A new approach to investigate IoT threats based on a four layer model

This paper is a first attempt to define a set of security vulnerabilities for the Internet of Things (IoT), in a corporate environment, in order to classify various connected objects based on a taxonomy that was previously proposed. The IoT is a complex infrastructure that we divide in four parts (objects, transport, storage, interfaces). It needs protection and supervision. The object and its ecosystem are surrounded with other devices that can become entry points or targets of attacks, even if they are protected from the outer world but not from their local environment. We study the impact of attacks (such as OS reprogramming that has been recently published) on connected thermostats and their possible consequences on their environment, as a first approach to a threat analysis for the IoT.

[1]  Peter Reiher,et al.  A taxonomy of DDoS attack and DDoS defense mechanisms , 2004, CCRV.

[2]  J. Vacca Guide to Wireless Network Security , 2006 .

[3]  Farnam Jahanian,et al.  Empirical Exploitation of Live Virtual Machine Migration , 2007 .

[4]  Hovav Shacham,et al.  Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds , 2009, CCS.

[5]  Ramjee Prasad,et al.  Proposed Security Model and Threat Taxonomy for the Internet of Things (IoT) , 2010, CNSA.

[6]  Robert Avag,et al.  Did Stuxnet Take Out 1,000 Centrifuges at the Natanz Enrichment Plant? | Institute for Science and International Security , 2010 .

[7]  Dave Evans,et al.  How the Next Evolution of the Internet Is Changing Everything , 2011 .

[8]  Esraa Alomari,et al.  Botnet-based Distributed Denial of Service (DDoS) Attacks on Web Servers: Classification and Art , 2012, ArXiv.

[9]  Jiafu Wan,et al.  Security in the Internet of Things: A Review , 2012, 2012 International Conference on Computer Science and Electronics Engineering.

[10]  S VivinSandar,et al.  Economic Denial of Sustainability (EDoS) in Cloud Services using HTTP and XML based DDoS Attacks , 2012 .

[11]  Holger Junker OWASP Enterprise Security API , 2012, Datenschutz und Datensicherheit - DuD.

[12]  Oscar Garcia-Morchon,et al.  Security Considerations in the IP-based Internet of Things , 2013 .

[13]  Aurélien Francillon,et al.  A Large-Scale Analysis of the Security of Embedded Firmwares , 2014, USENIX Security Symposium.

[14]  Mohammad Zulkernine,et al.  Attacks in Public Clouds: Can They Hinder the Rise of the Cloud? , 2014 .

[15]  Grant Hernandez,et al.  Smart Nest Thermostat A Smart Spy in Your Home , 2014 .

[16]  Gorka Irazoqui Apecechea,et al.  Seriously, get off my cloud! Cross-VM RSA Key Recovery in a Public Cloud , 2015, IACR Cryptol. ePrint Arch..

[17]  Pascal Urien,et al.  Internet of Things: A Definition & Taxonomy , 2015, 2015 9th International Conference on Next Generation Mobile Applications, Services and Technologies.

[18]  H. Viswanathan,et al.  THE FUTURE of THE INTERNET of THINGS , 2016 .