The long history of the Internet started in the 1950s following the development of electronic computers. Packet switched networks, such as the ARPANet (Advanced Research Projects Agency), were developed in the 1960s and 1970s, using a variety of protocols to join separate networks. In the 1980s, the TCP/IP (Transmission Control Protocol/Internet Protocol) Internet protocol suite was standardized, and the concept of the Internet as a worldwide network was introduced. In the 1990s, owing to the introduction of almost instantaneous communications, the Internet gave rise to a real revolution in everyday life, with domains as shown in a wide variety of popular networked applications.
The concept of the Internet of Things (IoT) was introduced in 1999, after the explosion of the wireless devices market, and the introduction of the Radio Frequency Identification (RFID) and the Wireless Sensor Networks (WSN) technologies. The IoT concept aims to connect anything with anyone, anytime, and anywhere. It uses things or objects, e.g., sensors, actuators, RFID tags and readers, to enable interactions between the physical and virtual worlds.
In 2011, the number of interconnected systems exceeded the number of human beings. In 2012, nine billion devices were interconnected; this number is expected to reach 24 billion devices in 2020. The size of the financial market approaches the amount of 1.3 trillion dollars for mobile network operators in various domains and applications such as healthcare, transportation, public services and electronics applications.
IoT Security Challenge
The IoT is susceptible to many types of attacks: message modification and/or alteration, traffic analysis, Denial of Service (DoS), Distributed DoS, eavesdropping, Sybil attacks, etc. Concretely, many real attacks occurred in the latest period. An example of an attack related to the IoT was led against Supervisory Control and Data Acquisition (SCADA) systems, which aim to facilitate the management of remote systems by issuing real-time supervisory commands over communication channels. As a result of the commercial availability of cloud computing, these systems were progressively being used by IoT technology to decrease the infrastructure fees and facilitate maintenance and integration operations. highlighted several security vulnerabilities and possible attacks of these systems.
The most common and easily addressable security issues reported are:
- Boot Process Vulnerabilities: The boot sequence is a common component to target in attacks. This is primarily because the boot process is the root of trust as well as the starting point of the device’s operation, and consequently any attacks that compromise this component are capable of controlling anything that occurs in a subsequent stage of operation.
- Hardware Exploitation: Hardware level exploitation is critical as it is often overlooked by designers, who focus more on security at the software or firmware levels. These attacks rely on the hardware itself, often including tactics such as looking for debugging ports the designer has left exposed, modifying external Flash memories, glitching address lines, etc.
- Chip-Level Exploitation: Chip-level exploitation involves semi-invasive and invasive attacks on the chip itself. These are a serious threat to smart devices, which rely on trust boot sequences which rely on hardware chip assets for their security. Previously security information such as encryption and decryption keys, along with other sensitive information, was considered secure if it was stored on-chip. However, newly developed methods can extract this information, and consequently disrupt the security claims used on the assumption of on-chip security. For example, researchers were able to extract a stored AES key from the internal memory of an Actel ProASIC3 FPGA by “bumping” the internal memory.
- Encryption, Hash Function and Authentication Implementations: Similarly, many attacks today result from weak authentication mechanisms. While system designs will impose strong authentication mechanisms, e.g. x.509 certificate based TLS , unless the credentials (e.g., keys) are securely stored they can be subject to attack. As IoT devices are now exposed in open and public spaces, the ability for any attacker to recover such credentials becomes a trivial attack; once the keys are recovered, those identities are then compromised obviating the security properties afforded by any encryption mechanism.
- Backdoors in Remote Access Channels: For the sake of convenience, smart devices now commonly come equipped with channels that allow for remote communication and de-bugging after manufacture. These channels are often used for over-the-air (OTA) firmware upgrades. Any insecurities in the protocol used for the OTA firmware upgrade would allow an attacker control over the firmware of a device, and consequently complete control over the device. Additionally, manufacturers may leave in APIs used during development that would allow arbitrary command execution, or they may not properly secure some communication channels.
- Privacy concerns: Eight of the 10 devices tested, along with their corresponding cloud and mobile application components, raised privacy concerns regarding the collection of consumer data such as name, email address, home address, date of birth, credit card credentials and health information. Moreover, 90 percent of tested devices collected at least one piece of personal information via the product itself, the cloud or its mobile application.
- Insufficient authorization: 80 percent of IoT devices tested, including their cloud and mobile components, failed to require passwords of sufficient complexity and length, with most devices allowing password such as “1234.” In fact, many of the test accounts HP configured with weak passwords were also used on the products’ websites and mobile applications.
- Lack of transport encryption: 70 percent of IoT devices analyzed did not encrypt communications to the internet and local network, while half of the devices’ mobile applications performed unencrypted communications to the cloud, internet or local network. Transport encryption is crucial given that many of the tested devices collected and transmitted sensitive data across channels.
- Insecure web interface: Six of the 10 devices evaluated raised security concerns with their user interfaces such as persistent XSS, poor session management, weak default credentials and credentials transmitted in clear text. Seventy percent of devices with cloud and mobile components would enable a potential attacker to determine valid user accounts through account enumeration or the password reset feature.
- Inadequate software protection: 60 percent of devices did not use encryption when downloading software updates, an alarming number given that software powers the functionality of the tested devices. Some downloads could even be intercepted, extracted and mounted as a file system in Linux where the software could be viewed or modified.
To protect against security hazards that come along with the rise of IoT, it is imperative for organizations to implement an end-to-end approach to identify software vulnerabilities before they are exploited. Solutions like HP Fortify (And Many More Software) on Demand enable organizations to test the security of software quickly, accurately, affordably and without any software to install or manage—proactively eliminating the immediate risk in legacy applications and the systemic risk in application development.
Vulnerabilities from a large sample of IoT devices were aggregated into database. The development of the database produced a taxonomy for threats to IoT devices, and this taxonomy was used to create a set of design rules that would avoid the major mistakes in device design. Additionally, the database provides a better understanding of the severity and importance of the different potential vulnerabilities, further supplementing the design rules with a more intuitive understanding of the severity of the vulnerabilities.