1) The document discusses vulnerabilities found in IoT devices, including a lack of strong passwords, encryption of communications and updates, and other security issues.
2) The author analyzed 50 smart home devices and found major issues with all of them, such as none enforcing strong passwords or using mutual authentication.
3) The document provides examples of potential attacks on IoT devices when an attacker has access to the local network, such as intercepting unencrypted traffic or reprogramming devices by spoofing firmware updates.
Internet of Things Security is becoming a big challenge and one of the hurdle in success of IOT among the general consumers. This presentation highlights generics of security. It is based on tech talk at null/owasp chandigarh chapter by Rishabh Sharma. Twitter @rishabhgarian.
An overview of security and privacy challenges that must be faced and solved when creating new Things for the Internet of Things. We discussed why are Things inherently insecure together with examples of attack vectors and learned some risk mitigation strategies. We realized why should users be wary of Things violating their privacy and gained awareness of upcoming EU privacy legislation that affects providers of IoT-based solutions. Talk given at Pixels Camp 2017, Lisbon.
IoT Security Imperative: Stop your Fridge from Sending you SpamAmit Rohatgi
We've all heard the continuing news about or been victims of hacked passwords, data breaches, identity theft and lost privacy, because our heavy reliance on Internet connectivity. Our digital world necessitates ever improving security. But now we're on the cusp of a major revolution where our appliances, cars, clothes and the very fabric of our lives (no pun intended) are also connected. Software and silicon designers must take active design measures for ensuring user data. In this talk, Amit Rohatgi, president of the prpl Foundation, will outline the market and technical challenges as well as the essential measures in the design phase for securing our ever-more-connected digital world. He will also discuss why open-source is appropriately suited for addressing theses challenge and how the prpl Foundation is tackling this from the ground-up.
This talk revisits the 2016 Mirai attack which targeted IoT devices including IP cameras, WiFi-connected refrigerators, home routers, and more. The resulting botnet was used to attack Dyn’s DNS platform, which affected many websites including Twitter, SoundCloud, Airbnb, and Spotify.
You will learn and discuss the answers to these questions and more:
• What is the current state of Mirai and Mirai variants?
• What Distributed Denial of Service (DDoS) defenses do you have in place?
• How can you prepare to detect and defend against them botnet malware?
• What is recommended in the September 2018 NISTIR Draft,
Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks.
Internet of Things Security is becoming a big challenge and one of the hurdle in success of IOT among the general consumers. This presentation highlights generics of security. It is based on tech talk at null/owasp chandigarh chapter by Rishabh Sharma. Twitter @rishabhgarian.
An overview of security and privacy challenges that must be faced and solved when creating new Things for the Internet of Things. We discussed why are Things inherently insecure together with examples of attack vectors and learned some risk mitigation strategies. We realized why should users be wary of Things violating their privacy and gained awareness of upcoming EU privacy legislation that affects providers of IoT-based solutions. Talk given at Pixels Camp 2017, Lisbon.
IoT Security Imperative: Stop your Fridge from Sending you SpamAmit Rohatgi
We've all heard the continuing news about or been victims of hacked passwords, data breaches, identity theft and lost privacy, because our heavy reliance on Internet connectivity. Our digital world necessitates ever improving security. But now we're on the cusp of a major revolution where our appliances, cars, clothes and the very fabric of our lives (no pun intended) are also connected. Software and silicon designers must take active design measures for ensuring user data. In this talk, Amit Rohatgi, president of the prpl Foundation, will outline the market and technical challenges as well as the essential measures in the design phase for securing our ever-more-connected digital world. He will also discuss why open-source is appropriately suited for addressing theses challenge and how the prpl Foundation is tackling this from the ground-up.
This talk revisits the 2016 Mirai attack which targeted IoT devices including IP cameras, WiFi-connected refrigerators, home routers, and more. The resulting botnet was used to attack Dyn’s DNS platform, which affected many websites including Twitter, SoundCloud, Airbnb, and Spotify.
You will learn and discuss the answers to these questions and more:
• What is the current state of Mirai and Mirai variants?
• What Distributed Denial of Service (DDoS) defenses do you have in place?
• How can you prepare to detect and defend against them botnet malware?
• What is recommended in the September 2018 NISTIR Draft,
Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks.
"The State of IoT Security" Keynote by Shawn Henry at Inform[ED] IoT SecurityCableLabs
Join Shawn Henry as he discusses his vision of IoT Security. What will be the impact of insecured IoT devices for consumers in the home, smart cities and other industrial and critical infrastructures? Looking forward five years, what is the landscape to consider?
Shawn Henry
President, CrowdStrike Services & CSO
https://www.cablelabs.com/informed/
IoT stands for Internet of Things.The internet of things, or IoT, is a system of interrelated computing devices, mechanical and digital machines, objects, animals or people that are provided with unique identifiers (UIDs) and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction.
IoT Security Training covers The Internet of Things security and examines IoT conventions, potential dangers, vulnerabilities, misuse, information breaks, security system and alleviation. IoT security training, Internet of Things (IoT) devices Include: manufacturers, retailers in customer hardware, social insurance, processing plant production network stockrooms, transportation offices and numerous others.
Learn about:
IoT Principles: The Internet of Things Overview
Principles for Connected Devices
IoT Design Principles
Principles of IoT Security
IoT Attack Areas
IoT Vulnerabilities
IoT Firmware Analysis
IoT Software Weaknesses
IoT Security Verification, Validation and Testing
IoT Security Assessment on IoT devices
Assessing IoT devices attack surfaces
Evaluation of IoT device firmware analysis, attack surface
Vulnerabilities and exploiting the vulnerabilities
Course Topics Include:
Overview and analysis of IoT devices and IoT implementation use cases
IoT Architecture
IoT Architectural and Design Requirements
IoT Security Fundamentals
IoT Security Standards
NIST Framework: Cyber Physical Systems
IoT Governance and Risk Management
IoT Security Compliance and Audit
IoT Encryption and Key Management
IoT Identity and Access Management IoT Security Challenges
IoT Security in Critical Infrastructure
IoT Security in Personal infrastructure
IoT Vulnerabilities
Wireless Security applied to IoT
ZigBee and Bluetooth Security
LTE and Mobile Security
Cloud-based web interface security
Call us today at +1-972-665-9786. Learn more about this course audience, objectives, outlines, seminars, pricing , any other information. Visit our website link below.
IoT SecurityTraining, IoT Security Awareness 2019
https://www.tonex.com/training-courses/iot-security-training-iot-security-awareness/
Embedded computing is everywhere. It is in our car engines, refrigerators, and even in the singing greeting cards we send. With improvements in wireless technology, these systems are starting to talk with each other, and they are appearing in places like our shoes and wrists to monitor our athletic activity or health. This emerging Internet of Everything (IoE) has tremendous potential to improve our lives. But like any powerful technology, it also has a dark side: it will observe and implement many of our actions. Security in the IoE is likely to be even more critical than general Internet security. After reviewing some of the challenges in creating a secure IoE, Horowitz will describe a new research program at Stanford to address this issue.
IOT Security. Internet of Things impact is everywhere from your bedroom to office. Everyone should be aware about iot security to run it without any hassle and security risk.
Why you should take IOT security training course ?
Learn about risks of unsecured enterprise and home IoT devices connecting to the Internet and able to share the information they generate.
Iot security training covers these topics :
Device and platform vulnerabilities,
Authentication and authorization,
Web interface and software,
Transport encryption,
Management issues,
Privacy and security enhancements and other iot issues
Iot and security risks :
Most serious IoT security risks involve software. Software attacks can exploit entire systems, steal information, alter data, deny service and compromise or damage devices.
In a phishing attack, for example, Attackers also use malware, such as viruses, worms and Trojans, to damage or delete data, steal information, monitor users and disrupt key system functions.
Learn about:
IoT Principles
Principles of IoT Security
IoT Attack Areas
IoT Vulnerabilities
IoT Firmware Analysis
IoT Software Weaknesses
IoT Security Verification, Validation
Assessing IoT devices attack surfaces
Evaluation of IoT device firmware analysis, attack surface, vulnerabilities and exploiting the vulnerabilities
Request more information.
Visit tonex.com for iot security training course and workshop detail.
https://www.tonex.com/training-courses/iot-security-training-iot-security-awareness/
Presented at Internet of Things Stream Conference 2015 in San Francisco by Mark Benson on April 2nd, 2015.
ABSTRACT: The growth of IoT is occurring at an incredible rate, justly raising alarms about security and privacy issues as we become increasingly reliant on these intelligent, interconnected devices in our lives and businesses. How are we to protect billions of devices from attacks and intrusions that could compromise our personal privacy, public safety, or business viability? Building an IoT solution involves securing sensors, devices, networks, cloud platforms, web applications, and mobile applications for diverse industries. This presentation examines the landscape of emerging security challenges posed by connected devices and offers a catalog of security deployment patterns that have been successfully used by some of the world’s most well known OEMs to deploy connected product fleets.
Internet of Things (IoT) is an emerging platform for human interaction. As such it needs enough security and privacy guarantees to make it an attractive platform for people to come onboard.
Internet of things are exploding. This whitepaper would help product developers to understand the Security and Privacy issues, their impact and a recommendation for embedding the best practices during PDLC.
In developing for IoT, security is not often the highest priority: APIs exposed without care and devices deployed with default passwords become gateways to your network and your data. Many best practices can be used to thwart attacks on your devices, but they have to be thought through from the first architectural design. This session covers many recent IoT attacks, their consequences, and how they could have been prevented. It also explores the many security levels one device can have, from totally exposed to completely secured against physical tampering and identity theft.
We did not predict the Internet, the Web, social networking, Facebook, Twitter, millions of apps for smart-phones, etc. New research problems arise due to the large scale of devices, the connection of the physical and cyber worlds, the openness of the systems of systems, and continuing problems of privacy and security. It is hoped that there is more cooperation between the research communities in order to solve the myriad of problems sooner as well as to avoid re-inventing the wheel when a particular community solves a problem.
IoT security and privacy: main challenges and how ISOC-OTA address themRadouane Mrabet
Internet Society (ISOC) aims are:
make security an integrated function of connected objects and encourages IoT device and service providers for consumers to adopt the Online Trust Alliance (OTA) security and privacy principles ;
increase the consumer demand for security and privacy in the IoT devices they purchase;
create government policies and regulations that promote better security and privacy features in IoT devices.
Security Fundamental for IoT Devices; Creating the Internet of Secure ThingsDesign World
In this webinar we will discuss the state of security for IoT devices, the threats that exists for IoT devices and the challenges for building secure IoT devices. We will also discuss the technologies available to ensure your IoT device is secure.
The IoT Era Begins
Components of IoT-Enabled Things
IoT Reference model
IoT Security
IoT Security & Privacy Req. defined by ITU-T
An IoT Security Framework
IoT Security Challenges
Internet of Things - Liability
IoT security tools
This presentation discusses about IoT, challenges associated with it, common threats to IoT. It also briefs about how OWASP introduces Vulnerabilities in IoT.
The Internet of Things (IoT) is thriving network of smart objects where one physical object can exchange information with another physical object. In today’s Internet of Things (IoT) the interest is the concealment and security of data in a network. The obtrusion into Internet of Things (IoT) exposes the extent with which the internet of things is vulnerable to attacks and how such attack can be detected to prevent extreme damage. It emphasises on threats, vulnerability, attacks and possible methods of detecting intruders to stop the system from further destruction, this paper proposes a way out of the impending security situation of Internet of things using IPV6 Low -power wireless personal Area Network.
"The State of IoT Security" Keynote by Shawn Henry at Inform[ED] IoT SecurityCableLabs
Join Shawn Henry as he discusses his vision of IoT Security. What will be the impact of insecured IoT devices for consumers in the home, smart cities and other industrial and critical infrastructures? Looking forward five years, what is the landscape to consider?
Shawn Henry
President, CrowdStrike Services & CSO
https://www.cablelabs.com/informed/
IoT stands for Internet of Things.The internet of things, or IoT, is a system of interrelated computing devices, mechanical and digital machines, objects, animals or people that are provided with unique identifiers (UIDs) and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction.
IoT Security Training covers The Internet of Things security and examines IoT conventions, potential dangers, vulnerabilities, misuse, information breaks, security system and alleviation. IoT security training, Internet of Things (IoT) devices Include: manufacturers, retailers in customer hardware, social insurance, processing plant production network stockrooms, transportation offices and numerous others.
Learn about:
IoT Principles: The Internet of Things Overview
Principles for Connected Devices
IoT Design Principles
Principles of IoT Security
IoT Attack Areas
IoT Vulnerabilities
IoT Firmware Analysis
IoT Software Weaknesses
IoT Security Verification, Validation and Testing
IoT Security Assessment on IoT devices
Assessing IoT devices attack surfaces
Evaluation of IoT device firmware analysis, attack surface
Vulnerabilities and exploiting the vulnerabilities
Course Topics Include:
Overview and analysis of IoT devices and IoT implementation use cases
IoT Architecture
IoT Architectural and Design Requirements
IoT Security Fundamentals
IoT Security Standards
NIST Framework: Cyber Physical Systems
IoT Governance and Risk Management
IoT Security Compliance and Audit
IoT Encryption and Key Management
IoT Identity and Access Management IoT Security Challenges
IoT Security in Critical Infrastructure
IoT Security in Personal infrastructure
IoT Vulnerabilities
Wireless Security applied to IoT
ZigBee and Bluetooth Security
LTE and Mobile Security
Cloud-based web interface security
Call us today at +1-972-665-9786. Learn more about this course audience, objectives, outlines, seminars, pricing , any other information. Visit our website link below.
IoT SecurityTraining, IoT Security Awareness 2019
https://www.tonex.com/training-courses/iot-security-training-iot-security-awareness/
Embedded computing is everywhere. It is in our car engines, refrigerators, and even in the singing greeting cards we send. With improvements in wireless technology, these systems are starting to talk with each other, and they are appearing in places like our shoes and wrists to monitor our athletic activity or health. This emerging Internet of Everything (IoE) has tremendous potential to improve our lives. But like any powerful technology, it also has a dark side: it will observe and implement many of our actions. Security in the IoE is likely to be even more critical than general Internet security. After reviewing some of the challenges in creating a secure IoE, Horowitz will describe a new research program at Stanford to address this issue.
IOT Security. Internet of Things impact is everywhere from your bedroom to office. Everyone should be aware about iot security to run it without any hassle and security risk.
Why you should take IOT security training course ?
Learn about risks of unsecured enterprise and home IoT devices connecting to the Internet and able to share the information they generate.
Iot security training covers these topics :
Device and platform vulnerabilities,
Authentication and authorization,
Web interface and software,
Transport encryption,
Management issues,
Privacy and security enhancements and other iot issues
Iot and security risks :
Most serious IoT security risks involve software. Software attacks can exploit entire systems, steal information, alter data, deny service and compromise or damage devices.
In a phishing attack, for example, Attackers also use malware, such as viruses, worms and Trojans, to damage or delete data, steal information, monitor users and disrupt key system functions.
Learn about:
IoT Principles
Principles of IoT Security
IoT Attack Areas
IoT Vulnerabilities
IoT Firmware Analysis
IoT Software Weaknesses
IoT Security Verification, Validation
Assessing IoT devices attack surfaces
Evaluation of IoT device firmware analysis, attack surface, vulnerabilities and exploiting the vulnerabilities
Request more information.
Visit tonex.com for iot security training course and workshop detail.
https://www.tonex.com/training-courses/iot-security-training-iot-security-awareness/
Presented at Internet of Things Stream Conference 2015 in San Francisco by Mark Benson on April 2nd, 2015.
ABSTRACT: The growth of IoT is occurring at an incredible rate, justly raising alarms about security and privacy issues as we become increasingly reliant on these intelligent, interconnected devices in our lives and businesses. How are we to protect billions of devices from attacks and intrusions that could compromise our personal privacy, public safety, or business viability? Building an IoT solution involves securing sensors, devices, networks, cloud platforms, web applications, and mobile applications for diverse industries. This presentation examines the landscape of emerging security challenges posed by connected devices and offers a catalog of security deployment patterns that have been successfully used by some of the world’s most well known OEMs to deploy connected product fleets.
Internet of Things (IoT) is an emerging platform for human interaction. As such it needs enough security and privacy guarantees to make it an attractive platform for people to come onboard.
Internet of things are exploding. This whitepaper would help product developers to understand the Security and Privacy issues, their impact and a recommendation for embedding the best practices during PDLC.
In developing for IoT, security is not often the highest priority: APIs exposed without care and devices deployed with default passwords become gateways to your network and your data. Many best practices can be used to thwart attacks on your devices, but they have to be thought through from the first architectural design. This session covers many recent IoT attacks, their consequences, and how they could have been prevented. It also explores the many security levels one device can have, from totally exposed to completely secured against physical tampering and identity theft.
We did not predict the Internet, the Web, social networking, Facebook, Twitter, millions of apps for smart-phones, etc. New research problems arise due to the large scale of devices, the connection of the physical and cyber worlds, the openness of the systems of systems, and continuing problems of privacy and security. It is hoped that there is more cooperation between the research communities in order to solve the myriad of problems sooner as well as to avoid re-inventing the wheel when a particular community solves a problem.
IoT security and privacy: main challenges and how ISOC-OTA address themRadouane Mrabet
Internet Society (ISOC) aims are:
make security an integrated function of connected objects and encourages IoT device and service providers for consumers to adopt the Online Trust Alliance (OTA) security and privacy principles ;
increase the consumer demand for security and privacy in the IoT devices they purchase;
create government policies and regulations that promote better security and privacy features in IoT devices.
Security Fundamental for IoT Devices; Creating the Internet of Secure ThingsDesign World
In this webinar we will discuss the state of security for IoT devices, the threats that exists for IoT devices and the challenges for building secure IoT devices. We will also discuss the technologies available to ensure your IoT device is secure.
The IoT Era Begins
Components of IoT-Enabled Things
IoT Reference model
IoT Security
IoT Security & Privacy Req. defined by ITU-T
An IoT Security Framework
IoT Security Challenges
Internet of Things - Liability
IoT security tools
This presentation discusses about IoT, challenges associated with it, common threats to IoT. It also briefs about how OWASP introduces Vulnerabilities in IoT.
The Internet of Things (IoT) is thriving network of smart objects where one physical object can exchange information with another physical object. In today’s Internet of Things (IoT) the interest is the concealment and security of data in a network. The obtrusion into Internet of Things (IoT) exposes the extent with which the internet of things is vulnerable to attacks and how such attack can be detected to prevent extreme damage. It emphasises on threats, vulnerability, attacks and possible methods of detecting intruders to stop the system from further destruction, this paper proposes a way out of the impending security situation of Internet of things using IPV6 Low -power wireless personal Area Network.
IoT References:
https://www.techrepublic.com/article/how-to-secure-your-iot-devices-from-botnets-and-other-threats/
https://www.peerbits.com/blog/biggest-iot-security-challenges.html
https://www.bankinfosecurity.asia/securing-iot-devices-challenges-a-11138
https://www.sumologic.com/blog/iot-security/
https://news.ihsmarkit.com/press-release/number-connected-iot-devices-will-surge-125-billion-2030-ihs-markit-says
https://cdn.ihs.com/www/pdf/IoT_ebook.pdf
https://go.armis.com/hubfs/Buyers%E2%80%99%20Guide%20to%20IoT%20Security%20-Final.pdf
https://www.techrepublic.com/article/smart-farming-how-iot-robotics-and-ai-are-tackling-one-of-the-biggest-problems-of-the-century/
Video Resources:What is the Internet of Things (IoT) and how can we secure it?
https://www.youtube.com/watch?v=H_X6IP1-NDc
What is the problem with IoT security? - Gary explains
https://www.youtube.com/watch?v=D3yrk4TaIQQ
What are the Challenges of IoT Security?
IoT has many of the same security challenges that other systems have. There are, however, some challenges that are unique to IoT.
1. Embedded Passwords. Embedding passwords in IoT devices make it easy for remote support technicians to access devices for troubleshooting and simplifies the installation of multiple devices. Of course, it also simplifies access to devices for malicious purposes.
2. Lack of device authentication. Allowing IoT devices access to the network without authenticating opens the network to unknown and unauthorized devices. Rogue devices can serve as an entry point for attacks or even as a source of attacks.
3. Patching and upgrading. Some IoT devices do not provide a simple (or any) means to patch or upgrade software. This results in many IoT devices with vulnerabilities continuing to be in use.
4. Physical hardening. Physical access to IoT devices can introduce risk if those devices are not hardened against physical attack. Such an attack may not be intended to damage the device, but rather to extract information. Simply removing a microSD memory card to read its contents can give an attacker private data, as well as information such as embedded passwords that may allow access to other devices.
5. Outdated components. When vulnerabilities are discovered in hardware or software components of IoT devices, it can be difficult and expensive for manufacturers or users to update or replace them. As with patches, this results in many IoT devices with vulnerabilities continuing to be used.
6. Device monitoring and management. IoT devices do not always have a unique identifier that facilitates asset tracking, monitoring, and management. IT personnel do not necessarily consider IoT devices among the hosts that they monitor and manage. Asset tracking systems sometimes neglect to include IoT devices, so they sit on the network without being managed or monitored.
Most of these issues can be attributed to security being an afterthought (if a thought at all) in the design and manufacturing of IoT devices. Even tho ...
Final Research Project - Securing IoT Devices What are the Challe.docxvoversbyobersby
Final Research Project - Securing IoT Devices: What are the Challenges?
Internet security, in general, is a challenge that we have been dealing with for decades. It is a regular topic of discussion and concern, but a relatively new segment of internet security is getting most attention—internet of things (IoT). So why is internet of things security so important?
The high growth rate of IoT should get the attention of cybersecurity professionals. The rate at which new technology goes to market is inversely proportional to the amount of security that gets designed into the product. According to IHS Markit, “The number of connected IoT devices worldwide will jump 12 percent on average annually, from nearly 27 billion in 2017 to 125 billion in 2030.”
IoT devices are quite a bit different from other internet-connected devices such as laptops and servers. They are designed with a single purpose in mind, usually running minimal software with minimal resources to serve that purpose. Adding the capability to run and update security software is often not taken into consideration.
Due to the lack of security integrated into IoT devices, they present significant risks that must be addressed. IoT security is the practice of understanding and mitigating these risks. Let’s consider the challenges of IoT security and how we can address them.
Some security practitioners suggest that key IoT security steps include:
1. Make people aware that there is a threat to security;
2. Design a technical solution to reduce security vulnerabilities;
3. Align the legal and regulatory frameworks; and
4. Develop a workforce with the skills to handle IoT security.
Final Assignment - Project Plan (Deliverables):
1) Address each of the FOURIoT security steps listed above in terms of IoT devices.
2) Explain in detail, in a step-by-step guide, how to make people more aware of the problems associated with the use of IoT devices.
Bottom of Form
Top of Form
Bottom of Form
I have to create a matrix with unique pointers and do the following :
1.Matrix a, b
2.Matrix c(b)
3.Matrix d=a
4.Matrix e=a+b
Every element from matrix is a unique pointer. First, I have to create a class matrix with constructor destructor(rule of 5 if it is possible).
At first in main, I have to create 2 object a, b, Matrix type.
At 2.I have to create another object c that have as constructor the object b
3.to copy all element from matrix a to d
4.To add Matrix a with Matrix b and the sum to be copy in Matrix e
IoT References:
https://www.techrepublic.com/article/how-to-secure-your-iot-devices-from-botnets-and-other-threats/
https://www.peerbits.com/blog/biggest-iot-security-challenges.html
https://www.bankinfosecurity.asia/securing-iot-devices-challenges-a-11138
https://www.sumologic.com/blog/iot-security/
https://news.ihsmarkit.com/press-release/number-connected-iot-devices-will-surge-125-billion-2030-ihs-markit-says
https://cdn.ihs.com/www/pdf/IoT_ebook.pdf
https://go.armis.com/hubfs/Buyers%E2%80%99%20G ...
Internet of things (IoT) Architecture Security AnalysisDaksh Raj Chopra
This Document Briefly summarizes the Security and Privacy Concern Evaluation of Internet of Things (IoT)’s Three Domain Architecture. The Security implementation challenges faced
by IoT devices are addressed along with newly Added Requirement for these devices. The Architecture which we will be using throughout our analysis is explained so as to a novice
user. We will summarize the possible attacks and countermeasures for each and every domain followed by a developer friendly checklist to be followed for security.
Yesterday Pierluigi Paganini, CISO Bit4Id and founder Security Affairs, presented at the ISACA Roma & OWASP Italy conference the state of the art for the Internet of Things paradigm. The presentation highlights the security and privacy issues for the Internet of Things, a technology that is changing user’s perception of the technology.
Final Research Project - Securing IoT Devices What are the Challe.docxtjane3
Final Research Project - Securing IoT Devices: What are the Challenges?
Internet security, in general, is a challenge that we have been dealing with for decades. It is a regular topic of discussion and concern, but a relatively new segment of internet security is getting most attention—internet of things (IoT). So why is internet of things security so important?
The high growth rate of IoT should get the attention of cybersecurity professionals. The rate at which new technology goes to market is inversely proportional to the amount of security that gets designed into the product. According to IHS Markit, “The number of connected IoT devices worldwide will jump 12 percent on average annually, from nearly 27 billion in 2017 to 125 billion in 2030.”
IoT devices are quite a bit different from other internet-connected devices such as laptops and servers. They are designed with a single purpose in mind, usually running minimal software with minimal resources to serve that purpose. Adding the capability to run and update security software is often not taken into consideration.
Due to the lack of security integrated into IoT devices, they present significant risks that must be addressed. IoT security is the practice of understanding and mitigating these risks. Let’s consider the challenges of IoT security and how we can address them.
Some security practitioners suggest that key IoT security steps include:
1. Make people aware that there is a threat to security;
2. Design a technical solution to reduce security vulnerabilities;
3. Align the legal and regulatory frameworks; and
4. Develop a workforce with the skills to handle IoT security.
Final Assignment - Project Plan (Deliverables):
1) Address each of the FOURIoT security steps listed above in terms of IoT devices.
2) Explain in detail, in a step-by-step guide, how to make people more aware of the problems associated with the use of IoT devices.
Bottom of Form
Top of Form
Bottom of Form
IoT References:
https://www.techrepublic.com/article/how-to-secure-your-iot-devices-from-botnets-and-other-threats/
https://www.peerbits.com/blog/biggest-iot-security-challenges.html
https://www.bankinfosecurity.asia/securing-iot-devices-challenges-a-11138
https://www.sumologic.com/blog/iot-security/
https://news.ihsmarkit.com/press-release/number-connected-iot-devices-will-surge-125-billion-2030-ihs-markit-says
https://cdn.ihs.com/www/pdf/IoT_ebook.pdf
https://go.armis.com/hubfs/Buyers%E2%80%99%20Guide%20to%20IoT%20Security%20-Final.pdf
https://www.techrepublic.com/article/smart-farming-how-iot-robotics-and-ai-are-tackling-one-of-the-biggest-problems-of-the-century/
Video Resources:What is the Internet of Things (IoT) and how can we secure it?
https://www.youtube.com/watch?v=H_X6IP1-NDc
What is the problem with IoT security? - Gary explains
https://www.youtube.com/watch?v=D3yrk4TaIQQ
What are the Challenges of IoT Security?
IoT has many of the same security challenges that other systems have. There are, howe.
Final Research Project - Securing IoT Devices What are the Challe.docxlmelaine
Final Research Project - Securing IoT Devices: What are the Challenges?
Internet security, in general, is a challenge that we have been dealing with for decades. It is a regular topic of discussion and concern, but a relatively new segment of internet security is getting most attention—internet of things (IoT). So why is internet of things security so important?
The high growth rate of IoT should get the attention of cybersecurity professionals. The rate at which new technology goes to market is inversely proportional to the amount of security that gets designed into the product. According to IHS Markit, “The number of connected IoT devices worldwide will jump 12 percent on average annually, from nearly 27 billion in 2017 to 125 billion in 2030.”
IoT devices are quite a bit different from other internet-connected devices such as laptops and servers. They are designed with a single purpose in mind, usually running minimal software with minimal resources to serve that purpose. Adding the capability to run and update security software is often not taken into consideration.
Due to the lack of security integrated into IoT devices, they present significant risks that must be addressed. IoT security is the practice of understanding and mitigating these risks. Let’s consider the challenges of IoT security and how we can address them.
Some security practitioners suggest that key IoT security steps include:
1. Make people aware that there is a threat to security;
2. Design a technical solution to reduce security vulnerabilities;
3. Align the legal and regulatory frameworks; and
4. Develop a workforce with the skills to handle IoT security.
Final Assignment - Project Plan (Deliverables):
1) Address each of the FOURIoT security steps listed above in terms of IoT devices.
2) Explain in detail, in a step-by-step guide, how to make people more aware of the problems associated with the use of IoT devices.
Bottom of Form
Top of Form
Bottom of Form
IoT References:
https://www.techrepublic.com/article/how-to-secure-your-iot-devices-from-botnets-and-other-threats/
https://www.peerbits.com/blog/biggest-iot-security-challenges.html
https://www.bankinfosecurity.asia/securing-iot-devices-challenges-a-11138
https://www.sumologic.com/blog/iot-security/
https://news.ihsmarkit.com/press-release/number-connected-iot-devices-will-surge-125-billion-2030-ihs-markit-says
https://cdn.ihs.com/www/pdf/IoT_ebook.pdf
https://go.armis.com/hubfs/Buyers%E2%80%99%20Guide%20to%20IoT%20Security%20-Final.pdf
https://www.techrepublic.com/article/smart-farming-how-iot-robotics-and-ai-are-tackling-one-of-the-biggest-problems-of-the-century/
Video Resources:What is the Internet of Things (IoT) and how can we secure it?
https://www.youtube.com/watch?v=H_X6IP1-NDc
What is the problem with IoT security? - Gary explains
https://www.youtube.com/watch?v=D3yrk4TaIQQ
What are the Challenges of IoT Security?
IoT has many of the same security challenges that other systems have. There are, howe ...
WHITE PAPER▶ Insecurity in the Internet of ThingsSymantec
The Internet of Things (IoT) market has begun to take off. Consumers can buy connected versions of nearly every household appliance available. However, despite its increasing acceptance by consumers, recent studies of IoT devices seem to agree that “security” is not a word that gets associated with this category of devices, leaving consumers potentially exposed.
To find out for ourselves how IoT devices fare when it comes to security, we analyzed 50 smart home devices that are available today. We found that none of the devices enforced strong passwords, used mutual authentication, or protected accounts against brute-force attacks. Almost two out of ten of the mobile apps used to control the tested IoT devices did not use Secure Sockets Layer (SSL) to encrypt communications to the cloud. The tested IoT technology also contained many common vulnerabilities.
All of the potential weaknesses that could afflict IoT systems, such as authentication and traffic encryption, are already well known to the security industry, but despite this, known mitigation techniques are often neglected on these devices. IoT vendors need to do a better job on security before their devices become ubiquitous in every home, leaving millions of people at risk of cyberattacks
An Internet of Things Reference Architecture Symantec
The Internet of Things (IoT) already helps billions of people. Thousands of smart, connected devices deliver new experiences to people throughout the world, lowering costs, sometimes by billions of dollars. Examples include connected cars, robotic manufacturing, smarter medical equipment, smart grid, and countless industrial control systems. Unfortunately, this growth in connected devices brings increased security risks. Threats quickly evolve to target this rich and vulnerable landscape. Serious risks include physical harm to people, prolonged downtime, and damage to equipment such as pipelines, blast furnaces, and power generation facilities. As several such facilities and IoT systems have already been attacked and materially damaged, security must now be an essential consideration for anyone making or operating IoT devices or systems, particularly for the industrial Internet.
Thought Leadership Webinar - Internet of things (IoT): The Next Cyber Securit...ClicTest
We are in the age of Cybercrimes and just getting started with Internet of Things. There will be a huge demand for IoT as 50 billion connected devices will be deployed across the globe by 2020. These devices will communicate with each other where the web and the physical world will meet with different set of internet infrastructure and protocols. This in turn, will not only help us in saving money, but also provide us with more options.
Discussion Topics:
• The importance of IoT
• How will they impact in our everyday lives?
• Is Internet of Things Secure?
• Securing Internet of Things
But, the Tech buzz is all about: Security of Things (Security in the Internet of Things). How far these Internet of Things can be trusted? Can these IoT devices be hacked? How they have become the Next Cyber Security Target for hackers? How can we secure Internet of Things?
For more details, please visit www.clictest.com or drop us an email to info@clictest.com
What is artificial intelligence,Hill Climbing Procedure,Hill Climbing Procedure,State Space Representation and Search,classify problems in AI,AO* ALGORITHM
Introduction of GPRS
QoS in GPRS
GPRS Network Architecture
GPRS Network Operation
Data Service,
Application,
Limitation In GPRS
Billing and Charging In GPRS
Global system for mobile communication(GSM)Jay Nagar
~Introduction
~GSM Architecture
~GSM Entities
~SMS Service In GSM
~Call Routing In GSM
~PLMN Interfaces
~GSM Addresses and Identifiers
~Network aspects in GSM
~Handover
~Mobility Management
~GSM Frequency Allocation
~Authentication and Security In GSM
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
IoT Vulnerability Analysis and IOT In security Controls
1. GURUGRAM CYBER CRIME CELL
INTERNSHIP PROGRAM2017
RESEARCH PAPER
ON
Jay Nagar
Information security researcher
Email: nagarjay007@gmail.co
Cell:+91-9601957620
Website : www.jaynagarblog.wordpress.com
Research By:
Er. Jay Nagar
Saffrony InstituteOf Technology
IoT Vulnerability Analysis and IOT Insecurity Controls
2. OVERVIEW
The Internet of Things (IoT) markethas begun to take off. Consumers can buy
connected versions of nearly every household appliance available. However,
despite its increasing acceptance by consumers, recentstudies of IoTdevices
seem to agree that “security” is not a word that gets associated with this category
of devices, leaving consumers potentially exposed. To find out for ourselves how
IoTdevices fare when it comes to security, we analyzed 50 smarthome devices
that are available today. We found that none of the devices, enforced strong
passwords, used mutualauthentication, or protected accounts against brute-
forceattacks. Almosttwo out of ten of the mobile apps used to control the tested
IoTdevices did not useSecure Sockets Layer (SSL) to encryptcommunications to
the cloud. The tested IoTtechnology also contained many common
vulnerabilities. All of the potential weaknesses thatcould afflict IoTsystems, such
as authentication and traffic encryption, arealready well known to the security
industry, butdespite this, known mitigation techniques are often neglected on
these devices. IoTvendors need to do a better job on security before their devices
become ubiquitous in every home, leaving millions of people at risk of
cyberattacks.
3. INTRODUCTION
“The use of weakpasswordsisa securityissue thathasrepeatedlybeenseeninIoTdevices.”
Our IoTdevices were analyzed and threats due to malware of IoT devices were investigated.First is analyzing
Telnet-based scans in Darknet(usingunused IP addresses),we recognized that the attacks (scans) on Telnet had
dramatically increased since2014.Moreover, by grabbingTelnet banners and web contents of the attackers,a
majority of the attacks were indeed from IoT devices.Motivated by this,we proposed IoTPOT, a novel honeypot to
emulate Telnet services of various its devices to analyses ongoingattacks in depth with backend high interaction
virtual environments called IoTBOX (sandbox analysisfor IoTdevices) for different CPU architectures.Over 39 days
of experimental operation, we observed 76,605 download attempts of malwarebinaries from16,934 visitingIPs.
We also confirmed thatnone of these binaries could havebeen captured by existinghoneypots that handled
Telnet protocol such as honey and telnet password honeypot becausethey were not ableto handledifferent
incomingcommands sent by the attackers.Combiningthe observations results of IoTPOTand the sandbox analysis
by IoTBOX,
We confirmed that
I) There were at leastfour distinct malwarefamilies spreadingvia Telnet,
ii) There common behavior was performing DDoS and further propagation over Telnet,
iii) Some families evolved quickly,updatingfrequently and shippingbinaries for a variety of CPU architectures,
even in the limited observation period of 39 days.
Based on the work on the vulnerableIoT devices which were owned by individualswithoutany management, we
propose a method to implement security controls for the less-controlled IoTdevices.The security controls should
be provided from three different angles.
1) Security guidelines should beprovided to improve IoTdevice owners’ awareness such as promotingthe use of
appropriateIDs and Passwords,
2) Proper shippingof IoTdevices by IoT vendors for the initial settingof a more secure use of the Internet (e.g.
closeport 23)
3) Removing malwares from infected IoT, or stoppingthe activation of malwares (deletion of registry,exe, or
scheduler).
It is importantto consider a time-line of IoT devices,that is,a) most of the vulnerableIoT devices are already in the
market and in use (already shipped),b) IoT devices are goingto be shipped by IoT vendors,and c) future types of
IoT devices of which we arestill notableto for see the characteristics.The above security control 1) could be
applicablefor all a)-c),however, security control 2) is for b) and security control 3) is basically for a).
Furthermore, in connection with the security control 3), the implementation of an appropriatesoftware/firmware
update function was significantly importantfor IoT devices in all time-lines (a)-c)).In this paper,consideration is
given to this update function for IoT software/firmware based on the ITS secure update procedure. Finally,a listof
research topics for the IoT environment is provided for future collaborativeresearch.
4. Key findings
Duringour research,we foundissuessuchasthe following:
• Around19 percentof all testedmobile appsthatare usedtocontrol IoTdevicesdidnotuse Secure
SocketLayer(SSL) connectionstothe cloud
• None of the analyzeddevicesprovidedmutual authenticationbetweenthe clientandthe server
• Some devicesofferednoenforcementandoftennopossibilityof strongpasswords
• Some IoTcloudinterfacesdidnotsupporttwo-factorauthentication(2FA)
• Many IoT servicesdidnothave lock-outordelayingmeasurestoprotectusers’accountsagainst brute-
force attacks
• Some devicesdidnotimplementprotectionsagainstaccountharvesting
• Many of the IoT cloudplatformsincludedcommonwebapplicationvulnerabilities
• We foundtensecurityissuesinfifteenwebportalsusedtocontrol IoTdeviceswithoutperformingany
deeptests.Six of themwere seriousissues,allowingunauthorizedaccesstothe backendsystems.
• Most of the IoT servicesdidnotprovide signedorencryptedfirmware updates,if updateswere
providedatall IntroductionRecent Gartnerresearchpredictsthatthere will be more than2.9 billion
connectedIoTdevicesinconsumersmarthome environmentsin20151 . These connecteddevicescould
provide amuch largersurface for attackersto targethome networks.Currently,mostproposedIoT
attacks are proof-of-conceptsandhave yettogenerate anyprofitforattackers.Thisdoesnot meanthat
attackerswon’ttarget IoTdevicesinfuture,evenif itisjusttomisuse the technologyorhave a
persistentanchorina home network.The use of weakpasswordsisasecurityissue thathas repeatedly
beenseeninIoTdevices.These devicesoftendonothave a keyboard,soconfigurationhastobe done
remotely.Unfortunately,notall vendorsforce the usertochange the devices’defaultpasswordsand
manyhave unnecessaryrestrictionswhichmake the implementationof long,complex passwords
impossible.The OpenWebApplicationSecurityProject’s(OWASP) Listof TopTenInternetof Things
Vulnerabilitiessumsupmostof the concernsand attack vectorssurroundingthiscategoryof devices:
• Insecure webinterface
• Insufficientauthentication/authorization
• Insecure networkservices
• Lack of transportencryption
• Privacyconcerns
• Insecure cloudinterface
• Insecure mobile interface
• Insufficientsecurityconfigurability
• Insecure software/firmware
5. CONNECTED HOMEDEVICES
“With the Internetof Things(IoT) findingitswayintothe homes,there are lotsof new devicesthatcan
connectto the same network.”
Connectedhome devices there are manydifferentsmarthome devicesavailable onthe markettoday,
and the numberissteadilyincreasing.Forthispaper,we lookedat50 differentdevicesfromthe
followingcategories:
• Smartthermostats
• Smartlocks
• Smartlightbulbs
• Smartsmoke detectors
• Smartenergymanagementdevices
• Smarthubs
Our findings could also apply to other IoT devices and smart home products, such as:
• Securityalarms
• Surveillance IPcameras
• Entertainmentsystems(smartTV,TV set-topboxes,etc.)
• Broadbandrouters
• Networkattachedstorage (NAS) devicesSmarthome devicesmayalsouse a back-endcloudservice to
monitorusage or allowuserstoremotelycontrol these systems.Userscanaccessthisdata or control
theirdevice throughamobile applicationorwebportal.
Home network topology
Today’shome networksare typicallymade upof a broadbandrouterofferinginternetaccesstodevices
throughWi-Fi andEthernetconnections.Mostof the devicesthatconnectto these home networks
include laptops,desktopcomputers,andmobiledevices,suchasphonesandtablets.Everythingis
connectedinthe local networkandcan communicate freelywithone another.Connectionstothe
internetare directedthroughthe central router,whichmaycontainbasicfirewallfilteringfunctionality.
Withthe Internetof Things(IoT) findingitswayintothe homes,there are lotsof new devicesthatcan
connectto the same network.These devicescanbe classifiedintwobasiccategories.One category,
whichincludesTV set-topboxes,usesalready-existingnetworkingtechnologiessuchasWi-Fi and
Ethernetconnections.The othercategory,whichincludessensors,mayuse differentwireless
technologiesthatbettersuitsome of the devices’needs,suchaslower energyconsumptionorad-hoc
networkcoverage.There iscurrentlynosingle standardprotocol inIoT.
6. As a result,we have seenIoT
devicesthatsupportsome of
the followingcommunication
methods:
• Z-Wave
• Zigbee
• Powerline
• Bluetooth4.0
• Otherradiofrequency(RF)
protocols
Z-Wave,Zigbee andPowerline
are the mostcommon protocols
usedbyhome automation
manufacturersatthe moment.
There are some hybridsolutions
that use bothPowerline and
customRF protocols.Amongthe smart hubdevicesthatwe tested,66 percentofferedZ-Waveand48
percentofferedZigBee connectivity.
Figure 1. The smart home ecosystem
Devicesthatuse a single wirelessconnectivityprotocoloftenrelyonacentral hubdevice tohandle the
coordinationof the communication.Thiscould,forexample,be asmart lightbulbthatcan be switched
on or off througha webportal runningon a local hub.The usercan access the webportal throughtheir
webbrowserandcontrol lightbulbsconnectedtothe hub.Due to IoT’sneedto use simple integrations
and the broad use of the IEEE 802.11 wirelessstandards,manynew deviceshave switchedtoregular
Wi-Fi forcommunicationwhere possible.
Some classesof devicestrytoprovide everypossible optionforconnection.Outof all of the deviceswe
lookedat,58 percentsupportedWi-Fi connectivity.Table.FeaturesofferedinanalyzedIoTdevices
Home device featuresNumberof analyzeddevicesthatsupportfeature Percentage of analyzeddevices
that supportfeature SupportsWi-Fi connections.
7. EXAMPLE ATTACKS:
“For our test,we usedthe preconditionthatthe attackerhassuccessfullycrackedthe Wi-Fi password
and has accessto the local network.”
In order to showhow simple, itistoconduct an attack againstconnectedhome devices,we will
describe twoof the attack scenariosthatwe performedduringourtests.We usedthe LightwaveRFand
BelkinWeMosmart hubsinthese examples,thoughsimilarattacksare possible againstotherdevices.
For our test,we usedthe preconditionthatthe attackerhassuccessfullycrackedthe Wi-Fi passwordand
has accessto the local network.We believethatthisisa reasonable assumptiontomake,giventhat
manypeople use weakpasswordstoprotecttheirwirelessnetworkathome.
By usinga networksniffersuchasWiresharktoanalyze the networktraffic,we noticedthatthe
LightwaveRFsmarthubgeneratescertainnetworktrafficeachtime itrestartsandevery15 minutesto
checkfor firmware updates.The devicesendsthistraffictoa remote Trivial File TransferProtocol (TFTP)
serveronthe Internet.Since thisconnectionisneitherencryptednorauthenticated,itcaneasilybe
targetedbyan attacker withaccessto the network,allowingthemtoconducta man-in-the-middle
(MITM) attack.
In our tests,we chose touse AddressResolutionProtocol (ARP)poisoningtoredirectthe smarthub’s
requesttoour ownTFTP server.Since the firmware update isanunsignedblobinaraw format,it iseasy
to unpackand modifyit.Once the modifiedfirmware updateisservedtothe device andinstalled,the
attackergets full control overthe smarthub device andcouldstartattackingotherconnecteddevices
fromthere.
In additiontothis,attackerscan sniff the RFlinkfor commandpacketsandreplaythem.Witha smart
hubthat just turnsdevicesonandoff,itonlyreceivesasmall numberof differentcommandpackets.As
8. a result,the attackersdon’tneedtoworry aboutbreakinganypairingif theyare close enoughtothe
device toinjectspoofedpackets.Thiscanallow themtotake control of the targeteddevice.
Anotherattackexample focusesonthe BelkinWeMoconnectedswitch.Inthiscase,we analyzedthe
networktrafficthatwas sentfromthe device’scontrollerapplication.The device didnotrequire the
userto provide authenticationinordertoconnectto it.If the attackeris onthe same networkasthe
device,theycansendanycommandstheywantto the connectedswitch.
Researchershave createdpubliclyavailablemodulesforthe penetrationframeworkMetasploitthat
couldgive attackersa way to injectcode inthe BelkinWeMoconnectedswitch.Thiscouldallow themto
run commandsas the root useron the switch.Alongwiththis,the switch’s firmware isencryptedwith
GNU PrivacyGuard (GPG),but the private keyhasbeenextractedandsharedonthe internet.Attackers
couldtarget bothof these issuesandcompletelyreprogramthe s witch.Researchersdiscoveredfurther
vulnerabilitiesinthe switchlastyear,whichhave since beenfixedbythe vendor.
Attack surface
Attackerscan interceptorchange the behaviorof smarthome devicesinmanyways.Some methods
require physical accesstothe device,makinganattackmore difficulttoconduct.Otherattackscan be
carriedout overthe internetfroma remote location.The followingsectionslistthe differentattack
scenariosbasedonthe access level thatthe attackermayhave.
Physical access
An attackercan gain the highestlevel of accessto the smart home device if theygetphysical accesstoit.
Althoughthismightseemlikeanimprobableattackvector,itisstill a plausiblethreat.Yourfriendscould
gainphysical accessto yourIoT device toplaya prankwhile visitingyou.Anex-boyfriendorgirlfriend
couldattemptto reconfigure some of the deviceswhile theystill have accesstothe home.Forsome
devices,suchassecuritycamera,an attackercouldsimplycutthe cablestoturn themoff.
Anotherplausible physical accessattackscenariotakesadvantage of the marketforsecond-handIoT
devices.Some usersmightbuyauseddevice off the internetinordertosave some money,butcould
endup witha device thathasbeencompromisedtospyon people.
Smart home devicescouldalsobe compromisedthroughsupplychainhacks.Inthisscenario,attackers
compromise asuppliercompany’snetworkandTrojanize theirsoftware updates,allowingthe threatto
spreadto any device thatavailsof the poisonedupdate.Thisisnota new scenario;we have seenattack
groupsconduct supply-chainattackstospreadtheirmalware totraditional computersmanytimes
before,suchasduringsome of the HiddenLynx attackers’campaigns.Unfortunately,thereiscurrently
no easywayto verifythatan IoT device hasnotbeentamperedwith.
Havingphysical accessto the device allowsthe attackertoalterconfigurationsettings.These could
include issuinganewdevice pairingrequest,resettingthe devicetofactorysettingsandconfiguringa
newpassword,orinstallingcustomSSLcertificatesandredirectingtraffictoa servercontrolledbythe
attacker.
9. Physical accessmayalsoallowa skilledattackertoreadthe device’sinternal memoryanditsfirmware.
Theycould do thisby accessingprogrammaticinterfacesleftonthe circuitboard,suchas JTAG and
RS232 serial connectors.Some microcontrollersmayhave disabledthese interfaces,butcouldstill allow
directreadsfrom the attachedmemorychipsif the attackersoldersonnew connectionpins.
Readingthe internal memoryandreversingthe firmwareallowsanattackerto betterunderstandhowa
device works,allowingthemtofindvulnerabilities,cryptographickeymaterials,backdoors,ordesign
flawsthatcouldbe usedtoperformfurtherattacks.If the attackergainsa full understandingof the
firmware,theycoulduse thisknowledgetocreate theirownmaliciousversionof the firmwareand
uploaditto the device.Thiscouldgive the attackerfull control overthe device.Thisactof re-flashing
the device maybe conductedthroughthe JTAG or RS232 connection.
Most newdevicesofferwaysforuserstoupdate the firmware throughoutthe lifecycle of the device.
These updatescouldarrive throughaUSB connection,an SD card, or overthe network.The majorityof
testeddevicesdidnotuse encryptednordigitallysignedtheirfirmware updates,makingiteasyforan
attackerto generate a valid,maliciousfirmwareupdate thatcouldbe installed.
Local attacks over Wi-Fi/Ethernet
An attackerwithaccessto the local home network,eitherwirelesslyorthroughanEthernetconnection,
isable to performvariousattacksagainstsmart home devices.There are generallytwocommonmodes
of forsmart home devices:cloudpollinganddirectconnection.Dependingonthe function,the device
may use eitherof these methodstoreceivecommands.
Cloud polling
In the case of cloudpolling,the smarthome device isinconstantcommunicationwiththe cloud.The
device checksthe cloudservertosee if there are any commandsto be executedandthenuploadsits
currentstatus.The device mayuse thismethodif itwantsto keeppollingthe cloudservertocheckif
there isa newfirmware versionavailablethatneedstobe downloadedandinstalled.
Attackersmayneedto performanMITM attack to targetsuch an implementation.Forthistosucceed,
the attackerscan try andredirectnetworktrafficwithnetwork-level attacks,suchasARPpoisoningor
by modifyingthe domainname system(DNS)settings.A self-signedcertificate ortoolssuchasSSLstrip
can helpattackersinterceptHTTPSconnections.
Unfortunately,some of the testeddevicesdonotverifyif the certificate istrustedandbelongstothe
vendorat all−theyapprove of the connectionaslongasit’sdone overHTTPS. To make mattersworse,
none of the testeddevicesperformamutual SSLauthentication,where bothsidesauthenticate with
one anotherinsteadof justthe serverauthenticatingwiththe client.Mostdevicescompletelyignore
certificate revocationlists,allowinganattackerto use keysthatwere obtainedthroughadata breach
withoutanyproblem.
10. Direct connection
Some devicesuse directconnectionstocommunicate withahubor applicationinthe same network.
For example,amobile appmaybe able toscan the local networkfornew devicesandlocate themby
probingeveryIPaddressfora specificport.Anothermethodistouse the Simple Service Discovery
Protocol/Universal PlugandPlay(SSDP/UPNP) protocol todiscover the devices.Thismeansthatany
attackercould dothe same to easilyfindthesedevices.
A commonmistake thatwe’ve seeninthese devicesisthe use of unencryptednetwork
communications.Almosttwooutof ten(19 percent) of the testeddevicescommunicate totheirback-
endcloudservice orapplicationwithoutencryption,suchasSSL. For communicationsinthe local
network,the numberof unencryptedconnectionsisevenhigher.The lackof encryptionraisesamajor
privacyconcern.Devicesmaypasspersonal data,logincredentials,ortokensincleartext,lettingan
attackerinterceptthem.
The most commonmethodforusersto interactwithan IoT device isthroughawebbrowseror a
smartphone app.More powerful devicesrunasmall webserverandallow the userto use a web-based
GUI to sendcommands.Otherdevicesoffertheirownapplication programminginterface (API) thatthe
usercan interactwith.If the userwantsto remotelycontrol the deviceswhenthey’re notathome,then
theyneedtobe able toopenan inboundportat the router.This maybe done througha UPNPrequest
or may be manuallyimplementedbythe user.
Many of these interfaceshave beenfoundtobe vulnerable tocommonandknowntypesof
vulnerabilities,includingthe following:
• Use of unauthenticatedrequeststoperformactions(forexample,reconfiguration,dataretrieval,
managementfunctions,etc.)
• Abilitytoperformunrequestedfirmware upgrades
• Commandinjections
• Buffer/heapoverflows
• OWASP’sListof the Top Ten WebVulnerabilities:
• Infectionflaws
• Brokenauthentication
• Cross-site scripting(XSS)
• Insecure directobjectreferences
• Securitymisconfiguration
• Sensitive dataexposure
• Missingfunction-level accesscontrol
• Cross-site requestforgery(CSRF)
11. Malware
Malicioussoftware installedonanydevice connectedtothe home networkcouldhave the abilityto
interactwithsmart home devicesandletthe attackerperformthe attacksas previouslydescribed.Most
likely,acompromisedsmartphoneorcomputercouldbe usedtoattack otherdevices.One of the
biggestconcernsisthat an infectedIoTdevice wouldremaincompromisedforaverylongtime,asthere
iscurrentlyno integratedsecuritysoftware thatcoulddetectitandnouser interface thatcouldinform
the userof any issues.
Fortunately,asof now,we have notseenwidespreadmalware attacksagainstIoTdevices.The news
reportabout spam-sendingfridgesturnedouttobe untrue,buttechnically,itispossible.Proof-of-
conceptmalware hasbeendevelopedforIoTdevices,suchassmart TVs.Furthermore,we have seen
malware attackingrouters,NAS,andsimilardevicesforawhile now.
It isjust a matterof time until attackersfindawayto profitfromattackingIoT devices.Thismayleadto
connectedtoastersthatmine cryptocurrenciesorsmartTVsthat are heldransombymalware.
Unfortunately,the currentstate of IoTsecuritydoesnotmake it difficultforattackersto compromise
these devicesonce theysee the benefitof doingso.
Cloud infrastructureattacks
A smart home device mayinclude aback-endcloudservice,dependingonthe categoryof the device.In
our tests,68 percentof the devicesofferedacloudservice.Suchaservice couldbe usedforstatistical
purposes,suchas loggingthe home’selectricityusage orCO2 levelsoveranumberof months.Other
cloudsystemsallowthe remote managementof IoTdevices,suchaslightbulbsor heating.Some
vendorsevenforce the usertoconnectto theircloudback-endsystemanddonot provide userswith
the optionof locallymanagingtheirdevices.The companieseitherprovideaccesstothe cloudservice
througha smartphone applicationorawebportal,where userscan login.
Unfortunately, nearlyall of the testedIoTcloudservicesallow the usertochoose weakpasswords,such
as “1234”. Evenworse,manyservicespreventthe userfromusingstrongpasswordswithasufficient
level of complexity,due tounreasonable restrictions.One service,forexample,restrictedthe usertoa
PIN code witha maximum lengthof fournumbers.Thismakesiteasyforany attackerthat knowsthe
user’semail addresstobrute-force theirPIN code andtake overtheiraccount.
Most of the analyzedservicesdon’tlockusersoutof theiraccountsafter a numberof failedlogin
attempts,furtherallowingattackerstobrute-force accounts.None of the analyzedback-endcloud
servicesprovidedthe optionof two-factorauthentication(2FA).
Some of the cloudinterfaceshave anunsecure passwordrecoverymethodorreveal toomuch
informationduringthe recoveryprocess,suchasdisplayingthe validityof anaccount. Thiscouldleadto
account-harvestingattacks,whichmayallow the attackerstotake control of the IoT devicesandgather
the users’personal data.
All of the testedcloudmanagementconsolesusedSSLencryptionforcommunications.The serverswere
patchedagainstthe OpenSSLMan in the Middle SecurityBypassVulnerability(CVE-2014-0224), more
commonlyknownasthe Heartbleedbug.Unfortunately,some of the serviceswere still vulnerableto
12. the SSL Man In The Middle InformationDisclosure Vulnerability (CVE-2014-3566),also knownasthe
Poodle bug,andallowedthe use of weakerciphermethods.
Some cloudserviceshave logical errors,whichcouldallow anattackerto obtainsensitive customer
informationoraccessdeviceswithoutauthentication.These servicesalsocontainedcommon
managementconsole vulnerabilities,includingthose listedinOWASP’sListof the TopTen Web
Vulnerabilities.While observingnetworktraffic for15 applications,we foundandreportedten
vulnerabilitiesrelatedtocross-site scripting(XSS),pathtraversal,unrestrictedfileuploading(remote
code execution),andSQLinjection.One of the testedcloudconsolewasforsmartlocks,so this
vulnerabilitycouldhave allowedanyonetoremotelyopenthe locks.
For example,we foundthatone cloudmanagementconsole wassusceptibletoa blindSQLinjection
attack. Thisallowsanattacker to readthe console’sdatabase,whichcontainedthe logincredentialsfor
otherusers.Once the attackers obtainthe credentials,theycoulduse themaspartof a simple script
that sendsrequeststoturnoff connecteddevicesordelete entire accountsaltogether.We informedthe
vendorandthe issue hasnowbeenpatched.The mostconcerningpartisthat these webmanagement
platformsare accessible toeveryoneoverthe internet.Attackerscouldgainunauthorizedaccessto
these serviceswithoutneedinglocal accesstothe home network.Ourresearchinthisarea has only
scratchedthe surface,the relevantcloudservice vendorswouldneedtoconductfull webapplication
testsinorder to findall of the potential issuesintheirdevicesandservices.
Mitigation:
Unfortunately,itisdifficultforauserto secure theirIoT devicesthemselves,asmostdevicesdonot
provide asecure mode of operation.Nonetheless,usersshouldadhere tothe followingadvice toensure
that theyreduce the riskof these attacks:
• Use strong passwordsfordevice accountsandWi-Fi networks
• Change defaultpasswords
• Use a strongerencryptionmethodwhensettingupWi-Fi networkssuchasWPA2
• Disable orprotectremote accessto IoT deviceswhennotneeded
• Use wiredconnectionsinsteadof wirelesswhere possible
• Be careful whenbuyingusedIoTdevices,astheycouldhave beentamperedwith
• Researchthe vendor’sdevice securitymeasures
• Modifythe privacyandsecuritysettingsof the device toyourneeds
• Disable featuresthatare not beingused
• Install updateswhentheybecome available
• Use devicesonseparate home networkwhenpossible
13. • Ensure that an outage,forexample due tojammingora networkfailure,doesnotresultinaunsecure
state of the installation
• Verifyif the smartfeaturesare reallyrequiredorif a normal device wouldbe sufficient
Manufacturersof smart homedevices shouldensure that they implementbasicsecurity standardsat
the very least:
• Use SSL/TLS-encryptedconnectionsforcommunication
• Mutuallycheckthe SSL certificate andthe certificate revocationlist
• Allowandencourage the use of strongpasswords
• Require the usertochange defaultpasswords
• Do notuse hard-codedpasswords
• Provide asimple andsecure update processwithachainof trust
• Provide astandalone optionthatworkswithoutinternetandcloudconnections
• Preventbrute-force attacksatthe loginstage throughaccount lockoutmeasures
• Secure anywebinterface andAPIfrombugslistedinthe OWASPListof Top Ten Webvulnerabilities
• Implementasmart fail-safemechanismwhenconnectionorpowerislostor jammed
• Where possible,lockthe devicesdowntopreventattacksfromsucceeding
• Remove unusedtoolsanduse whitelistingtoonlyallow trustedapplicationstorun
• Use secure boot chainto verifyall software thatisexecutedonthe device
• Where applicable,securityanalyticsfeaturesshouldbe providedinthe devicemanagementstrategy
14. My Analysis
We analysisand investigateIoT devices We found the many loop holes and the threat of vulnerableIoT devices
which is compromised by malware by means of the proposed IoTPOT (honey) and IoTBOX (sandbox). The
vulnerableIoTdevices which are owned by individualswithoutany management, we proposetwo types
(approaches) of security controls for the less-controlled IoTdevices.Recognizing the current situation where many
vulnerableIoTdevices arealready infected by several types of malware, the firstapproach proposes a security
solution to remove malwarefrom infected IoT devices, or to stop the activation of malware(deletion of registry,
exe, or scheduler).In the second approach,in order to develop general security controls which arecommonly
applicable,the development of a security function for updating software/firmwaremodules located in IoT devices
is proposed.This security solution provides an initial securesoftware/firmwareupdate procedure based on the
secure software update procedure for ECUs (Electronic Control Units) in an ITS (IntelligentTransportation System)
which has been developed in an ITU-T (International Standardization Body) as proposed by authors of this paper.
Finally,a listof research topics for the IoT environment is provided for future collaborativeresearch.
Introduction
Methods:
Accordingto the current use-cases of IoT devices,we have recognized two major uses of IoT devices as follows:
Use-case-1: IoT devices are used and well controlled under the IoT based “services”such as lighting, parking,home
networking and so on. In this case,the owner of the IoTdevices is the serviceprovider and security controls should
be considered by the provider;
Use-case-2: IoT devices are purchased by individualsfor their own purposes such as health-care,home-network,
security-monitoring,and so on. In this case,the device owner is the individual who has basic responsibility for the
security.
In this paper, we basically focus on the Use-case-2. In addition to these use-cases above, we need to consider the
time-line of IoT devices in use as follows:
Time-line-a: IoT devices that are already in the market and in use (already shipped) and there aremany vulnerable
devices observed based on our previous findings [1];
Time-line-b: IoT devices that are going to be shipped by IoT vendors and in this case,there islittleroomto
implement security controls before shipping;
Time-line-c: the new types of IoT devices which are expected to be availablein about3 years.In this case,we will
not be ableto anticipatehow to use the IoT devices.
Based on the above use-cases of IoT devices (Use-case-1 and 2) and the Time-lines (a-c), the followingtwo
practical research approaches can beidentified in this paper:
Approach-1: By means of usingour previous work on IoT POT and IoT BOX, we firstly conductthe processes of
“Monitoring IoT devices”and “Analyzing IoT behaviors”.These two processes arecovered by the previous work
[1]. The next process can be identified as the “Execution of IoT security controls”for vulnera bleIoT devices and the
lastprocess is “Sharingknowledgeof IoT intelligence”to be utilized for future security management. In this paper,
we concentrate on the third process of the “Execution of IoT security controls”for IoT vulnerabledevices for Use-
case-2 and Time-line-a.
15. Approach-2: In order to develop general security controls which areapplicableto all in common, one example
could be the development of a security function for updatingsoftware/firmware modules located in the IoT
devices. This approach could beapplicablefor Use-case-2 (even for Use-case-1) and for Time-line-b and c. In this
paper, the security function of updating software/firmwarefor IoT devices is considered based on a similar
function developed for the ITS (IntelligentTransportation System) environment.
Results and discussion
Approach-1
Recognizing the current status where many vulnerableIoT devices arealready infected by several types of
malwares,methods to remove malwares from infected IoT devices,or to stop the activation of malwares (deletion
of registry,exe, or scheduler) areconsiderablesolutions in this approach.
More specifically,after identifying the “infected IoT device” by means of IoTPOT (Honey) and getting its IoTfinger-
printabout the infected IoT, the IoT finger-printinformation can then be forwarded from IoTPOT (Honey) to IoT
devices vendors or IoTintegrated maintenance centers as shown in Figure 1.
Figure 1. Scheme for curing IoT devices
In the scheme illustrated in Figure1, we basically consider a new entity of IoT devices vendors or IoTintegrated
maintenance centers. Becauseof the “illegal access protection law”established in many countries,the IoTPOT
never directly accesses theinfected IoT devices without permission obtained fromthe owner of the IoTdevices. It
is sometimes hard to obtain the permission of the IoT device owner who is an individual,becausethe device owner
sometimes has very poor awareness of the IoT device and poor security knowledge. IoT devices vendors can cure
the infected IoT devices for the purposeof maintenance of their own products (IoT devices). Furthermore, if the
device vendors don’t have the capability to cure the devices (e.g. because of the expense), then the IoT integrated
maintenance centers can be another solution to totally cover many types of IoT devices for the purposeof curing
the infected devices under contract with the IoT device vendors.
Consideringthe above scheme, we have started the testing to cure infected devices from remote in our own
experimental environment equipped with several types of IoT devices that are the same products observed by
IoTPOT. Accordingto current experimental results,itwas difficult to remove malwares in the infected IoT devices
without havingan agent software likeanti-virus-software,butit was possibleto stop activatingthe target
malwares by deleting the registry,the exe. File,or its scheduler and so on. As it was not feasiblefor IoT devices
16. vendors to deploy anti-virus-softwarein the IoT devices, therefore, curingthe IoT devices from the vendors or IoT
integrated maintenance centers was the feasiblesolution for this security control.
Approach-2
It is remarkablethat the number of IoT devices have been dramatically increasingand thus,hundreds of security
threats have been detected every day includingvulnerability identification for general ICTenvironments. It is
anticipated that the next market target of cyber-attacks (security threats) could be IoT environments. Considering
the above circumstances,the function of secure remote updating software and/or firmware insideIoTdevices
should be a major consideration in IoTmarkets.
In the ITS (IntelligentTransportation System), the above secure remote updatingfunction for ECUs (Electronic
Control Unit) in the vehiclewhich were similar to IoTdevices in terms of ITS environments have been understudy
and are being standardized on an international level.
In the context of the remote updatingfunction at the ITU-T (International Telecommunication Union –
Technology), the followingscopes of standards (Recommendation) have been identified [4]:
In the context of updates of software modules in the electric devices of vehicles in the intelligenttransportation
system (ITS) communication environment, this Recommendation aims to providea procedure of secure software
updatingfor ITS communication devices for the application layer in order to prevent threats such as tamperingof
and malicious intrusion to communication devices on vehicles.This includes a bas icmodel of software update, its
threat and risk analysis,security requirements and controls for software updates and a specification of abstract
data format of the update software module.
The procedure is intended to be applied to communication devices on ITS vehicles under vehicle-to-infrastructure
(V2I) communication by means of the Internet and/or ITS dedicated networks. The procedure can be practically
utilized by car manufacturers and ITS-related industries as a setof standard secureprocedures and security
controls.
Figure 2. Basic components for secure software updates
17. In this paper, as an initial consideration,wetried to apply the secure procedure developed by ITU-T for ECUs in the
ITS environment for the IoT software/firmware updating function. As shown in Figure2, the basic components for
the secure software update of ECUs in vehicles were “update server includinglogDB”, “Vehicle MobileGateway
(VMG, called Head Unit)” and a series of ECUs. Update information stored in the update servicewas provided by
the “Supplier of ECUs”.
In the caseof software/firmwareupdates for IoT devices,“IoT integrated maintenance centers and IoT devices
vendors” would have similar roles for the “Update service/Suppler of ECUs” in order to cure IoT devi ces in
Approach-1. “IoT devices” would be the same target component as for “ECUs”. At this point, it was not clear
whether the Gateway component for the IoT updating function was needed. Which was similarto “VMG” in the
caseof ITS.
Figure 3. Software update procedure for ITS
Before consideringthe IoT software/firmware update function, the ITS software update procedure (function)
needs to be learned in Figure 3 with the followingdescriptionsof each Steps.
1. At the firststep of the process,an update module is provided by an automotive component supplier,which
occurs asynchronously with the following
2. As the initiation of the update procedure starts,a vehiclemobile gateway (VMG) requests ECUs to submittheir
software list.
3. An ECU checks its software status,generates a listof software modules and reports it to the VMG.
4. The VMG submits the collected listto the update server to check whether any update for the vehicleexists.
5. The update server sends back a receipt of the submitted listto the VMG.
6. Accordingto the list,the update server inspects the status of the installed softwareof the vehicleand
determines the necessary software updates for the ECUs.
18. 7. Since this inspection may take a longtime, VMG periodically checks the necessity of the updates for the vehicle.
8. If there is any update, the update server sends an access uniformresourcelocators (URLs) for the updates;
otherwise, itsends back only an acknowledgement message.
9. If there is any update for the vehicle, the VMG connects to the update server to download the update modules
for the vehicle.
10. Before applyingthe updates to the ECUs, the VMG notifies the driver to confirmthe application of the updates.
11. The driver confirms and accepts to apply the updates.
12. VMG delivers the update files to the correspondingECUs and requests them to apply the updates (See 6.2.3).
13. Each ECU applies theupdate and reports the application resultto the vehiclemobilegateway.
14. The vehiclemobile gateway submits a report of the application results to the update server.
15. Finally theupdate server sends back a
• Receipt of the update information.If the
• Application of the update has failed or
• Some remainingupdate is found, the update
• Server retries the procedure from step 6 to
• 14 until the application has succeeded.
As the basic assumption for investigatingtheIoT software update procedure (function), the “IoT update handler”
in IoT devices should be basically implemented by IoT devices vendors in order to provide update functions for the
IoT devices. Based on the above software update procedure for the ITS environment,
we propose the followingsoftwareupdate procedure which can be simplified and adaptablefor IoTdevices as
follows:1. At the firststep of the process,an update module should be provided by an IoT devices vendor, and be
stored in the IoT integrated maintenance center/IoT devices vendors. The update occurs asynchronously with the
followingsteps.
2. We can eliminatestep-2 of the ITS for IoT update.
3. We can eliminatestep-3 of the ITS for IoT update.
4. The IoT device submits a status information concerningthe software/firmware implemented in the IoT device
to the “IoT integrated maintenance center/IoT devices vendors” askingto check whether any update for the IoT
device exists.
5. The “IoT integrated maintenance center/IoT devices vendors” sends back a receipt of the submitted status
information to the IoT device.
6. Accordingto the status information,the “IoT integrated maintenance center/IoT devices vendor” inspects the
status of the installed softwareof the IoT device and determines the necessary softwareupdates for the IoT
device.
7. We can eliminatestep-7 of the ITS for the IoT update.
8. If there is any update, the “IoT integrated maintenance center/IoT devices vendor” sends an access uniform
resourcelocators (URLs) for the updates; otherwise, itsends back only an acknowledgement message.
19. 9. If there is any update for the IoT device, the IoT device connects to the “IoT integrated maintenance center/ IoT
devices vendor” to download the update modules for the IoT device.
10. We can eliminatestep-10 of the ITS for the IoT updat 11. We can eliminatestep-11 of the ITS for the IoT
update.
12. We can eliminatestep-12 of the ITS for the IoT update.
13. The IoT device applies the update and reports the application resultto the “IoT integrated maintenance
center/IoT devices vendor”.
14. We can eliminatestep-14 of the IT’S for the IoT update.
15. Finally the“IoT integrated maintenance center/IoT devices vendor” sends back a receipt of the update
information.If the application of the update has failed or some remainingupdate is found, the “IoT integrated
maintenance center/IoT devices vendor” retries the procedure from step 6 to 13 until the application has
succeeded. It should be noted that number of retries should be defined in the policy statement provided by the IoT
device vendor.
Mobile ApplicationInterface
Thisdomaincoversdirectcommunicationbetweenmobile applicationsandadevice (e.g.,overWi-Fi or
Bluetooth).Thisdoesnotcoverindirectcommunications,suchasthose througha back-endservice.
1. Sensitive Data SecuredTest: Is all sensitive datasentbetweenthe device andmobileapplications
encrypted?
Impact: Withoutadequate protection,sensitivedatacan be monitoredbyattackerswiththe capability
to observe local networktraffic.
Thisattack can be avoidedwiththe use of encryptionorthe absence of messagesthatinclude sensitive
data.
2. TLS Certificate ValidationTest: If mobile applicationsemployTLS/SSL,dothose applicationsfollow
bestpracticesand properlyvalidatethe device’sTLScertificate (e.g.,throughcertificatepinning)?
Impact: The impropervalidationof certificatesallowsattackerswiththe capabilitytoperformaman-in-
the-middle attack,whichcouldgive themaccesstoall data sentbetweenthe applicationandthe
service.
20. Discussion and future research topics
Approaches-1 and -2 only providesecurity controls for reducingthe impactagainstinfected malwarein IoT devices
and for providinginitial updatesolution for the IoT device software/firmware update. However, the two
approaches do not cover the rest of security issues for IoTenvironments.
The followingfurther studies arerequired in connection with the two approaches in this paper:
A) Cyber-security information captured by our IoTPOT (honey) should be correctly and appropriately shared with
the right stakeholders includingresearchers for activecollaboration on IoTvulnerability analysis;
B) Remote curingmethod should be further investigated includingevaluation under the text-bed environment;
C) IoT software/firmware update function and procedures should be further practically evaluated through
experimental environments;
D) IoT security guidelines should bedeveloped and standardized for IoT device owners, IoT serviceproviders and
IoT device vendors. Furthermore, in addition to the above issues,the followingresearch topics should beshared
and investigated among researchers and experts:
E) Developing a generic IoT system model and reference architecture and investigatingthe management/
measurement of IoT security includingtheIoT risk assessmentmethod;
F) Another detection method of malwares,malfunctions and/or intrusionsfor IoTdevices (rather than using
IoTPOT);
G) Study of a light-weight crypto mechanismfor data confidentiality of IoT communications;
H) Appropriate Authentication and Access control utilized for IoT environments in a light-weight manner;
I) Incident handlingschemes for IoT environments includingthreats information sharing;
J) Depending on the generic IoT model, the roleof the Gateway function should be investigated includingGateway
security;
K) Issues related to Privacy and BigData under the IoT environment should be studied;
L) A secure design of application for IoTsystems should be also investigated.
The research topics listed aboveare the initial candidates of research for IoTdevices, IoT systems and IoT
environments in order to kick-off the research discussion regardingIoTissues.Themethod ofuse of IoT devices
and IoT system may differ in different regions such as in EU, US and Asia,however, the above research topics can
be generally applicablefor many regions with cross-region collaboration.
21. References
Pa Pa, YM, Suzuki, S, Yoshioka,K,Matsumoto, T, Kasama,T and Rossow,C 2015, ‘IoTPOT: Analysingthe Riseof IoT
Compromises’, 9th USENIX Workshop on Offensive Technologies (USENIX WOOT 2015)
Yoshioka,K 2016 IoT Security - Research Center for Information and Physical Security,Yokohama National
University,viewed 1 May 2016,<http://ipsr.ynu.ac.jp/iot/index.html>
Eto, M, Inoue, D, Song, J, Nakazato, Ohtaka, K and Nakao, K 2011,‘nicter: a large-scalenetwork incidentanalysis
system: casestudies for understandingthreat landscape’,BADGERS 11 Proc.FirstWorkshop Build.Anal.Datasets
Gather. Exp. Returns Secure
Eto, M and Nakao, K 2016 ‘Secure software update capability for intelligenttransportation systemcommunication
devices’ ITU-T draftRecommendation