Basics Of IoT Security Threat Modelling

⦁ Basic of IoT Security Threat Modelling
The Internet of Things or IoT as we call it can be treated as to be interrupting the interruption. IoT where all the non humans are both clients as well as servers is said to be on the edge of widely interrupting the most famous, Internet. There was very less security at the start of Internet that led and still leads to loop holes which can be exploited by attackers leading us to think that there must not be any stone left unturned when it comes to designing security for IoT.
Now, IoT can’t be just taken lightly and dismissed believing that it is only a consumer security problem where there is mass selling of front-door cameras, exercise trackers, etc. to the general populace. IoT security is also crucial for sectors like; Government, Industry and Enterprise. When it comes to security the most commonly asked questions involve;
⦁ Consumers asking, “We’re using IoT devices. Is it even safe?”
⦁ Enterprises and Industries asking, “We’re deploying IoT devices into our environment. What are our risks?”
⦁ Developers asking, “We’re building IoT systems. What should we worry about?”
So, all these concerns can be brought to a stop when there is a list informing the stakeholders about all the loop holes and what steps should be adopted so as to bring all the insecurities discovered to a close. This leads to the concept of threat modelling that would help translate the whole of IoT environment into a more secure and safe one. So, threat modelling is more of a process that helps reason about any system whose security is of the utmost importance along with a clear understanding of the various attack surfaces that the system might possess.
Threat model helps understand the system under consideration, avoid introduction of vulnerabilities and identify the vulnerabilities prevalent in existing systems. This concept helps take steps to proactively identify all the potential issues and thereby address all of them during design process. It also provides quite a structured approach to view the systems which helps provide consistency in assessments. As and when the IoT environments are gaining complexity, it’s important for each one of them to be undergoing threat modelling. The threat modelling concept encompasses;
⦁ Deciding on scope
⦁ Building data-flow diagrams
⦁ Enumerating threats
⦁ Deciding on migrations
Now, for carrying out threat modelling of a system, first the system needs to be decomposed into series of data flows and processes with explicit identification of threat boundaries. Then it’s about identifying threats from the data flow. For this the concept of STRIDE comes up which can be treated as the expansion of common CIA (confidentiality, integrity and availability) threat types with its each letter denoted as;
⦁ Spoofing Identity
⦁ Tampering with Data
⦁ Repudiation
⦁ Information Disclosure
⦁ Denial of Service
⦁ Elevation of Privilege

Local IoT Gateway
3rd Party Web Services
Mobile Client
IoT Device

IoT Vendor
Web Client
IoT Support Services
IoT User Site

Example of Consumer IoT Threat Model
Then mapping of threats to data flow asset types is done such that each of the threat type in STRIDE is mapped with asset types namely; external interactor, process, data flow and data store. After doing this we would get a list of things that needs to be worried about and from what threats. Then it all comes down to the countermeasures that would include;
⦁ Doing nothing
⦁ Removing the feature
⦁ Turning off that specific feature
⦁ Warning the user
⦁ Countering the threat with operations like;
⦁ Accountability
⦁ Separation of Duties
⦁ Countering the threat with technology like;
⦁ Change in Design
⦁ Change in Implementation
⦁ Having no presence of “catch all” countermeasure
Some cases to keep a watch might involve initial provisioning and deployment, configuration updates, integration into enterprise AuthX infrastructure and software updates. The safety concerns surrounding every scenario possible is the confidentiality breach of regulated information and especially in Industrial IoT it is the integrity and availability breach impacting kinetic environment.
It is not necessary to have a threat modelling done for a finished product or system or when it is put for operation only. Threat modelling can still be involved when the system is in the design phase and is found to have an exposure of some kind resulting into a threat later. So, to sum it all up the concept of threat modelling helps decision making around security to be performed rationally with all accurate information laid down on the table.

⦁ Vulnerabilities and Attack Vectors in IoT
There is a wide range of vulnerabilities that exist due to use of IoT on the multiple attack surface layers that it bears. They can be described as follows;
⦁ Username Enumeration having attack surfaces as Administrative Interface, Device Web Interface, Cloud Interface and Mobile Application.

⦁ Weak Passwords with attack surfaces as Administrative Interface, Device Web Interface, Cloud Interface and Mobile Application.

⦁ Account Lockout with attack surfaces as Administrative Interface, Device Web Interface, Cloud Interface and Mobile Application.

⦁ Unencrypted Services having attack surface as Device Network Services.

⦁ Lack of two-factor authentication mechanism having attack surfaces as Administrative Interface, Cloud Web Interface and Mobile Application.

⦁ Poorly implemented encryption with attack surface as Device Network Services.

⦁ Transmitting updates without encryption with attack surface as Update Mechanism.

⦁ Update Location Writable with attack surface as Update Mechanism.

⦁ Denial of Service having attack surface as Device Network Services.

⦁ Removal of Storage Media with attack surface as Device Physical Interfaces.

⦁ No Manual Update Mechanism with attack surfaces as Update Mechanism.

⦁ Missing Update Mechanism with attack surfaces as Update Mechanism.

⦁ Absence of Firmware Version Display and/or Last Update Date Display having attack surface as Device Firmware.

⦁ Information exposure or extraction within Firmware with attack surfaces as JTAG / SWD interface, ⦁ In-Situ dumping, Intercepting an OTA update, Downloading from the manufacturers’ web page, ⦁ eMMC tapping and Unsoldering the SPI Flash / eMMC chip and reading it in an adapter.

⦁ Manipulating code execution flow of the device with attack surfaces as JTAG / SWD interface and ⦁ Side channel attacks like glitching.

⦁ Obtaining console access having attack surface as Serial interfaces (SPI / UART).

⦁ Insecure 3rd party components having attack surface as software.

Besides all these there can be three more attack vectors that could be born from IoT namely;
⦁ IoT Request Forgery
Any attacker would not want to crack through all layers of enterprise wide security just to steal data. He/she would always go for the path offering least resistance and so, IoT devices tend to fulfil this need of an attacker. The attackers would keep on sending some or the other bogus requests to any of the vulnerable devices until they finally find something worthwhile to steal.

⦁ Wearable Malware
When smart phones or maybe tablets, etc were introduced within the market, a small number of people thought of all these devices being affected by malicious software. Now fast forwarding and seeing the scenario at the present, there exists at least one phone in large organizations that has been contaminated by malware. This moves the thought ahead about the security of the wearable devices too. Even a fitness tracking watch or maybe a pair of smart glasses can easily be considered as point of easy entry for many savvy attackers.

⦁ Behemoth Botnets
Due to the poorly designed security in IoT devices, botnets tend to grow much larger and smarter. Example can be the botnet, Mirai which took down the servers across US East Coast at end of 2016 and categorized as the largest and the most complex one. There are more than enough evidences and chances to prove that botnets would be far bigger threat or an attack vector than imagined.
The concept social engineering can also be treated as a means of attack where victims can be targeted to unknowingly leak out information or give up passwords leading to malware installation thereby leading to control over the system by the attackers. The man-in-the-middle attacks can also be considered as dangerous due to cases relating to hacked smart refrigerators, smart TVs, garage door openers and many more.

The attacks on IoT devices can be categorized as under;
⦁ Physical attacks
⦁ Micro-probing
⦁ Reverse engineering, etc

⦁ Side Channel attacks
⦁ Timing Analysis
⦁ Power Analysis
⦁ Fault Analysis
⦁ Electromagnetic Analysis

⦁ Environmental attacks
⦁ Earthquake
⦁ Hurricane
⦁ Flood, etc

⦁ Cryptanalysis attack
⦁ Ciphertext-only attack
⦁ Known-plaintext attack
⦁ Chosen-plaintext attack
⦁ Man-in-the-middle attack

⦁ Software attacks
⦁ Virus
⦁ Trojan Horse
⦁ Logic Bombs
⦁ Worms
⦁ Denial of Service

⦁ Network attacks
⦁ Monitor and Eavesdropping
⦁ Traffic Analysis
⦁ Camouflage
⦁ DOS attacks
⦁ Node Subversion, Node Malfunction
⦁ Node Capture, Node Outage
⦁ Message corruption, False Node
⦁ Replication attacks, Routing attacks

⦁ Why is IoT Vulnerable?
Though protecting and securing IoT has become a major concern but the ability to address all those concerns are not evolving at the rate expected when compared to those of the products themselves as well as the concerns related to them. All this can be because the products are getting invented much faster than it can be vetted, also due to the reason that the concerned personnel are not able to vet the devices or maybe because of the fact that there exists a lot many ways to connect to the IoT devices which even the techniques used in thorough vetting with regards to security can’t necessarily prepare one for.
There are IoT products being developed as well as deployed with open source components with the only reason to release the product as soon as possible in the market having no proper or appropriate updates in place giving rise to loopholes or vulnerabilities which the security teams need to remediate as quickly as possible. Leaving aside the speed with which the products need to be put into market and the large number of devices that would lead to the loopholes, it also takes into consideration the regular ignorance and carelessness on part of manufacturers as well as the end users. All-in-all businesses have been overlooking such vulnerabilities with the exchange for keeping the promise of having accelerated business as well as market differentiation in place.
The vulnerabilities are as simple as use of default configuration settings and passwords to take out huge number of devices via simple attacks. Besides just the default configurations, the inability of the concerned personnel to update along with ridiculous amount of devices floating in the wild leads to vulnerabilities coming in from a varied range of hidden areas that includes; stretched to the limit IT security teams, stretched to the limit budgets, lack of education and awareness among non-IT employees and poor encryption in place. Now, although there are devices that come with security measures right from the manufacturing plant, but it poses no such guarantees that they would last forever or rather are not equipped enough with the appropriate security architecture that would hold off the threats for decades at a stretch. To top it all up there are consumers who are least interested and not aware of the varied security threats as well as demands for much better and improved security standards.
In addition to all other things described above, there also exists vulnerabilities due to the fact that the IoT devices are always inevitably online thereby rapidly increasing the exposure to all sorts of potential threats, which aren’t normally compatible with patching and the anti-virus software that has been created for laptops, PCs and smart phones. Even the devices once installed are rarely or may be sometimes never checked for any loopholes by the manufacturers as well as the network provider.
In fact there were beliefs among engineers that IoT devices would not be exposed as targets by the hackers resulting in absence or lack of security updates within the concerned devices. The use of passwords instead of reliable technique such as biometrics poses another very strong reason as to why IoT is and would be vulnerable. Also, the IoT devices are equipped with diversity as well as complexity with almost no in-built or in-device security related products such as; anti-virus installed. Even the removal of malware from the IoT devices is quite a challenging task in itself leading to issuance of more vulnerability. Regularly or periodically updating not just the software but also the operating system is also helpful. Not just that, even having connections made via Internet is a major loophole which needs to be taken care of by making use of LAN connections at times when necessary instead of Internet. Above all of these mentioned concerns there are no hard-coded legislations or policies in place to guide the concerned personnel on protecting the security of the vulnerable IoT devices or binding the manufacturers to follow the much required protocols while producing vulnerable IoT devices in the first place.

⦁ Technical Preventive Methods for IoT Vulnerabilities
The concept of IoT is the evident future but it’s not quite ready yet due to the prevalence of vulnerabilities across disparate IoT devices and network. Researchers and IoT developers reacted to the need of the hour by trying to answer the question, “What should we worry about while building an IoT system?” This lead to the first step: Risk Assessment and thus resulted in the second step: Vulnerability Identification. We have discussed about a wide range of vulnerabilities in our previous blogs. To tackle these pressing flaws in IoT devices and networks, we would explore a spectrum of technical countermeasures with respect to specific vulnerability which would assist the developers to build a robust IoT system.
⦁ Insecure Web, Mobile& Cloud Interface: The most subtle way to engage a user with an IoT device is either to help the user establish a link between the device and his/her smart phone or to directly provide an interface embedded within the device. But with an interface comes a list of vulnerabilities that the developer should take care off while building the device. Few of the major issues are namely; weak default credentials, username enumeration, credentials exposed in network traffic, SQL-injection, session management, cross-site scripting, weak account lockout settings, and so on. So, some of the simple yet important countermeasures to these above mentioned weakness could be:

⦁ Changing the default passwords and usernames during initial setup
⦁ Password recovery mechanisms must be robust and do not facilitate any sensitive information related to a valid account to an attacker
⦁ Ensuring web interface is not susceptible to XSS or CSRF by embedding built-in sanitization & escaping functions into the interface
⦁ Ensuring credentials are not exposed in internal or external network traffic by integrating the network with a firewall

⦁ Insufficient Authentication/Authorisation: IoT devices focus more on the functionality and usage of the device resulting in ineffective authentication mechanism to IoT user Interface. These poor authorisation techniques may lead the user to gain higher levels of access than allowed. This vulnerability exists due to lack of elements like two factor authentication, role based access control, insecure password recovery, etc. Some of the countermeasures are:

⦁ Granular access control must be implemented
⦁ Credentials are to be properly protected
⦁ Two factor authentication can be implemented like; RSA tokens
⦁ Proper logs should be maintained for each login and their respective activities
⦁ Password recovery mechanisms have to be secure. Instead of sending a temporary password to a mentioned email address, the original password can be sent to the authorised user directly.

⦁ Insecure Network Services: Services can be exploited using buffer overflow mechanisms, open ports via UPnP, UDP services or by denial-of-service attack via network device fuzzing, misconfigured or poor implementation of SSL/TLS, use of unencrypted services via Internet, etc. Suggested below are some countermeasures to protect against the threats mentioned:

⦁ Only the necessary ports are to be exposed and available
⦁ Services can be protected against buffer overflow and fuzzing attacks by using bound checking mechanism which ensures that memory allocated for storing data cannot contain executable code
⦁ Protection against DoS attacks can be established by white listing IP addresses that can connect to the IoT device, developers can write python scripts to filter out bad traffic, ISP and Cloud providers can provide DDoS mitigation mechanism on the network
⦁ Ensuring network ports or services are not exposed to the internet via UPnP
⦁ Standardised encrypted protocols must be used while transmitting data in any network

⦁ Insecure Software/Firmware: The device should have specific and customizable protocols to get updated to latest versions. These update patches are generally created by the developers of the IoT devices who ensure to update the device to tackle any new attack vectors, add a new feature or to fix any existing vulnerability in the IoT system. Failing to update may lead to exposure of sensitive data on successful execution of an attack. Some countermeasures to avoid these scenarios are mentioned bellow:

⦁ Enable your device for IoT Patch deployment with Firmware-over-the-air updates
⦁ ‘Deploy now, Update later’ mechanism helps the user to understand the functionality of the update and how the update will support the user’s device before installing it.

⦁ Poor Physical Security: Physical security is often missed out when it comes to IoT devices. As these devices are usually portable, small and used in a known environment, the user is usually not concerned about the physical security of the device. But there is a list of IoT devices which are used in rough physical conditions. Therefore, the user should be concerned about the physical security and access to the device and anticipate countermeasures accordingly. IoT devices have USB and other external ports which can be exploited to transfer any stored sensitive data. If the device is not properly stored in a secured environment, the attacker can disassemble the device to gain access to the device’s media storage. Thus, these attacks could eventually lead to the unauthorised access to user’s device or data.

⦁ Ensuring data storage medium cannot be easily removed
⦁ Ensuring that the stored data is aptly encrypted during rest
⦁ Ensuring that the USB ports or maybe other external ports can’t be made to use in order to maliciously access device
⦁ Ensuring that the device can’t be easily disassembled
⦁ Ensuring the product has the ability to limit administrative capabilities

⦁ Design Preventive Methods for IoT Vulnerabilities
Designing countermeasures forms an integral pedestal of making IoT devices and systems secure. It is the prerequisite step of establishing technical countermeasures as it defines the architecture as well as the direction in which all the preventive steps have to be taken before or during any crisis. We shall discuss the factors which would assist a developer while designing the countermeasures.
⦁ Ability of the IoT device: Understand the purpose and capability of the IoT device. Comprehend the in-built level of security measures and find room for improvement.

⦁ Update and Patch Management: Establish clearly defined protocols for all the elements in connection to the IoT system. Set up a safe channel to distribute official software updates and patches using a P2P network approach across thousands of devices across disparate geographies. The authorized manufacturing company needs to embed proper security certificates within the IoT device before deploying the device into any usable environment.

⦁ Be aware of what’s on your network and use a secure connection: Firstly, we need to make sure that the ISP is providing a secure connection from their end. Next, we should be aware about the connection making capability of the IoT device, and if those connections are secure or not.

⦁ Be conscious of cloud security: We not only have to take precaution of the data stored within the device but we need to focus what data are being stored by the device in the cloud.

⦁ Conduct penetration testing: Conduct routine penetration tests on the IoT system and its environment to simulate a scenario and assess the outcome.

⦁ Data encryption: Implement standard encryption methods on the incoming and outgoing data of the IoT system.

⦁ Protect the network: Create new IT policies as well as strengthen the existing ones. Deploy the appropriate technology to neutralize any potential attack on the network.

⦁ Firewalls: Use a robust in-built firewall in the IoT device along with the network and the database on which it resides. We can also embed third party firewall within the IoT device firmware.

⦁ Universal Plug and Play: Disabling the universal plug and play feature on the routers and IoT devices connected to the network can foil a possible attack.

⦁ One password, one device: To avoid the domino effect on the network in the event of an attack. We must not use the same password for more than one device.

⦁ Create a ‘guest’ network to protect the ‘home’ network: If devices with known vulnerabilities are being used, we must create a guest network first. This method will protect our home network along with the devices connected to it by quarantining and detaching the network which is compromised due to any attack.

Related Post