IoT Security

© 2017 Pearson Education, Inc., Hobken, NJ. All rights reserved.

 Slide 4
IoT Security
 IoT Security Risks
• IoT devices may present a variety of potential security
risks that could be exploited to harm consumers by:

(1) Enabling unauthorized access and misuse of personal

information.

(2) facilitating attacks on other systems.

(3) creating safety risks.

 IoT Security Risks
Enabling unauthorized access and misuse of personal information:
• On IoT device, a lack of security could enable intruders to access and misuse
personal information collected and transmitted to or from the device.

• Example: smart televisions enable consumers to surf the Internet, make

purchases, and share photos, similar to a laptop or desktop computer. Any
security vulnerabilities in these televisions could put the information stored on
or transmitted through the television at risk. If smart televisions or other
devices store sensitive financial account information, passwords, and other
types of information, unauthorized persons could exploit vulnerabilities to
facilitate identity theft or fraud. Thus, as consumers install more smart devices
in their homes, they may increase the number of vulnerabilities an intruder could
use to compromise personal information.
 IoT Security Risks
facilitating attacks on other systems:

• security vulnerabilities in a particular device may facilitate attacks

on the consumer’s network to which it is connected, or enable
attacks on other systems.

• Example: a compromised IoT device could be used to launch a

Denial of Service (DoS) attack. Denial of service attacks are more
effective the more devices the attacker has under his or her
control; as IoT devices proliferate, vulnerabilities could enable
these attackers to assemble large numbers of devices to use in
such attacks and launch Distributed Denial of Service (DDoS)
attack. Another possibility is that a connected device could be
used to send malicious emails.
 IoT Security Risks
Creating safety risks:

• Unauthorized persons might exploit security vulnerabilities to create risks to physical safety in some
cases.

• Examples:

1) Remote hacking into insulin pumps and change their settings so that they no longer delivered
medicine.

2) Remote hacking into a car’s built-in telematics unit and control the vehicle’s engine and braking.

3) A thief could remotely access data about energy usage from smart meters to determine whether a
homeowner is away from home.

5) Loss of control of vital infrastructures. "Who turned the lights off in the whole city?
 IoT Privacy Risks
• collection of personal information, habits, locations, health
information, financial account numbers, financial account
numbers.

• companies might use these data to make credit, insurance, and

employment decisions.

• The data gathered by the fitness tracker device could be used in

the future to price health or life insurance or to infer the user’s
suitability for credit or employment.

• Security vulnerabilities in camera-equipped devices have also

raised the specter (ghost) of spying in the home.
  Why can personal data be valuable
to others?
• Sales and Marketing.

• Credit decisions

• Insurance decisions

• Employment decisions

• Fraud and theft

  Examples of personal data that are
valuable for personal data market
• Medical records.

• Social media.

• Educational records.

• Driving offences, sporting statistics, phone records,

financial records, etc.
 Specific security/privacy best practices
IoT companies should consider
• building security into their devices at the outset (at the beginning of design), rather
than as an afterthought.

• Company should do a privacy or security risk assessment, consciously considering the

risks presented by the collection and retention of consumer information

• Companies should test their security measures before launching their products. (They
may simply forget to close vulnerability in their products through which intruders could
access personal information or gain control of the device).

• Companies should also train their employees about good security practices.
 specific security/privacy best practices
IoT companies should consider
• companies should consider implementing reasonable access
control measures to limit the ability of an unauthorized person to
access a consumer’s device and/or data. (Implement Strong
authentication and authorization protocols at the application
level)

• In the IoT ecosystem, strong authentication (at device level) could

be used to permit or restrict IoT devices from interacting with
other devices. (remember man in the middle attack)

• Companies should continue to monitor products throughout the

life cycle and, to the extent feasible, patch known vulnerabilities.
(notify consumers of security risks and updates).
  Hackable devices
• Watch Video 1  All your devices can be hacked - Avi Rubin
(Since 2011) to recognize how some members of the
academic research community hacked into devices -
including implanted medical devices such as pacemakers -
and what they discovered.
• https://youtu.be/BHHCvcCUOWU

• Answer the below questions after watching the Video.

 IOT SECURITY FEARS
• Terrorist IoT cyber attack. (terrorist threats by remote hacking of
energy smart meters in Spain for energy distribution at industrial
plants or hospitals).
• Health insurance fee increase due to fitness devices.
•  Someone being able to tell where you are, what you are doing.
• Getting locked out of your own home by your own security system.
• Hacked autonomous car crashing.
• Attack on health via a medical aid/device.
• Identity theft, impersonation.
• losing a skill or the ability to do something like driving because it
becomes automated.
 Cyber security methods
• If you’re using IoT product, don’t forget the following
additional security measures:
• Disable default passwords
• Disable UPnP (Universal Plug and Play - which allows the
device to automatically make itself available to networks).
• Keep software (firmware) up to date.
• Use encryption and authentication where possible.
• Physically keep device secure. (e.g., metal shield)
 Cyber security methods
Fog computing
• Another way to increase the security of IoT devices, is to
use ‘the fog’. The fog extends the reach of ‘the cloud’, so
it is closer to devices that create and act on IoT data.
• Using fog computing reduces security risks by acting on
data at the source
 Security Challenges in IoT Devices or systems

• IoT devices may not support complex and evolving security

algorithms due to the following factors:
• Limited memory sizes and computing capabilities.
• Encryption algorithms need higher processing power.

• Designed to operate autonomously in the field. Therefore, it

requires secure remote management. (e.g., if the device primary
connection lost, the secondary connection should be stablished)
 Security Challenges in IoT Devices or systems

• Crypto Resilience (Changing cryptographic algorithms)

• Embedded devices may outlive algorithm lifetime
• For example, Smart meters could last beyond 40 years
Crypto algorithms have a limited lifetime before they are broken.

• Physical Protection
• Mobile devices can be stolen
• Fixed devices can be moved
 Security Requirements on a Platform with
Potentially Limited Resources
• Provide lightweight authentication and data protection
protocols (integrity and confidentiality) that are not easily
compromised.
• Maintain availability of the data or the service (sourcing
data from a secondary connection in case of connection
loss)
 hypothetical IoT attack-Cisco
Watch Video 2 which describes a hypothetical IoT attack and try to
answer the below questions.
  IoT Security threats and
attacks
• The cybersecurity challenges in IoT are similar to any other IT
environment but with different dimensions. There are large
numbers of IoT devices, mostly with low protection, that physically
interact with the Internet as their main function.

• This characteristic makes them an easy target for cyber-attacks and

creates complex security challenges.

• Therefore when dealing with cybersecurity in an IoT environment,

it is essential to include device (physical) security as well as data
security.

• The more common cyber-attacks on an IoT environment are

Botnet, Man-in the-Middle, Data and Identity Theft, Code Injection,
and DDOS attacks. (Visit the link below)
  Botnet attacks
• A botnet is a number of internet enabled devices, such as
computers, smartphones or IoT equipment, that are connected
together in order to perform particular tasks.

• Botnets are commonly formed by an attacker taking control of

devices, without the knowledge or consent of the people that own
that device. It is common practice to use botnets in DDOS attacks,
for email spamming campaigns.
  Botnet attacks
• A particularly significant example is the botnet attack on
IoT devices named Mirai, which occurred in 2016.
• Mirai logged into IoT devices such as smart TVs, IP
cameras, home routers, video recorders, and other smart
home appliances using a collection of default usernames
and passwords to execute a  DDOS ( Distributed Denial of
Service) attack on a very large scale - up to 300,000 IoT
vulnerable devices where employed to attack networks
primarily in the United States.
  Botnet attacks - Mirai
• It primarily targets the internet connected systems
running Linux OS to turn them to remotely controlled
“bots”.
• These bots are then used to launch large-scale network
attacks.
  Botnet attacks - Mirai

A DDoS botnet attack is pretty straightforward. It gives attack commands to the

control server. And the control server issues attack commands to each of the
individual nodes (infected devices) in the botnet. They in turn send the attack traffic
to the target.
  Botnet attacks - Mirai

the high level topology of Mirai. There are three distinct workflows that are going
on: scanning, infection and attack.
  Botnet attacks - Mirai
The scanning workflow
is responsible for
identifying potential
new members for
inclusion in the botnet.
They consist of the
botnet nodes, a report
server and the random
systems on the internet
that are being probed. C:\ SYN Specific IP
address or randomized
IP addresses

The Mirai scanning workflow can be broken down into three primary activities:
1. SYN Port Scan – probing the internet to identify possible targets (IoT Telnet /2323)
2. Brute Force Authentication – performing simple pattern matches (list of default passwords)
3. Report Success – results are sent to a centralized reporting server (IP address or MAC of the target)
  Botnet attacks - Mirai

It is worth noting at this point that the malware code is cross-compiled on a variety of
architectures. The loader attempts to identify the architecture of the device and load the proper
executable. Then with the executable running, the device is now a member of the botnet and
begins performing the same scanning and attack activities as any other node in the botnet.
  Botnet attacks - Mirai
Repeating the Attack

The actual attack workflow is shown in the flowchart which illustrates the functionality that’s responsible for
activating the DDoS attacks on the nodes inside the botnet. The process consists of three primary activities.
• The bot master issues an attack command to the command and control server.
• The command and control system tells each node in the botnet to launch an attack with specific details.
• Once the node receives a message from the command and control system it immediately executes the desired attack
sending packets as quickly as possible with no rate limit .
  Botnet attacks - Mirai
• Covering Tracks and Blocking Competitors

• Mirai does a few things to protect itself from discovery. It’ll delete itself from
the file system once the malware is running. It deletes itself from the running
process.

• Another interesting behavior pattern is that the malware attempts to protect

itself from competing botnets. As soon as it breaks into the system, it tries to
prevent anyone else from breaking in using any other methods.
  Botnet attacks - Mirai
why botnets are effective?
• Obfuscation – The attacker is able to conceal themselves
from the victim.
• Amplification – By using compromised systems, the
attacker can launch a larger attack.
• Geographical Dispersion (distribution) – A large botnet
can span the globe making for a massively distributed
attack that is hard to mitigate.
  Man-in-the-Middle (MitM)
Attack

This is a type of impersonation attack that intercepts communications between nodes to steal
information such as authentication credentials. In this attack, a hacker captures part of the
communication, usually login credentials, and replays it to bypass the authentication phase and access
the system. Hackers may also manipulate messages and relay false information.

A scenario of a MitM within the IoT is transmission of fake sensor data to interrupt business operations
and damage physical assets. For example fake information on soil moisture can cause over-watering
and flooding in the area, damaging the crop. False low temperature readings could damage physical
devices by overheating equipment.

Watch Video 3 to know more about MitM attack

  Data and Identity Theft
• Many IoT devices such as tablets, mobile phones, and
wearable devices are configured with weak security
measures making it easy for hackers to collect user’s
personal information and Identity data.
• To perform the identity theft, hackers amass as much
personal data as possible and analyze them to discover
the identity of the target person.
• Watch Vedio 4 to look at many ways that hacker can steel your
identity.
  Code Injection
• In code injection attacks, malicious code is injected into a computer program which
changes the course of its execution. Hackers can spoof an identity (impersonation),
modify or destroy existing data, or even acquire administration of a database server.

• One method of storing IoT applications data is the use databases made using Structured
Query Language (SQL) or Extensible Markup Language (XML). However these databases
may be susceptible to code injection attacks.
• XML injection: During an XML injection an attacker tries to inject various XML tags
into the code with the intention of modifying the XML structure. A successful
attack results in a execution of a restricted operation such as modification of
payment data or unauthorized admin login. WS-Attacks.org  provides examples of
attacks and countermeasures. (http://ws-attacks.org/XML_Injection)

• SQL Injection : Is a code injection technique which involves placing malicious code
in SQL statements via input boxes on web pages. The w3schools site describes the
potential dangers of using user input in SQL statements.
(https://www.w3schools.com/sql/sql_injection.asp)
   XML injection Example
Listing 2 shows a modified payment
transaction. If the SOAP message gets
executed the attacker has to pay only
6.66$ instead of 4000.00$
  Denial of Service (DoS)
• Denial of Service (DoS) is a type of network attack where services are
interrupted or become unavailable to users, devices or applications.

• Overwhelming quantity of traffic – The target is overwhelmed with a massive

amount of data sent by the attacker at a rate not manageable by target devices,
the network, or applications. This large amount of traffic eventually slows down
the service or may even crash the system completely.

• When compared to other types of attack, DoS does not usually steal personal
information or create security breaches, but rather it denies access for
authorized users of the devices or services. This in turn may result in
organizational loss of reputation and usually has a high cost for repairing the
damage.
  Denial of Service (DoS)
• If the DoS attack originates from multiple sources it is then called a Distributed Denial of
Service (DDoS) attack.
  Vulnerabilities in IoT
• Many vulnerabilities in the traditional IT environment  still exist in IoT products
in addition to the new ones that are introduced by the complex, heterogeneous,
distributed, and dynamic IoT environment.

• The vulnerabilities exist in all parts of the IoT environment including sensors,
network, devices, applications, and interfaces. Many IoT devices are not able to
handle the security implementations as they are operating on low power chips
with low storage, memory and battery life.

• In 2014 Open Web Applications Security Project (OWASP) Identified ten major

vulnerabilities in the IoT. This was updated in 2018 .
10 Major vulnerabilities in the
IoT
1) Insecure web interfaces

IoT applications are mostly using web interfaces to

communicate to a web server. It is very common to have an
insecure web interface in IoT products with security flaws
like weak authentication and password recovery systems
(Clue that user name already exists, apply password
without limit, no two factor authentication) and
susceptibility to code injection attack (input boxes).
10 Major vulnerabilities in the
IoT
2)  Insufficient authentication / authorization
• The vulnerabilities in the authentication and authorization process is mostly
caused by an insufficient security policy that fails to properly address the security
requirements in this field. Many IoT devices accept weak passwords with no
expiration and history check. They don’t force the users to change the default
login credentials and reauthenticate for sensitive features. In many cases
encryption is not implemented during the authentication phase and login
credentials are transmitted as plain text.

• Also there are authorization vulnerabilities in many IoT interfaces resulting from
the lack of implementation of access control and privilege assignment. This
means that all users have access to all resources.
10 Major vulnerabilities in the
IoT
3: Insecure network services (Open Unsecure ports)
• Attackers take advantage of insecure network services to
launch DoS, DDoS, and botnet attacks. In many IoT
network services unnecessary ports are open and even
the required open ports are not configured with security
measures.
10 Major vulnerabilities in the
IoT
4) Lack of transport encryption
• In a secure network, traffic is encrypted in transport layers so attackers are not
able to capture the data as cleartext. In some IoT cases the transport encryption
feature is disregarded to reduce the overhead in the internal network where it
is assumed that there is no external access, however an internal attack is still
possible.
10 Major vulnerabilities in the
IoT
5) Privacy concerns
• The lack of data access control, encryption of collected
data in many IoT applications creates serious
vulnerabilities in regards to the privacy of data and
especially for the security of personal data. Hackers can
steal and compromise users personal data in the absence
of proper data protection.
10 Major vulnerabilities in the
IoT
6)  Insecure Cloud interface
• Hackers use server responses to fake usernames and passwords in “Login” and
“Forgot Password” pages to narrow down what the credentials must be. For
example if a server provides the clue that the username already exists then a
brute-force attack only needs to discover the password. Many IoT cloud
interfaces are not configured with a strong authentication system and are easy
to exploit.
10 Major vulnerabilities in the
IoT
7) Insecure mobile interface
• Mobile applications are widely used in IoT environments for collecting, storing
and transmitting data (mostly personal data) via mobile interfaces. The
communication from mobile interfaces to Cloud and IoT devices are not always
secure as in many cases data is transmitted without encryption. Also, just as
with Cloud interfaces, the existence of insufficient authentication processes in
many mobile interfaces make them susceptible to account brute-force attacks.
Accessing mobile interfaces helps the attackers to control the devices and
compromises the user data.
10 Major vulnerabilities in the
IoT
8)  Insufficient security configurability
• Many IoT devices are not compatible with security configurations
and do not have features to address security controls. IoT devices
are mostly considered as cheap, resource constrained devices
which are low in power, memory, processing ability and storage.
Configurations of many strong security measures require a higher
level of resources that would increase the price of the IoT device.
In many cases vendors cut back the security measures to make
cheaper options leading to devices with low security
configurability.
 10 Major vulnerabilities in the
IoT
9) Insecure software / firmware
• Software updates can also be troublesome for IoT devices.
Manufacturers of computing hardware often become aware of
weaknesses and vulnerabilities of the software that ships with
their hardware, and need to send out updates (or patches) to
address these threats. Having a mechanism for updating software
is itself considered a vulnerability, since it gives an avenue for
attackers to exploit that is designed for changing system code.
10 Major vulnerabilities in the
IoT
10)  Poor physical security
• Many IoT devices can be easily disassembled and the storage
medium can also be easily accessed to retrieve the data. So anyone
who has physical access to the device is a threat to the system.

• Also the USB and any other external ports on the device, especially
the unused ones, introduce a security vulnerability where attackers
can access the data and device configurations.
10 Major vulnerabilities in the
IoT
10)  Poor physical security
• The physical security of devices is an essential requirement for safeguarding a system as it
can lead to many other attacks. In an IoT environment devices are mostly required to be
placed in remote locations which makes it difficult to implement physical security
measures. Also IoT devices are constrained and more vulnerable to attacks.

• Attackers may steal the device, physically damage it, or remove the power or data cable
to disable it. Therefore physical security measures such as securing the perimeters, video
surveillance, and intelligent cases that disable devices in the event of tampering are
required to protect IoT devices from attackers. Also, many IoT devices are designed with
self-monitoring systems to trigger an alarm when they detect adjustment problems.

• It is important to implement physical device security at the early stages of IoT security
configuration to circumvent attacks caused by hardware vulnerabilities.
 Introduction to Packet
Tracer
• Learn about packet tracer (can download Packet Tracer from 
https://www.netacad.com/courses/packet-tracer-downlo
ad/
 by enrolling in Cisco’s free Introduction to Packet Tracer
 course. ).
• Watch Video 5 (Packet Tracer Demo) to learn more about packet
tracer tool.
 Practical task 1: Packet Tracer  -
Testing an IoT House
• Complete the Practical task 1: Packet Tracer - Testing an
IoT House activity. (See attached Folder named: Practical
Task 1 - Testing an IoT House - Packet Tracer)
• After completing the Packet Tracer task please answer
the quiz questions at the end of the provided document.
 IoT Device Security Requirements
1) Secure Boot (root of trust) and system Integrity

• IoT devices are sensors, actuators, controllers, and gateways.

These devices usually require operating systems and/or
application programs and data in order to operate.
• IoT devices should have measures to ensure that operating
systems and software (digital Content) are not tampered with by
hackers or malware.
• A secure boot is a process involving cryptography that allows an
IoT device to start executing authenticated and, therefore,
trusted software to operate. In the next slide we explore how to
implement such a secure boot with the help of public key-based
signature verification.
 IoT Device Security Requirements
public key-based signature verification

secure boot
(also called root
of trust) is the
cornerstone of
an electronic
device's
trustworthiness.
 Device Security
2) Secure firmware and operating system updates

It is a critical requirement that device firmware and

operating systems can be updated when vulnerabilities are
discovered. Many IoT devices are deployed in the field. It is
impractical to transport them to a central location for an
update. Therefore, some sort of secure mechanism for
updating these devices over the network must be
deployed.
 Hardware vulnerabilities
• In any IoT system, the underlying hardware plays a
crucial role in all aspects of security including firmware,
software, and networks. 
•  Hardware Trojans (HT) and Side-Channel Analysis (SCA)
attacks are considered to be the 
major hardware security threats in IoT devices.
 Hardware Trojan (HT)
• A malicious modification at any stage of the chip
manufacturing process is known as a Hardware Trojan
(HT)
• An HT attack compromises the security of the device by
corrupting the expected operation of the Integrated
Circuits (ICs). The IC malfunctioning helps attackers gain
access to the hardware and can cause changes in output,
collection of secure information, or damage to the chip.
This is a simple version of an HT attack.
 Hardware Trojan (HT)
• An HT is usually triggered by sensors, internal logic
states, input pattern or internal counter value.
The payload of an HT is the entire activity that
the Trojan executes when it is triggered.
 Hardware Trojan (HT)

In combinational trigger an extremely rare condition is selected by an attacker to

trigger the HT. The diagram shows an example of a digital combinational HT trigger
where the condition of A=0 and B=0 can result in circuit malfunction and
changes to the output.
 Hardware Trojan (HT)

A sequentially triggered HT is activated by the occurrence of a sequence or a period of

continuous operation. The simplest sequential Trojans are synchronous stand-alone counters,
which trigger a malfunction on reaching a particular count. The diagram is an example of
synchronous, where the trigger is a synchronous counter with k-bits that cause the changes in
the output when counter reaches 2k-1.
 Side Channel Attacks
• The attacker reveals the secret key from the side-
channel information such as the consumption power,
emitting electro-magnetic field, and processing time on
the chip under cryptographic operation.
• The attacker only needs oscilloscope and PC to reveal
the key information.
Simple Power Analysis attack
(SPA)
- The attacker exploits key-
dependent differences within
a power trace.

- The attacker objective is to

extract the key.

- If the power consumption trace

under multiplication and square
is distinguishable, the secret
private key d can be derived by
the attacker

60