The Internet-of-Things (IoT) is expanding at an unprecedented pace and is poised to transform enterprises and public services and revolutionize virtually every facet of consumer lifestyles. In most cases, IoT solutions have fragmented ecosystems that consist of disparate technologies designed independently and, in many cases, for different purposes. Commonly, IoT solutions are only partially secured, if at all, and as a result are prone to a slew of security vulnerabilities that enable IoT network nodes to be compromised, provide host environments for malware, botnets and ransomware, and enable data breaches and horizontal attacks directed at adjacent systems.
For several years, researchers have demonstrated a variety of IoT vulnerabilities, and in 2014 the Open Web Application Security Project (OWASP) identified the top 10 vulnerabilities as insecure web interfaces, insufficient authentication and authorization, insecure network services, lack of transport encryption, privacy concerns, insecure cloud and mobile interfaces, insufficient security configurability, insecure software/firmware and poor physical security. The rudimentary nature of many of the attack surfaces targeting IoT demonstrates the lack of maturity of IoT security.
There are essentially three primary targets for IoT attack surfaces that are of note: attacks that aim to disrupt IoT systems, data breaches, and malicious software such as malware, ransomware and botnets. To analyze the salient characteristics of these attack surfaces, known security vulnerabilities are analyzed for several notable IoT solutions, which include:
To date, IoT systems have been generally insulated from security attacks, largely because they do not yet offer the financial (or other) rewards necessary to attract large scale malicious attacks. However, as IoT becomes more widely adopted, an increase in attacks is inevitable. Furthermore, given the diversity, scale and complexity of future IoT systems, it is crucial that robust end-to-end security taxonomies are inherent to IoT designs. We expect that conventional approaches to security will be insufficient to protect IoT systems in the future. Rather, it will be necessary for security regimes to adapt, with a growing reliance on heuristics to address the evolving security demands associated with future IoT systems.
The Internet-of-Things (IoT) is gaining tremendous market momentum and will eclipse the conventional Internet over the next decade. As this occurs, IoT promises to revolutionize enterprise operations, public services and transform consumer lifestyles. At its heart, IoT augments physical objects and environments with connectivity, and intelligent functionality including sensors, storage, microprocessors and software. The applications for IoT are vast, including residential thermostats, wearable devices, intelligent vehicle systems, smart city applications, smart grid technology, and environmental monitoring for critical infrastructure.
As IoT proliferates, security vulnerabilities are emerging and capitalizing on the broadening range of services and applications that are becoming IoT enabled. This has been exacerbated by protracted and fragmented ecosystems, and a seemingly common theme that currently prevails in IoT, where time to market trumps security considerations. Currently, IoT security threats lack the financial opportunities needed to draw the attention of career hackers; however, this is likely to change as IoT usage expands. Furthermore, the consequences of IoT security vulnerabilities are becoming increasingly serious and create the potential for physical harm to people, physical security violations, loss of private and commercially sensitive data, down-time and irreparable damage to physical equipment, and terrorist attacks that compromise critical infrastructure.
The security vulnerabilities that have been observed with current IoT solutions can be attributed to a variety of factors, including:
Many of the security vulnerabilities associated with IoT are attributable to well-known attack surfaces and generally reflect the immaturity of IoT in the context of security. This is illustrated by the list of top ten IoT vulnerabilities published by the Open Web Application Security Project (OWASP) in 2014. The list included insecure web interfaces, insufficient authentication and authorization, insecure network services, lack of transport encryption, privacy concerns, insecure cloud and mobile interfaces, insufficient security configurability, insecure software/firmware and poor physical security. The immaturity of IoT security is also illustrated by the rudimentary nature of the malicious software that targets IoT applications. However, the industry must anticipate advances in IoT security attacks and the need for improvements in security solutions, particularly in the areas of device management and protection, policy, analytics and heuristics, intrusion detection and security gateway functions.
This report is the first in a series to investigate IoT security with case studies that focus on known security threats and attack surfaces. These case studies include IoT solutions for connected cars, intelligent transportation and autonomous vehicles, smart homes and offices and commercial and public infrastructure. A subsequent report will survey the IoT security solutions provided by service providers, systems integrators and other solution providers.
Numerous security vulnerabilities have been identified for existing and proposed IoT solutions, from those that are trivial and perhaps annoying to others that are potentially catastrophic. The scope and variety of these vulnerabilities will increase with IoT adoption, and can be generally classified by those that create:
Cryptography plays a critical role in authentication, non-repudiation and data protection for IoT systems. Essentially, encryption uses secret keys to disguise data communication amongst network elements. Currently, symmetric and asymmetric key cryptography are the two general schemes that are widely used. Both symmetric and asymmetric techniques require the distribution of keys to enable the necessary encryption and decryption processes. In the case of symmetric key encryption, the same key is used for both encryption and decryption, while asymmetric encryption uses a public and private key pair, with the public key used for encryption and the private key for decryption. Commonly used symmetric key encryption techniques include DES (Data Encryption Standard), which has been superseded by AES (Advanced Encryption Standard). Since DES has known security vulnerabilities, AES is generally recommended for symmetric encryption implementations.
The RSA standard is the most commonly used asymmetric key cryptographic scheme. It is based on the difficulty of factoring large integers into their prime factors. An alternative approach promoted by Certicom (a BlackBerry company) is based on Elliptic Curve Cryptography (ECC). ECC leverages the algebraic structure of elliptic curves over finite fields, where it is computationally infeasible to find the discrete logarithm of a random elliptic curve element with respect to a publicly known base point.
The robustness of an encryption algorithm is determined by the cipher scheme and its key size. Exhibit 1 compares the key sizes that AES, RSA and ECC require to achieve approximately the same level of security. Symmetric schemes are widely used for IoT sensors because they are significantly more efficient than the commonly used RSA schemes. However, symmetric encryption creates key management challenges, since the secret keys are stored on the IoT end-points. Many of the attack surfaces discussed later in this report capitalize on the ability to compromise these secret keys. As an alternative, Certicom has been promoting its ECC scheme for IoT because it does not require secret key distribution to IoT end-points and is significantly more efficient in terms of its key size requirements relative to RSA. Currently, Certicom reports that it has issued certificates to over 80 million IoT devices, 60 million of which are for ZigBee devices used for smart metering and energy management.
Exhibit 1: Equivalent security for AES, RSA and ECC key sizes
Source: NSA 2009
Given the importance of encryption, there is currently tremendous research activity aimed at improving the robustness and manageability of the techniques that are used. For example, researchers at companies like Alcatel-Lucent, Corning, Mitsubishi, Nokia, SK Telecom and Toshiba have been developing quantum cryptography, which essentially uses the quantum characteristics of photons for an optically based cryptographic framework. Once the technology matures, quantum cryptography might be applied to future IoT systems where optical connections are used, such as contact-less transactions. Other researchers at organizations and institutions like Alcatel-Lucent, Ericsson, Fujitsu, IBM, MIT, Nokia and Stanford University have been researching homomorphic encryption techniques, which enable processing to be conducted on encrypted data without the need for it to be decrypted first. Currently, the processing requirements of homomorphic encryption prohibit its use for typical IoT applications, but it might prove fruitful if future schemes with lower processing requirements are developed.
The SSL/TLS and IPsec standards are widely used by the conventional Internet and IP networking for end-to-end security. IPsec is a network layer protocol suite which enables secure Internet Protocol (IP) communications, with mechanisms to authenticate and encrypt each IP packet of a communication session. While conventional IPsec benefits from being application agnostic, it is not well suited to many IoT solutions, particularly those that have short bursts of data activity. As a result, modifications have been made to create a variety of “lightweight” IPsec solutions that can be applied to IoT. For example, the IKEv2 (Internet Key Exchange) protocol used for IPsec key exchange can be replaced with lightweight alternatives, such as minimal-IKEv2 and the HIP Diet Exchange (HIP-DEX).
SSL/TLS is a solution developed by the open source community which is widely used for end-to-end application security for web services that operate over TCP networks. Since many IoT solutions use UDP as opposed to TCP, the DTLS variant of SSL/TLS is normally required. SSL/TLS has been subject to a variety of high profile security vulnerabilities, such as “Heartbleed”, “BEAST”, “POODLE” and “CRIME”, and given its widespread use, we believe that additional vulnerabilities will be identified in the future. However, SSL/TLS benefits from a large open source community to address these vulnerabilities as they emerge. For IoT systems to remain secure, it is crucial that they are updated with software patches as vulnerabilities are disclosed. We believe that many of the IoT solutions that use DTLS have not been patched to address known vulnerabilities and lack end-point device management schemes for this purpose.
IoT solutions use a variety of wireless networking technologies depending on the application. These include cellular (3G and LTE) and Wi-Fi for wide and local area coverage, and short range wireless technologies like ZigBee, Z-Wave, 6LoWPAN and Bluetooth. ZigBee, Z-Wave and 6LoWPAN use mesh networking to enable low powered IoT end-point devices. ZigBee is a standard that builds on the IEEE 802.15.4 stack, while Z-Wave is proprietary. 6LoWPAN is similar to ZigBee in the sense that it is built on IEEE 802.15.4, but has the added advantage of natively supporting IPv6. Bluetooth has the advantage of being widely deployed in smart-phones and computing devices, and is conventionally a peer-to-peer technology that offers higher bandwidth than ZigBee and Z-Wave, albeit with greater power demands.
In February 2015, the Bluetooth Special Interest Group (SIG) announced plans to incorporate mesh networking capabilities in the standards, with the intention of improving performance.
In response to the growing demand for low cost and efficient IoT end-point devices, the 3GPP has standardized LTE Class 0 and 1, which deliver the cost and energy efficiencies needed for IoT applications. The 3GPP plans further enhancements of LTE and the introduction of 5G, with functionality specifically targeted towards IoT applications. While the priorities for the standards are rapidly changing, we expect that LTE and 5G enhancements will include features such as multi-hop and mesh functionality, so as to eliminate the need for technologies like ZigBee and simplify wireless network architectures. We believe that this simplification will ease security challenges, particularly those attributable to network boundaries.
IoT ecosystems are typically complicated and pieced together with the support of multiple technology providers and differing security implementations that have varying degrees of robustness. In many cases, IoT systems introduce security features after the system is designed, as opposed to a more prudent approach that integrates security into the IoT design from the outset. Some solutions come with specialized implementations that have evolved from legacy systems which lack the security needed for IoT connectivity.
While IoT systems have unique security challenges created by complex ecosystems, porous network boundaries and computationally constrained end-points, we believe that many of the current vulnerabilities can be addressed with prudent implementations of existing security technologies and techniques. Notable examples include:
In addition to the basic security requirements listed above, it is becoming increasingly necessary for IoT system designers to take an end-to-end approach to security and address vulnerabilities that are attributable to fragmented ecosystems. Furthermore, given the porous and complex nature of IoT systems, a growing number of security vulnerabilities cannot be addressed with conventional security regimes, but rather call for policy and heuristic approaches that capitalize on the known characteristics and behaviors of particular IoT solutions as a means of identifying potentially malicious attacks. Notable examples include:
To illustrate the security vulnerabilities and attack surfaces that have already been identified, several case studies are analyzed below, including the connected car, autonomous vehicles and intelligent transportation, smart homes and buildings, smart meters and wireless sensor networks used to support large scale commercial and public infrastructure.
Researchers recently demonstrated security vulnerabilities in connected cars and gained widespread attention when these vulnerabilities were demonstrated on national television, culminating in their demonstration vehicle (a Jeep Cherokee) driving into a ditch after the brake calipers had been remotely disengaged. A modern vehicle has a variety of technologies that might be the target of attacks, including telematics, Internet connectivity, AM/FM/XM radio, Bluetooth, Wi-Fi, remote key entry, tire pressure monitoring and passive anti-theft systems.
In the last couple of decades, vehicles have evolved to incorporate advanced and specialized computer and networking functions. These functions include those needed for the basic operation of the car itself, and a growing variety of infotainment, security and management functions that are continuously evolving to improve driver and passenger experiences. Many of the core functions of a car, such as braking, steering and acceleration, are controlled by dedicated electronic control units (ECUs), which connect to peripheral inputs such as switches and dials and to output functions such as steering, brakes and acceleration, and are interconnected via controller area networks (CAN). The CAN allows the ECUs to broadcast state information, such as vehicle speed, so that it can be reported to other ECUs in the car. The CAN technology used in connected cars was developed by Bosch in the late 1980s and is an efficient means of enabling low latency and fault tolerant messaging amongst the multitude of ECUs operating in a modern car. While it is efficient for its intended purpose, CAN lacks the security features needed to protect cars as they become smarter and gain wireless connectivity. Many of the security breaches that have been demonstrated by security experts capitalize on poor CAN security to launch message injection attacks, which broadcast false messages (such as an incorrect vehicle speed) to induce abnormal and potentially dangerous vehicle behavior.
Modern vehicles commonly have multiple CANs, and network and computing architectures that vary dramatically, even between different models from the same manufacturer. The CANs might be isolated from each other or incorporate gateway functionality to enable inter-CAN connectivity, and the ECU configurations vary depending on how the various functions are integrated. As a consequence, security attack vectors are generally designed for specific vehicle models where the vehicle's network configuration has been reverse engineered. Although this design diversity is a deterrent, it is by no means a basis for a viable security strategy. Exhibit 2 depicts a simplified and generic connected car computing system to illustrate several of the notable characteristics of known security vulnerabilities. In particular, attacks capitalize on:
Exhibit 2: Illustration of computing system for connected cars
Source: Tolaga Research, 2015
In general the ability for a vehicle to be attacked, and the scope and severity of the attack depends on a variety of factors, which include the following:
While traditional security regimes provide some protection for connected vehicles, they are largely insufficient. Fortunately, most of the operational activities of connected vehicles are well defined, and many of the attack vectors identified by security experts can be circumvented by effective real time intrusion detection and prevention solutions. These might be implemented as gateway functions within the vehicle itself, and by network service providers when wide area network connectivity is used.
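As an added illustration of the intrusion detection approach described above (example code written for this report's discussion, not from any vehicle manufacturer or the report itself), the following monitor flags CAN frames that break a vehicle's well-defined operating pattern: frames that arrive too soon after the previous frame of the same arbitration ID, and speed reports that jump implausibly. The arbitration IDs, nominal periods, speed encoding and trace are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class CanFrame:
    ts: float      # receive timestamp in seconds
    arb_id: int    # 11-bit arbitration ID
    data: bytes    # up to 8 payload bytes


# Constructed baseline, as would be learned from a clean trace of one vehicle:
# each ID's nominal broadcast period in seconds. Values are hypothetical.
NOMINAL_PERIOD: Dict[int, float] = {0x1A0: 0.010, 0x2B0: 0.020}
SPEED_ID = 0x1A0            # hypothetical "vehicle speed" frame
MAX_SPEED_STEP_KMH = 5.0    # largest plausible change between consecutive speed frames


def decode_speed(data: bytes) -> float:
    """Hypothetical encoding: first two bytes, big-endian, in units of 0.01 km/h."""
    return int.from_bytes(data[:2], "big") / 100.0


class CanIds:
    """Flags frames that violate the learned timing profile or physical plausibility.

    State is only advanced by frames judged clean, so a single injected frame
    does not poison the baseline used to judge the next legitimate frame.
    """

    def __init__(self, tolerance: float = 0.5) -> None:
        self.tolerance = tolerance          # a gap below (1 - tolerance) * period is suspicious
        self.last_ts: Dict[int, float] = {}
        self.last_speed: Optional[float] = None

    def observe(self, f: CanFrame) -> List[str]:
        findings: List[str] = []
        period = NOMINAL_PERIOD.get(f.arb_id)
        if period is None:
            findings.append(f"unknown arbitration ID 0x{f.arb_id:03X}")
            return findings
        prev = self.last_ts.get(f.arb_id)
        if prev is not None and f.ts - prev < period * (1.0 - self.tolerance):
            findings.append(f"0x{f.arb_id:03X}: gap {f.ts - prev:.4f}s below nominal {period}s")
        speed = None
        if f.arb_id == SPEED_ID:
            speed = decode_speed(f.data)
            if self.last_speed is not None and abs(speed - self.last_speed) > MAX_SPEED_STEP_KMH:
                findings.append(f"0x{f.arb_id:03X}: speed jumped {self.last_speed} -> {speed} km/h")
        if not findings:
            self.last_ts[f.arb_id] = f.ts
            if speed is not None:
                self.last_speed = speed
        return findings


def scan(frames: List[CanFrame]) -> Dict[int, List[str]]:
    """Run the monitor over a trace; returns {frame_index: findings} for flagged frames only."""
    ids = CanIds()
    report: Dict[int, List[str]] = {}
    for i, f in enumerate(frames):
        findings = ids.observe(f)
        if findings:
            report[i] = findings
    return report


def speed_frame(ts: float, kmh: float, arb_id: int = SPEED_ID) -> CanFrame:
    return CanFrame(ts, arb_id, int(round(kmh * 100)).to_bytes(2, "big") + bytes(6))


# Constructed trace: a genuine ECU reporting ~50 km/h every 10 ms, with one
# injected frame at 20.5 ms claiming 120 km/h, and one frame from an unknown ID.
SAMPLE_TRACE = [
    speed_frame(0.000, 50.00),
    speed_frame(0.010, 50.20),
    speed_frame(0.020, 50.40),
    speed_frame(0.0205, 120.00),      # injected: arrives early and is implausible
    speed_frame(0.030, 50.60),
    CanFrame(0.031, 0x7FF, b"\x00"),  # unknown ID, not in the learned profile
    speed_frame(0.040, 50.80),
]

if __name__ == "__main__":
    for idx, found in scan(SAMPLE_TRACE).items():
        print(idx, found)
```

The timing rule alone catches the injected frame regardless of its payload; the plausibility rule adds coverage for an attacker who times injections carefully but still reports values a real car cannot produce.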
Vehicle manufacturers have been responding to reported security vulnerabilities with recalls (at tremendous cost), software upgrades and in collaboration with the mobile service providers that provide the network connectivity. Furthermore, when new vehicles are designed, we expect that increased security will be included using a variety of techniques including gateways to protect the interactivity between network domains, and intrusion detection systems, policy based solutions and heuristics to identify malicious activity.
The connected car is an initial phase in a longer term evolution in vehicular technology. With every mile driven by autonomous vehicles from companies like Google, the automotive industry inches closer towards automated and cooperative driving. As this occurs, cooperative driving will depend on inter-vehicle communications and data sharing, using techniques such as vehicular ad hoc networks (VANET). VANET is a specific category of wireless ad hoc networking that caters for vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2I) connectivity for both safety and non-safety applications.
Although VANETs have been developed over several years, they continue to be challenged by security vulnerabilities that create system disruptions, threaten private data integrity and introduce the potential for malicious software, such as botnets, to orchestrate denial of service (DoS) attacks. For example, one VANET feature is Cooperative Adaptive Cruise Control (CACC), which uses V2V communications between vehicles traveling in a lane on a highway, and beacons on the roadside, to manage vehicle spacing. Researchers have identified several security vulnerabilities for CACC, which include beacon message falsification; spoofing attacks, where adversaries impersonate vehicles and falsify their messages; replay attacks, where adversaries receive and store beacon messages so that they can be played back later with malicious intent; and eavesdropping attacks, where the adversary extracts valuable information from vehicles as they pass compromised beacons. A variety of well known security measures, including digital signatures, authentication and non-repudiation techniques, have been developed to address the types of security threats identified for VANETs. However, these security measures are challenged by the scale and dynamics of VANET environments, particularly in cases where vehicles and beacons are deemed to be “trusted insiders”. Some researchers have proposed social network security paradigms to improve the security of VANETs by classifying vehicles and beacons in terms of their “trust-worthiness”. The trust-worthiness could be based on the social relationships between vehicle owners and the cataloged reliability of the information provided by the vehicles and beacons to the “vehicle social network”.
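To make the beacon falsification and replay threats above concrete, here is an added receiver-side verifier for CACC beacons (example code written for this discussion, not from any VANET standard or the report). It rejects a beacon whose authenticity tag does not match its fields, whose timestamp falls outside a freshness window, or whose sequence number does not advance for its sender. The report describes digital signatures for this purpose; the example substitutes HMAC-SHA256 with a shared key so it runs on the standard library alone, and the sender name, key and beacon contents are constructed.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

# Constructed key for one roadside beacon. Stand-in for the per-sender
# signature verification the report mentions; the freshness and replay
# checks below do not depend on which primitive provides authenticity.
KEYS: Dict[str, bytes] = {"RSU-17": b"constructed-roadside-unit-key"}

FRESHNESS_WINDOW_S = 2.0   # a beacon older than this is rejected as stale
CLOCK_SKEW_S = 0.5         # tolerated future skew between sender and receiver clocks


def canonical(fields: dict) -> bytes:
    """Deterministic serialization so sender and receiver authenticate identical bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def make_beacon(sender: str, seq: int, ts: float, gap_m: float, speed_kmh: float) -> dict:
    """Sender side: attach an authenticity tag over all beacon fields."""
    fields = {"sender": sender, "seq": seq, "ts": ts, "gap_m": gap_m, "speed_kmh": speed_kmh}
    tag = hmac.new(KEYS[sender], canonical(fields), hashlib.sha256).hexdigest()
    return {**fields, "tag": tag}


class BeaconVerifier:
    """Receiver side: authenticity, freshness, then per-sender replay state."""

    def __init__(self) -> None:
        self.last_seq: Dict[str, int] = {}

    def verify(self, beacon: dict, now: float) -> Tuple[bool, str]:
        fields = {k: v for k, v in beacon.items() if k != "tag"}
        key = KEYS.get(fields.get("sender"))
        if key is None:
            return False, "unknown sender"
        expected = hmac.new(key, canonical(fields), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, beacon.get("tag", "")):
            return False, "bad tag (falsified or tampered)"
        if not (now - FRESHNESS_WINDOW_S <= fields["ts"] <= now + CLOCK_SKEW_S):
            return False, "stale timestamp (possible replay)"
        if fields["seq"] <= self.last_seq.get(fields["sender"], -1):
            return False, "sequence not increasing (replay)"
        self.last_seq[fields["sender"]] = fields["seq"]
        return True, "ok"


def demo() -> List[str]:
    """Walk one genuine beacon stream through the attacks the text describes."""
    v = BeaconVerifier()
    b1 = make_beacon("RSU-17", 1, 100.0, 30.0, 95.0)
    b2 = make_beacon("RSU-17", 2, 100.2, 30.5, 95.0)
    forged = dict(b2, gap_m=80.0)   # attacker edits the gap but cannot recompute the tag
    return [
        v.verify(b1, now=100.5)[1],     # genuine, fresh: accepted
        v.verify(b1, now=101.0)[1],     # same beacon replayed at once: sequence already seen
        v.verify(forged, now=100.7)[1], # falsified field: tag mismatch
        v.verify(b2, now=100.7)[1],     # genuine next beacon: accepted
        v.verify(b2, now=110.0)[1],     # captured and replayed 10 s later: stale
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```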
Even though smart homes and offices have featured for many years in trade-shows, company presentations and science fiction movies, adoption has been limited to the privileged few. However, smart homes are getting swept up in the IoT fever and benefiting from global initiatives such as those aimed at driving residential energy efficiencies. The smart-home and office IoT solutions that are currently being adopted include smart-metering, security and surveillance, intelligent lighting, and smart entertainment devices. These solutions are being supported by a slew of high profile companies including Cisco, Google, AT&T, Philips, Verizon, SK Telecom, NTT DoCoMo, Samsung, and General Electric.
A variety of security vulnerabilities have been identified for IoT solutions in smart homes and buildings, and more can be expected with increased adoption. Many of these vulnerabilities capitalize on the ability to snoop sensitive data when it is stored and accessible locally on the IoT devices, and when it is sent unencrypted over wireless links. The sensitive data includes identifiers and security credentials, which enable rogue devices to circumvent authentication and non-repudiation mechanisms, with the potential for dire consequences. Furthermore, researchers have identified several smart meter botnets, which are intended for distributed denial of service (DDoS) attacks.
Smart meters are being deployed to monitor and manage electricity, water and gas utilities for households across the globe. The worldwide installed base of smart-meters is approaching 500 million, with nearly 100 million meters having been shipped since 2014. Researchers have identified a variety of security vulnerabilities for smart meters, which include the following:
Given the intended scale of smart-meter deployments and the direct touch points that the meters have with residential, commercial and industrial environments, we believe that improved security measures are needed as new meters are launched, and legacy meters must be upgraded to eliminate known security threats. In particular, the smart meter platforms must be hardened with tamper protection, and encryption keys and IDs must be better protected. In addition to conventional security measures, we believe that real-time and network based heuristics and analytics are needed with particular emphasis towards intrusion detection to identify abnormal network activity.
Everyday functions in residential, commercial and public buildings, such as lighting, video surveillance and environmental control, are becoming IoT enabled. As this occurs, a variety of security vulnerabilities have been identified, which not only allow the IoT systems to be hacked, but in many cases create an entry point into adjoining systems and, in the case of video surveillance, compromise the security functions that the surveillance system is intended to fulfill.
Exhibit 3: Identifying the attack surfaces for residential IoT
Source: Tolaga Research, 2015
A smart-home system that consists of connected lighting, connected infotainment, surveillance and security, and environmental control is illustrated in Exhibit 3. A variety of attack surfaces have been identified, which target the various ecosystem components shown in Exhibit 3. In particular:
Public services and commercial operations are becoming increasingly reliant on IoT functionality for managing critical infrastructure and services, which are served by large wireless sensor networks (WSN). There are a variety of attack surfaces which target the physical, link and network layers of WSNs. These attack surfaces capitalize on the complicated and dynamic networking architectures commonly associated with WSNs, the lack of tamper-resistant hardware to keep node costs low, and the limited storage and computation resources which restrict cryptographic functionality.
The physical layer of WSNs consists of ad hoc wireless connections between sensor nodes, which are vulnerable to attacks through wireless jamming techniques and by tampering with the nodes themselves. Wireless jamming is effectively a DoS attack where a jamming signal creates in-band interference to disrupt legitimate wireless connections. There are a variety of jamming techniques in use, from the simplest case of constant jamming from a single source to more complicated techniques designed to disguise the attack, including “random jamming”, where the compromised node or external source randomly cycles between jamming and sleep states; “deceptive jamming”, where the compromised node inserts normal-looking packets into the channel without any gaps between them; and “reactive jamming”, where the compromised node only jams the channel when it detects that it is occupied by legitimate traffic. A variety of techniques can be used to reduce the susceptibility of WSNs to jamming, including spread spectrum and, in some cases, interference cancellation techniques, link layer channel surfing, and the isolation and quarantining of affected areas.
Since WSN nodes are commonly deployed in hostile environments, they are vulnerable to physical tampering attacks. The attacks include both invasive and non-invasive techniques. The invasive approaches are generally less common and involve sophisticated hardware hacking that capitalizes on nodes being unmanned and not physically supervised. Non-invasive attacks are more common and can involve a variety of attack vectors. Examples include disrupting the Bootstrap Loader (BSL) so that the attacker gains read/write privileges for the micro-controller and external flash/EEPROM memory on the device, and attacking the test ports on the nodes. These vulnerabilities can be mitigated with tamper-resistant architectures, which use techniques to restrict software changes and mask access to symmetric keys, together with intrusion detection techniques such as monitoring interfaces for abnormal activity.
The link layer in a WSN has three key functions: framing, error control and link management. Framing groups the traffic bit sequences into packet and frame formats. Error control makes sure the sent bits are validated and arrive successfully. Link management is responsible for link discovery and management.
Notable link layer attacks include collision and exhaustion attacks. In particular, a collision attack occurs when an adversary node listens for messages from a legitimate node and then transmits its own message to disrupt the legitimate one. When the “collided” message is received, it fails its cyclic redundancy check (CRC) and is discarded. The protection techniques described above for jamming can also be effective against collision attacks. In cases where the collision attacks only create minor errors in the messages, additional error correction can be used to mitigate the effect. Exhaustion attacks are a specific type of collision attack, where collisions are introduced towards the end of transmission frames, which can result in the nodes being continuously asked to retransmit, ultimately exhausting their resources. To protect against exhaustion attacks, WSNs use a variety of techniques to limit the admission control rate.
WSNs have unique network layer functionality attributable to the ad hoc and mesh networking commonly used for scalable and reliable networking. This introduces a variety of attack vectors which aim to disrupt traffic routing through the WSN. Notable examples include:
In general, WSN network vulnerabilities can be attributed to several factors, including the underlying network design, inadequate cryptographic protection, and inadequate tamper-proofing in WSN sensor nodes. Furthermore, given the dynamic nature of WSN network architectures, there is a growing need for heuristic techniques to identify unusual behavior that might indicate that a WSN network has been compromised.
The security protection required by a WSN varies depending on the service that the WSN is fulfilling, and the security requirements of adjacent environments that might be accessible from the WSN. For example, a WSN used for non-critical environmental temperature monitoring generally requires fewer security protection mechanisms than a WSN consisting of seismic sensors that monitor environmental conditions in the vicinity of a nuclear power plant. WSN designers must balance these security requirements against the cost and functionality of the systems they implement.
As IoT adoption accelerates, so does its impact on commercial and public infrastructure and consumer services. To date, IoT implementations have lacked the security rigor needed to ensure the integrity of the systems that they impact. The security vulnerabilities and attack surfaces identified for many of the IoT implementations studied in this report are relatively rudimentary, particularly in the areas of cryptography, the management of security credentials and keys, the protection of device software and firmware from malicious tampering, and consideration for legacy system architectures.
Currently, IoT lacks the financial rewards to capture the attention of sophisticated hackers. However, we expect that this will change as IoT becomes more widely adopted. Furthermore, since IoT solutions have porous and dynamic network boundaries and commonly consist of end-point devices with limited computational capabilities, we believe that future security solutions will require heuristics that monitor and respond to abnormal system activity for particular IoT solutions. An upcoming research report from Tolaga will investigate these demands.