The Internet of Things (IoT) refers to a large number of interconnected devices that can interact with the physical world. There are amazing benefits to having IoT devices for individuals and enterprises as they provide a new level of features and an ability to gather data that was not possible before. IoT devices are the foundation on which to build smart cities and smart homes. An example of this is smart doorbells which provides new features such as alerting whenever someone is at the door, answering and unlocking the door remotely from your phone. Another example is smart energy meters which allow for the measurement and monitoring energy consumption remotely.
 
IoT plays an important role that allows enterprises to go through digital transformation. However, in many cases organizations start to become aware that they do already have a large number of IoT devices which were introduced gradually over the years. One of the main concerns that an organizations face when dealing with IoT is managing risks involved in increasing number of IoT devices. Because of their ability to interact with the physical world, there are safety and privacy concerns when it comes to the security of IoT devices.
 
This paper provides an overview of IoT components, followed by risks and sample attacks. Finally, a list of current and prospective future security solutions is discussed.
 

2. IOT components

IoT devices components include the following:
  • Sensors allow IoT devices to provide a reading from the physical world such as room temperature or motion sensors.
  • Actuators allow to control a physical component such as moving an object on the device or unlocking the door.
  • Network Communication to send and receive data from other devices and systems. This also includes application programming interface (API) that allows interaction with other programs or devices.
  • User Interface provides a mechanism for the end user to interact with the device such as voice control or touch screens.
  • Management Interface that can be used to configure the device and modify the settings including security settings.
 

3. IOT risks

A. IOT RISKS COMPARED TO TYPICAL IT SYSTEMS
There are a number of unique characteristics of IoT that makes securing them more challenging than typical enterprise IT systems.
  • IoT devices interact with the physical world which makes protecting these devices more important. A compromised device may allow remote monitoring through security cameras or changing the room temperature for instance.
  • IoT devices come in much larger numbers compared to normal IT systems which makes scalability an issue for normal processes such as asset management. In addition, IoT devices come in various types and from diverse vendors with each device having different protocols and requirements .
  • Another important factor to consider is that many IoT devices cannot be centrally managed and configured. Some devices are treated as black boxes and do not provide the status of their software or firmware level so it would be difficult to follow normal vulnerability management practices.
  • IoT devices have much lower memory and computational capabilities compared to normal IT systems. Therefore, it would be difficult to employ standard IT security solutions which normally require high computational power such as encryption services.
B. ATTACK SURFACE
IoT devices can be attacked in multiple ways including the following:
  • Application: some attacks target the application that is used to interact with the IoT device. These applications are used to access and configure the IoT device and gaining access to these applications presents a significant risk.
  • Hardware: since IoT devices are designed to be located in public areas, attackers can gain physical access relatively easily. Therefore, hardware attacks are an important vector to consider.
  • Network: IoT devices are prone to typical network attacks. Eavesdropping attacks can be a real threat considering that a lot of IoT vendors may use weak encryption ciphers for communication or no encryption at all due to limited computing resources on the IoT device.
  • Platform: A lot of IoT devices communicate through a platform such as cloud. This opens an indirect attack channel.
C. SAMPLE IOT ATTACKS
A number of research papers have shown that IoT devices are vulnerable to a variety of typical attacks including hardware attacks, ID modification, Denial of service (DOS), signal jamming, spoofing, reply attacks, malware and ransomware attacks. Below are sample attacks performed on real life IoT devices.
 
1) SMART HOME SENSOR READER
A research team from the university of central Florida analyzed a smart home device that reads from sensors within a home such as smoke detectors and door sensors. The team first analyzed the hardware of the device and were able to make a physical serial connection that was used to access an emulator. Using the emulator, the researchers were able to modify the boot sequence allowing them access to a root shell. Once a root shell was obtained, root account password hash was cracked due to weak encryption method being used by the device.
 
After that, the team was able to access the device remotely using the root account since it supported telnet authentication.
 
2) SMART ENERGY METER
The smart meter was preconfigured to prevent write access to the memory at a hardware level. However, after analyzing the hardware, the research team had enabled write access for on-chip memory. After this, the team was able to identify the memory location where the device ID was stored and then were able to modify it. By modifying the device ID, the smart meter can present itself as a different smart meter which will give misleading information about the energy consumption.
 
3) SMART LIGHT BULB
Smart light bulb allows customers to control light settings from their phone such as turning light bulb off or changing the light color. It can also adjust light based social media feeds. The light bulbs are controlled through a bridge. By analyzing the traffic to the bridge, the research team discovered that the bridge uses a list of white-list users that are allowed to control the lights with no authentication employed. Since the communication between the bridge and the mobile is not encrypted, it is possible to sniff whitelisted users. An unauthorized attacker can then use a white listed user to take control of the lights.
 
4) IOT HOME DEVICES
A research team demonstrated that it was possible to launch web based attacks against IoT home devices even if they are not connected directly to the internet.
 
The attacks rely on compromising the target user web browser through phishing attacks. Once the research team compromised the web browser of a target, they were able to identify IoT devices that are only connected to the internal home network. Furthermore, the research team were also able to use DNS rebinding attack to launch further attacks such as denial of service (DOS), shut devices down and play certain videos on smart TVs.
 

4. IOT SECRUITY STRATEGY AND SOLUTIONS

Due to challenges in section 3.1, many conventional IT security solutions are not compatible with IoT. Below are a number of solutions that can improve the security of IoT devices. Also, many researchers have proposed using new ways to secure IoT devices such as Blockchain and Machine Learning (ML). Following is an overview of available and potential solutions.
 
A. VLANs
Since typical IT security solutions are not well-suited, IoT devices require a more secure isolated network design. A paper by Salah A. Alabady in 2018 proposed a secure network design that utilizes Virtual Local Area Network (VLAN), firewalls and routers. By properly isolating IoT devices, it is possible to lower the associated risk. Furthermore, many security solutions available today such as Intrusion Prevention Systems (IPS) rely on having IoT devices grouped in one network since this makes it easier to identify the IoT network traffic.
 
B. SDN
Many papers by Do Sinh in 2018Ángel Leonardo Valdivieso Caraguay in 2014 and Peter Bull in 2016 have proposed using Software Defined Network (SDN) for IoT devices. Using SDN allows organizations to control and isolate the traffic between different IoT services which provides a network side security. Furthermore, if a compromised service was detected, the service could be blocked promptly. However, there are a lot of challenges related to the SDN implementation that are open for more research such as performance since the number of IoT device is huge.
 
C. IPS
There are a lot of Intrusion Prevention System (IPS) solutions currently available that are designed specifically for IoT. However, most of these solutions are designed to work where IoT devices are deployed in a separate network segment which makes it easy to identify IoT traffic.
 
Also, Noy Hadar in 2017 designed an IPS like solution that can be aware of vulnerabilities on specific IoT devices. The solution can then detect malicious traffic which targeting known vulnerabilities on specific IoT types and block that traffic effectively.
 
D. MIDDLEWARE
IoT is a heterogeneous environment with many different types of devices from various vendors. Furthermore, each vendor has implemented different communication protocols and different API languages. This leads to the idea of having a middleware layer that enforces policies and security configurations for all types of devices that would make it easier to manage IoT security at a large scale.
 
Currently, many companies offer cloud based middleware solutions that allow for easier management of diverse IoT devices.
 
E. BLOCKCHAIN
Blockchain could arguably be a good fit since IoT devices are very lightweight and low energy while Blockchain is naturally distributed, private and secure. However, this area is still open for more research before it can be implemented well.
 
One challenge is that Blockchain requires high computational power which is something that IoT devices lack. To overcome this challenge, researchers have proposed a new Blockchain implementation that could be more suitable for IoT. The proposed implementation utilizes a hierarchical structure and distributed trust. The structure is built by forming clusters of IoT devices. Each cluster can have a cluster head that manages the cluster Blockchain transactions in addition to a local storage to help with keeping transaction records.
 
F. ARTIFICIAL INTELLIGENCE
Machine learning (ML) was proposed by multiple researchers to improve IoT security in areas such as protecting against different types of attacks and detecting IoT devices on the local enterprise network.
 
Different ML techniques can be employed for different types of attacks. A research team attempted to match different ML techniques with challenges in authentication, access control, secure IoT offloading and malware detection. Supervised learning technique was proposed to implement intrusion and malware detection as well as spoofing attacks. Unsupervised learning was found to be suitable to protect against Denial of Service (DOS) attacks. Also, reinforcement learning was suggested to improve malware detection and anti-jamming transmission.
 
Another paper demonstrated that supervised ML can be used to accurately identify and categorize IoT devices on the local enterprise network based on network traffic.
 
There are a few challenges that could hinder using ML for IoT security such as energy consumption, detection accuracy and performance. To address these challenges, specific ML techniques that require low energy and performance were proposed such as Frank-Wolf dFW. In addition, the research team proposed to have backup non-ML security solutions to provide another layer of protection in case the ML solutions failed to detect malicious events especially at the beginning of the learning curve.
 

Risks need to be addressed 

As organizations start to adapt more IoT devices, a number of security and privacy risks will have to be addressed. Due to risks and challenges highlighted in section 3, IoT require a different approach to cyber security compared to typical IT systems. Organizations can start to adopt a segmented network design especially for IoT devices with the addition of network based security solutions such as IPS which does not add much overhead for IoT devices. Also, middleware solutions could be used to secure the configurations of IoT devices from different manufacturers in a scalable manner. Finally, extensive research in using Machine Learning and Blockchain technologies could provide a starting point for future solutions that will hopefully improve IoT security in a reliable manner.