SECURITY ASSESSMENT OF INTERNET OF THINGS
Table of Content
Ever since its inception, computing has been a dynamic and continuous evolving field due to the insatiable need for a better quality of life. The computer has evolved from the age of mainframes which took acres of space in the late 1950s to the present age of cloud computing and mobile phones which are less than 5 inches long. This journey exposed us to exciting and innovative ideas and devices such as the mobile phones, tablet PCs, laptops and many more. With each emerging generation of computing devices, one very important goal in the sight of the developers was that there was a general improvement on the physical size, ease of use and the capability of these devices.
Human dependency on the use of computers is increasing with each coming day. The needs of human beings has always demanded more and more from computing devices. All of these gave rise to the creation of the term Internet of things. In a nutshell, IoT is the connection of devices usually smart devices so that they can exchange data. Smart devices is a term used to refer to a device that connect and share information with other devices.
Imagine a scenario where you come back from work at the end of a cold day and upon getting home the garage door automatically opens. While u are certain kilometres away from the house your smart watch takes your body temperature via the inbuilt sensors and sends the information to the smart thermostat at home which sets the temperature of the house accordingly. On getting inside the house the lighting comes on and a pot of coffee starting brewing. The bath runs with water at the right temperature. This in its entirety is the beauty of IoT. These chain of events is an example of the application of various IoT devices being linked to each other via a network (in most cases the internet). The thought of all these happening seamlessly an in no time is exciting with the aim. Due to the recent strides in embedded technology which allows devices to communicate with each other and in the speed and ease of accessibility of the internet, IoT is now a reality.
Even though IoT is still pretty much in its infant stages and is picking up pace very fast, a lot of questions are being raised about the security IoT. Because these devices rely on being connected to networks to achieve maximum efficiency and most of the time we have other devices which contain personal information, these could be seen as a security vulnerability. In these times where so much value is being placed on PII (Personal Identifiable Information), the question of how secure these devices are is now being taken more seriously.
My objective with this report is to analyse the state of security with regards to IoT by assessing the controls put in place by manufactures of such devices and then propose how they can improve and also implement new security controls into such devices. I will also look at how government can introduce legislation to make sure that manufacturers comply to set standards which would have been implemented.
Chapter 2 will be a little to history about IoT, from when the concept was first coined to where it is at presently. I will also looks at the direction in which IoT will take in years to come. We will look at the architecture of IoT.
Chapter 3 will be a review on the security of IOT presently. We will assess this using a threat model and we will review of couple of attacks.
In chapter 4, I will propose certain measures which I believe will improve the security of IoT.
This project ends with Chapter 5 the project will conclude with my conclusion and proposition for areas into which more research can be carried out.
The phrase ‘internet of things’ was first mentioned by Kevin Ashton, the co-founder of MIT Auto-ID centre when he wrote ‘That ‘Internet of Things’ Thing’ in RFID Journal.
“I could be wrong, but I’m fairly sure the phrase ‘Internet of Things’ started life as the title of a presentation I made at Procter & Gamble (P&G) in 1999. Linking the new idea of RFID in P&G’s supply chain to the then-red-hot topic of the Internet was more than just a good way to get executive attention. It summed up an important insight—one that 10 years later, after the Internet of Things has become the title of everything from an article in Scientific American to the name of a European Union conference, is still often misunderstood.”
The article spoke about how computers are dependent on the information produced by humans to work efficiently. He also pointed out that there is a limit to the performance of human beings. He then went on to suggest that if we equip computers with sensors and RFID technology they will be able to gather information on their own and make decisions based on the information they collected. He also added that these improvements to make them more efficient and would save cost.
Ashton might have coined the phrase but people had been connecting object to networks long before that. For example in 1993 Dr. Quentin Stafford Fraser and Dr. Paul Jardetzky, set up a camera to monitor a coffee pot.  This is credited to be the first ever webcam. Their main reason for creating the webcam was to save researchers using the lab pointless trips to the room where their coffee pot was located. The webcam took three pictures every minute of the coffee pot and shared it on their local network. These pictures would then serve as a point of reference for anyone who now wanted to get coffee.
I will now proceed to proceed to outline to the important events which are important to the current state of IoT today as well as a few enabling technologies.
We can’t talk about IoT without talking about the internet. The internet is a fundamental part of our lives as we know it today but it wasn’t always so. It started as a defense project for the United States Department of Defense called ARPANET in the 1960s.  Its main objective was to connect several supers computers located around the United States so that in the event of one of them goes down the other ones wouldn’t be affected. The technology continued to grow when two scientists Robert Kahn and Vinton Cerf developed TCP/IP which set the standards for how data would be distributed among multiple networks and was adopted by ARPNET on the 1st of January 1983.  The technology’s popularity soon increased and soon enough other countries joined the network which helped it increase in size hence its name INTERnational NETwork.
By 1990 the first connected thing was born, a toaster which could be turned on and off via the internet.  It was presented at the INTEROP conference by John Romkey who created the device. John Romkey created the toaster as a result of a challenge thrown to him by the then president of the INTEROP, Dan Lynch. There was only one flaw with this device, someone had to be there to physically put the bread in the toaster, but a year this was rectified when a robotic arm was introduced to pick the bread and drop in the toaster.
In 1999 the first machine to machine protocol for IoT was written. The MQTT protocol was written Andy Stanford-Clark of IBM and Arlen Nipper of Arcom, now Cirrus Link.  Their objectives were to create a protocol that lightweight and simple, reduce the use of battery life and bandwidth while ensuring reliability of service.
In 2000, the first connected fridge was created. The Internet Digital DIOS Refrigerator was released by LG electronics.  The unit had a LAN port with allowed internet connectivity. It had the capability perform online shopping activities, make video calls and the camera could be used as scanner to scan the contents of the screen so that they can be monitored. The unit could be programmed to make orders for contents when they are running low on stock. These refrigerators was not very successful on the market as they were very expensive with a unit price $20,000. 
In 2008, a group of companies came together to form the IPSO. The IPSO main objective was to promote the use of IP in the networking of smart objects and enable the internet of things.  The IPSO has of over 50 members companies.
In 2009 Google announced it self-driving car. It was headed by Sebastian Thrun, a Stanford professor.  He is lauded as the founder of the autonomous car. The car made use of sensors, cameras, GPS, lasers and radars to see the word around them. The company believed that their cars had reduced the number of road accidents by half yearly.  2009 was also the year that the Bluetooth SIG announced its version 4.0 of its Bluetooth technology, Bluetooth Low Energy (BLE).  This was the company’s response to the emerging trend of devices which used very low energy which were being rolled out at the time.
In 2011 Nest rolled out the first smart thermostats.  These thermostats could be connected to the Wi-Fi and be controlled through an app on the mobile device. The thermostat had the ability to learn the preferred temperature setting of the owner. The devices were very popular on the market reportedly selling 40,000-50,000 units monthly.  That year also saw the introduction of IPv6.  This was introduced as a result of IPv4 having insufficient IP addresses. IPv4 supports approximately 4.2 billion addresses and this number was predicted to be depleted by the year 2012 but recent advancements such as NAT have pushed this predicted date back.  IPv6 on the other hand supports about 340,282,366,920,938,463,463,374,607,431,768,211,456 addresses exactly which is a significant improvement over the IPv4 and also allow the progression of the IoT.  Aside from the increased address space IPv6 also provides better for mobile devices and has built in authentication and privacy measures.
IoT has improved in terms of the numbers devices being put out there and is becoming increasingly popular and holds a lot of potential. Cisco Systems estimates that approximately 12.1 billion Internet-connected devices were in use in April 2014, and that figure is expected to zoom to above 50 billion by 2020.  While these numbers are astonishing and at the same time exciting, we have to also have to consider other aspects such as privacy of information being shared, security, regulations and standards. A couple of the previously stated talking points which I will address further along the line.
There is no universally agreed IoT architecture and this is due to the fact that the research in this field is still at an infant stage. There are a lot factors which need to be considered when attempting to define the architecture of IoT such as scalability, interoperability, Quality of service and data storage reliability. 
A basic architecture of IoT classifies it into 3 layers: The Perception Layer, Network Layer and Application layer. 
This is the physical layer. Its main function is to collect information from the surrounding environment. It employs the use of technology such as sensors, RFID and barcode scanners.
The network layer is concerned with the transportation of data which has been collected at the perception layer and transporting to the application layer and in turn sending application data back to the perception layer. Technology employed in this layer include Wi-Fi and Bluetooth.
This layer is concerned with delivering applications to users. It explains the ways which IoT can be appliedsmart cities, smart homes, smart cars etc.
The architecture listed defines the basic idea of IoT but is insufficient to describe IoT today due to its fast development. Another architecture was proposed which added two additional layers: the business and the processing layer. 
Also referred to as the middleware layer, is concerned with the storage, analysis and processing of data collected at the perception layer. This layer employs the use of database software, cloud computing and big data processing.
This layer has 3 functions. Firstly it is concerned with managing the whole IoT model and its applications. Secondly, it makes use of data collected from the application layer to build business models and graphs and lastly it provides privacy.
With IoT increasing popularity, the investments towards the advanced of IoT is on the rise as no one wants to be left out of this lucrative opportunity. IBM in 2015 planned to invest 3 billion dollars in its development of IOT.  A lot of other companies have also made huge investments toward the same. For the purpose of this paper we will look at applications of IoT in the the following aspects: automobiles, health care, smart homes
IoT has heavily influence the automobile industry as we know it today. According to a report by BI Intelligence, 381 million connected cars to be on the road by 2020, up from 36 million in 2015.  The two popular methods of connecting cars are by embedding and tethering.
Embedding involves the use of special embedded SIM provided by the car manufacturer to access connect to the cars. The means of connectivity is built into the car and rely on the connectivity and signal coverage of the provider chosen by the car company. The disadvantages of using this type of connectivity include:
- The hardware involved in this type of connection is relatively expensive.
- Changing the operators after the production or during the life time of the vehicle is very difficult.
- The customer will have to use the existing mobile carrier of the car on their mobile phones.
- These systems are not easily modified after production.
An example of this technology can be seen in the Lexus LS-460 which was released in September 2006. 
Tethering the connectivity for the car’s system is provided by an external device separate from the car’s own system (i.e. mobile phone or a modem). The car systems basically shares the IP of the system providing the connectivity. Apple and Google have rolled out applications which will enable mobile devices to connect to the car Apple Car Play and Android Auto respectively. The major flaws with this type of connectivity is that:
- The pairing process is complicated.
- This type of connection leads to consumption of large mobile data which makes this type of connection expensive to run.
The more popular car play and android auto can be found in select models of Audi, Ford, Hyundai and Mercedes. 
It is believed that IoT will make road transport reasonably safer because the voice command which is a vital component in Smart cars would allow the driver focus on the wheel and also allow the driver to perform other tasks. The unified goal is to get to the era where cars would drive themselves which seems like a possibility with each coming day.
Health care is core aspect of the world we live in today and has not been left out of the connected devices transformation. Healthcare isn’t cheap and it is projected that these connected devices will reduce the price of acquiring good healthcare. With the discovery of new diseases and an ever growing population, there comes a point where some patients will need to be monitored constantly. The facilities available at hospitals and health centers are finite and cannot accommodate the individuals that need the constant monitoring. This gave rise to the idea to provide continuous monitoring services to patients without them being physically present in the hospital. This can be done by implementing sensors to track the vitals of the patient and send reports to a system which analyzes the data and alerts medical staff who would have been assigned to the patient. This will help discover medical issues faster and more efficiently. An example of such devices is the activity tracker produced by the Memorial Sloan Kettering Cancer Center and the Cloud Research firm. The trackers are used to monitor the life style of patients being treated for multiple myeloma.  There have also been implementations in remote treating solutions such as remote insulin pumps, connected inhalers and connected contact lenses. 
This is a house/building in which the devices fitted in it have the capability to exchange information between each other and the environment around them. Smart home allow their owners to set their preferred settings and take control of the environment of their homes. There are already a couple of devices which available to build the smart home. Examples of such devices are the Philips Hue, The Air quality egg and the NEST smart thermostat. These individual smart devices are usually connected to a central device which serves as a platform to control these devices. An examples of these device is the Amazon Echo. These devices are usually linked together by a network usually linked together by a LAN. 
This is the most popular application of IoT with the funding of smart home startups currently exceeding $2.5bn. 
CITY WIDE DEVELOPMENTS
There are several instances where IoT have been deployed on a city metropolitan instance to help improve the quality of life of citizens in the city. For examples there are cities which have devices deployed round the city on a largescale which all work together to make up smart cities. These devices provide solutions to waste disposal, traffic, pollution. An example of such deployments is the Bigbelly, a smart waste system which employs the use of bins which automatically notifies the city collection service if a bin is getting full so that it can be scheduled for disposal. 
3.1 THREAT MODEL
Threat modelling is a method which is used to identify enumerate and prioritize potetntial threats from an attacker’s point of view. A threat is a undesirable event which may be malicious or incidental in nature.
3.1.1 SOURCES OF THREATS
In creating a threat model we have to consider the sources of potential threats to IoT. The following are the main sources of threats:
This refers to manufacturer of a device who intentionally introduces flaws in their devices for the sole purpose of accessing data about the user or other IoT devices. The term also covers manufacturers who don’t take into consideration good security practices into consideration when putting devices on the market.
This refers to the owner of an IoT device whose main intention is to carry out attacks on the device and gain access to restricted functionality of the device such as program data, encryption keys etc. When such a user achieves his goal he can sell it to third parties or use the information gathered to carry out attacks on similar devices.
The Outside Attacker
This refers to the individual who has no authorized access to the device but tries to gain access to information related to the user of the IoT device for fraudulent purposes.
3.1.2 Classes of Threats
It is important to classify the attacks to understand the potential risks. I will employ the Microsoft model for classifying threats called STRIDE. It is an acronym for the six categories of threats.
- Spoofing Identity
- Tampering With Data
- Information Disclosure
- Denial of service
- Elevation of privilege
Spoofing is an event where a program or individual masquerades as a legitimate user of a system. An example of such an attack with respect to IoT devices can be seen when attackers impersonated the IP address of the Samsung fridge and used it to acquire the Google credentials of the owner of the fridge. 
Tampering involves the physical of the manipulation of an object. IoT devices are usually very small and once they have been tampered with it is very hard to notice. Once an attacker gets physical access to an IoT device, a number of attacks can be carried out such as firmware manipulation, theft of valuable information stored on the device. An example of device tampering would be when they carried out a ransomware attack on a nest thermostat by introducing malicious data via a SD card. 
Repudiation involves a user denying that they performed an action and there being no means to prove it. If a user accesses a particular system and makes unauthorized changes and there is no evidence to prove the user made those changes the system is said to be.
Repudiation threats are serious areas of concern when attackers of IoT devices are able to carry out malicious attacks without getting caught. An example of such an attack is a smart meter that sends energy consumption data to some energy company’s servers. Without any non-repudiation controls, the attacker can tamper with the device and view the data and through this learn certain behavioural traits about the user of the thermostat which he can then use to carry out further attacks on the user.
Threats in this category are those which occur as a result of parties having access to information which they are not privileged to have. An instance would be if a device is running a manipulated or insecure software. This software could potentially disclose vital information to the public which are supposed to be confidential.
An example of such a scenario would be where IoT devices would send information in the clear without encryption or other security services.
Denial of Service
This occurs when a user with legitimate access is denied access to a program device or service. For example, a CCTV camera which has been disabled by attacker would not provide the monitoring capabilities which the user intended it for.
Elevation of Privilege
This occurs when an illegitimate user get the access rights of a legitimate user to a given device or service. This can be done by placing a bug in a system which will spoof a legitimate user who has legitimate access to a system.
Threats to the computer system isn’t a new concept, from as far back as 1982 when the first PC virus was written  the concept of keeping our cyber environment safe has been an ethical practice. With the emergence of IoT, the scale at which these attacks are carried out have increased while the complexity of the attacks have reduced. This is an alarming turnaround of events. This largely due to the fact that the level of security present in these smart devices are not anywhere near a satisfactory level.
The chapter will be based on notable attacks that have taken place.
A botnet is a network of computers devices which have been infected with a malicious software which is used to control the computers in the network without the knowledge of the user and are majorly used to carry out DDoS attacks. The operators control the botnets using Command and control servers. 
Botnets became popular in 2000 when a Canadian teenager launched a series of DDoS attacks against a couple of high profile websites such as Yahoo, Dell, eBay, Amazon and many others.  The attacker overloaded their servers with junk traffic over a couple of days until their servers crashed.
The botnets consist of devices which are usually internet enabled and are able to transfer data through a network. It is usually easy to spot multiple spam packages sent from a single device because the source address would be the same and a gateway device can easily be programmed to filter away such requests, but it is a lot a harder to detect multiple packages from sent from different packages because it would be difficult to filter the legitimate requests from the malicious ones.
This attack takes place at the network layer. There are two major ways by which an attacker would try tit infect a PC and incorporate them to be a part of a botnet. An attacker can either find a well know site with a vulnerability and exploits it. The attacker then injects his own malicious code and set it up to take advantage of a vulnerability in a popular browser. The code will then redirect the victim’s browser to a site controlled by the attacker where bot code will be downloaded and installed on the victim’s machine. The other method is done via email and is much easier. The attacker sends out a large batch of spam emails that includes an attachment such a pdf, word document which has a malicious code in it or a link to a site that has malicious code loaded on it. The moment the attacker’s code has been installed on the machine, the system becomes part of the botnet.
A good example of a malware used to convert systems to bots is Mirai. The malware targets mainly IoT devices running on Linux such as IP cameras and routers that are running a telnet server. Telnet is an outdated protocol used in the administration of servers. Mirai connects to the system through the telnet server tries to login by trial and error of 60 known credentials. When the malware gains access, the bot software is then installed and at this point the attacker has converted the victim’s system to a bot and has full control of the system. The bot then proceeds to kill processes that would hinder the malware from running successfully such as the telnet and web server. The bot then connects to the control and command server waiting for commands from the attacker. In this state the bot is continuously scanning for other devices which are vulnerable continuously trying to expand its network.
With the increasing number of smart devices being put out for use, many of this devices are left with a high probability of being incorporated into botnets due to the low level of security they possess. Everyday devices such as coffee makers, fridges or thermostats are not getting the same level of security as our phones or laptops therefore they are easy for hackers to break into and be incorporated into botnets.
A man-in-the-middle attack is one where an attacker puts him/herself in the communication line between two parties. The attacker impersonates both parties making them believe that they are communicating securely without their knowledge and in the process gains access to information which was supposed to be confidential between the two parties. The target of this attacks are users of finical applications and other sites where logging is a requirement. The information gotten from this attack could be used in impersonation and fraudulent fund transfers. In very simple terms man in the middle attack is the equivalent of someone eavesdropping on your phone call without your knowledge.
For this attack to occur the attacker has to first be able to sniff packets in the network. Sniffing is the act of grabbing all traffic that passes through your system in a network. There are a number of tools which can enable one sniff traffic. Examples are Wireshark, tcpdump and dsniff. In a network controlled by a hub these tools will be work because in a hub network anyone on the network can see all the traffic exchanged between devices on the network. In a switched environment, it becomes tricky seeing as the traffic has an address (IP or MAC address) attached to it. This means that devices on the network can only see traffic that has been addressed to them. In this situations, the attacker has to employ techniques like ARP Spoofing, IP Spoofing and DNS Spoofing.
IP Spoofing involves an attacker disguising himself as another machine to gain illegitimate access by altering the header of the packet in an IP address.
ARP Spoofing is the process when an attacker sends false ARP messages over a network. The aim of these messages is to link the attackers MAC address with the IP address of the victim. This will lead to message meant for the victim being diverted to the attacker.
DNS Spoofing is the process of corrupting the Domain Name System Resolver cache by introducing corrupt data to direct legitimate traffic away from legitimate destinations and towards ones which have been set by the attacker.
After the attacker has been able to sniff the traffic using any of the above named methods he then has to be able to decrypt the data. A number of methods are available to achieve such as HTTPS spoofing, SSL BEAST, SSL Hijacking and SSL stripping.
HTTPS Spoofing involves sending a fraudulent certificate to the internet browser of the victim which appears like it was sent from the legitimate source. The victim’s browser then authorizes this certificate and adds it to its list of trusted certificates. This enables the attacker view any information sent by the victim.
SSL BEAST targeted the vulnerability of cipher block chaining in the version 1.0 of TLS/SSL. This enabled attackers to decrypt messages and obtain token for authentication of machines running version 1.0.
SSL stripping is used to reduce secure HTTP connections (HTTPS) to HTTP by intercepting the authentication message sent from the authenticating body to the victim. The attacker them sends the unencrypted version of the message he intercepted to the victim while he still maintains his secure session with the authorizing body.
SSL Hijacking involves the attacker generating secure key for both the authorizing body and the victim so he maintains a secure connection on both ends to give both parties the feeling that their communication line is secure.
A recent example of the man in the middle attack was carried out on the Samsung smart fridge, RF28HMELBSR. The Smart was part of their range of Samsung home appliances which controlled by their Smart Home App.  The fridge used Google’s calendar services so u could set events and reminders from the fridge.
The fridge implemented SSL poorly and failed to validate the SSL certificate so an attacker could carry out HTTPS spoofing whereby he generate messages remotely posing as the fridge and in turn download sensitive information from the fridge user’s google servers or potentially pose as a Google and steal the users Google credentials.
Ransomware is a type of attack which prevents a user from getting access to their system either by locking the screen of the user or by encrypting user’s files unless payment to the tune of a certain amount is paid. The victim is usually is made aware that the attack has been carried out. Payment of this sort is usually demanded in digital currency because they provide a lot of anonymity. The payment doesn’t always guarantee that the users will get access to their files.
The malware used to carry out the ransomware attacks can be spread through email attachments, malicious software applications, storage devices and compromised websites. Once the ransomware malware has been executed, one of two things can happen, the system screen is locked or a couple or all the files are encrypted. A list of instructions is then displayed on the screen on how to effect the ransom payment.
Up till very recently IoT ransomware wasn’t given much attention. This was because
- Most IoT devices usually have very little storage space and in cases where large storage was required, the cloud is usually employed to act as storage devices so even if the data gets encrypted, there was little or no incentive to pay the ransom.
- The vast number of IoT devices out there made it more challenging for hackers because each device would have to be attacked in a uniquely different way which would then mean that a lot of hacks would have to be developed.
- The IoT device would need a screen notifying the user that he has been hacked and a lot of IoT devices out there don’t possess a display mechanism so hacker would have to find an alternative way to notify the user that their device has been hacked either by looking up their phone number and calling or texting them or by sending them an email notifying them that they have been hacked.
The above listed reasons didn’t provide enough motivation for hackers to invest in the ransomware for IoT. An important point to note is that with ransomware of IoT, the attack doesn’t need to be irreversible as the conventional ransomware attack, it just need to be executed at the right time for instance an attacker could hack your pacemaker and demand bitcoins if not he ends the life of the victim.
White hackers on the 5th of August, 2017 went a step ahead to prove that the ransomware threat to IoT was real. They carried out the attack on a Nest Thermostat.  The attack was made possible as a result of a bug in the thermostat but refused specific information about the bug since it hadn’t been fixed yet.
The thermostat in question had a display and ran a Linux operating system and had a SD card slot for users to load custom wallpapers and settings. The attackers also discovered that thermostat didn’t check what kind of files were being uploaded and an attacker could upload a malicious file and disguise it as a picture, transfer it to the thermostat and make it run automatically. On successful execution of the program the attacker would have full control of the thermostat.
3.2.4 SOCIAL ENGINEERING
Social engineering is the act of using deception to make people give up sensitive information or information they wouldn’t normally give up on a normal day. Criminals resort to this type of attack because it is easier when compared to hacking. A common technique used in Social engineering attacks is the use of phishing emails. This involves the use fraudulent email to retrieve sensitive information about the victim.
IoT is becoming a part of our everyday lives. They are also known to be vulnerable to attacks as we have already shown in the course of this chapter. Any type of defense put in place can be bypassed as long as one has access to the passcode or important information about the infrastructure in place. The increased popularity of IoT devices have increased the capability of an attacker and the efficacy of social engineering attacks. These IoT when deployed have access to the internet through the local network as well as other sensitive devices such as mobile phones, laptops and tablet computers. These connected devices then serve as an avenue for social engineering attacks.
4.1 Securing IoT
As the impact of the various applications of IoT in our daily lives continue to grow with each passing day, the security of these connected devices is becoming more glaring and the seriousness of which the technological community takes the security of these devices has to be stepped up a notch. In the course of this paper, we have taken a look at the current security status of these connected devices and the attacks that they ae vulnerable to. The complexity and magnitude of the attacks will only increase as time passes.
We are now going to look at how these devices can be improved on security wise from 3 point of Views:
The Manufacturer’s View
The manufacturers have the largest role to play in the realization of a more secure IoT world. For manufacturers of smart devices to increase the quality of devices they put out in the market, they have to take into consideration the following issues and their controls as it applies to the device they are producing.
Web Interfaces Issues
A devices which use web interfaces as point of interaction between the user and the device need to make sure that the web interface possesses the following characteristics:
- The use of weak default credentials are they can be easily guessed by anyone should be avoided.
- The interface should enforce the change of default credentials upon initial setup and also enforce strong password policy in selecting a new password.
- The interface shouldn’t allow multiple login attempts and should notify the user either (via email or text message) of failed logins and employ the use of solid password recovery methods so that an attacker doesn’t get legitimate access to the system.
- The manufacturers should take steps to ensure that their web interfaces are not susceptible to XSS (cross-site scripting), SQLi (SQL Injection) or CSRF (Cross-Site Request Forgery).
- Release regular updates for firmware to patch vulnerabilities that were not considered at the design stage or vulnerabilities that were discovered after the product has been put on the market.
A devices which employs authentication services to verify the identity of the user has to ensure that the following measures are in place:
- It has to employ the use of a strong password policy to make them immune to different forms of dictionary attacks.
- It employs granular access control so that a guest user doesn’t have the same privileges as a super user or the owner of a device.
- It should ensure that the login credentials of users of the device is properly protected and not easily accessible.
- Where possible, it should also ensure that two factor authentication should be implemented.
- It should also make sure that the infrastructure put in place to ensure password recovery is well secure as this is one of the various avenues which attackers use to bypass authentication.
In other to avoid attacks which occur at the network level, the following measures should be taken:
- Ensure that only ports which ae necessary for the full functionality of the device should be kept open to prevent attackers using such ports as points of entry during attacks.
- Ensure that ports and services are not accessible via Universal Plug and Play because that protocol doesn’t have restrictions on devices that are trying to connect to it.
- Data transferred through a network should be encrypted using protocols SSL and TLS to prevent sniffing of data and retain the integrity of the data.
To address the privacy issues of connected devices in the market. The following practices should be considered:
- Only critical data that are important to the functionality of the device should be recorded so as to prevent a breach of privacy.
- Sensitive data that has been collected should be protected by encryption to prevent the viewing of the data if the data is lost or hacked.
- Ensuring that only privileged individuals have access to personal identifiable information so to prevent the disclosure of sensitive data to unauthorized individuals.
- Ensuring that the end users are aware of the data that is being collected about them so that there is no breach of privacy.
- Ensuring that the data that is collected have retention limits to prevent the retention of data beyond the actual needed time.
- Ensure that the data that is collected is anonymised and has no glaring links to the end user.
Physical Security Issues
These following are measures which will deal with physical security issues:
- Ensuring the storage medium of devices are easy to tamper with so as to make it difficult for attackers to tamper with the firmware of the device.
- Ensure that the data stored in the storage devices are encrypted to make it difficult for the attacker to read the information if they get their hands on it.
- Ensure that the functionality of USB devices (if available) are very limited so as to not access restricted aspects of the device so as the reduce means by which an attacker can attacker can access the firmware of the device.
- Ensure that the device is tamper proof prevent the attacker from getting access to vital components of the device.
The Consumer’s View
The IoT craze is one that has been embraced by the public with open arms. They have done so without really considering the security implications of owning such devices. Even though these end users don’t really want to bother themselves with such burdens, there are still some basic security practices which as end users they must execute to try and keep themselves safe from attacks.
- A good percentage of connected device usually require them to be connected to the user’s Wi-Fi network. Seeing as some these devices are insecure as we have proved during the course of this paper, it is advisable that u create a special guest network for your smart devices and connect them there. This keeps them in a separate environment away from your more trusted devices like your mobile phones, laptops etc. in the event of an attacker successfully carry out an attack on your smart device.
- Turn off the Universal Plug and Play on your connected devices so as prevent attackers exploiting it. An attacker can go online and search for devices awaiting connections using specialized search engines.
- Always update the firmware of your connected device so as to patch vulnerabilities which were discovered post production.
- A lot of IoT devices use very weak default passwords which are prone to password attacks so it is advisable to change the default password upon deployment.
- IoT devices which employ the use of cloud services are less secure due to the fact that the data would have to be transported via network to the cloud and the information can be sniffed in transit. IF possible the user should avoid devices that employ the use of cloud.
- If a smart device has the ability to connect to a network but at the same time doesn’t require the connectivity for basic functionality, the user should avoid making such connections to minimize the probability of an attack occurring.
With quantity and quality of the connected devices out in the market space and giving the large number of insecurities they possess, the government could weigh in on the security internet of things by introducing standards and regulations which would help improve the standard of connected devices being produced.
A standard has already been proposed which known as the proposal for ePrivacy Regulations, which covers all forms of electronic communications and the channels they use. When it comes to communication involving IoT its principle is broad:
“Connected devices and machines increasingly communicate with each other by using electronic communications networks (Internet of Things). The transmission of machine-to-machine communications involves the conveyance of signals over a network and, hence, usually constitutes an electronic communications service. In order to ensure full protection of the rights to privacy and confidentiality of communications, and to promote a trusted and secure Internet of Things in the digital single market, it is necessary to clarify that this Regulation should apply to the transmission of machine-to-machine communications. Therefore, the principle of confidentiality enshrined in this Regulation should also apply to the transmission of machine-to-machine communications. Specific safeguards could also be adopted under sectorial legislation, as for instance Directive 2014/53/EU” 
The proposal isn’t very clear as it doesn’t specify whether it refers to machine to machine communication involving personal data or all machine to machine communications but a more literal interpretation would suggest when machine to machine communications are implemented, they should comply with the draft’s policy on confidentiality which states that
“Electronic communications data shall be confidential. Any interference with electronic communications data, such as by listening, tapping, storing, monitoring, scanning or other kinds of interception, surveillance or processing of electronic communications data, by persons other than the end-users, shall be prohibited, except when permitted by this Regulation” 
The draft also suggests that in the case of a breach, the resulting consequences would be fines of up to 20 million euros or 4% of their total worldwide turnover. 
The ePrivacy Regulations which would take effect in 2018 would go a long way to make sure that companies produce devices which employ the use of protocols to ensure that confidentiality as defined by the regulations is upheld during electronic communication. But this law alone is not enough to tackle all the insecurities which are associated with IoT devices which have been pointed out during the course of this project.
An argument can be made that seeing that IoT is still largely developing, such laws will only slow down or hamper the development of IoT. But the attack magnitude of attacks which involve IoT will only increase if no drastic steps are taken to arrest the enormous amount of devices which will only keep rising.
The internet of Things is taking the world by surprise and people are getting carried away by its exciting capabilities and not thinking about the impact these devices would have on their lives. In this project we discussed the various ways in which IoT is changing the way we lives today. We determined the main entities that pose a threat to the security of IoT and used a threat model to analyse the security of IoT and help us identify and address the security risks associated with IoT. We then went to further propose ways by which the security of IoT from three standpoints: The manufacturer, the Consumer and the government. This assessment would provide guidance as to where substantial effort should be directed when developing controls to govern IoT.
5.2 Future Work
In my future work, I aim to propose a regulatory document to govern IoT devices based on the security assessment I have performed. The aim of this document is to help improve the standards of products (security –wise) out there for public use.
- Ashton, kevin (2009) That ‘Internet of things’ thing – 2009-06-22 – page 1. Available at: http://www.rfidjournal.com/articles/view?4986 (Accessed: 24 February 2017).
- BBC News. (2017). How the world’s first webcam made a coffee pot famous – BBC News. [online] Available at: http://www.bbc.co.uk/news/technology-20439301 [Accessed 27 Jul. 2017].
- Learnthenet.co.za. (2017). How did the internet start? – Learnthenet. [online] Available at: http://learnthenet.co.za/how-did-the-internet-start/ [Accessed 28 Jul. 2017].
- internet? W. (2017). Who invented the internet? – Ask History. [online] HISTORY.com. Available at: http://www.history.com/news/ask-history/who-invented-the-internet [Accessed 28 Jul. 2017].
- Home.cern. (2017). The birth of the web | CERN. [online] Available at: https://home.cern/topics/birth-web [Accessed 28 Jul. 2017].
- Postscapes.com. (2017). History of IoT | Background Information and Timeline of the Trending Topic. [online] Available at: https://www.postscapes.com/internet-of-things-history/ [Accessed 30 Jul. 2017].
- Deoras, S. (2017). First ever IoT device- “The Internet Toaster”. [online] IoT India Magazine. Available at: http://iotindiamag.com/2016/08/first-ever-iot-device-the-internet-toaster/ [Accessed 30 Jul. 2017].
- Appliancedesign.com. (2000). LG Electronics Introduces Digital Refrigerator. [online] Available at: http://www.appliancedesign.com/articles/89516-lg-electronics-introduces-digital-refrigerator [Accessed 31 Jul. 2017].
- Parry, T. (2017). The Internet of Things Is About Experience… and Data – Multichannel Merchant. [online] Multichannel Merchant. Available at: http://multichannelmerchant.com/blog/the-internet-of-things-is-about-experience-and-data/ [Accessed 31 Jul. 2017].
- Business Insider. (2017). How Google’s self-driving car project rose from a crazy idea to a top contender in the race toward a driverless future. [online] Available at: http://uk.businessinsider.com/google-driverless-car-history-photos-2016-10/#google-began-its-project-with-six-toyota-priuses-and-an-audi-tt-that-drove-through-the-streets-of-mountain-view-california-it-hired-a-handful-of-people-with-perfect-driving-records-to-sit-behind-the-wheel-a-position-it-still-hires-for-seven-years-later-3 [Accessed 2 Aug. 2017].
- EDN. (2017). Bluetooth Low Energy (BLE) – A Short History of the BLE standard and GATT. [online] Available at: http://www.eedesignnewseurope.com/blog/bluetooth-low-energy-ble-short-history-ble-standard-and-gatt [Accessed 2 Aug. 2017].
- Internetsociety.org. (2017). Archive: 2011 World IPV6 Day | Internet Society. [online] Available at: http://www.internetsociety.org/ipv6/archive-2011-world-ipv6-day [Accessed 4 Aug. 2017].
- Basics, I. (2017). What is a IPv6?. [online] WhatIsMyIPAddress.com. Available at: http://whatismyipaddress.com/ip-v6 [Accessed 4 Aug. 2017].
- Nest. (2017). About us. [online] Available at: https://nest.com/about/ [Accessed 4 Aug. 2017].
- The Verge. (2017). Nest reportedly shipping over 40,000 Learning Thermostats every month. [online] Available at: https://www.theverge.com/2013/1/30/3933412/nest-shipping-over-40000-thermostats-every-month [Accessed 4 Aug. 2017].
- Mqtt.org. (2017). FAQ – Frequently Asked Questions | MQTT. [online] Available at: http://mqtt.org/faq [Accessed 7 Aug. 2017].
- IPSO Alliance. (2017). Internet Protocol | About IPSO Alliance. [online] Available at: https://www.ipso-alliance.org/about-us/ [Accessed 7 Aug. 2017].
- Baselinemag.com. (2017). A Brief History of the Internet of Things. [online] Available at: http://www.baselinemag.com/networking/slideshows/a-brief-history-of-the-internet-of-things.html [Accessed 9 Aug. 2017].
- KeyCDN Blog. (2017). What Is the Difference between IPv4 and IPv6? [online] Available at: https://www.keycdn.com/blog/difference-between-ipv4-and-ipv6/ [Accessed 9 Aug. 2017].
- Greengard, S. (2014a) A brief history of the Internet of things. Available at: http://www.baselinemag.com/networking/slideshows/a-brief-history-of-the-internet-of-things.html (Accessed: 23 February 2017).
- Clark, D. (2017). IBM to Invest $3 Billion in Sensor-Data Unit. [online] WSJ. Available at: https://www.wsj.com/articles/ibm-to-invest-3-billion-in-sensor-data-unit-1427774463 [Accessed 9 Aug. 2017].
- Kumparak, G., Burns, M., Escher, A., Kumparak, G., Burns, M. and Escher, A. (2017). A brief history of Tesla. [online] TechCrunch. Available at: https://techcrunch.com/gallery/a-brief-history-of-tesla/ [Accessed 11 Aug. 2017].
- GCN. (2017). Can you identify the first computer virus? — GCN. [online] Available at: https://gcn.com/blogs/tech-trivia/2011/08/first-computer-virus.aspx [Accessed 13 Aug. 2017].
- Trendmicro.com. (2017). Command-and-control (C&C) server – Definition – Trend Micro USA. [online] Available at: https://www.trendmicro.com/vinfo/us/security/definition/command-and-control-(c-c)-server [Accessed 14 Aug. 2017].
- Hughes, M. (2017). Massive DDOS attack against Dyn DNS is causing havoc online [Resolved]. [online] The Next Web. Available at: https://thenextweb.com/security/2016/10/21/massive-ddos-attack-dyn-dns-causing-havoc-online/#.tnw_fzMY33UZ [Accessed 14 Aug. 2017].
- York, K. (2017). Dyn Statement on 10/21/2016 DDoS Attack | Dyn Blog. [online] Dyn.com. Available at: https://dyn.com/blog/dyn-statement-on-10212016-ddos-attack/ [Accessed 14 Aug. 2017].
- Sethi, P. and Sarangi, S. (2017). Internet of Things: Architectures, Protocols, and Applications. [online] Hindawi. Available at: https://www.hindawi.com/journals/jece/2017/9324035/ [Accessed 15 Aug. 2017].
- Sciencedirect.com. (2017). Choices for interaction with things on Internet and underlying issues – ScienceDirect. [online] Available at: http://www.sciencedirect.com/science/article/pii/S1570870514003138#b0140 [Accessed 15 Aug. 2017].
- Lab, K. (2017). What is a Botnet? -Kaspersky Daily. [online] Kaspersky.com. Available at: https://www.kaspersky.com/blog/botnet/1742/ [Accessed 15 Aug. 2017].
- Pentestpartners.com. (2017). Hacking DefCon 23’s IoT Village Samsung fridge | Pen Test Partners. [online] Available at: https://www.pentestpartners.com/security-blog/hacking-defcon-23s-iot-village-samsung-fridge/ [Accessed 17 Aug. 2017].
- FRANCESCHI-BICCHIERAI, L. (2017). Hackers Make the First-Ever Ransomware for Smart Thermostats. [online] Motherboard. Available at: https://motherboard.vice.com/en_us/article/aekj9j/internet-of-things-ransomware-smart-thermostat [Accessed 18 Aug. 2017].
- Digital Single Market. (2017). Proposal for a Regulation on Privacy and Electronic Communications. [online] Available at: https://ec.europa.eu/digital-single-market/en/news/proposal-regulation-privacy-and-electronic-communications [Accessed 22 Aug. 2017].
- Internet of Things blog. (2017). IoT applications spanning across industries. [online] Available at: https://www.ibm.com/blogs/internet-of-things/iot-applications-industries/ [Accessed 23 Aug. 2017].
- Iot-analytics.com. (2017). The 10 most popular Internet of Things applications right now. [online] Available at: https://iot-analytics.com/10-internet-of-things-applications/ [Accessed 23 Aug. 2017].
- الحى (2017). Embedded Systems in Automotive. [online] Slideshare.net. Available at: https://www.slideshare.net/ssuser92b33b/embedded-systems-in-automotive [Accessed 23 Aug. 2017].
- MakeUseOf. (2017). Android Auto vs. Apple CarPlay: Which In-Car System Is Right for You?. [online] Available at: http://www.makeuseof.com/tag/android-auto-vs-apple-carplay/ [Accessed 23 Aug. 2017].
- Econsultancy. (2017). 10 examples of the Internet of Things in healthcare. [online] Available at: https://econsultancy.com/blog/68878-10-examples-of-the-internet-of-things-in-healthcare [Accessed 23 Aug. 2017].