
ABSTRACT

Nowadays, technology has become an important part of our
lives. Moreover, the Internet of Things (IoT) combines mixed
technologies at the system level in many application domains.
The IoT can be applied in several environments. Therefore,
the security of the IoT has become a critical concern. Recently,
it has been observed that several types of sophisticated attack
can target the IoT and make its services unavailable to
legitimate users. This work covers IoT applications and IoT
security, including the most common attacks and the proposed
solutions. The majority of the offered solutions have various
downsides and restrictions. However, the most suitable and
reliable protection features, processes, strategies, and
approaches for dealing with sophisticated threats targeting the
IoT environment remain unknown.
This report focuses on the most common and effective solutions
for securing the IoT environment against cyberattacks, adopting
both traditional and modern approaches. Finally, this
report gives a framework and potential areas of convergence
for constructing enhanced DDoS defensive solution models.

SRM INSTITUTE OF SCIENCE AND TECHNOLOGY Page 4


TABLE OF CONTENTS

CHAPTER NO    CONTENTS

I       INTRODUCTION
II      MOTIVATION
III     LITERATURE REVIEW
IV      RECENT TRENDS
V       IOT ATTACKS
VI      REAL WORLD IOT ATTACKS
VII     CONCLUSION
VIII    REFERENCES



Semester VI Information Technology Year: III

LIST OF FIGURES

FIG NO.    TITLE

1.1     IOT Architecture
1.2     IOT Key building blocks
2.1     Cyber attack motives
7.1     IOT Security challenges


CHAPTER I

INTRODUCTION

The Internet of Things (IoT) has received a lot of interest in recent
years. Kevin Ashton was the first to propose the Internet of
Things idea in 1999. Communication between IoT devices has
become more accessible than ever before because of significant
improvements in mobile communication, Radio Frequency
Identification, cloud computing, and Wireless Sensor
Networks. Smart phones, laptops, PDAs, and other hand-held
embedded devices are all part of IoT. To connect with one
another and convey useful data to the centralized system, IoT
devices rely on wireless communication networks. The data from IoT
devices is handled in a centralized system before being distributed
to the designated recipients. Our everyday routines are more
focused on a fictitious realm of the virtual world due to the fast
rise of communication and internet technologies [3]. People can
shop, work, communicate, and nurture pets and plants in the
network's virtual environment, but humans must live in the
actual world [4]. As a result, replacing all human tasks with a totally
automated life is extremely tough. The bounding limit of this
fictitious space restricts the future development of the internet
toward better services. The Internet of Things has effectively brought
the fictitious world and the actual world onto the same
interface [5]. The adoption rate of IoT devices is now quite strong, with
an increasing number of devices linked to the internet. According to
estimates, there will be 35 billion related objects with around 300
billion linkages by 2021, generating income of over 800 billion
euros.

In China, nine billion devices are currently connected, and the number
is predicted to rise to 24 billion by 2020. The IoT will allow people and
devices to communicate anywhere, anytime, with any device, using
any service or network under ideal conditions. The basic aim of IoT is
a better future for human beings in a superior world. However,
apps and devices are not built to withstand confidentiality
threats, which raises a slew of privacy and security issues in IoT
networks, including secrecy, identification, data integrity, and access
control. Attackers and intruders target IoT devices on a daily basis. In
this work, the background of the IoT environment and its applications
in our lives are illustrated. Also, the most common and effective types of
attack and recent defense methods are presented.

FIGURE:1.1, Architecture of IOT

What is IOT?

• The Internet of Things (IoT) describes the network of physical
  objects—“things”—that are embedded with sensors, software, and
  other technologies for the purpose of connecting and exchanging
  data with other devices and systems over the internet.

• These devices range from ordinary household objects to
  sophisticated industrial tools. With more than 7 billion connected
  IoT devices today, experts are expecting this number to grow to 10
  billion by 2020 and 22 billion by 2025.

• Over the past few years, IoT has become one of the most
  important technologies of the 21st century.

• Now that we can connect everyday objects—kitchen appliances,
  cars, thermostats, baby monitors—to the internet via embedded
  devices, seamless communication is possible between people,
  processes, and things.

• By means of low-cost computing, the cloud, big data, analytics,
  and mobile technologies, physical things can share and collect
  data with minimal human intervention.

FIGURE:1.2, IOT key building blocks

CHAPTER II
MOTIVATION

• The motivation of hackers sometimes can be plain as day. Other
  times, not so much.
• As attacks on Internet of Things (IoT) devices and deployments
  escalate, it is important to understand what these attackers are
  trying to accomplish. Understanding these motives, after all, can
  help us to pinpoint why a security vulnerability represents a risk,
  to prioritize mitigation and defenses, and to focus responses to
  attacks.
• This analysis is especially important if you provide products and
  platforms to companies deploying IoT and need to ensure that
  your embedded system security is strong enough to protect your
  customers.

Cyberattack Motivations
Every year Verizon publishes the highly informative Data Breach
Investigations Report, a compilation of the characteristics and trends
of cyberattacks and threats in the previous year.
In 2018’s edition, the 11th annual, Verizon’s researchers
characterized the motivations of attackers and “threat actors” in these
ways (where the motivations can be discerned):
1. Financial gain is the dominant motivation of attackers.
2. Espionage — such as obtaining corporate or government secrets
for strategic advantage — ranks second highest as a motivation.

3. Financial gain and espionage account for almost 90% of attack
motivations. Other motivations — such as attacking a company
because of a grudge, or simply for fun — are far down the scale in
terms of motivations.

• This seems pretty straightforward and intuitive. The majority of
  attacks, malware coding, and exploit attempts are likely to be
  geared toward making money.
• But motivations for attacks might have multiple layers. Blindly
  assuming your system is safe because there is no obvious path to
  financial gain would miss the motivations behind some of the
  prevalent attacks against IoT and similar small smart devices.
• After all, how can an attacker make money by taking control of a
  surveillance camera or a home appliance? As it turns out, there are
  plenty of ways.

FIGURE:2.1, Cyber attack motives

CHAPTER III
LITERATURE REVIEW

There is no unique definition available for Internet of Things that is
acceptable by the world community of users. In fact, there are many
different groups including academicians, researchers, practitioners,
innovators, developers and corporate people that have defined the term,
although its initial use has been attributed to Kevin Ashton, an expert on
digital innovation. What all of the definitions have in common is the idea
that the first version of the Internet was about data created by people,
while the next version is about data created by things. The best definition
for the Internet of Things would be:
“An open and comprehensive network of intelligent objects that have the
capacity to auto-organize, share information, data and resources, reacting
and acting in face of situations and changes in the environment”.

Time Series
1999: The term Internet of Things is coined by Kevin Ashton, Executive
Director of the Auto-ID Center at the Massachusetts Institute of Technology
(MIT).
1999: Neil Gershenfeld first spoke about IoT principles in his
book titled “When Things Start to Think”.
1999: The MIT Auto-ID Lab was founded this year by Kevin Ashton, David
Brock and Sanjay Sarma. They helped to develop the
Electronic Product Code.
2000: LG announced plans for its first Internet refrigerator.
2002: The Ambient Orb, created by David Rose and others in a spin-off from
the MIT Media Lab, is released into the wild, with NY Times Magazine
naming it as one of the Ideas of the Year.
2003-2004: RFID is deployed on a massive scale by the US
Department of Defense in their Savi program and by Wal-Mart in the
commercial world.
2005: The UN’s International Telecommunications Union (ITU)
published its first report on the Internet of Things topic.
2008: Recognition by the EU and the First European IoT conference is
held.
2008: A group of companies launched the IPSO Alliance to promote the
use of IP in networks of “Smart Objects” and to enable the Internet of
Things.
2008: The FCC voted 5-0 to approve opening the use of the ‘white
space’ spectrum.
2008-2009: The IoT was born according to Cisco’s Business Solutions
Group.
2008: US National Intelligence Council listed the IoT as one of the 6
“Disruptive Civil Technologies” with potential impacts on US interests
out to 2025.
2010: Chinese Premier Wen Jiabao calls the IoT a key industry for China
and has plans to make major investments in Internet of Things.
2011: IPv6 public launch. The new protocol allows for
340,282,366,920,938,463,463,374,607,431,768,211,456 (2^128) addresses.

CHAPTER IV
RECENT TRENDS

Many IoT devices collect and store valuable data, while also receiving
commands over the IoT network. In order to protect critical data
transferred over the network and thus the applications running on the
device, OPTIGA™ Trust M offers a secured communication feature. It
supports the TLS and DTLS protocols to protect against eavesdropping,
tampering and message forgery.

The OPTIGA™ Trust M is a high-end security solution that provides an
anchor of trust for connecting IoT devices to the cloud, giving every IoT
device its own unique identity. This pre-personalized turnkey solution
offers secured, zero-touch onboarding and the high performance needed
for quick cloud access.

OPTIGA™ Trust M offers a wide range of security features, making it
ideal for industrial and building automation applications, smart homes
and connected consumer devices.

The turnkey set-up with full system integration minimizes design,
integration and deployment effort.

OPTIGA™ Trust M is available in two temperature ranges:

• SLS32AIA010MK standard temperature range of -25 to +85°C for
  most commercial implementations.
• SLS32AIA010ML extended temperature range of -40 to +105°C
  for harsh industrial environments.


Summary of Features

• High-end CC EAL6+ (high) certified security controller
    o ECC: NIST curves up to P-521, Brainpool r1 curve up to 512
    o RSA® up to 2048
    o AES key up to 256, HMAC up to SHA-512
    o TLS v1.2 PRF and HKDF up to SHA-512
    o TRNG/DRNG
• I2C interface with shielded connection
• Hibernate mode for zero power consumption
• USON-10 package (3 x 3 mm)
• Standard and extended temperature ranges: -40 to +105°C
• Up to 10 kB user memory
    o Protected updates
    o Usage counters
    o Dynamic object (e.g. credentials) locking
• Configurable device security monitor
• Lifetime of 20 years for industrial and infrastructure applications
• Cryptographic ToolBox commands for SHA-256, ECC and RSA®
  Feature, AES, HMAC and Key derivation.
• MIT licensed software framework on GitHub:
  github.com/Infineon/optiga-trust-m
• OPTIGA™ Trust M’s development process is certified according
  to the security standard IEC62443-4-1 for industrial automation
  and control systems, acting as an enabler to achieve component
  level certification according to IEC62443-4-2.


CHAPTER V

IOT ATTACKS
IoT devices are particularly vulnerable to network attacks such as data
thefts, phishing attacks, spoofing and denial of service attacks (DDoS
attacks).

Data theft - also known as information theft, this is the illegal transfer or
storage of personal, confidential, or financial information. This could
include passwords, software code or algorithms, and proprietary
processes or technologies.

Phishing - refers to an attempt to steal sensitive information, typically
in the form of usernames, passwords, credit card numbers, bank account
information or other important data in order to utilize or sell the stolen
information.

Spoofing - the act of disguising a communication or identity so that
it appears to be associated with a trusted, authorized source. Spoofing
attacks can take many forms, from the common email spoofing attacks
that are deployed in phishing campaigns to caller ID spoofing attacks
that are often used to commit fraud.

Denial-of-Service (DoS) attack - an attack meant to shut
down a machine or network, making it inaccessible to its intended users.

These can lead to other cyber security threats like ransomware attacks
and serious data breaches that can take businesses a lot of money and
effort to recover from.


CHAPTER VI
REAL WORLD IOT ATTACKS

Hackers have the power to launch assaults and enter thousands or
millions of unprotected connected devices, destroying infrastructure,
taking down networks, or accessing confidential data. Here are some of
the most illustrative cyber attacks demonstrating IoT vulnerabilities:

1. The Mirai Botnet

• An IoT botnet (a network of computers, each of which runs bots)
  was used to execute the worst DDoS attack against Internet
  performance management services provider Dyn back in October
  2016.

• As a result, several websites went offline, including majors like
  CNN, Netflix, and Twitter.

• After becoming infected with Mirai malware, computers
  continuously search the web for susceptible IoT devices before
  infecting them with malware by logging in using well-known
  default usernames and passwords.

• These gadgets included digital cameras and DVR players, for
  example.

2. The Verkada hack

• Verkada, a cloud-based video surveillance service, was hacked
  in March 2021.

• The attackers could access private information belonging to
  Verkada software clients and access live feeds of over 150,000
  cameras mounted in factories, hospitals, schools, prisons, and
  other sites using legitimate admin account credentials found on
  the internet.

• Over 100 employees were later found to have "super admin"
  privileges, giving them access to thousands of customer
  cameras and revealing the risks associated with over-privileged
  users.

3. Cold in Finland

• In November 2016, cybercriminals turned off the heating in two
  buildings in the Finnish city of Lappeenranta.

• After that, another DDoS assault was launched, forcing the
  heating controllers to reboot the system repeatedly, preventing
  the heating from ever turning on.

• This was a severe attack since Finland experiences severely low
  temperatures at that time of year.

4. The Jeep Hack

• In July 2015, a group of researchers tested the security of the
  Jeep SUV.

• They managed to take control of the vehicle via the Sprint
  cellular network by taking advantage of a firmware update
  vulnerability.

• They could then control the vehicle’s speed and even steer it off
  the road.

5. Stuxnet

• Stuxnet is probably the most well-known IoT attack.
• Its target was a uranium enrichment plant in Natanz, Iran.
• During the attack, the Siemens Step7 software running on
  Windows was compromised, giving the worm access to the
  industrial program logic controllers.
• This allowed the worm's developers to control different
  machines at the industrial sites and get access to vital industrial
  information.
• The first indications of a problem with the nuclear facility's
  computer system surfaced in 2010.
• When IAEA inspectors visited the Natanz plant, they saw that a
  strangely high percentage of uranium enrichment centrifuges
  were breaking. Multiple malicious files were later found on
  Iranian computer systems in 2010.
• It was discovered that the Stuxnet worm was included in these
  malicious files.
• Iran hasn't provided detailed information on the attack's results,
  but the Stuxnet virus is believed to have damaged 984
  uranium-enrichment centrifuges.
• According to estimates, this resulted in a 30% reduction in
  enrichment efficiency.


CHAPTER VII
CONCLUSION

1. Set system-wide protections - Businesses that use IoT
devices heavily should install systems specifically designed to
protect IoT devices. These systems should learn standard IoT
device behavior and know the patterns of likely threats. Whenever
threats are detected, these systems should block them, and
afterward prevent similar threats in the future.

2. Add strong passwords - One of the best ways to prevent
a cyber attack is by adding strong and unique passwords for all device
accounts, connected devices, and WiFi networks. A strong
password will be more than ten characters and include a mix of
symbols, numbers, and capital letters to make it difficult for even a
computer to guess. From there, multi-factor authentication (MFA) can give
extra security measures beyond a complex password.

3. Use a VPN - If possible, your business should use a virtual
private network (VPN) to help secure all data sent
from the WiFi network. In particular, this measure is
essential for employees who work remotely, since public
WiFi is far more vulnerable to cyber threats.

4. Create network segmentation and firewalls - IoT devices should not
have access to your entire system. Otherwise, they can be used as
exploitable entry points. By segmenting the systems, you can
keep a successful hack from going any deeper, with tools
like the OWASP IoT attack surface.

Create a "guest" network - By creating a guest network for your
devices, an attacker cannot use the device as a gateway to other
technologies like your phone, computer, or network.

5. Protect against physical tampering - From device theft or
loss to interfering with the device's power or connecting to
exposed ports like USB, SD cards, or Ethernet, physical tampering should
be guarded against. To prevent a physical attack, consider the
following actions:

• Ensure that the product has no exposed ports or connectors that are
  easily accessible to non-employees.

• Set locks or access restrictions on devices.

• Keep IoT devices in secure spaces.

• Do not leave portable IoT devices unattended.

6. Turn off social sharing features - Social sharing features
may expose your activities and location. For example, a
hacker may be able to use that information to find out when you are away
from your office or home.

7. Protect PCs, tablets, and mobile phones - Although they aren't
considered IoT, viruses, malware, and other cyber threats can seep
through IoT devices and then infect your most important
technologies. By installing quality security software on these
devices, you can protect sensitive data.
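
The password rule in recommendation 2 and the default-login weakness behind Mirai in Chapter VI can be checked together when devices are provisioned. The following is an added example, not part of the original report; the device names, the small default-credential set and the inventory are constructed for illustration.

```python
import string
from collections import defaultdict

# Constructed sample of factory-default pairs (assumption). A real audit
# would load the vendor defaults for the device models actually deployed.
KNOWN_DEFAULTS = {("admin", "admin"), ("root", "root"), ("admin", "password")}

MIN_LENGTH = 11  # the report asks for more than ten characters


def password_findings(username, password):
    """Return the list of policy rules this credential breaks."""
    findings = []
    if (username.lower(), password) in KNOWN_DEFAULTS:
        findings.append("factory-default credential")
    if len(password) < MIN_LENGTH:
        findings.append("shorter than 11 characters")
    if not any(c in string.punctuation for c in password):
        findings.append("no symbol")
    if not any(c.isdigit() for c in password):
        findings.append("no digit")
    if not any(c.isupper() for c in password):
        findings.append("no capital letter")
    return findings


def audit_inventory(devices):
    """Audit (device, username, password) records at provisioning time.

    Returns {device: [findings]} for every device with at least one
    finding. Passwords shared between devices are reported too, because
    the report asks for a unique password per device account.
    """
    report = defaultdict(list)
    seen = defaultdict(list)
    for name, user, pw in devices:
        report[name].extend(password_findings(user, pw))
        seen[pw].append(name)
    for names in seen.values():
        if len(names) > 1:
            for name in names:
                others = ", ".join(n for n in names if n != name)
                report[name].append("password reused on: " + others)
    return {name: f for name, f in report.items() if f}


# Constructed inventory for illustration only.
SAMPLE_INVENTORY = [
    ("lobby-camera", "admin", "admin"),
    ("dvr-01", "operator", "Winter2024!x"),
    ("dvr-02", "operator", "Winter2024!x"),
    ("thermostat", "svc", "t7#Lq9!mVz2@Rk"),
]

if __name__ == "__main__":
    for device, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(device, "->", "; ".join(findings))
```

Run the check where the credential is being set, so plaintext passwords never need to be stored in an inventory file.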

FIGURE:7.1, IOT security challenges

• If you’re a business that relies heavily on IoT devices, it is
important to evaluate the safety of your information systems and
the data being processed by these devices.
• You need to consider effective security solutions that can protect
your business from cyber attacks and ransomware attacks that
could occur as a result of IoT security vulnerabilities.
• Hiring a cybersecurity expert to advise and guide you is one of the
best solutions if you’re concerned about IoT vulnerabilities.
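
The segmentation and guest-network advice in recommendation 4 amounts to a default-deny policy between network segments. The following added example (not part of the original report) checks flow records against such a policy; the segment names, CIDR ranges, allow rules and flows are all constructed assumptions.

```python
import ipaddress

# Hypothetical segment layout; the CIDRs are constructed for illustration.
SEGMENTS = {
    "iot": ipaddress.ip_network("10.20.0.0/24"),
    "guest": ipaddress.ip_network("10.30.0.0/24"),
    "corporate": ipaddress.ip_network("10.10.0.0/24"),
}

# Default deny between segments: only these (source segment, destination
# segment, destination port) tuples may cross a boundary.
ALLOWED = {
    ("corporate", "iot", 443),  # management workstation to device web UI
    ("iot", "internet", 443),   # devices to their cloud service over TLS
    ("iot", "internet", 123),   # NTP
    ("guest", "internet", 443),
}


def segment_of(addr):
    """Map an IP address to its segment name, or "internet" if none match."""
    ip = ipaddress.ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "internet"


def violations(flows):
    """Return flows that cross a segment boundary without an allow rule.

    Each flow is (src_ip, dst_ip, dst_port). Traffic inside one segment
    is not judged here; that is left to per-host controls.
    """
    bad = []
    for src, dst, port in flows:
        s, d = segment_of(src), segment_of(dst)
        if s != d and (s, d, port) not in ALLOWED:
            bad.append((src, dst, port, f"{s}->{d}"))
    return bad


# Constructed flow records, e.g. as exported from a firewall log.
SAMPLE_FLOWS = [
    ("10.20.0.15", "203.0.113.7", 443),  # camera to cloud: allowed
    ("10.20.0.15", "10.10.0.8", 445),    # camera to corporate file share
    ("10.10.0.4", "10.20.0.15", 443),    # admin workstation to camera UI
    ("10.30.0.9", "10.20.0.15", 80),     # guest device reaching the camera
    ("10.20.0.15", "10.20.0.16", 8080),  # intra-segment, not judged here
]

if __name__ == "__main__":
    for src, dst, port, path in violations(SAMPLE_FLOWS):
        print(f"BLOCK {path}: {src} -> {dst}:{port}")
```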

CHAPTER VIII
REFERENCES

Links

1) ResearchGate -
https://www.researchgate.net/publication/324149744_A_Comprehensive_IoT_Attacks_Survey_based_on_a_Building-blocked_Reference_Mode

2) IEEE -
https://ieeexplore.ieee.org/document/9343051

3) Science Direct -
https://www.sciencedirect.com/science/article/pii/S2542660522000592

Papers

1) Sivapriyan, R., Sushmitha, S. V., Pooja, K., & Sakshi, N. (2021,
December). Analysis of Security Challenges and Issues in IoT Enabled
Smart Homes. In 2021 IEEE International Conference on Computation
System and Information Technology for Sustainable Solutions (CSITSS)
(pp. 1-6). IEEE.

2) Mohan Kumar, U., Siva SaiManikanta, P., & AntoPraveena, M. D.
(2019). Intelligent security system for banking using Internet of Things.
Journal of Computational and Theoretical Nanoscience, 16(8), 3296-3299.
