
IAF: IoT Attack Framework and Unique Taxonomy



Abstract

In the early 2000s, the Internet meant connecting different communication devices, whereas the focus in recent years has been on connecting ‘things’ to the Internet. Although there is no definitive classification for these devices and things, the Internet of Things (IoT) ecosystem primarily consists of a complex network of devices, sensors, and things. These ‘things’ are controlled by humans and use the existing cloud infrastructure. They provide facilities and benefits that make our lives more comfortable. IoT domains include smart homes, healthcare, manufacturing, smart wearables, smart cities, smart grids, industrial IoT, connected vehicles, and smart retail. IoT models include human-to-IoT, IoT-to-IoT, and IoT-to-traditional-system architectures. In most scenarios, the architecture ends up connected to the unsecured Internet.


This has opened up several critical issues leading to cybersecurity attacks on IoT devices. IoT communications, protocols, and architectures were never designed to withstand modern cybersecurity attacks, and IoT devices have limited compute, storage, network, and memory resources. In this research, the authors present a unique IoT attack framework named IAF that focuses on the impact of IoT attacks on IoT applications and service levels. The authors also propose an all-inclusive attack taxonomy classifying the various attacks on IoT ecosystems.


IoT Attack Taxonomy


Based on the collected IoT attack details, the authors propose an all-inclusive IoT attack taxonomy with five main categories of IoT attacks, covering both internal and external threat sources on IoT ecosystems. Figure 1 illustrates the proposed IoT Attack Taxonomy.


The first category covers threats and attacks at the application level: the IoT services and features, web and API access, and the device admin interface. Most cyberattacks use this threat vector, leaving many IoT applications susceptible, since IoT manufacturers do not necessarily invest in quality penetration testing and vulnerability analysis. New-age attacks involve code-level and app-level attacks, malicious code and database injection, cross-site scripting, exploitation of weak implementations, and misconfigurations. Pre-shared key attacks on the CoAP protocol lead to data exposure, data loss, data manipulation, data leakage, account hijacking, distributed denial of service attacks, targeted exploits, virtual machine hopping, and malicious creation.


The second category considers attacks on networks, specifically wired and wireless connectivity. The first group covers wired cables connected to copper, fiber, and HDMI ports. The second group covers wireless communications and the attacks that come with the insecure Internet. The third group covers RFID technology vulnerabilities. Unlike Internet systems, where one IP stack serves different operating systems and network devices, IoT networks use different protocols for different devices. These attacks target both data at rest and data in motion.


The third category relates to IoT protocols, most of which are lightweight stacks designed for dedicated IoT devices. It covers Near Field Communication (NFC) issues and Bluetooth attacks such as Bluejacking, Bluebugging, and Bluesnarfing, as well as the issues of low-power and lossy networks. It also covers environment discovery of other IoT devices through TCP/UDP attacks such as port scans, fragmentation, SYN-ACK flooding, TCP/UDP floods, and denial of service attacks.
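Port scans and SYN floods look alike on the wire (both are streams of SYN packets at the device) but differ in what they leave behind, and that difference is what a detector keys on. The following is an added example, not code from the paper: it parses a constructed, tcpdump-style packet summary (one packet per line) and flags a source as a port scanner when it SYNs many distinct ports, and as a SYN flooder when it leaves many connections half-open, i.e. SYNs that are never completed with an ACK or torn down with a RST. The line format, thresholds, and the capture built by `constructed_capture()` are all assumptions made for the example.

```python
import re
from collections import defaultdict

# One packet per line, in a simplified tcpdump-like form (constructed format):
#   <seconds> <src_ip>:<src_port> > <dst_ip>:<dst_port> <tcp_flags>
# Flags use tcpdump letters: S = SYN, S. = SYN-ACK, . = ACK, R / R. = RST.
LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<flags>\S+)$")


def parse_line(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    d = m.groupdict()
    return {"ts": float(d["ts"]), "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]), "flags": d["flags"]}


def analyse(lines, target, scan_ports=10, half_open=20):
    """Flag sources that SYN-scan or SYN-flood `target`.

    A SYN scan touches many distinct ports, but each probe is closed quickly
    (RST from the target for closed ports, RST from the scanner after a
    SYN-ACK), so it leaves almost no half-open connections. A SYN flood does
    the opposite: few ports, many SYNs that are never completed or reset.
    """
    syn_ports = defaultdict(set)   # src -> distinct destination ports SYNed
    pending = {}                   # (src, sport, dport) -> ts of uncompleted SYN
    for rec in filter(None, map(parse_line, lines)):
        if rec["dst"] == target:
            key = (rec["src"], rec["sport"], rec["dport"])
            if rec["flags"] == "S":
                syn_ports[rec["src"]].add(rec["dport"])
                pending[key] = rec["ts"]
            elif "R" in rec["flags"] or "S" not in rec["flags"]:
                pending.pop(key, None)   # client ACK or RST ends the half-open state
        elif rec["src"] == target and "R" in rec["flags"]:
            # target refused the connection (closed port): nothing left half-open
            pending.pop((rec["dst"], rec["dport"], rec["sport"]), None)

    half_open_count = defaultdict(int)
    for src, _, _ in pending:
        half_open_count[src] += 1

    findings = {}
    for src in set(syn_ports) | set(half_open_count):
        labels = []
        if len(syn_ports[src]) >= scan_ports:
            labels.append("port_scan")
        if half_open_count[src] >= half_open:
            labels.append("syn_flood")
        if labels:
            findings[src] = labels
    return findings


def constructed_capture(target="192.168.1.1"):
    """Constructed sample capture: one normal session, one SYN scan of 25
    ports, and one SYN flood of 30 connections that are never completed."""
    lines = [f"0.000 192.168.1.20:51000 > {target}:23 S",
             f"0.001 {target}:23 > 192.168.1.20:51000 S.",
             f"0.002 192.168.1.20:51000 > {target}:23 ."]
    open_ports = {22, 23, 80}
    for i, port in enumerate(range(20, 45)):
        t = 1.0 + i * 0.01
        lines.append(f"{t:.3f} 192.168.1.10:{40000 + i} > {target}:{port} S")
        if port in open_ports:
            lines.append(f"{t + 0.001:.3f} {target}:{port} > 192.168.1.10:{40000 + i} S.")
            lines.append(f"{t + 0.002:.3f} 192.168.1.10:{40000 + i} > {target}:{port} R")
        else:
            lines.append(f"{t + 0.001:.3f} {target}:{port} > 192.168.1.10:{40000 + i} R.")
    for i in range(30):
        t = 2.0 + i * 0.001
        lines.append(f"{t:.3f} 10.0.0.7:{50000 + i} > {target}:80 S")
        lines.append(f"{t + 0.001:.3f} {target}:80 > 10.0.0.7:{50000 + i} S.")
    return lines


if __name__ == "__main__":
    for src, labels in analyse(constructed_capture(), "192.168.1.1").items():
        print(src, ", ".join(labels))
```

Run against the constructed capture it reports `192.168.1.10` as a port scanner and `10.0.0.7` as a SYN flooder, while the legitimate client `192.168.1.20` is not flagged. A real deployment would evaluate the counters over a sliding time window rather than the whole capture, and would tune the thresholds to the device's normal connection rate.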


The fourth category focuses on physical attacks targeting IoT hardware and components, along with the cables connecting the edge devices of the IoT ecosystem. Other physical attacks include theft, damage, and device impairment. RFID readers and tags, sensor nodes, actuators, and microcontrollers are a few examples. Such critical weaknesses allow attackers to impersonate paired devices and establish malicious ‘secure’ connections.


The fifth category includes IoT operating system and firmware attacks. These include malware such as viruses, worms, Trojans, and backdoors, and attacks such as brute force, including phishing attempts against the IoT device owners. Firmware attacks include hardware attacks built on IoT firmware attacks, which comprise reverse engineering, control hijacking, and eavesdropping. IoT devices running in smart homes and commercial environments have Bluetooth protocol vulnerabilities. Bluetooth chips from vendors such as Intel, Apple, Qualcomm, and Broadcom are vulnerable to impersonation attacks, mounted from Bluetooth-enabled attacker smartphones and laptops against insecure, vulnerable IoT devices. This type of Bluetooth vulnerability lets attackers insert a rogue device between two legitimately paired Bluetooth devices and then assume the identity of either of them. To execute this, attackers exploit IoT authentication weaknesses by passively gathering the victim's ID/name, IP address, and a few exploitable services and features of the victim device. No physical access is needed; the attacker only has to be within Bluetooth range (at most around 250 meters) of the target. Because such attacks are neither loud nor mass-scale over the network, they have a low probability of being noticed and often go undetected.


Experimental Results

The authors configured a Kali Linux 2019 system (192.168.10.10) with IoT vulnerability scanning and exploit deployment tools, as presented in Figure 2, for performing attacks on the target device (192.168.1.1). The IoT vulnerability and exploit tool uses the information gathered by the NMAP scan and runs in autopwn mode to scan for known and unknown vulnerabilities.

Figure 2: IoT Attack Process

Figure 3: Scanning the target IoT device

Figure 3 illustrates the scanning that follows the initial NMAP run against the IoT device 192.168.1.1 as the target. Some identifying details of the compromised IoT device have been hidden for privacy.



Figure 4: IoT device exposures

The vulnerability/exploit tool runs internal threads that check for known vulnerabilities, with multiple inspections for the various IoT device exposures, as illustrated in Figure 4. If the IoT device model or manufacturer is known, using specific exploits against that model is straightforward and the corresponding modules are executed. If the exact make and model of the IoT device are not known, the exploit scanner runs autopwn threads for all known and unknown vulnerabilities.


Figure 5: Thread Termination & Exploit Check

Exploit threads that do not match any known or unknown vulnerability are terminated, while threads that confirm a vulnerability display the list of matching exploits and modules, as illustrated in Figure 5.

Figure 6: Custom exploits available for the IoT device

Figure 6 illustrates the list of custom exploits available for the IoT device, e.g. an HTTP service exploit for RCE and information disclosure, which confirms that the IoT device is vulnerable and can be compromised. The tool also performs credential harvesting on open ports and services, e.g. the Telnet service on port 23 uses default credentials, which are exploited.


Figure 7: Executing Exploits

Compromised IoT devices can reveal the admin password as an MD5 hash, allow remote command execution and directory path traversal, or let the attacker change admin settings and device configuration, which can lead to subsequent and advanced persistent attacks. The authors successfully executed custom exploits to compromise the target IoT device, which has a MIPSBE (big-endian MIPS) architecture. Two payloads, bind_tcp (creates a bind shell) and reverse_tcp (creates a TCP reverse shell), are illustrated in Figure 7.
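The Telnet default-credential finding and the MD5-hash disclosure above are two sides of the same weakness: an unsalted MD5 digest of a factory-default password is as good as the password itself. The following is an added example, not the authors' tool or data. It parses a constructed configuration dump of the kind recovered from a compromised device, flags the enabled Telnet service, recovers the admin password from its unsalted MD5 digest with a short wordlist of common factory defaults, and, for contrast, shows the salted PBKDF2 storage a device should use instead. The config keys, the wordlist, and the device model string are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Constructed configuration dump, in the style of a plain-text settings file
# recovered from an IoT device; not an artifact from the paper's experiment.
CONSTRUCTED_CONFIG = """\
device_model=AQ-Sensor-Gateway
telnet_enable=1
telnet_port=23
http_enable=1
admin_user=admin
admin_password_md5=21232f297a57a5a743894a0e4a801fc3
"""

# Short wordlist of passwords commonly shipped as factory defaults (constructed).
DEFAULT_PASSWORDS = ["admin", "password", "1234", "12345", "123456", "root",
                     "default", "support", "user", "guest", "000000"]


def parse_config(text):
    """key=value lines -> dict; ignores blank lines and '#' comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def recover_md5(hexdigest, wordlist=DEFAULT_PASSWORDS):
    """Unsalted MD5 is a deterministic function of the password alone, so a
    leaked digest is cracked by hashing candidates until one matches.
    Returns the plaintext, or None if no candidate matches."""
    hexdigest = hexdigest.lower()
    for candidate in wordlist:
        if hashlib.md5(candidate.encode()).hexdigest() == hexdigest:
            return candidate
    return None


def audit(config_text):
    """Return the list of findings a tester would report for this config."""
    cfg = parse_config(config_text)
    findings = []
    if cfg.get("telnet_enable") == "1":
        port = cfg.get("telnet_port", "23")
        findings.append(f"telnet enabled on port {port} (cleartext admin access)")
    digest = cfg.get("admin_password_md5")
    if digest:
        findings.append("admin password stored as unsalted MD5")
        pw = recover_md5(digest)
        if pw is not None:
            findings.append(f"admin password is the factory default {pw!r}")
    return findings


# Hardened storage for comparison: salted PBKDF2-HMAC-SHA256. Two devices with
# the same password get different records, and each guess costs `iterations`
# hash computations instead of one.
def store_password(password, iterations=200_000):
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, record):
    algo, iterations, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)   # constant-time comparison


if __name__ == "__main__":
    for finding in audit(CONSTRUCTED_CONFIG):
        print("-", finding)
    record = store_password("admin")
    print(record)
    print("verify admin:", verify_password("admin", record))
```

The audit reports the Telnet service, the unsalted storage, and the recovered default password `admin`. With the PBKDF2 record, the same wordlist attack would have to run the full iteration count per guess per device, and a leaked record from one device says nothing about another that shares the password.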


Payloads executed from the attacker’s system 192.168.1.10 successfully establish bind and TCP reverse shell connections to the IoT device 192.168.1.1, as illustrated in Figure 8. These exploits give shell and admin access to the IoT device, allowing the configuration settings to be changed and the firmware to be overwritten with a backdoored embedded IOS, which lets the attacker:

  • Control the IoT device for wired and wireless traffic.

  • Block Internet connection and redirect log traffic to the attacker’s C&C server.

  • Stay undetected and perform passive or active man-in- middle attacks.

The IoT ecosystem in this research consists of sensor devices. Each sensor is programmed to wake up at regular intervals (every hour), connect to the IoT network, send air quality data (humidity and temperature readings) to the cloud server, and then stop gathering data. The logs capture device metrics: traffic throughput, bandwidth utilized, CPU and memory utilization, application and service response, and ICMP latency. Figure 8 illustrates bandwidth, CPU and memory utilization, application and service response, and latency prior to, during, and after the attacks, which were then analyzed.

Conclusion

This research demonstrated the ease with which IoT devices can be attacked and compromised. Several exploits and payloads are available that can take IoT services offline and deploy firmware and IOS changes. The authors gathered metrics before, during, and after the attacks. Network scans have a subtle impact on IoT services and metrics; as the attacks intensify, the devices show a loss of optimal service response, as illustrated in the datasets gathered and analyzed. The authors also propose a new IoT attack taxonomy based on five main IoT attack categories, including internal and external threat sources on IoT ecosystems. In summary, this research should be useful for industry and academics engaged in the design of secure IoT devices by observing the various attacks.


being close and similar. For the two-sample t-test on unpaired data, the application response and service response datasets are considered. The authors test the hypothesis that the means of the two samples are equal, assuming equal variances for the two datasets. Rejecting this null hypothesis when it is in fact true would be a Type I error. The hypotheses are:


$$H_0 : \mu_1 = \mu_2$$

$$H_a : \mu_1 \neq \mu_2$$

With reference to the NIST two-sample t-test for equal means, the test statistic T is calculated as follows:

$$T = \frac{\bar{Y}_1 - \bar{Y}_2}{\sqrt{\dfrac{s_1^2}{N_1} + \dfrac{s_2^2}{N_2}}}$$

where $\bar{Y}_1, \bar{Y}_2$ are the sample means, $s_1^2, s_2^2$ the sample variances, and $N_1, N_2$ the sample sizes of the two datasets.
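The metrics gathered prior to, during, and after the attacks (response time, latency, CPU, bandwidth) are compared with exactly this test. The following is an added example, not the authors' code or measurements: it carries the NIST statistic through on constructed response-time samples for the "before", "during scan", and "during flood" phases, alongside the pooled-variance form that the equal-variance assumption strictly calls for (the two coincide whenever $N_1 = N_2$, as here), and turns $T$ into a two-sided p-value with the regularized incomplete beta function so that no statistics library is needed. The sample values and the $\alpha = 0.05$ threshold are assumptions made for the example.

```python
import math
from statistics import mean, variance

# Constructed sample data (not the authors' measurements): application response
# time in milliseconds, sampled ten times in each phase of the experiment.
BEFORE_ATTACK = [41, 39, 42, 40, 38, 41, 40, 39, 42, 40]
DURING_SCAN   = [42, 40, 41, 39, 43, 41, 40, 42, 39, 41]   # subtle change
DURING_FLOOD  = [55, 61, 58, 70, 52, 66, 59, 63, 57, 60]   # service degraded


def t_statistic(y1, y2):
    """NIST form quoted on the page: T = (Y1bar - Y2bar) / sqrt(s1^2/N1 + s2^2/N2),
    with s^2 the unbiased sample variance. Makes no equal-variance assumption."""
    n1, n2 = len(y1), len(y2)
    return (mean(y1) - mean(y2)) / math.sqrt(variance(y1) / n1 + variance(y2) / n2)


def t_statistic_pooled(y1, y2):
    """Equal-variance form: pooled variance s_p^2, with N1 + N2 - 2 degrees of
    freedom. When N1 == N2 this is algebraically identical to t_statistic()."""
    n1, n2 = len(y1), len(y2)
    sp2 = ((n1 - 1) * variance(y1) + (n2 - 1) * variance(y2)) / (n1 + n2 - 2)
    return (mean(y1) - mean(y2)) / math.sqrt(sp2 * (1.0 / n1 + 1.0 / n2))


def _betacf(a, b, x, max_iter=300, eps=1e-12):
    """Continued fraction for the incomplete beta function (modified Lentz)."""
    tiny = 1e-300
    qab, qap, qam = a + b, a + 1.0, a - 1.0
    c = 1.0
    d = 1.0 - qab * x / qap
    d = 1.0 / (d if abs(d) > tiny else tiny)
    h = d
    for m in range(1, max_iter + 1):
        m2 = 2 * m
        for aa in (m * (b - m) * x / ((qam + m2) * (a + m2)),
                   -(a + m) * (qab + m) * x / ((a + m2) * (qap + m2))):
            d = 1.0 + aa * d
            d = 1.0 / (d if abs(d) > tiny else tiny)
            c = 1.0 + aa / c
            c = c if abs(c) > tiny else tiny
            h *= d * c
        if abs(d * c - 1.0) < eps:
            break
    return h


def regularized_incomplete_beta(a, b, x):
    """I_x(a, b) = B(x; a, b) / B(a, b), for 0 <= x <= 1."""
    if x <= 0.0:
        return 0.0
    if x >= 1.0:
        return 1.0
    ln_front = (math.lgamma(a + b) - math.lgamma(a) - math.lgamma(b)
                + a * math.log(x) + b * math.log(1.0 - x))
    front = math.exp(ln_front)
    if x < (a + 1.0) / (a + b + 2.0):
        return front * _betacf(a, b, x) / a
    return 1.0 - front * _betacf(b, a, 1.0 - x) / b


def two_sided_p_value(t, df):
    """P(|T_df| >= |t|) for Student's t, via p = I_{df/(df+t^2)}(df/2, 1/2)."""
    return regularized_incomplete_beta(df / 2.0, 0.5, df / (df + t * t))


def compare_phases(y1, y2, alpha=0.05):
    """Test H0: mu1 == mu2 against Ha: mu1 != mu2 under the equal-variance
    assumption the page makes. Returns T, df, p, and whether H0 is rejected."""
    t = t_statistic_pooled(y1, y2)
    df = len(y1) + len(y2) - 2
    p = two_sided_p_value(t, df)
    return {"T": t, "df": df, "p": p, "reject_H0": p < alpha}


if __name__ == "__main__":
    for label, sample in (("scan", DURING_SCAN), ("flood", DURING_FLOOD)):
        r = compare_phases(BEFORE_ATTACK, sample)
        print(f"before vs {label}: T={r['T']:.3f} df={r['df']} "
              f"p={r['p']:.4f} reject H0={r['reject_H0']}")
```

On the constructed data the scan phase gives $T \approx -1.02$ with $p \approx 0.32$, so the null hypothesis of equal means stands (the scan's impact is, as the conclusion puts it, subtle), while the flood phase gives $|T| > 11$ and a p-value far below $0.05$, so the means differ and the degradation is statistically significant. The p-value routine is the standard identity between the t distribution and the incomplete beta function; with SciPy available, `scipy.stats.ttest_ind` returns the same numbers.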
