
Abstract

IoT devices are proliferating across the modern landscape. While their benefits are immense and span many industries, they also present a challenge for cybersecurity teams because, in essence, they increase the attack surface of networks. It is paramount to secure IoT devices, especially in an era where skilled malicious actors are growing in number because of the value assigned to data. Basic best practices must be followed when securing these disparate systems, but this alone is not enough to guarantee a secure embedded system, so further research into technologically aided techniques to improve the overall security posture of these systems is needed.
Introduction
Internet of Things (IoT) devices and their applications are becoming more varied and prevalent as technology progresses and is adopted by individuals and organizations to offer convenience and improved service delivery. The number of IoT-connected devices is currently estimated at 42 billion [1]. IoT devices can be described as physical objects that incorporate a disparate range of sensors for the purpose of transferring data to and from systems and other devices [2]. Cyberattacks are becoming more prevalent, and as the attack surface continues to expand, the need to protect these devices becomes more important: Symantec reported a 600% increase in IoT attacks in 2017 [5]. With multiple interconnected devices spanning industries and use cases, security is becoming an increasingly important factor, and with the rapid growth in IoT use, improving the security of these devices is of paramount importance.

As smart devices become embedded in and integral to our daily lives, the reliance we place on them changes. Protecting some systems becomes harder because of inadequate or missing security measures, a consequence of the gap between the rate of adoption and the rate of security improvement and cost reduction. Malicious hackers can exploit these vulnerabilities and security holes. This document describes how such attacks are carried out to compromise one, many, or all of the security goals of a given system. The purpose of this report is to take a deep dive into the security of IoT devices through ethical hacking. Mitigation and detection techniques are also in scope and are discussed in relation to the different security vulnerabilities.
Related Work and Background
As the variety of smart devices expands, the effort needed to secure these systems increases. Currently there are no internationally regulated cybersecurity laws for IoT, although national laws and authorities are pushing the issue and demanding higher security thresholds for IoT. Security is not yet a strong incentive for manufacturers, as it is difficult to hold them liable for vulnerabilities [4]. The responsibility therefore lies with the consumer rather than the manufacturer, and the risk of attacks against these products depends on the risk mitigation implemented by individual consumers and organizations.

With increasing usage, new vulnerabilities are emerging in IoT devices. According to OWASP (the Open Web Application Security Project), common Internet of Things (IoT) vulnerabilities are [11]:

 Insecure web interface: an insecure web interface may exist where there are issues such as account enumeration, missing account lockout, or weak credentials [11]. Attackers use weak credentials, obtain plaintext credentials, or enumerate accounts to access the web interfaces used to configure IoT devices. An insecure web interface can lead to data loss or corruption, lack of accountability, denial of access, and even complete device takeover.
 Poor authentication/authorization: most IoT devices do not enforce stringent password requirements and so are protected by weak passwords such as 1234 or qwerty [11]. Manufacturers also tend to ship devices with weak, widely known default credentials, so it is imperative that the end user proactively change the username/password combination. Poor authentication/authorization can lead to data loss or corruption, lack of accountability, or denial of access, and can result in complete compromise of devices and user accounts.
 Insecure network services: some IoT devices expose network services such as Telnet and FTP. Insecure network services can lead to data loss or corruption, denial of service, or attacks on other devices [11].
 Lack of transport encryption: this allows a man in the middle to view data transmitted over the network. Attackers exploit missing transport encryption to read data as it travels across the network, which can lead to data loss and, depending on the data exposed, complete compromise of the device or user account [11].
 Insecure software/firmware: the contents of a software update may be altered or replaced before they reach automatically updated devices, allowing unauthorized users to run arbitrary code on the device, including backdoors and data-harvesting malware. The inability to update a device is also a security weakness; devices should be able to update when vulnerabilities are discovered. Insecure software/firmware can lead to compromise of usage data, device control, and attacks on other devices [11].
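The last item is where an update client goes wrong in practice: it installs whatever the update server (or a man in the middle) delivers. The following Python script is an added example, not code from the report or from any vendor's update client. It contrasts that vulnerable pattern with a routine that authenticates the update manifest, pins the image digest, and rejects rollback to an older version. The manifest format, the device-provisioned key and the version numbers are assumptions; HMAC under a device key stands in for the vendor signature a real device would verify with a public key, so that the example runs with the standard library alone.

```python
import hashlib
import hmac
import json

# Assumptions for this example: a key provisioned into the device at
# manufacture (stand-in for the vendor's public key) and the firmware
# version currently installed.
DEVICE_UPDATE_KEY = b"example-device-update-key-do-not-reuse"
INSTALLED_VERSION = 7


def _canonical(manifest: dict) -> bytes:
    # Deterministic encoding so that both sides authenticate identical bytes.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def authenticate_manifest(manifest: dict, key: bytes) -> bytes:
    # Vendor side: authentication tag over the canonical manifest.
    return hmac.new(key, _canonical(manifest), hashlib.sha256).digest()


def build_update(image: bytes, version: int, key: bytes):
    # Vendor side: the manifest pins the image length and SHA-256 digest,
    # and the tag binds the manifest to the key.
    manifest = {
        "version": version,
        "len": len(image),
        "sha256": hashlib.sha256(image).hexdigest(),
    }
    return image, manifest, authenticate_manifest(manifest, key)


def apply_update_insecure(image: bytes, manifest: dict, tag: bytes) -> int:
    # Vulnerable pattern: whatever arrived is installed without any check,
    # so a tampered image or a forged manifest is accepted as-is.
    return manifest["version"]


def verify_update(image: bytes, manifest: dict, tag: bytes,
                  key: bytes = DEVICE_UPDATE_KEY,
                  installed: int = INSTALLED_VERSION):
    """Return (accepted, reason). Checks run in the order a device should
    apply them: authenticate before trusting any field of the manifest,
    then reject downgrades, then verify the image against the manifest."""
    expected = authenticate_manifest(manifest, key)
    if not hmac.compare_digest(expected, tag):      # constant-time comparison
        return False, "manifest authentication failed"
    version = manifest.get("version")
    if not isinstance(version, int) or version <= installed:
        return False, "rollback or replay rejected"
    if (len(image) != manifest.get("len")
            or hashlib.sha256(image).hexdigest() != manifest.get("sha256")):
        return False, "image digest mismatch"
    return True, "ok"


if __name__ == "__main__":
    # Constructed firmware image for demonstration.
    genuine = b"\x7fELF" + b"firmware-v8" * 100
    image, manifest, tag = build_update(genuine, 8, DEVICE_UPDATE_KEY)
    print(verify_update(image, manifest, tag))
    tampered = image[:-4] + b"evil"
    print(verify_update(tampered, manifest, tag))
```

The order of checks matters: the manifest is authenticated before any of its fields are read, the version check stops an attacker replaying a genuinely signed but older (vulnerable) image, and the digest check ties the image bytes to the authenticated manifest. With a symmetric key the caveat is that extracting the key from one device lets an attacker forge updates for every device sharing it, which is why production devices verify an asymmetric signature instead.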
The Ethical Hacking Life Cycle
The Ethical Hacking Life Cycle is divided into five main phases [6]: reconnaissance, scanning, gaining access, maintaining access, and covering tracks.

• Reconnaissance:

The reconnaissance phase uses available processes and techniques, covertly or openly, to gather information about systems and users. This is the information-gathering phase of the life cycle. During this phase, ethical hackers use passive techniques (such as eavesdropping) to covertly gather information about the network over an extended period of time [1]. Gathering information more actively yields more, but at a greater risk of being discovered. Information gathering can use physical methods, which require some form of surveillance to gather as much information as possible via social engineering or reverse engineering, or logical methods based on the interception or sniffing of network packets.

• Scanning:

In the next step, ethical hackers use scanning to discover vulnerabilities that can be exploited through simulated attacks. Scanning discovers security weaknesses and/or vulnerabilities that can be used to carry out attacks: open and/or unused ports, live hosts, devices, systems, services, firewalls, intrusion detection/prevention systems (IDS/IPS), and routers and switches, including searches for configuration and security vulnerabilities. Once a full picture of the system has been built, the vulnerabilities to pursue have been identified [7]. The second part of scanning gathers information about specific target machines, devices, systems, or services by maintaining an active connection with them.

• Gaining Access:

Once a vulnerability has been identified and all the necessary information has been gathered, the hacker attempts to gain access. This is accomplished using various pentesting tools and techniques to compromise systems and bypass security measures. One common route is obtaining passwords through cracking attacks, for which readily available tools exist [8]. In an ethical engagement, this phase is therefore carried out only against the specific systems for which testing has been approved or certified, as appropriate.

• Maintaining Access:

Once access to a particular system has been gained, its resources can be exploited to search for other commonly vulnerable devices. This includes spreading worms or other malware and viruses [9], which can turn these devices into bots or "zombies", or installing rootkits. This ensures persistent remote access with escalated privileges, giving administrator rights at both the operating-system and the application level. To defend against this, not only firewalls and IDS/IPS but also honeypots should be deployed; a honeypot is among the most effective ways to catch attackers trying to gain and maintain access to a particular system.

• Covering Tracks:

After successfully compromising a system, an attacker will attempt to cover their tracks, drawing on forensic knowledge and anti-forensic techniques and tools. Hackers typically delete log files, audit files, and registry entries that record their failed login attempts and suspicious network activity, and use anti-forensic tools and techniques to conceal any remaining source of evidence. Attackers also use the compromised systems to launch further attacks without being detected, for example by turning the compromised device into a bot for a DDoS attack. The track-covering phase can therefore be the beginning of a new cycle [10].

Figure 1: The Ethical Hacking Lifecycle and Tools used for each stage
Literature Review
Jacob C. et al. used Software Defined Networking (SDN) for early detection and removal of ARP spoofing. They proposed a security framework that detects ARP spoofing attacks early, before the attack affects other hosts on the network. The approach extends a simple MAC-learning protocol on OpenFlow-enabled switches by hashing each host's physical address with its IP-to-port mapping, preventing ARP spoofing in real time. Seungwon S. et al. proposed an application framework, FRESCO, that exports a scripting API enabling network administrators to code security monitoring and threat detection logic. The research aimed to enable the modular design of complex OpenFlow-enabled network security services built from smaller, shareable libraries of security functions. The researchers implemented two components in the open-source OpenFlow controller NOX: an application layer that provides an interpreter and APIs to support composable applications, and a security enforcement kernel (SEK) that enforces the policy actions of the developed security applications.

Ahmed S. et al. proposed a mechanism to detect and prevent intruders by implementing an intelligent security architecture using random neural networks (RNNs). Application source code is instrumented at compile time to detect unbounded memory accesses by creating a tag paired with each memory allocation and inserting additional tag-inspection statements at each memory access. The system can detect the presence of suspicious sensor nodes within its operating range and anomalous activity on base stations. Xin M. proposed a hybrid cryptography technique (encryption paradigm) that combines the performance advantages of symmetric and asymmetric keys for IoT security. This approach focuses on protecting the application layer of IoT, ensuring the integrity, confidentiality, and non-repudiation of data transmitted over IoT using mixed cryptographic algorithms: the Advanced Encryption Standard (AES) and Elliptic Curve Cryptography (ECC). Messages and data sent and received over IoT networks are encrypted, with ECC used for digital signatures and AES used to encrypt the data.

Padraig F. et al. proposed a protocol that combines zero-knowledge proofs and key exchange mechanisms to provide secure and authenticated communication over static machine-to-machine networks. The protocol requires prior knowledge of the network's design and structure and guarantees perfect forward secrecy. A Zero-Knowledge Proof (ZKP) is a challenge/response authentication protocol that allows a party (any node in the IoT network) to demonstrate knowledge of a secret without disclosing any information that could help another party deduce that secret.
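The challenge/response idea is easiest to see in a concrete protocol. The following Python script is an added example, not the protocol of Padraig F. et al. or code from this report: a Schnorr identification proof in which a prover holding a secret x convinces a verifier that it knows x, where y = g^x mod p is public, without revealing x. The group parameters are deliberately tiny toy values chosen for readability and are an assumption that is not secure; a real deployment uses a 2048-bit group or an elliptic curve. The simulator at the end demonstrates the zero-knowledge property: an accepting transcript can be produced without the secret, so transcripts cannot help anyone deduce it.

```python
import secrets

# Toy parameters (assumption, NOT secure at this size): p = 2q + 1 is a safe
# prime and g = 4 generates the subgroup of prime order q in Z_p*.
P, Q, G = 23, 11, 4


def keygen():
    """Secret x in [1, q-1] and public value y = g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


class Prover:
    """Holds the secret x; never sends it."""
    def __init__(self, x):
        self.x = x
        self.r = None

    def commit(self):
        # Fresh randomness per round: reusing r across two challenges leaks x.
        self.r = secrets.randbelow(Q - 1) + 1
        return pow(G, self.r, P)                  # t = g^r mod p

    def respond(self, c):
        return (self.r + c * self.x) % Q          # s = r + c*x mod q


class Verifier:
    """Knows only the public y."""
    def __init__(self, y):
        self.y = y
        self.c = None

    def challenge(self):
        self.c = secrets.randbelow(Q)             # c in [0, q-1]
        return self.c

    def check(self, t, s):
        return verify_transcript(self.y, t, self.c, s)


def verify_transcript(y, t, c, s):
    # Accept iff g^s == t * y^c (mod p); holds because g^(r + c*x) = g^r * (g^x)^c.
    return pow(G, s, P) == (t * pow(y, c, P)) % P


def run_rounds(prover, verifier, rounds=20):
    """Interactive proof. A prover without x passes one round only when it
    guesses c in advance (probability 1/q), so rounds are repeated until the
    soundness error (1/q)^rounds is negligible."""
    for _ in range(rounds):
        t = prover.commit()          # prover -> verifier: commitment
        c = verifier.challenge()     # verifier -> prover: challenge
        s = prover.respond(c)        # prover -> verifier: response
        if not verifier.check(t, s):
            return False
    return True


def simulate_transcript(y):
    """Zero-knowledge: choose c and s first, then solve for t = g^s * y^-c.
    The result verifies yet was built without x, so a real transcript carries
    no information that helps recover the secret."""
    c = secrets.randbelow(Q)
    s = secrets.randbelow(Q)
    y_c_inverse = pow(pow(y, c, P), -1, P)        # modular inverse (Python 3.8+)
    t = (pow(G, s, P) * y_c_inverse) % P
    return t, c, s


if __name__ == "__main__":
    x, y = keygen()
    print("honest prover accepted:", run_rounds(Prover(x), Verifier(y)))
    wrong_x = (x % (Q - 1)) + 1                   # a secret that is not x
    print("wrong secret accepted: ", run_rounds(Prover(wrong_x), Verifier(y)))
    t, c, s = simulate_transcript(y)
    print("simulated transcript verifies:", verify_transcript(y, t, c, s))
```

Two properties carry over to the constrained-device setting the literature targets: the prover's work per round is two modular exponentiations and one multiplication, and nothing the verifier stores (only y) is secret, so a compromised verifier does not expose the prover's credential, unlike a shared password or symmetric key.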

Quangang W. implemented cryptographic security certificates. The certificates provide a one-time encryption method between communicating parties (sensor nodes in the IoT), using a simple encryption/decryption scheme combined with timestamps to ensure that the two communicating nodes are current and that messages are fresh. Pedro M. et al. showed that devices with limited capabilities and Internet Protocol (IP)-based network connectivity, such as IoT devices, can carry authentication for network access using the Extensible Authentication Protocol (EAP) over the Protocol for Carrying Authentication for Network Access (PANA). The researchers designed a version of PANA to provide the scientific community with a lightweight and interoperable first implementation of EAP/PANA for IoT devices on the Contiki operating system. Sachin B. et al. proposed an embedded security framework as part of a jointly developed software/hardware methodology that helps designers and developers deliver more secure devices. This research uses a hardware- and software-based security architecture for IoT that aims to be the best compromise between cost and efficiency, and between security and performance, by using lightweight cryptography, physical security based on trusted platform modules, standardized security protocols, and secure storage and operations.
Techniques for Mitigation/Detection
Several tools can aid in the detection of vulnerabilities:

 Nmap Scanner

The Nmap scanner looks for open ports and attempts to identify the services running on them. Vulnerability checks are then performed on open ports according to the services found there. Nmap also attempts to determine the OS version of the device.
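As an added example (not from the report), the following Python script parses Nmap's grepable output (`nmap -oG`) and flags open ports whose service names point at the OWASP categories discussed earlier: plaintext management protocols such as Telnet and FTP, and unencrypted web or MQTT interfaces. The sample scan text is constructed, and the hosts, names and service-to-risk mapping are assumptions for illustration.

```python
import re

# Service name (as Nmap reports it) -> why it matters on an IoT device.
# The mapping is an assumption for this example; extend it for your estate.
RISKY_SERVICES = {
    "telnet": "plaintext remote login (insecure network service)",
    "ftp": "plaintext file transfer (insecure network service)",
    "tftp": "unauthenticated file transfer (insecure network service)",
    "http": "unencrypted web interface (lack of transport encryption)",
    "mqtt": "unencrypted MQTT broker (lack of transport encryption)",
    "snmp": "SNMP exposed, often with default community strings",
}

# Constructed sample of `nmap -sV -oG -` output (fields are tab separated).
SAMPLE_SCAN = "\n".join([
    "# Nmap 7.94 scan initiated (constructed sample)",
    "Host: 192.168.1.10 (cam01.lan)\tStatus: Up",
    "Host: 192.168.1.10 (cam01.lan)\tPorts: 23/open/tcp//telnet///, "
    "80/open/tcp//http//GoAhead WebServer/, 554/open/tcp//rtsp///\tIgnored State: closed (997)",
    "Host: 192.168.1.20 ()\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/, "
    "22/open/tcp//ssh//OpenSSH 7.4/, 23/filtered/tcp//telnet///\tIgnored State: closed (997)",
    "Host: 192.168.1.30 (hub.lan)\tPorts: 443/open/tcp//https///, 8883/open/tcp//secure-mqtt///",
    "Host: 192.168.1.40 ()\tPorts: 1883/open/tcp//mqtt///",
    "# Nmap done (constructed sample)",
])

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)")


def parse_grepable(text: str) -> dict:
    """Return {ip: {"name": str, "ports": [{port, state, proto, service, version}]}}."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue                      # comment lines and blanks
        ip, name = m.group(1), m.group(2)
        host = hosts.setdefault(ip, {"name": name, "ports": []})
        for field in line.split("\t")[1:]:
            if not field.startswith("Ports: "):
                continue                  # e.g. "Status: Up", "Ignored State: ..."
            for entry in field[len("Ports: "):].split(", "):
                # Grepable port entry: port/state/proto/owner/service/rpcinfo/version/
                parts = entry.split("/")
                if len(parts) < 7:
                    continue
                host["ports"].append({
                    "port": int(parts[0]), "state": parts[1], "proto": parts[2],
                    "service": parts[4], "version": parts[6],
                })
    return hosts


def find_risky(hosts: dict) -> list:
    """List (ip, port, service, version, reason) for every open risky service."""
    findings = []
    for ip, host in hosts.items():
        for p in host["ports"]:
            if p["state"] == "open" and p["service"] in RISKY_SERVICES:
                findings.append((ip, p["port"], p["service"], p["version"],
                                 RISKY_SERVICES[p["service"]]))
    return findings


if __name__ == "__main__":
    for f in find_risky(parse_grepable(SAMPLE_SCAN)):
        print("%s:%d %s %s -> %s" % f)
```

Only ports in state `open` are reported; a `filtered` Telnet port (as on 192.168.1.20 in the sample) means a firewall is already doing its job and should not be counted as exposure. The version column is kept because it is the input for the next step, matching the reported product and version against known vulnerabilities.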

 Mirai Scanner

The scanner identifies the type of IoT device and attempts to log in with factory-default credentials: it establishes a TCP connection with the device to determine the device type and then tries known factory credentials against it.

 Wireshark

Using Wireshark to monitor incoming and outgoing network traffic is one way to examine the communication behaviour of the target device. Capturing on the router and streaming the capture to the analysis host is called mirroring, because it presents all Internet packets sent to and received from the local network, and therefore reveals fingerprints and potential entry points. The following command captures all traffic on the router's LAN bridge (br0), excluding the SSH session carrying the capture itself, and streams it into Wireshark:
ssh root@<router ip> tcpdump -U -w - -i br0 not port 22 | wireshark -k -i -

When first examined in Wireshark, the device was notably passive. Various DNS queries were observed resolving the client's domain names. User interaction through the web browser produced TCP handshakes, DNS resolutions, and HTTP requests. TLS 1.2 encryption was in use to protect data, including for sensitive operations such as registering and logging in users. Studying how the device used its communication ports gave a picture of which services existed: the ports seen in the data exchanged between client and server were ephemeral, dynamically assigned ports, because the device was using the upper port range (32768 to 61000 in the Linux kernel) for connections it initiated. This means that the device itself did not receive queries of any kind and instead used its own queries to the cloud service to update its current status. It also meant that the device could not be contacted by a server or peer request, as it only expected responses on its self-initiated connections.

 Ettercap

Ettercap is a tool that supports active and passive dissection of protocols (including some encrypted ones) exchanged between victims. The utility implements and simplifies techniques such as DNS spoofing and ARP poisoning [21], which allow packets to be manipulated and tampered with. This tool is introduced and demonstrated in the IoT Penetration Testing Cookbook. The Macchanger tool, available in the Kali Linux environment, spoofs the hardware MAC address of the network card when the tester wants to impersonate a device to an external server.

 TCPDump Tool

Data packets exchanged on the network can be intercepted and analyzed. The IoT Penetration Testing Cookbook uses the TCPDump tool to sniff packets. TCPDump's output can be directed to the Wireshark network protocol analyzer, which shows in more detail what data is being sent by examining the contents of each packet, i.e. as bits, hexadecimal, or plain text, together with information such as the packet's source and destination, its protocol, and its port.
Mitigation
Any system connected to the Internet can be subject to cyberattacks. However, for IoT there are some effective strategies companies can take to protect their digital environment.

 Look beyond the hardware: physical access to IoT devices is one of the most relevant vulnerabilities in this technology. However, hardware is only part of the device, so when starting a vulnerability assessment it is important to look at the entire system in which the device operates, or underperforms: the network, APIs, cloud interface, software, manufacturer's information, etc.
 Run a network mapping for an overview of your network; this is the first step toward a successful vulnerability detection process.
 Create a whitelist of the devices authorized to operate on your organization's network. This makes it easy to spot suspicious activity from unknown devices.
 Invest in artificial intelligence: digital threats are becoming more complex and harder to detect, so using smarter resources to protect your system is essential. Tools that integrate artificial intelligence (AI) can record the behaviour of devices on your network in full; automatic learning enables the AI to establish what normal network behaviour looks like and to flag suspicious patterns as potential threats.

NB: perform tests all the time. The possibility of new unauthorized devices joining the network will always be present, which is why constant testing is a key factor in keeping systems secure. A scanner is an excellent way to automate vulnerability detection assessments; such tools can identify critical security elements such as unpatched applications, newly installed software, etc.
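The device whitelist recommended above, the ARP-poisoning technique mentioned under Ettercap, and the MAC/IP-binding approach of Jacob C. et al. in the literature review can be combined into one passive check on a mirrored capture. The following Python script is an added example, not code from the report, from Ettercap or from the cited SDN framework: it reads ARP replies in the text format `tcpdump -n` prints, learns the first IP-to-MAC binding seen for each address, and raises an alert when a MAC outside the allowlist appears or when an IP is later claimed by a different MAC. The capture lines, addresses and allowlist are constructed for the example.

```python
import re

# Constructed allowlist: hardware addresses authorized on this network.
ALLOWLIST = {
    "aa:bb:cc:00:00:01": "gateway",
    "aa:bb:cc:00:00:50": "cam01",
}

# Constructed capture in the shape of `tcpdump -n -i br0 arp` output.
SAMPLE_CAPTURE = """\
12:00:01.000100 ARP, Request who-has 192.168.1.1 tell 192.168.1.50, length 28
12:00:01.000200 ARP, Reply 192.168.1.1 is-at aa:bb:cc:00:00:01, length 46
12:00:01.000300 ARP, Reply 192.168.1.50 is-at aa:bb:cc:00:00:50, length 46
12:00:05.100000 ARP, Reply 192.168.1.77 is-at de:ad:be:ef:00:77, length 46
12:00:09.200000 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:77, length 46
12:00:09.200500 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:77, length 46
"""

REPLY_RE = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d+\.\d+\.\d+\.\d+) "
    r"is-at (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
)


def parse_replies(text):
    """Yield (timestamp, ip, mac) for each ARP reply line; requests are ignored."""
    for line in text.splitlines():
        m = REPLY_RE.match(line)
        if m:
            yield m.group("ts"), m.group("ip"), m.group("mac").lower()


def monitor(replies, allowlist):
    """Return (bindings, alerts).

    bindings: ip -> first MAC seen, a simple MAC-learning table
    alerts:   (kind, timestamp, ip, detail) tuples, one per distinct event
    """
    bindings = {}
    reported_unknown = set()
    reported_conflict = set()
    alerts = []
    for ts, ip, mac in replies:
        if mac not in allowlist and mac not in reported_unknown:
            reported_unknown.add(mac)
            alerts.append(("unknown-device", ts, ip, mac))
        known = bindings.get(ip)
        if known is None:
            bindings[ip] = mac
        elif known != mac and (ip, mac) not in reported_conflict:
            # Caveat: the first binding is trusted. If the attacker answers
            # first, the table is poisoned from the start; seed bindings from
            # DHCP leases or the switch/SDN controller where that is possible.
            reported_conflict.add((ip, mac))
            alerts.append(("arp-spoof", ts, ip,
                           "%s claimed by %s, learned %s" % (ip, mac, known)))
    return bindings, alerts


if __name__ == "__main__":
    bindings, alerts = monitor(parse_replies(SAMPLE_CAPTURE), ALLOWLIST)
    for alert in alerts:
        print(alert)
```

In the sample, the unknown MAC is reported once when it first appears, and again as an ARP-spoof event when it starts answering for the gateway's IP, which is exactly the pattern an Ettercap man-in-the-middle produces; the repeated gratuitous reply is suppressed so the alert stream stays readable. Run live, the same logic can consume `tcpdump -l -n arp` output line by line.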
Discussion and Evaluation of the Proposed Solution

1. Federated Architecture

To overcome the heterogeneity of IoT devices, software, and protocols, a functional transfer mechanism and access delegation can be achieved by incorporating contextual information and secure functions. In a federated IoT environment, a model that represents transmission is realized and the IoT is secured using an identity-based, function-based access control approach. This proposed solution takes into account flexibility and scalability, which are key characteristics of IoT systems. The proposal aims to ensure the trust and integrity of software installed on IoT devices by defining policies and standards for security, and it provides a mechanism for enforcing those policies: for example, software executed on the device must be signed by an authorized party. Policies then restrict device, component, and application permissions so that each has access only to the resources it needs.

2. IoT Security Services

To address some of the security challenges of the Internet of Things, businesses and organizations need to develop and implement tools that help users determine whether devices on their home or nearby networks are vulnerable. Such tools must identify high-risk IoT devices, check for default or hard-coded passwords, and generate clear IoT vulnerability reports and remediation guides. Devices that already have communication access on the network may allow attackers to exploit vulnerable IoT devices; a vulnerability report therefore helps to secure these devices and reduces the attack surface available to would-be attackers.
Conclusion and Future Work
As future work, we can consider improving the user experience of most of the available vulnerability assessment and mitigation tools, which would make it easier for novice users to understand what vulnerabilities exist and how to fix them. Implementing such software on embedded devices (particularly network devices) is also worth investigating. Additional functionality could run scheduled vulnerability scans on hosts (IoT devices) to ensure that security checks stay up to date; this could also address security issues that arise after the initial installation of IoT devices, or apply updated security policies when new vulnerabilities emerge. Optimizing these scanners, and adding best-fit scanners that reduce scan time while uncovering most IoT-specific vulnerabilities, would greatly improve current systems.

Another important aspect of research is building a custom knowledge base of IoT devices to
remediate vulnerabilities and provide more comprehensive and useful information to users.
References

[1] F. H. and J. N., Security and Privacy in Internet of Things (IoTs): Models, Algorithms, and Implementations, 2016.

[2] R. Mahmoud, T. Yousuf, F. Aloul and I. Zualkernan, "Internet of things (IoT) security: Current status, challenges and prospective measures," in 10th International Conference for Internet Technology and Secured Transactions (ICITST), 2015.

[3] M. Bishop, "About penetration testing," IEEE Security & Privacy, 2007.

[4] L. Zhang, S. Yu and P. Watters, "A survey on latest botnet attack and defense," in IEEE Proceedings, 2011.

[5] Symantec, "Internet Security Threat Report," 2018.

[6] N. Vlajic and D. Zhou, "IoT as a Land of Opportunity for DDoS Hackers," 2018.

[7] P. Engebretson, The Basics of Hacking and Penetration Testing, 2011.

[8] Netscout and Arbor, "Getting Ready for the Next Wave of DDoS Attacks," Hong Kong Network Operators Group, Hong Kong, 2018.

[9] S. Gallagher, "Double-dip Internet-of-Things botnet attack felt across the Internet," 2016.

[10] I. Andrea, C. Chrysostomou and G. Hadjichristofi, "Internet of Things: Security vulnerabilities and challenges," in IEEE Symposium on Computers and Communication (ISCC), 2015.

[11] OWASP, "Open Web Application Security Project," 2018.

[12] A. Saeed, A. Ahmadinia, A. Javed and H. Larijani, "Intelligent intrusion detection in low-power IoTs," 2016.

[13] M. Kauffman, "IP Range Based Authentication," 2019.

[14] S. Babar, A. Stango, N. Prasad and R. Prasad, "Proposed embedded security framework for Internet of Things (IoT)," 2011.
