Identifying the attack surface for IoT network

Abstract For this research, our primary goal is to define an attack surface for networks utilizing the IoT (Internet of Things) devices. The IoT consists of systems of integrated objects, computing devices, digital, or mechanical machines that are given the ability to transmit and receive the data over a network without the need for human interaction. Each of these devices can operate independently within the existing Internet infrastructure. Issues will continue to increase as devices become more prevalent and continuously evolve to counter newer threats and schemes. The attack surface of a network sums up all penetration points, otherwise known as attack vectors. An attacker or an unauthorized user can take advantage of these attack vectors to penetrate and change or extract data from the threat environment. For this research, we define a threat model that allows us to systematically analyze the security solutions to mitigate potential risks from the beginning of the design phase. By designing an IoT architecture and breaking it down into several zones, we focus on each zone to identify any vulnerability or weaknesses within a system that allows unauthorized privileges, as well as any attacks that can target that area. We also investigate the available IoT devices across several domains (e.g., wellness, industrial, home, etc.) to provide a 1:1 and 1:n mapping across devices, vulnerabilities, and potential security threats based on the subjective assessment.

[1]  Shuyuan Jin,et al.  XSS Vulnerability Detection Using Optimized Attack Vector Repertory , 2015, 2015 International Conference on Cyber-Enabled Distributed Computing and Knowledge Discovery.

[2]  Mark Stephen Anderson,et al.  Towards Countering the Rise of the Silicon Trojan , 2008 .

[3]  Roland van Rijswijk-Deij,et al.  Measuring the impact of a successful DDoS attack on the customer behaviour of managed DNS service providers , 2019, CCRV.

[4]  Ali Ismail Awad,et al.  Cyber and Physical Security Vulnerability Assessment for IoT-Based Smart Homes , 2018, Sensors.

[5]  Antonio Iera,et al.  A systemic and cognitive approach for IoT security , 2014, 2014 International Conference on Computing, Networking and Communications (ICNC).

[6]  Jims Marchang,et al.  Hacking NHS Pacemakers: A Feasibility Study , 2019, 2019 IEEE 12th International Conference on Global Security, Safety and Sustainability (ICGS3).

[7]  Nigel H. Lovell,et al.  A web-based approach for electrocardiogram monitoring in the home , 1999, Int. J. Medical Informatics.

[8]  Khaled Labib Computer security and intrusion detection , 2004, CROS.

[9]  Geir M. Køien,et al.  Cyber Security and the Internet of Things: Vulnerabilities, Threats, Intruders and Attacks , 2015, J. Cyber Secur. Mobil..

[10]  Huseyin Cavusoglu,et al.  The critical elements of the patch management process , 2009, Commun. ACM.

[11]  Vinita Malik,et al.  Internet of Things: Risk Management , 2020 .

[12]  D. C. Chou,et al.  Disaster recovery planning: a strategy for data security , 2000, Inf. Manag. Comput. Secur..

[13]  Yong Wang,et al.  Access Control Attacks on PLC Vulnerabilities , 2018 .

[14]  Sharifah Yaqoub A. Fayi,et al.  What Petya/NotPetya Ransomware Is and What Its Remidiations Are , 2018 .

[15]  Bernd Klauer,et al.  New attack vectors for building automation and IoT , 2017, IECON 2017 - 43rd Annual Conference of the IEEE Industrial Electronics Society.

[16]  Biplab Sikdar,et al.  Consumer IoT: Security Vulnerability Case Studies and Solutions , 2020, IEEE Consumer Electronics Magazine.

[17]  Md. Zakirul Alam Bhuiyan,et al.  Security and Attack Vector Analysis of IoT Devices , 2017, SpaCCS Workshops.

[18]  Paul A. Wortman,et al.  Proposing a modeling framework for minimizing security vulnerabilities in IoT systems in the healthcare domain , 2017, 2017 IEEE EMBS International Conference on Biomedical & Health Informatics (BHI).

[19]  Jungwoo Ryoo,et al.  Cloud Security Auditing: Challenges and Emerging Approaches , 2014, IEEE Security & Privacy.

[20]  Jin B. Hong,et al.  Evaluating the Security of IoT Networks with Mobile Devices , 2018, 2018 IEEE 23rd Pacific Rim International Symposium on Dependable Computing (PRDC).

[21]  Ahmad-Reza Sadeghi,et al.  Security and privacy challenges in industrial Internet of Things , 2015, 2015 52nd ACM/EDAC/IEEE Design Automation Conference (DAC).

[22]  H. S. Chandrashekar,et al.  Packet sniffing: a brief introduction , 2003 .

[23]  Robert C. Atkinson,et al.  Threat analysis of IoT networks using artificial neural network intrusion detection system , 2016, 2016 International Symposium on Networks, Computers and Communications (ISNCC).

[24]  Christopher Krügel,et al.  TriggerScope: Towards Detecting Logic Bombs in Android Applications , 2016, 2016 IEEE Symposium on Security and Privacy (SP).

[25]  Joxean Koret,et al.  Identifying the Attack Surface , 2015 .

[26]  Wassim El-Hajj,et al.  Two factor authentication using mobile phones , 2009, 2009 IEEE/ACS International Conference on Computer Systems and Applications.

[27]  Lwin Khin Shar,et al.  Defeating SQL Injection , 2013, Computer.

[28]  Anirban Sengupta,et al.  Security in consumer electronics and internet of things (IoT) , 2019 .

[29]  Yan Cao,et al.  A Web Application Runtime Application Self-protection Scheme against Script Injection Attacks , 2018, ICCCS.

[30]  Syed Rameem Zahra,et al.  RansomWare and Internet of Things: A New Security Nightmare , 2019, 2019 9th International Conference on Cloud Computing, Data Science & Engineering (Confluence).

[31]  Marko Wolf,et al.  Strategies against being taken hostage by ransomware , 2018 .

[32]  Edward F. Gehringer Choosing passwords: security and human factors , 2002, IEEE 2002 International Symposium on Technology and Society (ISTAS'02). Social Implications of Information and Communication Technology. Proceedings (Cat. No.02CH37293).

[33]  David Kotz,et al.  ZEBRA: Zero-Effort Bilateral Recurring Authentication , 2014, IEEE Symposium on Security and Privacy.

[34]  Jalel Ben-Othman,et al.  An Investigation on Wannacry Ransomware and its Detection , 2018, 2018 IEEE Symposium on Computers and Communications (ISCC).

[35]  Wolfgang Rosenstiel,et al.  Attack Surface Modeling and Assessment for Penetration Testing of IoT System Designs , 2018, 2018 21st Euromicro Conference on Digital System Design (DSD).

[36]  Andrew P. Martin,et al.  Threat-Based Security Analysis for the Internet of Things , 2014, 2014 International Workshop on Secure Internet of Things.

[37]  Ammar Rayes,et al.  Internet of Things Security and Privacy , 2017 .

[38]  Robert Biddle,et al.  Stop Clicking on "Update Later": Persuading Users They Need Up-to-Date Antivirus Protection , 2014, PERSUASIVE.

[39]  P. Bhaskara Reddy,et al.  To detect abnormal event at ATM system by using image processing based on IOT technologies , 2018, International Journal of Engineering & Technology.

[40]  Qi Zhang,et al.  Indra: a peer-to-peer approach to network intrusion detection and prevention , 2003, WET ICE 2003. Proceedings. Twelfth IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises, 2003..

[41]  Shefalika Ghosh Samaddar,et al.  Different flavours of Man-In-The-Middle attack, consequences and feasible solutions , 2010 .

[42]  Matt Bishop,et al.  About Penetration Testing , 2007, IEEE Security & Privacy.

[43]  George C. Hadjichristofi,et al.  Internet of Things: Security vulnerabilities and challenges , 2015, 2015 IEEE Symposium on Computers and Communication (ISCC).

[44]  Yuan Liu,et al.  Study of secure boot with a FPGA-based IoT device , 2017, 2017 IEEE 60th International Midwest Symposium on Circuits and Systems (MWSCAS).

[45]  Paul Rad,et al.  Driverless vehicle security: Challenges and future research opportunities , 2020, Future Gener. Comput. Syst..

[46]  Jukka Vuorinen,et al.  Dissecting social engineering , 2013, Behav. Inf. Technol..

[47]  Christoforos Ntantogian,et al.  Commix: automating evaluation and exploitation of command injection vulnerabilities in Web applications , 2018, International Journal of Information Security.

[48]  Nora Cuppens-Boulahia,et al.  Demo: Do Not Trust Your Neighbors! A Small IoT Platform Illustrating a Man-in-the-Middle Attack , 2018, ADHOC-NOW.

[49]  Sakir Sezer,et al.  Evolution of ransomware , 2018, IET Networks.

[50]  Georgios Kambourakis,et al.  The Mirai botnet and the IoT Zombie Armies , 2017, MILCOM 2017 - 2017 IEEE Military Communications Conference (MILCOM).

[51]  Peter A. Carter Reducing the Attack Surface , 2016 .

[52]  S. Mercy Shalinie,et al.  A survey of distributed denial of service attack , 2016, 2016 10th International Conference on Intelligent Systems and Control (ISCO).

[53]  Amala V. Rajan,et al.  Internet of Things (IoT): Application systems and security vulnerabilities , 2016, 2016 5th International Conference on Electronic Devices, Systems and Applications (ICEDSA).

[54]  Antonio Esposito,et al.  Internet of things reference architectures, security and interoperability: A survey , 2018, Internet Things.

[55]  Xin Yuan,et al.  Controlling IP Spoofing through Interdomain Packet Filters , 2008, IEEE Transactions on Dependable and Secure Computing.

[56]  Hsinchun Chen,et al.  Identifying vulnerabilities of consumer Internet of Things (IoT) devices: A scalable approach , 2017, 2017 IEEE International Conference on Intelligence and Security Informatics (ISI).

[57]  Jorge Sá Silva,et al.  Security for the Internet of Things: A Survey of Existing Protocols and Open Research Issues , 2015, IEEE Communications Surveys & Tutorials.

[58]  Jason Hong,et al.  The state of phishing attacks , 2012, Commun. ACM.

[59]  Mittal S. Bhiogade Secure Socket Layer , 2001 .