any other ICT systems. Therefore, ensuring IoT security requires maintaining the highest intrinsic value of both tangible objects (devices) and intangible ones (services, information and data).

This paper seeks to contribute to a better understanding of threats and their attributes (motivation and capabilities) originating from various intruders like organizations and intelligence. The process of identifying threats to systems and system vulnerabilities is necessary for specifying a robust, complete set of security requirements and also helps determine if the security solution is secure against malicious attacks [10]. As well as users, governments and IoT developers must ultimately understand the threats and have answers to the following questions:

1. What are the assets? 2. Who are the principal entities? 3. What are the threats? 4. Who are the threat actors? 5. What capability and resource levels do threat actors have? 6. Which threats can affect what assets?

Cyber security and the Internet of Things 67

7. Is the current design protected against threats? 8. What security mechanisms could be used against threats?

The remainder of this paper is organized as follows. Section 2 pro- vides a background, definitions, and the primary security and privacy goals. Section 3 identifies some attacker motivations and capabilities, and provides an outline of various sorts of threat actors. Finally, the paper concludes with Section 4.

2 Background

The IoT [1, 2, 11] is an extension of the Internet into the physical world for interaction with physical entities from the surroundings. Entities, devices and services [12] are key concepts within the IoT domain, as depicted in Figure 1 [13]. They have different meanings and definitions among various projects. Therefore, it is necessary to have a good understand- ing of what IoT entities, devices and services are (discussed in detail in Section 2.1).

An entity in the IoT could be a human, animal, car, logistic chain item, electronic appliance or a closed or open environment [14]. Interaction among

Figure 1 IoT model: key concepts and interactions.

68 M. Abomhara and G. M. Køien

entities is made possible by hardware components called devices [12] such as mobile phones, sensors, actuators or RFID tags, which allow the entities to connect to the digital world [15].

In the current state of technology, Machine-to-Machine (M2M) is the most popular application form of IoT. M2M is now widely employed in power, transportation, retail, public service management, health, water, oil and other industries to monitor and control the user, machinery and production processes in the global industry and so on [5, 16, 17]. According to estimates M2M applications will reach 12 billion connections by 2020 and generate approximately 714 billion euros in revenues [2].

Besides all the IoT application benefits, several security threats are observed [17–19]. The connected devices or machines are extremely valuable to cyber-attackers for several reasons:

1. Most IoT devices operate unattended by humans, thus it is easy for an attacker to physically gain access to them.

2. Most IoT components communicate over wireless networks where an attacker could obtain confidential information by eavesdropping.

3. Most IoT components cannot support complex security schemes due to low power and computing resource capabilities.

In addition, cyber threats could be launched against any IoT assets and facilities, potentially causing damage or disabling system operation, endangering the general populace or causing severe economic damage to owners and users [20, 21]. Examples include attacks on home automation systems and taking control of heating systems, air conditioning, lighting and physical security systems. The information collected from sensors embedded in heating or lighting systems could inform the intruder when somebody is at home or out. Among other things, cyber-attacks could be launched against any public infrastructure like utility systems (power sys- tems or water treatment plants) [22] to stop water or electricity supply to inhabitants.

Security and privacy issues are a growing concern for users and suppliers in their shift towards the IoT [23]. It is certainly easy to imagine the amount of damage caused if any connected devices were attacked or corrupted. It is well-recognized that adopting any IoT technology within our homes, work, or business environments opens doors to new security problems. Users and suppliers must consider and be cautious with such security and privacy concerns.

Cyber security and the Internet of Things 69

2.1 Understanding IoT Devices and Services

In this section, the main IoT domain concepts that are important from a business process perspective are defined and classified, and the relationships between IoT components (IoT devices and IoT services) are described.

2.1.1 IoT device This is a hardware component that allows the entity to be a part of the digital world [12]. It is also referred to as a smart thing, which can be a home appliance, healthcare device, vehicle, building, factory and almost anything networked and fitted with sensors providing information about the physical environment (e.g., temperature, humidity, presence detectors, and pollution), actuators (e.g., light switches, displays, motor-assisted shutters, or any other action that a device can perform) and embedded computers [24, 25].

An IoT device is capable of communicating with other IoT devices and ICT systems. These devices communicate via different means including cellular (3G or LTE), WLAN, wireless or other technologies [8]. IoT device classifi- cation depends on size, i.e., small or normal; mobility, i.e., mobile or fixed; external or internal power source; whether they are connected intermittently or always-on; automated or non-automated; logical or physical objects; and lastly, whether they are IP-enabled objects or non IP objects.

The characteristics of IoT devices are their ability to actuate and/or sense, the capability of limiting power/energy, connection to the physical world, intermittent connectivity and mobility [23]. Some must be fast and reliable and provide credible security and privacy, while others might not [9]. A number of these devices have physical protection whereas others are unattended.

In fact, in IoT environments, devices should be protected against any threats that can affect their functionality. However, most IoT devices are vulnerable to external and internal attacks due to their characteristics [16]. It is challenging to implement and use a strong security mechanism due to resource constraints in terms of IoT computational capabilities, memory, and battery power [26].

2.1.2 IoT services IoT services facilitate the easy integration of IoT entities into the service- oriented architecture (SOA) world as well as service science [27]. According to Thoma [28], an IoT service is a transaction between two parties: the service provider and service consumer. It causes a prescribed function, enabling

70 M. Abomhara and G. M. Køien

interaction with the physical world by measuring the state of entities or by initiating actions that will initiate a change to the entities.

A service provides a well-defined and standardized interface, offering all necessary functionalities for interacting with entities and related processes. The services expose the functionality of a device by accessing its hosted resources [12].

2.1.3 Security in IoT devices and services Ensuring the security entails protecting both IoT devices and services from unauthorized access from within the devices and externally. Secu- rity should protect the services, hardware resources, information and data, both in transition and storage. In this section, we identified three key problems with IoT devices and services: data confidentiality, privacy and trust.

Data confidentiality represents a fundamental problem in IoT devices and services [27]. In IoT context not only user may access to data but also authorized object. This requires addressing two important aspects: first, access control and authorization mechanism and second authentication and identity management (IdM) mechanism. The IoT device needs to be able to verify that the entity (person or other device) is authorized to access the service. Authorization helps determine if upon identification, the person or device is permitted to receive a service. Access control entails controlling access to resources by granting or denying means using a wide array of criteria. Autho- rization and access control are important to establishing a secure connection between a number of devices and services. The main issue to be dealt with in this scenario is making access control rules easier to create, understand and manipulate. Another aspect that should be consider when dealing with confidentiality is authentication and identity management. In fact this issue is critical in IoT, because multiple users, object/things and devices need to authenticate each other through trustable services. The problem is to find solution for handling the identity of user, things/objects and devices in a secure manner.

Privacy is an important issue in IoT devices and service on account of the ubiquitous character of the IoT environment. Entities are connected, and data is communicated and exchanged over the internet, rendering user privacy a sensitive subject in many research works. Privacy in data collection, as well as data sharing and management, and data security matters remain open research issues to be fulfilled.

Cyber security and the Internet of Things 71

Trust plays an important role in establishing secure communication when a number of things communicate in an uncertain IoT environment. Two dimen- sions of trust should be considered in IoT: trust in the interactions between entities, and trust in the system from the users perspective [29] According to Køien [9] the trustworthiness of an IoT device depends on the device components including the hardware, such as processor, memory, sensors and actuators, software resources like hardware-based software, operating system, drivers and applications, and the power source. In order to gain user/services trust, there should be an effective mechanism of defining trust in a dynamic and collaborative IoT environment.

2.2 Security Threats, Attacks, and Vulnerabilities

Before addressing security threats, the system assets (system components) that make up the IoT must first be identified. It is important to understand the asset inventory, including all IoT components, devices and services.

An asset is an economic resource, something valuable and sensitive owned by an entity. The principal assets of any IoT system are the system hardware (include buildings, machinery, etc.) [11], software, services and data offered by the services [30].

2.2.1 Vulnerability Vulnerabilities are weaknesses in a system or its design that allow an intruder to execute commands, access unauthorized data, and/or conduct denial-of- service attacks [31, 32]. Vulnerabilities can be found in variety of areas in the IoT systems. In particular, they can be weaknesses in system hardware or software, weaknesses in policies and procedures used in the systems and weaknesses of the system users themselves [7].

IoT systems are based on two main components; system hardware and system software, and both have design flaws quite often. Hardware vulner- abilities are very difficult to identify and also difficult to fix even if the vulnerability were identified due to hardware compatibility and interoper- ability and also the effort it take to be fixed. Software vulnerabilities can be found in operating systems, application software, and control software like communication protocols and devices drives. There are a number of factors that lead to software design flaws, including human factors and software complexity. Technical vulnerabilities usually happen due to human weaknesses. Results of not understanding the requirements comprise starting

72 M. Abomhara and G. M. Køien

the project without a plan, poor communication between developers and users, a lack of resources, skills, and knowledge, and failing to manage and control the system [7].

2.2.2 Exposure Exposure is a problem or mistake in the system configuration that allows an attacker to conduct information gathering activities. One of the most challenging issues in IoT is resiliency against exposure to physical attacks. In the most of IoT applications, devices may be left unattended and likely to be placed in location easily accessible to attackers. Such exposure raises the possibility that an attacker might capture the device, extract cryptographic secrets, modify their programming, or replace them with malicious device under the control of the attacker [33].

2.2.3 Threats A threat is an action that takes advantage of security weaknesses in a system and has a negative impact on it [34]. Threats can originate from two primary sources: humans and nature [35, 36]. Natural threats, such as earthquakes, hurricanes, floods, and fire could cause severe damage to computer systems. Few safeguards can be implemented against natural disasters, and nobody can prevent them from happening. Disaster recovery plans like backup and contingency plans are the best approaches to secure systems against natural threats. Human threats are those caused by people, such as malicious threats consisting of internal [37] (someone has authorized access) or exter- nal threats [38] (individuals or organizations working outside the network) looking to harm and disrupt a system. Human threats are categorized into the following:

• Unstructured threats consisting of mostly inexperienced individuals who use easily available hacking tools.

• Structured threats as people know system vulnerabilities and can under- stand, develop and exploit codes and scripts. An example of a structured threat is Advanced Persistent Threats (APT) [39]. APT is a sophisticated network attack targeted at high-value information in business and gov- ernment organizations, such as manufacturing, financial industries and national defense, to steal data [40].

As IoT become a reality, a growing number of ubiquitous devices has raise the number of the security threats with implication for the general public. Unfortunately, IoT comes with new set of security threat. There are

Cyber security and the Internet of Things 73

a growing awareness that the new generation of smart-phone, computers and other devices could be targeted with malware and vulnerable to attack.

2.2.4 Attacks Attacks are actions taken to harm a system or disrupt normal operations by exploiting vulnerabilities using various techniques and tools.Attackers launch attacks to achieve goals either for personal satisfaction or recompense. The measurement of the effort to be expended by an attacker, expressed in terms of their expertise, resources and motivation is called attack cost [32]. Attack actors are people who are a threat to the digital world [6]. They could be hackers, criminals, or even governments [7]. Additional details are discussed in Section 3.

An attack itself may come in many forms, including active network attacks to monitor unencrypted traffic in search of sensitive information; passive attacks such as monitoring unprotected network communications to decrypt weakly encrypted traffic and getting authentication information; close-in attacks; exploitation by insiders, and so on. Common cyber-attack types are:

(a) Physical attacks: This sort of attack tampers with hardware components. Due to the unattended and distributed nature of the IoT, most devices typically operate in outdoor environments, which are highly susceptible to physical attacks.

(b) Reconnaissance attacks – unauthorized discovery and mapping of sys- tems, services, or vulnerabilities. Examples of reconnaissance attacks are scanning network ports [41], packet sniffers [42], traffic analysis, and sending queries about IP address information.

(c) Denial-of-service (DoS): This kind of attack is an attempt to make a machine or network resource unavailable to its intended users. Due to low memory capabilities and limited computation resources, the majority of devices in IoT are vulnerable to resource enervation attacks.

(d) Access attacks – unauthorized persons gain access to networks or devices to which they have no right to access. There are two different types of access attack: the first is physical access, whereby the intruder can gain access to a physical device. The second is remote access, which is done to IP-connected devices.

(e) Attacks on privacy: Privacy protection in IoT has become increas- ingly challenging due to large volumes of information easily available

74 M. Abomhara and G. M. Køien

through remote access mechanisms. The most common attacks on user privacy are:

• Data mining: enables attackers to discover information that is not anticipated in certain databases.

• Cyber espionage: using cracking techniques and malicious software to spy or obtain secret information of individuals, organizations or the government.

• Eavesdropping: listening to a conversation between two par- ties [43].

• Tracking: a users movements can be tracked by the devices unique identification number (UID). Tracking a users location facilitates identifying them in situations in which they wish to remain anonymous.

• Password-based attacks: attempts are made by intruders to duplicate a valid user password. This attempt can be made in two different ways: 1) dictionary attack – trying possible combinations of letters and numbers to guess user passwords; 2) brute force attacks – using cracking tools to try all possible combinations of passwords to uncover valid passwords.

(f) Cyber-crimes: The Internet and smart objects are used to exploit users and data for materialistic gain, such as intellectual property theft, identity theft, brand theft, and fraud [6, 7, 44].

(g) Destructive attacks: Space is used to create large-scale disruption and destruction of life and property. Examples of destructive attacks are terrorism and revenge attacks.

(h) Supervisory Control and Data Acquisition (SCADA) Attacks: As any other TCP/IP systems, the SCADA [45] system is vulnerable to many cyber attacks [46, 47]. The system can be attacked in any of the following ways:

i. Using denial-of-service to shut down the system. ii. Using Trojans or viruses to take control of the system. For instance,

in 2008 an attack launched on an Iranian nuclear facility in Natanz using a virus named Stuxnet [48].

2.3 Primary Security and Privacy Goals

To succeed with the implementation of efficient IoT security, we must be aware of the primary security goals as follows:

Cyber security and the Internet of Things 75

2.3.1 Confidentiality Confidentiality is an important security feature in IoT, but it may not be mandatory in some scenarios where data is presented publicly [18]. However, in most situations and scenarios sensitive data must not be disclosed or read by unauthorized entities. For instance patient data, private business data, and/or military data as well as security credentials and secret keys, must be hidden from unauthorized entities.

2.3.2 Integrity To provide reliable services to IoT users, integrity is a mandatory security property in most cases. Different systems in IoT have various integrity requirements [49]. For instance, a remote patient monitoring system will have high integrity checking against random errors due to information sensitivities. Loss or manipulation of data may occur due to communication, potentially causing loss of human lives [6].

2.3.3 Authentication and authorization Ubiquitous connectivity of the IoT aggravates the problem of authentication because of the nature of IoT environments, where possible communication would take place between device to device (M2M), human to device, and/or human to human. Different authentication requirements necessitate different solutions in different systems. Some solutions must be strong, for example authentication of bank cards or bank systems. On the other hand, most will have to be international, e.g., ePassport, while others have to be local [6]. The authorization property allows only authorized entities (any authenticated entity) to perform certain operations in the network.

2.3.4 Availability A user of a device (or the device itself) must be capable of accessing services anytime, whenever needed. Different hardware and software components in IoT devices must be robust so as to provide services even in the presence of malicious entities or adverse situations. Various systems have different availability requirements. For instance, fire monitoring or healthcare monitor- ing systems would likely have higher availability requirements than roadside pollution sensors.

2.3.5 Accountability When developing security techniques to be used in a secure network, account- ability adds redundancy and responsibility of certain actions, duties and

76 M. Abomhara and G. M. Køien

planning of the implementation of network security policies. Accountability itself cannot stop attacks but is helpful in ensuring the other security techniques are working properly. Core security issues like integrity and confidentiality may be useless if not subjected to accountability. Also, in case of a repudiation incident, an entity would be traced for its actions through an accountability process that could be useful for checking the inside story of what happened and who was actually responsible for the incident.

2.3.6 Auditing A security audit is a systematic evaluation of the security of a device or service by measuring how well it conforms to a set of established criteria. Due to many bugs and vulnerabilities in most systems, security auditing plays an important role in determining any exploitable weaknesses that put the data at risk. In IoT, a systems need for auditing depends on the application and its value.

2.3.7 Non-repudiation The property of non-repudiation produces certain evidence in cases where the user or device cannot deny an action. Non-repudiation is not considered an important security property for most of IoT. It may be applicable in certain contexts, for instance, payment systems where users or providers cannot deny a payment action.

2.3.8 Privacy goals Privacy is an entitys right to determine the degree to which it will interact with its environment and to what extent the entity is willing to share information about itself with others. The main privacy goals in IoT are:

• Privacy in devices – depends on physical and commutation privacy. Sensitive information may be leaked out of the device in cases of device theft or loss and resilience to side channel attacks.

• Privacy during communication – depends on the availability of a device, and device integrity and reliability. IoT devices should communicate only when there is need, to derogate the disclosure of data privacy during communication.

• Privacy in storage – to protect the privacy of data stored in devices, the following two things should be considered:

• Possible amounts of data needed should be stored in devices.

Cyber security and the Internet of Things 77

• Regulation must be extended to provide protection of user data after end-of-device life (deletion of the device data (Wipe) if the device is stolen, lost or not in use).

• Privacy in processing – depends on device and communication integrity [50]. Data should be disclosed to or retained from third parties without the knowledge of the data owner.

• Identity privacy – the identity of any device should only discovered by authorized entity (human/device).

• location privacy – the geographical position of relevant device should only discovered by authorized entity (human/device) [51].

3 Intruders, Motivations and Capabilities

Intruders have different motives and objectives, for instance, financial gain, influencing public opinion, and espionage, among many others. The motives and goals of intruders vary from individual attackers to sophisticated organized-crime organizations.

Intruders also have different levels of resources, skill, access and risk tolerance leading to the portability level of an attack occurring [52]. An insider has more access to a system than outsiders. Some intruders are well- funded and others work on a small budget or none. Every attacker chooses an attack that is affordable, an attack with good return on the investment based on budget, resources and experience [6]. In this section, intruders are categorized according to characteristics, motives and objectives, capabilities and resources.

3.1 Purpose and Motivation of Attack

Government websites, financial systems, news and media websites, military networks, as well as public infrastructure systems are the main targets for cyber-attacks. The value of these targets is difficult to estimate, and estimation often varies between attacker and defender. Attack motives range from identity theft, intellectual property theft, and financial fraud, to critical infrastructure attacks. It is quite difficult to list what motivates hackers to attack systems. For instance, stealing credit card information has become a hackers hobby nowadays, and electronic terrorism orga- nizations attack government systems in order to make politics, religion interest.

78 M. Abomhara and G. M. Køien

3.2 Classification of Possible Intruders

A Dolev-Yao (DY) type of intruder shall generally be assumed [53, 54]. That is, an intruder which is in effect the network and which may intercept all or any message ever transmitted between IoT devices and hubs. The DY intruder is extremely capable but its capabilities are slightly unrealistic. Thus, safety will be much stronger if our IoT infrastructure is designed to be DY intruder resilient. However, the DY intruder lacks one capability that ordinary intruders may have, namely, physical compromise. Thus, tamper- proof devices are also greatly desirable. This goal is of course unattainable, but physical tamper resistance is nevertheless a very

Our website has a team of professional writers who can help you write any of your homework. They will write your papers from scratch. We also have a team of editors just to make sure all papers are of HIGH QUALITY & PLAGIARISM FREE. To make an Order you only need to click Ask A Question and we will direct you to our Order Page at WriteDemy. Then fill Our Order Form with all your assignment instructions. Select your deadline and pay for your paper. You will get it few hours before your set deadline.

Fill in all the assignment paper details that are required in the order form with the standard information being the page count, deadline, academic level and type of paper. It is advisable to have this information at hand so that you can quickly fill in the necessary information needed in the form for the essay writer to be immediately assigned to your writing project. Make payment for the custom essay order to enable us to assign a suitable writer to your order. Payments are made through Paypal on a secured billing page. Finally, sit back and relax.

Do you need an answer to this or any other questions?

Order Plagiarism Free Answer Here

About Wridemy

We are a professional paper writing website. If you have searched a question and bumped into our website just know you are in the right place to get help in your coursework. We offer HIGH QUALITY & PLAGIARISM FREE Papers.

How It Works

To make an Order you only need to click on “Order Now” and we will direct you to our Order Page. Fill Our Order Form with all your assignment instructions. Select your deadline and pay for your paper. You will get it few hours before your set deadline.

Are there Discounts?

All new clients are eligible for 20% off in their first Order. Our payment method is safe and secure.

Hire a tutor today CLICK HERE to make your first order

Related Tags

Academic APA Writing College Course Discussion Management English Finance General Graduate History Information Justify Literature MLA