DOCSLIB.ORG

Demystifying Iot Security: an Exhaustive Survey on Iot Vulnerabilities and a First Empirical Look on Internet-Scale Iot Exploitations

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/332277406 Demystifying IoT Security: An Exhaustive Survey on IoT Vulnerabilities and a First Empirical Look on Internet-scale IoT Exploitations Article in IEEE Communications Surveys & Tutorials · April 2019 CITATIONS READS 48 2,649 5 authors, including: Nataliia Neshenko Elias Bou-Harb Florida Atlantic University University of Texas at San Antonio 12 PUBLICATIONS 84 CITATIONS 85 PUBLICATIONS 785 CITATIONS SEE PROFILE SEE PROFILE Jorge Crichigno Georges Kaddoum University of South Carolina École de Technologie Supérieure 80 PUBLICATIONS 484 CITATIONS 249 PUBLICATIONS 3,798 CITATIONS SEE PROFILE SEE PROFILE Some of the authors of this publication are also working on these related projects: Explicit feedback for congestion control inScience DMZ cyberinfrastructures based onprogramable data-plane switches View project Deep Learning View project All content following this page was uploaded by Elias Bou-Harb on 08 April 2019. The user has requested enhancement of the downloaded file. 1 Demystifying IoT Security: An Exhaustive Survey on IoT Vulnerabilities and a First Empirical Look on Internet-scale IoT Exploitations Nataliia Neshenko, Elias Bou-Harb, Jorge Crichigno, Georges Kaddoum and Nasir Ghani Abstract—The security issue impacting the Internet-of-Things physical therapy [4], while the Autism Glass [5] aims at aiding (IoT) paradigm has recently attracted significant attention from autistic children to recognize emotions of other people in real- the research community. To this end, several surveys were put time [6]. forward addressing various IoT-centric topics including intrusion detection systems, threat modeling and emerging technologies. Safety-centric IoT solutions endeavor to minimize haz- In contrast, in this work, we exclusively focus on the ever- ardous scenarios and situations. For example, the concept of evolving IoT vulnerabilities. In this context, we initially pro- connected vehicles prevents the driver from deviating from vide a comprehensive classification of state-of-the-art surveys, proper trajectory paths or bumping into objects. Further, which address various dimensions of the IoT paradigm. This such concept enables the automatic emergency notification aims at facilitating IoT research endeavors by amalgamating, comparing and contrasting dispersed research contributions. of nearest road and medical assistance in case of accidents Subsequently, we provide a unique taxonomy, which sheds [7]. Additionally, autonomous, self-driving mining equipment the light on IoT vulnerabilities, their attack vectors, impacts keeps workers away from unsafe areas, while location and on numerous security objectives, attacks which exploit such proximity IoT sensors allow miners to avoid dangerous situa- vulnerabilities, corresponding remediation methodologies and tions [8]. Moreover, deployed IoT sensors at factories monitor currently offered operational cyber security capabilities to infer and monitor such weaknesses. This aims at providing the reader environmental pollution and chemical leaks in water supply, with a multidimensional research perspective related to IoT while smoke, toxic gases and temperature sensors coupled with vulnerabilities, including their technical details and consequences, warning systems prevent ecological disasters [9]. Indeed, a which is postulated to be leveraged for remediation objectives. number of case-studies have reported on the significant impact Additionally, motivated by the lack of empirical (and malicious) of IoT on natural resources’ integrity and consumption. For data related to the IoT paradigm, this work also presents a first look on Internet-scale IoT exploitations by drawing upon more instance, water pressure sensors in pipelines monitor flow than 1.2 GB of macroscopic, passive measurements’ data. This activity and notify operators in case of a leak, while smart aims at practically highlighting the severity of the IoT problem, IoT devices and systems enable citizens to control water and while providing operational situational awareness capabilities, energy consumption [9]. In fact, the IoT notion is introducing which undoubtedly would aid in the mitigation task, at large. notable solutions for contemporary operations, well-being and Insightful findings, inferences and outcomes in addition to open challenges and research problems are also disclosed in this safety. In this context, several ongoing IoT endeavors promise work, which we hope would pave the way for future research to transform modern life and business models, hence improv- endeavors addressing theoretical and empirical aspects related to ing efficiency, service level, and customer satisfaction. the imperative topic of IoT security. The undeniable benefits proposed by the IoT paradigm, nev- Index Terms—Internet of Things, IoT Vulnerabilities, IoT ertheless, are coupled with serious security flaws. Profit-driven Data, IoT Security businesses and time-to-market along with the shortage of related legislation have stimulated manufacturers to overlook security considerations and to design potentially vulnerable I. INTRODUCTION IoT devices, opening the door for adversaries, which often HE CONCEPTION of the prominent Internet-of-Things exploit such devices with little or no effort. The negligence of T (IoT) notion is envisioned to improve the quality of mod- a number of security considerations enables the exposure of ern life. People-centric IoT solutions, for instance, significantly sensitive information ranging from unprotected video stream- enhance daily routines of elderly and disabled people, thus ing of baby monitors [10] to the uploading of unauthorized increasing their autonomy and self-confidence [1]. Implantable voice recordings, emails and passwords by Internet-connected and wearable IoT devices monitor and extract vital measure- IoT toys [11], [12]. Moreover, poorly designed devices allow ments to enable the real-time emergency alerting in order the execution of arbitrary commands and re-programming of to increase patients’ chances of survival [2]. This emerging device firmware [13]. Indeed, given the Internet-wide deploy- technology is also being leveraged to reduce response times ment of IoT devices, such malicious manipulations have a in reacting to abrupt health incidents such as the sudden profound impact on the security and the resiliency of the entire infant death syndrome during sleep [3]. Moreover, advanced Internet. Among the many cases that recently attracted the solutions for in-home rehabilitation strive to revolutionize public attention, the cyber attack launched by the IoT-specific NN and EBH are with FAU, USA; NG is with USF, USA; JC is with USC, malware Mirai [14] provides a clear example of the severity of USA; GK is with ETS, Canada the threat caused by instrumenting exploited IoT devices. In 2 this case, the primary DNS provider in the US, Dyn, became the light on currently offered IoT cyber security situational the target of an orchestrated Denial of Service (DoS) attack, awareness capabilities, which endeavor to identify, attribute, jeopardizing the profit and reputation of its clients. In fact, characterize and respond to such vulnerabilities or their Dyn lost nearly 8% of its customers right after the mentioned possible exploitation attempts. Further, given that the problem attack [15]. of IoT security is still at its infancy due to the lack of Such and other security incidents impair the confidence in IoT-relevant empirical data and IoT-specific attack signatures the IoT paradigm, hindering its widespread implementation [21], we note the shortage of literature approaches, which can in consumer markets and critical infrastructure. While the practically identify Internet-wide compromised IoT devices, disclosure of private and confidential information coupled with in near real-time, and address this research development gap the launch of debilitating DoS attacks cause various privacy by exploring unique empirical data. violations and business disruptions, the most significant danger from exposed IoT devices remains the threat to Specifically, in this survey, we uniquely approach IoT secu- people’s lives and well-being. Security risks rendered by rity by analyzing the aforementioned dimensions as they inter- unauthorized access and reconfiguration of IoT medical relay with certain identified IoT vulnerabilities. Specifically, devices, including implantable cardiac devices, have been we frame the contributions of this survey as follows: already confirmed by the US Food and Drug Administration • Amalgamating and classifying currently available IoT- (FDA) [16]. Moreover, the hacking of traffic lights [17] relevant literature surveys to highlight research trends in and connected vehicles [18], [19] not only causes havoc this emerging field and to facilitate research initiation by and increases pollution, but also possesses the capability to new researchers through eliminating repetitive research cause injury and drastic accidents leading to fatalities. While efforts. benefits from using these IoT devices and corresponding • Introducing a unique taxonomy by emphasizing and technologies possibly outweigh the risks, undoubtedly, IoT discussing IoT vulnerabilities in the context of various, security at large should be carefully and promptly addressed. previously unanalyzed dimensions through comparing, contrasting and analyzing near 100 research contribu- Several technical difficulties, including limited storage, tions.
Recommended publications
  • Turning Internet of Things(Iot) Into Internet of Vulnerabilities (Iov) : Iot Botnets

    Turning Internet of Things(Iot) Into Internet of Vulnerabilities (Iov) : Iot Botnets

    TURNING IOT INTO IOV : IOT BOTNETS 1 Turning Internet of Things(IoT) into Internet of Vulnerabilities (IoV) : IoT Botnets Kishore Angrishi Abstract—Internet of Things (IoT) is the next big evolutionary step in the world of internet. The main intention behind the IoT is to enable safer living and risk mitigation on different levels of life. Home Automation / With the advent of IoT botnets, the view towards IoT devices Smart Home has changed from enabler of enhanced living into Internet of vulnerabilities for cyber criminals. IoT botnets has exposed two Industrial Control Systems different glaring issues, 1) A large number of IoT devices are Smart City accessible over public Internet. 2) Security (if considered at all) is often an afterthought in the architecture of many wide spread Internet of Things (IoT) IoT devices. In this article, we briefly outline the anatomy of Autonomous the IoT botnets and their basic mode of operations. Some of the Vehicles Medical and healthcare major DDoS incidents using IoT botnets in recent times along Smart traffic & parking with the corresponding exploited vulnerabilities will be discussed. control We also provide remedies and recommendations to mitigate IoT Smart Metering & related cyber risks and briefly illustrate the importance of cyber Smart Grids insurance in the modern connected world. Index Terms—DDoS, IoT, IoT Botnets, Mirai Botnet, Cyber Insurance, Security I. INTRODUCTION Fig. 1. Internet of Things (IoT) The Internet of Things (IoT) is key in the digital world of connected living. The futuristic appeal to make life bit more enjoyable in a hectic day-to-day routine is enticing to many.
  • On the State of Internet of Things Security: Vulnerabilities, Attacks, and Recent Countermeasures

    On the State of Internet of Things Security: Vulnerabilities, Attacks, and Recent Countermeasures

    On the State of Internet of Things Security: Vulnerabilities, Attacks, and Recent Countermeasures DEVKISHEN SISODIA, University of Oregon In this paper, we review the state of Internet of Things (IoT) security research, with a focus on recent countermeasures that attempt to address vulnerabilities and attacks in IoT networks. Due to the fact that IoT encompasses a large range of significantly distinct environments, each of which merits their own survey, our survey focuses mainly on the smart home environment. Based on the papers surveyed, we pinpoint several challenges and open issues that have yet to be adequately addressed in the realm of IoT security research. Lastly, in order to address these open issues, we provide a list of future research directions on which we believe researchers should focus. CCS Concepts: • Security and privacy → Mobile and wireless security. Additional Key Words and Phrases: Internet of Things (IoT); security; vulnerabilities; attacks; countermeasures 1 INTRODUCTION The Internet of Things (IoT) is a computer networking paradigm that refers to scenarios where network connectivity and computing capability extends to embedded sensors and everyday devices, allowing them to generate, exchange, consume, and act upon data with minimal to no human intervention. This paradigm is possible due to recent advancements in the miniaturization of electronics, networking capabilities, and computing power. Even in its relative infancy, IoT is already impacting our everyday lives in profound ways, from healthcare to home automation. In 2018, 7 billion devices were connected to the Internet [1] and this number is expected to increase to 19.8 billion by 2023 [2]. While IoT devices and traditional machines suffer from the same types of attacks, IoT devices tend to be harder to secure due to some unique properties.
  • Measurement and Analysis of Hajime, a Peer-To-Peer Iot Botnet

    Measurement and Analysis of Hajime, a Peer-To-Peer Iot Botnet

    Measurement and Analysis of Hajime, a Peer-to-peer IoT Botnet Stephen Herwig1 Katura Harvey1;2 George Hughey1 Richard Roberts1;2 Dave Levin1 1University of Maryland 2Max Planck Institute for Software Systems (MPI-SWS) {smherwig, katura}@cs.umd.edu, [email protected], {ricro, dml}@cs.umd.edu Abstract—The Internet of Things (IoT) introduces an unprece- While there have been in-depth studies into the kinds of dented diversity and ubiquity to networked computing. It also attacks that IoT botnets have launched [8], as well as the introduces new attack surfaces that are a boon to attackers. vulnerabilities that make IoT botnets able to flourish [6], The recent Mirai botnet showed the potential and power of a [37], there remains much to understand about the underlying collection of compromised IoT devices. A new botnet, known as makeup of the vulnerable IoT devices themselves. For exam- Hajime, targets many of the same devices as Mirai, but differs ple: In what countries do more vulnerable devices reside? IoT considerably in its design and operation. Hajime uses a public peer-to-peer system as its command and control infrastructure, devices are often embedded devices; what architectures are and regularly introduces new exploits, thereby increasing its more vulnerable, and where are various architectures more resilience. popular? How large can a global IoT botnet grow today? Can an IoT botnet propagate software updates rapidly and We show that Hajime’s distributed design makes it a valu- thoroughly? able tool for better understanding IoT botnets. For instance, Hajime cleanly separates its bots into different peer groups To answer these questions and more, we present in this depending on their underlying hardware architecture.
  • Fauthesis Sample File

    Fauthesis Sample File

    A NETWORK TELESCOPE APPROACH FOR INFERRING AND CHARACTERIZING IOT EXPLOITATIONS by Nataliia Neshenko AThesisSubmittedtotheFacultyof The College of Engenireeng & Computer Science In Partial Fulfillment of the Requirements for the Degree of Master of Science Florida Atlantic University Boca Raton, FL August 2018 Copyright 2018 by Nataliia Neshenko ii ACKNOWLEDGEMENTS Iwouldliketoexpressmysinceregratitudetoeverypersonwhowasapartof my academic journey for all the support they have given me during this time. It has been honor and pleasure to work with my thesis advisor and mentor Dr. Bou-Harb, who certainly made a profound impact on my future career. His guidance had helped me navigate through the endless ocean of information and form solid knowledge in this field. His critical feedback had sharpened my ability to challenge every part of my work to produce an outcome that I can be proud of. By being an outstanding mentor, he had inspired me to soar above a level that seems to be impossible and had taught me how to encourage people to discover their potential and shape themselves. I would like to express my deep gratitude in advance to the committee members for their constructive feedback and valuable comments. This journey would not be possible without people who had shared with me the treasure of their knowledge. Dr. Mihaela Cardei, Dr. Eduardo Fernandez, Dr. Shihong Huang, Dr. Taghi Khoshgoftaar, Dr. Mehrdad Nojoumian, Dr. Dingding Wang, and Dr. KwangSoo Yang had been fantastic teachers who had given me a lot of things to think about besides homework, who had taught me to ask questions that unlock my passion for learning and exploring.

  • Your Smart Devices Put You at Risk

    Your smart devices are a security risk Table of contents Background | Method 2 Problems in the IoT 3 Timeline of problems in the IoT 4 Taxonomy of IoT vulnerabilities in context 8 User behaviors, attitudes, and vulnerabilities 11 How to protect our IoT devices 13 Conclusion 19 Background Method The Internet of Things (IoT) is everywhere. But, To gain a better understanding of the user aspect with the number of privacy and security issues of IoT, we conducted a survey via CINT. A total of they can expose us to, is it really that “smart” to 7,000 people were surveyed, with 1,000 people bring these devices into our homes? Do you from each of the following countries: Australia, always do everything you can to protect your IoT Canada, France, Germany, the Netherlands, the devices? Blame is often put on users, but they UK, and US. Participants formed representative are only the final point of a long line of problems. samples across gender, age, family situation, and income levels. The questions revolved around There is a strong community of cybersecurity which IoT devices people had in their homes, researchers — both in academia and the industry, what measures they took to secure them, and often working with government agencies — who whose responsibility they thought it was to ensure are committed to finding vulnerabilities, making the security of IoT devices. The results were the risks known, and helping to fix them. cross-referenced with a new user-focused taxonomy of the main vulnerabilities IoT devices But what if you can’t find who to go to when you are exposed to.
  • WHY ROUTERS ARE the NEW BULLSEYE in CYBER ATTACKS Anurag Shandilya K7 Computing, India

    WHY ROUTERS ARE the NEW BULLSEYE in CYBER ATTACKS Anurag Shandilya K7 Computing, India

    WWW.VIRUSBULLETIN.COM/CONFERENCE 2019 LONDON 2 – 4 October 2019 ABSOLUTELY ROUTED!! WHY ROUTERS ARE THE NEW BULLSEYE IN CYBER ATTACKS Anurag Shandilya K7 Computing, India [email protected] ABSTRACT Routers are ubiquitous and highly vulnerable to attack. Despite being the central nervous system of any network, routers are disregarded when it comes to security, as can be proven by the fact that, although vulnerabilities in routers are identifi ed and reported, most devices remain unpatched, making easy targets for cybercriminals. In recent years we have seen threat actors shift their focus from complex operating system- and network-based attacks to comparatively simple router-based ones. Other than merely brute-forcing credentials, cyber gangs have been exploiting known and zero-day router vulnerabilities to host malicious code. CVE-2018-14847 is a vulnerability affecting MikroTik RouterOS from v6.29 to v6.42, which allowed arbitrary fi le read and write over WinBox port 8291, reported in April 2018. Although a patch was available almost immediately, Coinhive, a cryptominer, exploited this vulnerability from July 2018 onwards to inject Monero mining code into the error page served up by the device when a user accessed any HTTP page. CVE-2018-10561 was reported in DZS’ GPON routers, which was then exploited by multiple pieces of router malware including Satori and Hajime to carry out their botnet operations. The Satori malware family exploited this vulnerability to download and execute shell script on the device from the /tmp directory. More recently, CVE-2019-1652 has been reported, affecting Cisco routers and allowing command injection in the router’s certifi cate generation module.