
12th ANNUAL SYMPOSIUM ON INFORMATION ASSURANCE (ASIA '17), JUNE 7-8, 2017, ALBANY, NY

ASIA '17 93

Framework to analyze the vulnerabilities in IOT

Pavankumar Mulgund, Manish Gupta, Suvir Singh, Siddharth Walia, Raj Sharman

School of Management, University at Buffalo, The State University of New York, Buffalo, New York

Abstract—The buzzword ‘Internet of things’ (IOT) presents a lot of excitement and promise for businesses and society around us. With more than a billion connected devices and machines in use, the opportunity for IOT-enabled transformation has been progressively increasing in the last couple of years. Not only the existing large organizations but also the emerging startups are seeing measurable benefits from the Internet of Things. IOT has the potential to grow exponentially, as pointed out by most research organizations such as Gartner, McKinsey and IDC.

Keywords – Internet of things, OWASP, security breaches, vulnerability identification, vulnerability analysis, security hacking, security controls

Not everything is as red and rosy for the Internet of things. Concerns over the privacy and security of the data and applications that surround IOT have the potential to seriously limit its growth. Consumers and employees are increasingly concerned about how the exposed data might be used, besides the risk of criminals stealing their data and identity during a breach. IoT applications continuously demand data security improvements. According to the Privacy Rights Clearinghouse, there were 215 publicly disclosed security breaches in 2014, exposing over 8.5 million personal records. Devices in the Internet of Things (IoT) generate, process, and exchange vast amounts of security- and safety-critical data, including sensitive private information, and hence are appealing targets of various attacks. As IOT becomes more integrated into the daily fabric of our lives and of industry at large, society will increasingly depend on the functioning of IOT. Any interruption to the proper functioning of IOT could have a tremendous disruptive effect on our lives. Apart from malfunctioning, a major cause of IOT failure, from a functional and data security perspective, could come from data breaches and security violations. Hence there is a need for increased research in this area.

In this paper, we analyze security violations and breaches that have occurred in the world of IOT thus far. Using this information, we have developed a framework to classify IOT security vulnerabilities. Further, we perform a trend analysis of various vulnerabilities and point out the need for more work in this emerging space.

I.   INTRODUCTION

According to Gartner [2], the IoT will grow to 26 billion units installed in 2020, representing an almost 30-fold increase from 0.9 billion in 2009 [12]. According to a Cisco report [5], the number of connected devices will reach the 50 billion mark by 2020. International Data Corporation (IDC) estimates that the worldwide IoT market will grow from $655.8 billion in 2014 to $1.7 trillion in 2020. Devices, connectivity, and IT services will likely make up two-thirds of the IoT market in 2020, with devices (modules/sensors) alone representing more than 30 percent of the total. Morgan Stanley, however, projects 75 billion networked devices by 2020. McKinsey Global Institute suggests that the financial impact of IoT on the global economy may be as much as $3.9 to $11.1 trillion by 2025. Looking out further and raising the stakes higher, Huawei forecasts 100 billion IoT connections by 2025 [3][4].

II.   DEFINITION

“The Internet of Things is the network of physical objects that contains embedded technologies to communicate and sense or interact with their internal states or the external environment.” - The Internet of Things, Gartner.

IoT is not new: although IoT is a hot topic today, it is not a new concept. The phrase “Internet of Things” was coined by Kevin Ashton in 1999; the concept was relatively simple, but powerful. According to the researcher, if we had computers that knew everything there was to know about things, using data they gathered without any help from us, we would be able to track and count everything, and greatly reduce waste, loss and cost. We would know when things needed replacing, repairing or recalling, and whether they were fresh or past their best [6].

“The Internet of Things has the potential to change the world, just as the Internet did. Maybe even more so.” - Kevin Ashton [7].

Billions of people are connected to the internet today by connected devices, and this number is expected to exceed 50 billion by the year 2020. Clearly the digital transformation of the physical world has the potential to affect every single person and every business regardless of its type and size.

Futurists believe that in a very short span of time IoT will have sensing, analytics and visualization tools which can be used by anyone and anywhere. This accessibility can be at a personal level, community, society or at a national level. The flexibility to provide services to all sectors ranging from home automations to connected cars, smart retails to smart cities, will help in building and enabling an environment that will suit everyone [8].

When physical assets, equipped with sensors, give an information system the ability to capture, communicate, and process data—and even, in a sense, to collaborate—they create game-changing opportunities: production efficiency, distribution, and innovation all stand to benefit immensely. - McKinsey Quarterly 2015[9]

Profiles based upon the trustworthiness of the device will increase the complexity of the system. To compound the problem at hand, the interconnected nature of IoT devices means that every poorly secured device that is connected online will potentially affect the security and resilience of the Internet globally; hence there are alarm bells all around IoT [17][18][19].

A problem dogging this space is a lack of in-depth knowledge, which makes prediction of threat vectors and new threat agents difficult. The leading IoT security reports [15][16][21] from Verizon, EY and the OWASP Top Ten IoT Vulnerabilities indicate that their vulnerability assessments were based on an HPE Fortify report that tested 10 IoT devices in 2014 and predicted future vulnerabilities in this space [20].

The current security reports of 2016 still refer to the same HPE report and make predictions for vulnerabilities in IoT devices for 2020. Clearly the industry has moved on, and new devices, new businesses, new verticals have emerged creating a need for more contemporary research.

III.   A LITTLE INSIGHT ABOUT OWASP

OWASP (Open Web Application Security Project): The Open Web Application Security Project is an open-source project for application security. It also focuses on analyzing and identifying security vulnerabilities in the Internet of Things. The OWASP Internet of Things Project (Figure 1) is designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things, and to enable users in any context to make better security decisions when building, deploying, or assessing IoT technologies.

Fig. 1. OWASP top ten Internet of Things Vulnerabilities [21]

IV.   BLUEPRINT OF THE RESEARCH WORK

Fig. 2. Research Blueprint

V.   METHODOLOGY AND DATA COLLECTION

We started by looking at innovative companies and got an insight into how things are changing in these companies because of this new disruption. We conducted a qualitative analysis with 50+ subject matter experts and saw that security was a big concern, as new startups and even mid-size companies do not know what they are up against. The threat vectors have changed, and the assets are so inter-related that vulnerabilities can be exposed from anywhere: not just from your own controlled environment but from any other device which had an exposed vulnerability. The SMEs were also worried about the impact of these security flaws, as there is a potential impact on the physical environment, which may cause fatal injuries to an individual as well. We analyzed all the previous hacks, looked into the IoT hacking blogs, read the news articles of the last 4 years and marked out 40 breaches and hacking attempts made by hackers or even by research institutes, which exposed a lot of information for us to conduct our research.

We collected data from January 1st, 2012 to February 26th, 2016 and covered 40 breaches/hack attempts in this entire span. Data had to be pruned to remove overlapping information between the news reports and the public hacking disclosures. Data collection involved all of the obtainable information for all of the hacks that were made open on public forums. We got partial information for the company name, date of the hack, when the fix was done, cost of the product, hacking steps etc., as shown in the blueprint below.


The one thing that was consistent was the vulnerabilities, and one product hack often exhibited more than one vulnerability. Hence, we decided to go forward with product vulnerabilities as the target variable and started the process of cleaning and standardizing the data. This data was then fed into and compared with the data from OWASP, which has proposed ten classes of vulnerabilities and provides several examples of the vulnerabilities that go into each of these classes. We compared and matched our findings to the ones proposed by OWASP. In this process we also found several new vulnerabilities that are not covered by OWASP, and hence we created a new class for the vulnerabilities unmapped to OWASP. Figure 2 provides an overview of the approach adopted for this study. To summarize, the following steps were performed as part of the research methodology:

1. A search was conducted in social media, websites, blogs and research institutes to find potential breaches or hacks of IoT devices.
2. Classification of the hack as a potential IoT hack was performed.
3. A standard template was created capturing all the relevant information from several sources for every IoT hack.
4. Parameters like cost, brand, date of hack, date of fix, vulnerabilities, hacking steps, impact, remedial steps taken etc. were captured.
5. Missing data was not ignored. It was captured and recorded as ‘missing’.
6. The OWASP top 10 vulnerability classes for IoT were segregated into 41 examples and compared with the findings.
7. Vulnerabilities of the hacks were mapped to the OWASP examples (for IoT), and unmapped ones were captured in a new class.
8. Verticals were borrowed as a standard from HBR and placed in the data sheet.

VI. DATA ANALYSIS

Documented in 2014, OWASP identified 10 major categories [22] of vulnerabilities for the Internet of Things in its IoT Top 10, which are summarized below. The table in each section below shows the results from our analysis of IoT breaches with regard to that specific vulnerability.

1. Insecure Web Interfaces: An insecure web interface can be present when issues such as account enumeration, lack of account lockout or weak credentials are present. Insecure web interfaces are prevalent as the intent is to have these interfaces exposed only on internal networks; however, threats from internal users can be just as significant as threats from external users.

| Insecure Web Interface | Count | S no of Product (Refer to Appendix A) |
|---|---|---|
| Account Enumeration | 0 | NA |
| Weak Default Credentials | 17 | 3,4,5,7,9,11,12,13,14,16,17,18,22,24,29,35,36 |
| Credentials Exposed in Network Traffic | 5 | 2,11,19,26,38 |
| Cross-site Scripting (XSS) | 0 | NA |
| SQL-Injection | 2 | 14,34 |
| Session Management | 0 | NA |
| Account Lockout | 0 | NA |

Table 1: Attacks due to Insecure Web Interface

2. Insufficient Authentication / Authorization: Authentication may not be sufficient when weak passwords are used or are poorly protected. Insufficient authentication/authorization is prevalent as it is assumed that interfaces will only be exposed to users on internal networks and not to external users on other networks.

| Insufficient Authentication/Authorization | Count | S no of Product (Refer to Appendix A) |
|---|---|---|
| Lack of Password Complexity | 5 | 4,31,33,34,35 |
| Poorly Protected Credentials | 7 | 4,11,14,19,20,33,38 |
| Lack of Two Factor Authentication | 3 | 36,39,40 |
| Insecure Password Recovery | 0 | NA |
| Privilege Escalation | 0 | NA |
| Lack of Role Based Access Control | 2 | 29,38 |

Table 2: Attacks due to poor authorization and authentication

3. Insecure Network Services: This class deals with insecure network services which may be susceptible to buffer overflow attacks or attacks that create a denial of service condition, leaving the device inaccessible to the user. Denial of service attacks against other users may also be facilitated when insecure network services are available. Insecure network services can often be detected by automated tools such as port scanners and fuzzers.

| Insecure Network Services | Count | S no of Product (Refer to Appendix A) |
|---|---|---|
| Vulnerable Services | 0 | NA |
| Buffer Overflow | 2 | 6,19 |
| Open Ports via UPnP | 4 | 12,13,16,38 |
| Exploitable UDP Services | 1 | 24 |
| Denial-of-Service | 1 | 7 |
| DoS via Network Device Fuzzing | 1 | 34 |

Table 3: Insecure Network Services

4. Lack of Transport Encryption: Lack of encryption at the transport layer allows data to be viewed as it travels over local networks or the internet. Lack of transport encryption is prevalent on local networks as it is easy to assume that local network traffic will not be widely visible; however, in the case of a local wireless network, misconfiguration of that wireless network can make traffic visible to anyone within range of that wireless network.

| Lack of Transport Encryption | Count | S no of Product (Refer to Appendix A) |
|---|---|---|
| Unencrypted Services via the Internet | 14 | 4,2,3,15,16,23,27,29,31,32,33,34,35,39 |
| Unencrypted Services via the Local Network | 1 | 1 |
| Poorly Implemented SSL/TLS | 7 | 1,8,10,16,21,23,34 |
| Misconfigured SSL/TLS | 1 | 27 |

Table 4: Attacks due to lack of transport encryption

5. Privacy Concerns: Privacy concerns are generated by the collection of personal data, and the lack of proper protection of that data is prevalent.

| Privacy Concerns | Count | S no of Product (Refer to Appendix A) |
|---|---|---|
| Collection of Unnecessary Personal Information | 3 | 10,27,29 |

Table 5: Attacks due to privacy concerns

6. Insecure Cloud Interface: An insecure cloud interface is present when easy-to-guess credentials are used or account enumeration is possible.

| Insecure Cloud Interface | Count | S no of Product (Refer to Appendix A) |
|---|---|---|
| Account Enumeration | 0 | NA |
| No Account Lockout | 0 | NA |
| Credentials Exposed in Network Traffic | 0 | NA |

Table 6: Attacks due to insecure cloud interface

7. Insecure Mobile Interface: An insecure mobile interface is present when easy-to-guess credentials are used or account enumeration is possible. Insecure mobile interfaces are easy to discover by simply reviewing the connection to the wireless networks and identifying whether SSL is in use, or by using the password reset mechanism to identify valid accounts, which can lead to account enumeration.

| Insecure Mobile Interface | Count | S no of Product (Refer to Appendix A) |
|---|---|---|
| Account Enumeration | 1 | 14 |
| No Account Lockout | 0 | NA |
| Credentials Exposed in Network Traffic | 1 | 24 |

Table 7: Attacks due to insecure mobile interface

8. Insufficient Security Configurability: Lack of permitted security configurations is present when users of the device have limited or no ability to alter its security controls.

| Insufficient Security Configurability | Count | S no of Product (Refer to Appendix A) |
|---|---|---|
| Lack of Granular Permission Model | 3 | 15,17,20 |
| Lack of Password Security Options | 2 | 4,15 |
| No Security Monitoring | 0 | NA |
| No Security Logging | 0 | NA |

Table 8: Attacks due to insufficient security configurability

9. Insecure Software/Firmware: The lack of ability for a device to be updated presents a security weakness on its own. Software/firmware can also be insecure if it contains hardcoded sensitive data such as credentials.

| Insecure Software/Firmware | Count | S no of Product (Refer to Appendix A) |
|---|---|---|
| Encryption Not Used to Fetch Updates | 1 | 5 |
| Update File not Encrypted | 3 | 6,19,29 |
| Update Not Verified before Upload | 5 | 9,15,16,18,23 |
| Firmware Contains Sensitive Information | 2 | 6,23 |
| No Obvious Update Functionality | 2 | 12,29 |

Table 9: Attacks due to insecure software/firmware

10. Poor Physical Security: Physical security weaknesses are present when an attacker can disassemble a device to easily access the storage medium and any data stored on that medium.

| Poor Physical Security | Count | S no of Product (Refer to Appendix A) |
|---|---|---|
| Access to Software via USB Ports | 1 | 29 |
| Removal of Storage Media | 2 | 18,29 |

Table 10: Poor physical security

11. New Unmapped Vulnerabilities: 24 vulnerabilities have been found that are not mapped against any OWASP-defined class.

| New Class | Count | S no of Product (Refer to Appendix A) |
|---|---|---|
| Poor Physical Design | 2 | 1,20 |
| Lack of technical support for products from 3rd Party sellers | 1 | 5 |
| Lack of secured re-authentication | 3 | 11,25,32 |
| Taking device down in presence of fake strong signal (Disassociation) | 1 | 11 |
| OS Command Injection | 2 | 18,19 |
| Authentication By-Pass | 4 | 18,19,21,37 |
| XML Injection | 1 | 23 |
| Reverse Engineering and Code Modification | 5 | 24,30,31,34,35 |
| Fail unsecure | 1 | 25 |
| Not able to turn off feature | 1 | 28 |
| Vulnerable and unrestricted API | 3 | 28,39,37 |

Table 11: Attacks due to new class of vulnerabilities

VII. RESULTS FROM THE RESEARCH

As the race between time to market and security controls gets more intense, it is important to understand what exactly the security concerns are and where a company should be investing its resources the most. For this, past experience, or the history of hacks among IoT devices, plays a crucial role. It is hard to ignore the public findings. Also, as noted above, the industry security papers and models are based on a report that covered just ten devices; hence we should take into account the movement that has happened in the last two years and develop capabilities to handle new vulnerabilities, prioritized according to the time and money a company wants to spend on security.

Fig. 3. OWASP Vulnerabilities Classes for IoT and research findings

In Figure 3 we can see that the various OWASP classes have different examples of vulnerabilities associated with them. We can clearly see that some of the examples are far more common than the others. If an organization covers weak default credentials and unencrypted services via the internet, it can cover over 30% of the vulnerabilities stated by OWASP. We see a lot of startups focusing on base-level security controls as they do not want to delay production. Though we strongly believe that security has to be involved in the entire IoT ecosystem, these startups can prioritize their efforts based on the image shown above.

Fig. 4. New vulnerabilities

In the process of aligning the vulnerabilities found across the 40 IoT devices, we saw that many of them do not belong to any of the defined OWASP classes. Hence we created a new class (Figure 4) and collected these unmapped findings into it. Almost 20% of the vulnerabilities are not covered by OWASP in its 2014 Top 10 Internet of Things Vulnerabilities classes. Hence a business should not just blindly create a security model based on the defined classes; it should cater to these new findings as well. Therefore we propose to redefine the security models based on the findings of this report. Figure 5 shows how many IoT breaches were due to each of the OWASP vulnerabilities.

Fig. 5. Summarized findings against each OWASP vulnerability class

Summarizing, we see in Figure 6 that not all the OWASP classes have been equally mapped in the recent hacks of IoT devices. Some of the vulnerabilities have been exploited a lot in recent times. This gives a clear image of where the focus should be and helps to redefine the development of IoT products in a different way. The following bubble chart highlights the seriousness of the problem and serves as a starting point for the discussion on the state of security at present and what the focus areas should be for companies in future. Clearly Figure 6 highlights that a few classes, namely Insufficient Authentication/Authorization, Insecure Web Interface, Lack of Transport Encryption and the new class of vulnerabilities, account for the majority of the findings.

Fig. 6. Bubble chart highlighting focus area

As the data collected has other variables too, we can use it to gather more findings, like the one shown below. We see that a lot of hacks were done on connected home appliances. 84 vulnerabilities were found in this vertical; some of them mapped to the existing OWASP classes, and some were put in the new vulnerability class which does not map to any of the existing classes. A lot of interesting findings came out of this analysis: as shown in Figure 7, 24% of the connected home vulnerabilities were associated with the new class. The image shown below tells us the distribution of this vertical across the new (unmapped) vulnerability class. As we can see, a lot of connected home devices were exposed to the reverse engineering and code modification vulnerability.

Fig. 7. Connected homes having new vulnerabilities not covered by OWASP

This gives a clear picture that not only do the existing OWASP classes need to be revised, but also a new category needs to be created. A reassessment of the standardized vulnerabilities should be done, and with every new hack we get new learnings, and these learnings have to be added to the standards. As organizations across all domains like healthcare, smart appliances, industrial automation, logistics, manufacturing, energy, insurance, vehicles etc. gear up for this third wave of the Internet, they should know what they are fighting against in terms of security issues. A recent report of security breaches, or even of hacks from research institutes, gives a lot of information for product development strategy.

New businesses should revamp their security models based on the above-mentioned report. Also, a genuine effort should be made to make security issues available in public so that research organizations can do the analysis and come up with new numbers which can help not only business but also society as a whole.

VIII.    ASSUMPTIONS AND LIMITATIONS

We assume that the knowledge shared in public forums by news websites, hackers and research institutes is reliable and does not contain invalid information. Any decision taken on the basis of this report must take into consideration the reasonable amount of risk in the reliability of information available in the public domain. The number of hacks in this span may be higher, and may involve different vulnerabilities; but only the ones we found in our six months of research are taken into consideration in this report. The vulnerability mapping from the text to the OWASP classes has been done very carefully, and we have tried to standardize it to make it possible for researchers to work on this report and create new security models.


All data and percentages for this study were drawn from the available public information on IoT breaches that happened during this period. While there are certainly larger numbers of IoT breaches in the market, and that number continues to move upwards on a daily basis, we believe that the similarity in results of this subset provides a good snapshot of where the market currently stands with respect to security in the Internet of Things.

REFERENCES

[1] Verizon: State of the Market: The Internet of Things 2015. http://www.verizonenterprise.com/resources/reports/rp_state-of-market-the-market-the-internet-of-things-2015_en_xg.pdf

[2] Gartner, August 2015. http://www.gartner.com/newsroom/id/3114217

[3] International Data Corporation, “IDC’s Worldwide Internet of Things Taxonomy,” 2015

[4] http://www.internetsociety.org/sites/default/files/ISOC-IoT-Overview-20151022.pdf

[5] Internet of Things – From Research and Innovation to Market Deployment, Chapter 2, ©2014 River Publishers. All rights reserved.

[6] http://www.gartner.com/it-glossary/internet-of-things

[7] Kevin Ashton, “That ‘Internet of Things’ Thing,” RFID Journal, July 22, 1999

[8] EY, Cyber-Security and the Internet of Things. http://www.ey.com/Publication/vwLUAssets/EY-cybersecurity-and-the-internet-of-things/$FILE/EY-cybersecurity-and-the-internet-of-things.pdf

[9] Jacques Bughin, Michael Chui, and James Manyika, “An executive’s guide to the Internet of Things,” McKinsey Quarterly, 2015

[10] Internet of Things – From Research and Innovation to Market Deployment, Chapter 2, 2014 River Publishers. All rights reserved.

[11] Jayavardhana Gubbi, Rajkumar Buyya, Slaven Marusic, Marimuthu Palaniswami, “Internet of Things (IoT): A vision, architectural elements, and future directions”

[12] Internet of Things – From Research and Innovation to Market Deployment, Chapter 2

[13] https://hbr.org/2014/10/the-sectors-where-the-internet-of-things-really-matters/

[14] http://www.digitalservicecloud.com/verticals.html

[15] Verizon: Data breach investigation report 2015. http://www.verizonenterprise.com/resources/reports/rp_state-of-market-the-market-the-internet-of-things-2015_en_xg.pdf

[16] EY, Cyber-Security and the Internet of Things. http://www.ey.com/Publication/vwLUAssets/EY-cybersecurity-and-the-internet-of-things/$FILE/EY-cybersecurity-and-the-internet-of-things.pdf

[17] White Paper: The Internet of Things: A CISO and Network Security Perspective. http://www.cisco.com/c/dam/en_us/solutions/industries/docs/energy/network-security-perspective.pdf

[18] Ahmad-Reza Sadeghi, Christian Wachsmann, Michael Waidner, “Security and privacy challenges in industrial internet of things,” Technische Universität Darmstadt, Germany

[19] The Internet of Things: An Overview, Internet Society (internetsociety.org)

[20] HP security report: IoT breaches 2014. http://h20195.www2.hp.com/V2/GetDocument.aspx?docname=4AA5-4759ENW&cc=us&lc=en

[21] OWASP Top 10 IoT Vulnerabilities: https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf

[22] https://www.owasp.org/images/7/71/Internet_of_Things_Top_Ten_2014-OWASP.pdf
