Anatomy of Threats to the Internet of Things

The world is resorting to the Internet of Things (IoT) for ease of control and monitoring of smart devices. The ubiquitous use of IoT ranges from industrial control systems (ICS) to e-Health, e-Commerce, smart cities, supply chain management, smart cars, cyber-physical systems (CPS), and a lot more. Such reliance on IoT is resulting in a significant amount of data being generated, collected, processed, and analyzed. Big data analytics is no doubt beneficial for business development. At the same time, however, numerous threats to the availability and privacy of user data and to message and device integrity, the vulnerability of IoT devices to malware attacks, and the risk of physical compromise of devices pose a significant danger to the sustenance of IoT. This paper thus endeavors to highlight most of the known threats at the various layers of the IoT architecture, with a focus on the anatomy of malware attacks. We present the detailed attack methodology adopted by some of the most successful malware attacks on IoT, including ICS and CPS. We also deduce the attack strategy of a distributed denial-of-service attack through an IoT botnet, followed by the requisite security measures. In the end, we propose a composite guideline for the development of an IoT security framework based on industry best practices, and we highlight lessons learned, pitfalls, and some open research challenges.
