IoT Security - Cyberspeak 101
Editor's Note: Securing the Internet of Things (IoT) is critical not only for the integrity of data streams and software within each IoT application, but also for the integrity of the enterprise resources tied into those applications. IoT security is a complex problem, requiring a systematic approach for understanding possible threats and corresponding mitigation methods.
In Chapter 12 of his book, Internet of Things for Architects, Perry Lea offers a detailed discussion of key fundamentals of IoT security. We present this chapter as a series of installments including:
Adapted from Internet of Things for Architects, by Perry Lea.
Chapter 12. IoT Security
By Perry Lea
Cyber security vernacular
The first chapter of this book revealed the size, growth, and potential of the Internet of Things (IoT). There are currently billions of devices, and the double-digit growth of connecting the analog world to the internet also forms the largest attack surface on Earth. Exploits, damage, and rogue agents have already been developed, deployed, and spread globally, disrupting countless businesses, networks, and lives. As architects, we are responsible for understanding the IoT stack of technologies and securing them. As we connect devices that have never before been on the internet, we, as good citizens, are accountable for designing them responsibly.
This has been particularly difficult for many IoT deployments, where security is often thought of last. Often, systems are so constrained that building the enterprise-level security that modern web and PC systems enjoy is difficult, if not impossible, on simple IoT sensors. This book, too, discusses security only after all the other technologies have been covered; however, every chapter has touched on the security provisions at each level.
This chapter will explore some particularly heinous IoT-focused attacks and give thought to how weak IoT security is and how much damage can be done. Later, we discuss the security provisions at each level of the stack: physical devices, communication systems, and networks. We then address software-defined perimeters and blockchains used to secure value in IoT data. The chapter wraps up by examining the United States Cybersecurity Improvement Act of 2017 and what it could mean for IoT devices.
The most important thing in security is to use it at all levels from the sensor to the communication system, router, and cloud.
Cyber security vernacular
Cybersecurity has an associated set of definitions describing different types of attacks and provisions. This section briefly covers the jargon of the industry as used in the rest of this chapter.
Attack and threat terms
The following are the terms and definitions of different attacks or malevolent cyber threats:
Amplification attack: Magnifies the bandwidth sent to a victim. Often an attacker will use a legitimate service such as NTP, Steam, or DNS to reflect the attack onto a victim. NTP can amplify traffic 556x, and DNS amplification can escalate the bandwidth by 179x.
ARP spoof: An attack that sends falsified ARP messages so that the attacker's MAC address becomes linked with the IP address of a legitimate system.
Banner scans: A technique typically used to take inventory of systems on a network. An attacker can also use it to gain information about a potential target by performing HTTP requests and inspecting the returned information about the OS and computer (for example, nc www.target.com 80).
Botnets: Internet-connected devices infected and compromised by malware and working collectively under common control. They are mostly used in unison to generate massive DDoS attacks from multiple clients; other uses include email spamming and spyware.
Brute force: A trial and error method to gain access to a system or bypass encryption.
Buffer overflow: Exploits a bug or defect in running software that overruns a buffer or memory block with more data than was allocated for it. The overrun writes over other data at adjacent memory addresses. An attacker can place malicious code in that area and force the instruction pointer to execute from there. Compiled languages such as C and C++ are particularly susceptible to buffer overflow attacks since they lack built-in bounds checking. Most overflow bugs are the result of poorly constructed software that does not check the bounds of input values.
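As an added illustration (not code from the book), the following C snippet shows the unchecked copy of an untrusted device-name field that the definition above describes, beside a bounds-checked version that rejects oversized input; the record layout, field names and NAME_MAX value are constructed for the example.

```c
#include <string.h>
#include <stddef.h>

#define NAME_MAX 16   /* constructed: size of the fixed name field */

/* Constructed record: the admin flag sits right after the name buffer,
 * so an overrun of name[] lands on it. */
typedef struct {
    char name[NAME_MAX];
    int  admin;
} device_record_t;

/* Vulnerable form: no bounds check.  An untrusted input longer than
 * NAME_MAX - 1 characters overruns rec->name and overwrites whatever
 * follows it in memory (here, rec->admin). */
void set_name_unsafe(device_record_t *rec, const char *untrusted)
{
    strcpy(rec->name, untrusted);
}

/* Hardened form: measure the input without reading past the limit and
 * reject anything that does not fit, including the terminating NUL.
 * Rejecting (rather than silently truncating) keeps the failure visible.
 * Returns 0 on success, -1 when the input is rejected. */
int set_name_safe(device_record_t *rec, const char *untrusted)
{
    size_t len = 0;
    while (len < NAME_MAX && untrusted[len] != '\0')
        len++;
    if (len == NAME_MAX)        /* too long, or no NUL within the limit */
        return -1;
    memcpy(rec->name, untrusted, len + 1);   /* copies the NUL too */
    return 0;
}
```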
C2: Command and control server that marshals commands to botnets.
Correlation power analysis attack: Allows an attacker to discover secret encryption keys stored in a device through four steps. First, examine a target's dynamic power consumption and record it for each phase of the normal encryption process. Next, force the target to encrypt several plaintext objects and record their power usage. Then attack small parts of the key (subkeys) by considering every possible combination and calculating the Pearson correlation coefficient between the modeled and actual power. Finally, put together the best subkeys to obtain the full key.
Dictionary attack: A method of gaining entry to a network system by systematically trying entries from a dictionary file of username and password pairs.
Distributed Denial of Service (DDoS): An attack attempting to disrupt or make an online service unavailable by overwhelming it from multiple (distributed) sources.
Fuzzing: A fuzzing attack consists of sending malformed or non-standard data to a device and observing how it reacts. If, for example, the device performs poorly or shows adverse effects, the fuzz attack may have exposed a weakness.
Man-in-the-Middle Attack (MITM): A common form of attack that places a device in the middle of a communication stream between two unsuspecting parties. The device listens, filters, and appropriates information from the transmitter and retransmits selected information to the receiver. A MITM may be in the loop, acting as a repeater, or it may listen to the transmission from the sideband without intercepting the data.
NOP sleds: A sequence of injected NOP assembly instructions used to "slide" a CPU's instruction pointer to the desired area of malicious code. Usually part of a buffer overflow attack.
Replay attack (also known as a playback attack): A network attack in which data is maliciously repeated or replayed, either by the originator or by an adversary who intercepts the data, stores it, and retransmits it at will.
RCE exploit: Remote code execution, which enables an attacker to execute arbitrary code. It usually comes in the form of a buffer overflow attack over HTTP or another network protocol that injects malware code.
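As an added example (not from the book), this C code shows one receiver-side defence against the replay attack just defined: each sequence number is accepted only once, tracked with a sliding window in the style of IPsec/DTLS anti-replay. The state layout, WINDOW_BITS value and sample capture are constructed for the example, and the check assumes the sequence number is covered by the message's authentication tag, so an adversary cannot simply forge a fresh number.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#define WINDOW_BITS 64   /* constructed: how far behind the newest message we still track */
/* Constructed per-sender state: bit i of window is set when sequence
 * number (highest - i) has already been accepted. */
typedef struct { uint64_t highest; uint64_t window; bool started; } replay_state_t;

/* Returns true and records seq if it is fresh; false if it was already
 * accepted (a replay) or is older than the window can vouch for. */
bool replay_check(replay_state_t *st, uint64_t seq)
{
    if (!st->started) {                          /* first message from this sender */
        st->started = true;
        st->highest = seq;
        st->window  = 1;
        return true;
    }
    if (seq > st->highest) {                     /* newer than anything seen */
        uint64_t shift = seq - st->highest;
        st->window  = (shift >= WINDOW_BITS) ? 0 : (st->window << shift);
        st->window |= 1;
        st->highest = seq;
        return true;
    }
    uint64_t back = st->highest - seq;
    if (back >= WINDOW_BITS)                     /* too old to distinguish; reject */
        return false;
    uint64_t bit = (uint64_t)1 << back;
    if (st->window & bit)                        /* seen before: replay */
        return false;
    st->window |= bit;                           /* late but fresh: accept once */
    return true;
}

/* Feeds a stream of sequence numbers through the check and returns how
 * many were rejected as replays or stale. */
size_t count_rejected(const uint64_t *seqs, size_t n)
{
    replay_state_t st = { 0, 0, false };
    size_t rejected = 0;
    for (size_t i = 0; i < n; i++)
        if (!replay_check(&st, seqs[i]))
            rejected++;
    return rejected;
}

/* Constructed capture: sequence numbers as a receiver might see them,
 * including late delivery (4 after 5) and replays of 2, 3, 1 and 5. */
static const uint64_t SAMPLE_SEQS[10] = { 1, 2, 3, 2, 5, 4, 3, 1, 100, 5 };
```

Running count_rejected over SAMPLE_SEQS rejects four of the ten messages: the replayed 2, 3 and 1, and the final 5, which falls behind the window once 100 has been accepted.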