Editor's Note: Securing the Internet of Things (IoT) is critical not only for the integrity of data streams and software within each IoT application, but also for the integrity of the enterprise resources tied into those applications. IoT security is a complex problem, requiring a systematic approach for understanding possible threats and corresponding mitigation methods.
In Chapter 12 of his book, Internet of Things for Architects, Perry Lea offers a detailed discussion of key fundamentals of IoT security. We present this chapter as a series of installments including:
Adapted from Internet of Things for Architects, by Perry Lea.
Chapter 12. IoT Security
By Perry Lea
Cyber security vernacular
The first chapter of this book revealed the size, growth, and potential of the Internet of Things (IoT ). There are currently billions of devices, and the double-digit growth of connecting the analog world to the internet also forms the largest attack surface on Earth. Exploits, damage, and rogue agents have already been developed, deployed, and spread globally, disrupting countless businesses, networks, and lives. As architects, we are responsible for understanding the IoT stack of technologies and securing them. As we place devices that have never been connected to the internet, as good citizens, we are accountable for designing them.
This has been particularly difficult for many IoT deployments with security often being thought of last. Often, systems are so constrained that building enterprise-level security that modern web and PC systems enjoy is difficult if not impossible on simple IoT sensors. This book also talks about security after all other technologies have been understood. However, every chapter has touched on the provisions of security at each level.
This chapter will explore some particularly heinous IoT focused attacks and give thought to how weak security is in IoT and how much damage can be done. Later, we discuss the security provisions at each level of the stack: physical devices, communication systems, and networks. We then address software-defined perimeters and blockchains used to secure value in IoT data. The chapter wraps up by examining the United States Cybersecurity Improvement Act of 2017 and what it could mean for IoT devices.
The most important thing in security is to use it at all levels from the sensor to the communication system, router, and cloud.
Cyber security vernacular
Cybersecurity has an associated set of definitions describing different types of attacks and provisions. This section briefly covers the jargon of the industry as presented in the rest of this chapter.
Attack and threat terms
The following are the terms and definitions of different attacks or malevolent cyber threats:
Amplification attack : Magnifies the bandwidth sent to a victim. Often an attacker will use a legitimate service such as NTP, Steam, or DNS to reflect the attack upon a victim. NTP can amplify 556x and DNS amplification can escalate the bandwidth by 179x.
ARP spoof : A type of attack that sends a falsified ARP message resulting in linking the attacker's MAC address with the IP of a legitimate system.
Banner scans : A technique typically used to take inventory of systems on a network that can also be used by an attacker to gain information about a potential attack target by performing HTTP requests and inspecting the returned information of the OS and computer (for example, nc www.target.com 80).
Botnets : Internet-connected devices infected and compromised by malware working collectively by common control, mostly used in unison to generate massive DDoS attacks from multiple clients. Other attacks include email spamming and spyware.
Brute force : A trial and error method to gain access to a system or bypass encryption.
Buffer overflow : Exploits a bug or defect in running software that simply overruns a buffer or memory block with more data than allocated. This overrun can write over other data in adjacent memory addresses. An attacker can lay malicious code in that area and force the instruction pointer to execute from there. Compiled languages such as C and C++ are particularly susceptible to buffer overflow attacks since they lack internal protection. Most overflow bugs are the result of poorly constructed software that does not check the bounds of input values.
C2 : Command and control server that marshals commands to botnets.
Correlation power analysis attack : Allows one to discover secret encryption keys stored in a device through four steps. First, examine a target's dynamic power consumption and record it for each phase of the normal encryption process. Next, force the target to encrypt several plaintext objects and record their power usage. Next, attack small parts of the key (subkeys) by considering every possible combination and calculating the Pearson correlation coefficient between the modeled and actual power. Finally, put together the best subkey to obtain the full key.
Dictionary attack: A method of gaining entry to a network system by systematically entering words from a dictionary file containing the username and password pairs.
Distributed Denial of Service (DDoS) : An attack attempting to disrupt or make an online service unavailable by overwhelming it from multiple (distributed) sources.
Fuzzing: A fuzzing attack consists of sending malformed or non-standard data to a device and observing how the device reacts. For example, if a device performs poorly or shows adverse effects, the fuzz attack may have exposed a weakness.
Man-in-the-Middle Attack (MITM) : A common form of attack that places a device in the middle of a communication stream between two unsuspecting parties. The device listens, filters, and appropriates information from the transmitter and retransmits selected information to the receiver. A MITM may be in the loop acting as a repeater or can be sideband listening to the transmission without intercepting the data.
NOP sleds : A sequence of injected NOP assembly instructions used to “slide” a CPU's instruction pointer to the desired area of malicious code. Usually part of a buffer overflow attack.
Replay attack (also known as a playback attack) : A network attack where data is maliciously repeated or replayed by the originator or an adversary who intercepts the data, stores the data, and transmits it at will.
RCE exploit : Remote code execution that enables an attacker to execute arbitrary code. This usually comes in the form of a buffer overflow attack over HTTP or other network protocols that injects malware code.
Return-Oriented Programming (ROP Attack) : This is a difficult security exploit an attacker may use to potentially subvert protections with non-executing memory or executing code from read-only memory. If an attacker gains control of a process stack through a buffer overflow or some other means, they may jump to legitimate and unchanged sequences of instructions already present. The attacker looks for sequences of instructions to call gadgets that can be pieced together to form a malevolent attack.
Return-to-libc : A type of attack that starts with a buffer overflow where the attacker injects jumps to libc or other popularly used libraries in the processes' memory space in an attempt to call system routines directly. Bypasses the protection offered by non-executable memory and guard bands. This is a specific form of ROP attack.
Rootkit: Typically malicious software (although often used to unlock smartphones) used to enable other software payloads to be undetectable. Rootkits use several targeted techniques such as buffer overflows to attack kernel services, hypervisors, and user mode programs.
Side Channel Attack : An attack used to gain information from a victim's system by observing the secondary effects of the physical system rather than find runtime exploits or zero-day exploits. Examples of side channel attacks include correlation power analysis, acoustic analysis, and reading data residue after it has been deleted from memory.
Spoofing: Malicious party or device impersonates another device or user on a network.
SYN flood: Occurs when a host sends a TCP:SYN packet which a rogue agent will spoof and forge. This will cause the host to create half-open connections to many non-existent addresses causing the host to exhaust all resources.
Zero-Day exploits: Security defects or bugs in commercial or production software unknown to the designer or manufacturer.
The following are the terms and definitions of different cyber defense mechanisms and technologies:
Address Space Layout Randomization : Also known as ASLR , this defense mechanism protects memory and thwarts buffer overflow attacks by randomizing where an executable is loaded in memory. A buffer overflow injecting malware can not predict where it will be loaded in memory, thus manipulating the instruction pointer will becomes extremely challenging. Protects against return-to-libc attacks.
Black hole (sinkhole) : After detecting a DDoS attack, routes are established from the affected DNS server or IP address to force rogue data to a black hole or a non- existent endpoint. Sinkholes perform further analysis to filter out good data.
Data Execution Prevention (DEP) : Marks an area as executable or non- executable. This prevents an attacker from running code maliciously injected into such a region via a buffer overflow attack. The result is a system error or exception.
Deep Packet Inspection (DPI) : A method of inspecting each packet (data and possibly header information) in a data stream to isolate intrusions, viruses, spam, and other criteria being filtered.
Firewall : A network security construct that grants or rejects network access to packet streams between an untrusted zone and a trusted zone. Traffic can be controlled and managed through access control lists (ACL ) on routers. Firewalls can perform stateful filtering and provide rules based on destination ports and traffic state.
Guard bands and non-executable memory : Protects regions of memory that are writeable and not executable. Protects against NOP sleds. Intel: NX bit, ARM XN bit.
Honeypots : Security tool to detect, deflect, or reverse engineer malicious attacks. Honeypots appear as legitimate websites or accessible nodes in a network but are actually isolated and monitored. Data and interactions with the device are logged.
Instruction-Based Memory Access Control : A technique to separate the data portion of a stack from the return address portion. This technique helps protect against ROP attacks and is particularly useful in constrained IoT systems.
Intrusion Detection System (IDS) : A network construct to detect threats in a network through the out-of-band analysis of the packet stream therefore not in- line with the source and destination so as to affect real-time response.
Intrusion Prevention System : Blocks threats to a network via true in-line analysis and statistical or signature detection of threats.
Milkers : A defensive tool that emulates an infected botnet device and attaches to its malevolent host allowing one to understand and “milk” the malware commands being sent to the controlled botnet.
Port scanning : A method to find an open and accessible port on a local network.
Public Key Infrastructure (PKI) : Provides a definition of hierarchies of verifiers to guarantee the origin of a public key. A certificate is signed by certificate authorities.
Public key : A public key is generated with a private key and is accessible to external entities. A public key can be used to decrypt hashes.
Private key : A private key is generated with a public key, never released externally, and stored securely. It is used to encrypt hashes.
Root of Trust (RoT) : Starts execution on a cold booting device from an immutable trusted source of memory (such as ROM). If early boot software/BIOS can be changed without control, then no Root of Trust exists. The Root of Trust is usually the first phase in a multi-phase secure boot.
Secure Boot : A series of boot steps for a device that starts at a Root of Trust and proceeds through OS and application loading where each component signature is verified as authentic. Verification is performed through public keys loaded at previous trusted boot stages.
Stack canaries : Guards process stack space from stack overruns and prevents the execution of code from a stack.
Trusted Execution Environment : A secure area of a processor that ensures code and data residing within this zone is protected. This is usually an execution environment on the main processor core where the code for secure booting, monetary transfers, or private key handling will be executed with a higher level of security than the majority of the code.
The next article in this series will examine the anatomy of IoT cyber attacks.
Reprinted with permission from Packt Publishing. Copyright © 2018 Packt Publishing
Perry Lea is a 27-year veteran in the technology industry with extensive experience as a technologist, strategist, business developer, entrepreneur, researcher and inventor. Besides writing the book, Internet of Things for Architects, he holds more than 50 patents. He served as Chief Architect at Hewlett Packard, where he architected and steered the design of more than 60 product lines. He holds three engineering degrees and a post graduate degree from Columbia University.