
IoT Security

What are the Security Threats to IoT Devices?

The Internet of Things (IoT) is the interconnection and communication between internet-enabled physical devices. The growth of such devices has been explosive, as smart devices such as wearables, sensors, phones, cars, appliances, and household gadgets are becoming increasingly prevalent in more and more aspects of daily living. While these devices may serve to add convenience and entertainment to our lives, this paradigm shift has also added plentiful concerns for security, privacy, and the protection of resources. The proliferation of these devices has outpaced the security science, leaving organizations and individuals vulnerable, as they lack formal guidance on securing these systems, and best practices have not yet been established. To this end, a 2020 study [1] outlines five areas of possible threats and attacks, and then proposes requirements to provide sufficient security to protect against those threats.

Communications. Threats to the connections between users and devices can broadly be categorized into routing attacks, active data attacks, passive data attacks, and flooding. In a routing attack, routing protocols and network traffic flow are targeted by either disrupting the flow of information or redirecting it to an insecure destination. This attack does not seek to alter or extract information. In an active data attack, however, attackers alter or delete information by targeting valid data packets through channel jamming or data tampering. Passive data attacks such as eavesdropping and traffic analysis seek to gain information without altering it. Lastly, flooding attacks introduce new packets into the network in an effort to overwhelm and destabilize it, possibly leading to disclosures of sensitive data.

Device/Services. Threats to the devices and services of an IoT system can be categorized into physical attacks, device subversion attacks, device data access, and device degradation. In a physical attack, an attacker damages and/or disconnects devices that are out in the open, such as mobile phones, computers, appliances, etc. In a device subversion attack, an attacker takes control of a device, causing it to malfunction or fail. The attacker could take control of a single device or several devices, possibly disrupting services and operations. A device data access attack is one where an attacker infects one or more IoT devices to obtain sensitive data; the device appears to be functioning normally, which allows the breach to go undetected. Device degradation is a form of DoS attack intended to prevent access to a service by overwhelming the network traffic, causing connected devices to malfunction.

Users. Threats to users of IoT devices can be categorized into trust, confidentiality, identity management, and behavioral threats. Trust-related attacks include things recommending other things with malicious intent through self-promotion, bad-mouthing, or good-mouthing. The confidentiality of extremely sensitive personal data such as age, address, and medical data is under serious threat, as attackers can use, manipulate, or disclose this data, or impersonate the user. Phishing attacks are also threats to confidentiality. Identity management is a concern as users often maintain multiple identities, multiplying their vulnerabilities. Behavioral threats exist in personal and social domains where users are tricked into sharing information or downloading malicious software.

Mobility. Threats to mobility can be categorized into dynamic, topology/infrastructure, tracking and location privacy, and multiple jurisdictions. Dynamic threats exist because, as users move about, their devices enter and leave network environments, dynamically modifying network topology (how various devices and connections on networks are physically or logically arranged in relation to each other). The threat to topology/infrastructure is the challenge that attacks on interdependencies such as networked vehicles, electronic medical devices, etc. pose to end users; such attacks could evolve to target the network topology itself, disrupting traffic flow and allowing access to user data in real time. Smart IoT devices could disclose location and tracking data, compromising private information such as user routines and activities. A threat from multiple jurisdictions is possible as several disparate interconnected things could have mismatches in technologies, policy settings, and identity management, which could compromise sensitive data being transmitted across several devices and/or jurisdictions, posing both legal and technical challenges.

Integration of Resources. Threats to integration of resources can be categorized into cross-domain administration, cascading resources, and interoperability. With many households using insecure networks, default passwords, and public hotspots, IoT devices can be vulnerable while also performing networking functions in a decentralized network, where attacks can exploit mismatches in policies, identity management, or security technology. Threats of cascading resources exist because a breach of one low-level thing can give attackers access to make modifications to higher-level services. An example could be an attacker using a mobile phone to deactivate a security system. Interoperability threats relate to attacks on multiple systems that need to operate together, such as cloud computing, social networks, and industrial networks. Moving data between components creates many points across many networks where sensitive data could be breached.

Pal et al.'s proposed requirements suggest continuing to use existing security methods such as confidentiality, authentication, access control, etc., but also propose a set of security requirements with IoT front of mind. Security for the IoT is a critical concern for individuals and organizations, and proper threat assessments are essential in order to make comprehensive plans for protection. This requires the discerning eye of network cybersecurity professionals who see your IoT devices more completely than you might. Your IoT toaster really could be the next big threat to cybersecurity.

[1] Pal et al., 2020, Sensors, “Security Requirements for the Internet of Things: A Systematic Approach”