IoT Attack Vectors

In this section, we discuss the concept of IoT attack vectors, attack surfaces, and threat vectors to clarify the difference between these cybersecurity terms, which are often used interchangeably. We discuss some IoT attack vectors that should be considered when designing cybersecurity strategies for IoT networks and systems. We also discuss some strategies that can be used to eliminate or mitigate the risk posed by IoT attack vectors.

IoT attack vectors are the various methods that cybercriminals can use to access IoT devices to launch cyberattacks on the IoT infrastructure or other information system infrastructure of an organisation or the Internet as a whole. They provide a means for cybercriminals to exploit security vulnerabilities to compromise sensitive data's confidentiality, integrity, and availability. It is essential to minimise the attack vectors to reduce the risk of a security breach. It may cost an organisation a lot of money, and its reputation may be negatively impacted after a security breach.

The number of attack vectors keeps growing as cybercriminals develop numerous simple and sophisticated methods to exploit unresolved security vulnerabilities and zero-day abilities on computer systems and networks. In this way, there is no single solution to mitigate the risk posed by the growing number of attack vectors in classical computer systems and networks. As the number of IoT devices connected to the Internet increases, the number of IoT-related attack vectors also increases, requiring the development of a holistic cybersecurity strategy that handles the traditional attack vectors (e.g., malware, viruses, email attachments, web pages, pop-ups, instant messages, text messages, and social engineering, credential theft, vulnerability exploits, and insufficient protection against insider threats) and those that are designed to target IoT systems (e.g., exploitation of IoT-based vulnerabilities such as weak or no passwords, lack of firmware and software updates, unencrypted communications).

To defend IoT networks and systems, it is crucial to understand the various ways a cybercriminal can use to gain unauthorised access to IoT networks and systems. The term threat vector is often used interchangeably with attack vector. An IoT threat vector is the number of potential ways or methods cybercriminals can use to compromise the confidentiality, integrity, or availability of IoT data and systems. As IoT networks grow and are integrated with other IT and cyber-physical systems, the complexities of managing them and the number of threat or attack vectors increase. Therefore, it is very challenging to illuminate all threat or attack vectors, but IoT-based cybersecurity systems are designed to eliminate threat or attack vectors whenever possible.

An IoT attack surface is the number of attack vectors that cybercriminals can use to manipulate an IoT network or system to compromise data confidentiality, integrity, or availability. It combines all IoT attack vectors available to cybercriminals to compromise IoT data and systems. It implies that the more IoT attack vectors an organisation has due to deploying IoT systems, the larger its cybersecurity attack surface and vice versa. Therefore, organisations must minimise the number of attack vectors to minimise the attack surface.

To eliminate IoT attack vectors, it is essential to understand the nature of some of them and their sources and then develop comprehensive security strategies to deal with them. This section will discuss IoT attack vectors from the perception layer to the application layer. Some of the IoT attack vectors or ways in which cybercriminals can gain illegal access to IoT networks and systems (to compromise data security or launch further attacks) include the following:

• Compromised user or device credentials: Password compromise is one of the most common ways cybercriminals can gain unauthorised access to IoT systems. This is partly because some IoT device manufacturers ship devices with hardcoded passwords and sometimes with default passwords that are rarely changed. This gives cybercriminals easy access to IoT devices, which they use to conduct sophisticated attacks such as DDoS attacks. Password credentials to log in to IoT mobile and web applications can also be compromised by cybercriminals through data leaks, phishing scams, malware, and brute-force attacks.
• Weak cryptographic algorithms: Implementing strong cryptographic algorithms in IoT devices is very challenging due to hardware constraints. This makes it easy for cybercriminals to access IoT data transported over wireless communication channels. Also, the confidentiality of sensitive data stored on IoT devices can easily be compromised. Hence, weak cryptographic algorithms (and data encryption algorithms not implemented) make it attractive for cybercriminals to try to access IoT data through man-in-the-middle attacks.
• Open communication ports: Cybercriminals can exploit unsecured and unnecessarily open ports (virtual entry points into a device that associates network traffic with a given application or process) to gain access to the device. Every necessarily open and unsecured port is a threat vector that cybercriminals can exploit to attack IoT devices, servers, and applications.
• Misconfigurations: Poorly configured IoT devices, network devices, servers, computing nodes, and applications can serve as weak points that cybercriminals can exploit to attack the IoT network and systems. Thus, exploiting vulnerabilities created by misconfiguration is one-way attackers can gain unauthorised access to IoT networks and systems.
• Firmware vulnerabilities: Since IoT firmware and software are not regularly updated to patch security holes and to protect IoT devices from newly discovered security vulnerabilities, cybercriminals can exploit unresolved firmware and software vulnerabilities to gain unauthorised access to IoT devices and data. Thus, exploiting firmware and software vulnerabilities is one of the ways cybercriminals can easily compromise the security of IoT networks and systems.
• Zero-day vulnerabilities: Several security vulnerabilities (flaws in hardware or software) are regularly being discovered on a daily, weekly, monthly, or annual basis. Suppose there are security vulnerabilities for which the developer has not released a security patch, or the user has not installed/applied the update. In that case, attackers will likely exploit such vulnerabilities to gain unauthorised access to IoT networks and systems. A zero-day attack exploits unknown vulnerabilities or software flaws before a security patch is released. Therefore, exploiting unresolved known vulnerabilities is one of the attack vectors that cybercriminals use to compromise the security of IoT networks and systems.
• Cross-site scripting (XSS): A browser-based attack vector can inject or insert malicious code within a browser-based application designed for users to access IoT services. For many IoT applications, the end-users access the IoT services hosted on cloud computing platforms through web and mobile applications using their browsers. Cybercriminals can inject malicious code into IoT web applications, redirect users to fake websites and trick the browser into executing malicious code that downloads malware that infects user devices. The inserted malicious code can launch into an infected script, infecting the user's device and stealing information. Hence, since IoT services are provided to users through web-based applications, this kind of attack vector will be targeted by cybercriminals.
• SQL injection: Many IoT data is stored in structured databases and then accessed through web and mobile applications by users and other applications. The data stored in structured databases is often managed using SQL (structured Querry Language), a programming language used to administer or interact with the database to store, access, and manipulate the data. An SQL injection attack vector is one in which an attacker leverages known vulnerabilities to inject malicious SQL statements into an application to trick the server into allowing the attacker to illegally extract, alter or delete information. In the case of IoT applications in which sensor data is collected and stored in structured databases, this type of attack vector will likely be targeted.
• Distributed Denial of Service (DDoS) attacks: This type of attack vector involves the use of bots to infect IoT devices and then create a botnet (network of bots) that can be controlled to overwhelm IoT gateways, services, data centres, and web applications with a massive amount of traffic or requests. This attack aims to cause the IoT gateways, services, data centres, and web applications to crash, depriving the users of accessing IoT services. The attacker takes over many IoT devices, creates a botnet, and redirects traffic from their devices to IoT gateways, services, data centres, and web applications to disrupt IoT services.
• Session hijacking: Cybercriminals can gain unauthorised access to sensitive IoT data through session hijacking. When IoT users login to access IoT services, they are provided with a session key or cookie, so they don't need to log in again. This cookie can be hijacked by an attacker who uses it to gain access to sensitive IoT information ^[1].
• Malware infection: This attack vector involves using malicious software (malware) designed to take control of an IoT network or system. Malware may corrupt and steal data and can also be used to carry out malicious attacks on multiple IoT devices and other systems. Some examples of malware that can be used to target IoT networks and systems include ransomware (malware that can encrypt valuable IoT data or data of IoT users to deprive legitimate access to the data until a ransom is paid) and trojan (malware that can be used to create a backdoor that gives attackers unauthorised access to IoT networks and systems).
• Phishing: This type of attack vector could be targeted at employees of IoT organisations or users to compromise their login credentials. It involves using social engineering strategies where the target is contacted by email, telephone, or text message by someone posing as a legitimate colleague or institution to trick them into providing sensitive data, credentials, or personally identifiable information (PII). It is one of the most commonly used attack vectors to gain unauthorised access to sensitive information, and it is also the starting point for many forms of attacks like ransomware attacks (which often start with phishing campaigns against their targets) and spyware (malware that can share sensitive IoT data to attacks).
• Brute-force attack: This is another attack vector aimed at compromising the authentication credentials and encryption keys to gain unauthorised access to IoT data. It could be done using a trial-and-error method to guess the password or encryption key to gain unauthorised access to IoT networks, systems, and data. If the password and the encryption key are not strong enough, the attacker can illegally gain access to IoT devices. Using default passwords and weak encryption schemes in IoT devices makes them susceptible to these attacks.
• Physical attacks: This type of attack vector involves the adversary's physical access to the IoT device. Suppose an attacker can physically access deployed IoT devices. In that case, it is possible to steal sensitive data, compromise the devices, and later use them to conduct attacks on IoT networks and other systems.
• Insider attack: It is also essential to consider the fact that legitimate users or employees could decide to leak sensitive IoT data to external entities, compromising the confidentiality of the data. An insider may also delete sensitive data intentionally or unintentionally. This attack vector should be considered when designing a cybersecurity strategy for IoT networks and systems.
• Exploitation of supply chain vulnerability: This kind of attack vector involves the exploitation of vulnerabilities present in third-party hardware and software systems. Attacks could target vulnerabilities that the hardware or software system supplier may not have discovered. Therefore, vulnerabilities present in third-party products may become entry points for attackers to gain unauthorised access to IoT networks and systems.

The attack vectors discussed above could be grouped into two categories: passive and active. Passive attack vector exploits allow attackers to gain unauthorised access to IoT networks and systems without intruding or interfering with their operation. Examples of these attack vectors include phishing and other social engineering-based attack vectors. On the other hand, active attack vector exploits interfere with the operation of the IoT network and system. Examples of this category of attack vector include DDoD attacks, brute-force attacks, malware attacks, etc.

To address common attack vectors, it is vital to understand the nature of the attack vector exploits, including passive and active ones. Most attack vector exploits share some common characteristics, which include the following:

• The attackers first identify targets that they intend to go after.
• The attackers use social engineering strategies, malware, phishing, and vulnerability scanning tools to scan the targeted victim's IoT network and other information systems to identify vulnerabilities they intend to exploit.
• The attackers set out to identical a set of attack vectors that they intend to exploit and then search for the tools required to carry out the attack vector exploits.
• Attackers gain unauthorised access to IoT systems, steal sensitive data, install malware, and sometimes escalate the attack by using compromised devices to carry out further attacks to compromise other system resources.
• The attack tries to clean their tracks to remain undetected. They also steal valuable data or use computing and communication resources.

Identifying and deploying practical security tools and policies to deal with IoT attack vectors is essential. These security tools and policies should be designed to eliminate or reduce the risk from IoT attack vectors from the IoT perception layer to the application layers. Some of the strategies that can be designed to defend IoT networks and systems against well-known IoT attack vectors include the following:

• Create secure authentication policies: Replace default passwords with strong passwords. Encourage the use of password managers to ensure that login credentials are strong and resilient to brute-force attacks.
• Implementation of strong energy-efficient cryptographic schemes: The IoT data stored in IoT devices, computing devices, network devices, and databases should be encrypted or transformed to a format that is unintelligible to unauthorised entities. Data should be encrypted before being transported over communication networks.
• Secure communication ports: All communication ports should be secured, and unused ports should be closed to prevent exploitation.
• Identify and resolve vulnerabilities: Use security monitoring tools to identify and fix vulnerabilities as quickly as possible to ensure that they are not exploited to compromise the security of the IoT network and systems. Also, install or apply security updates as soon as they are released to quickly patch security vulnerabilities that attackers may target.
• Enforce the policy of least resistance: Implement the principle of least privilege, in which only necessary permissions are granted to firmware components and processes. Users should also be given only the required privileges at the networking and application layers. When a user no longer needs certain privileges, they should be deactivated.
• All IoT devices in the network should be identifiable: To avoid unwanted access, every device should have a distinct identity to ensure that it can be effectively monitored and must authenticate before it can access IoT networks and systems.
• Adoption of secure software development methods: The code should be well-tested and reviewed to ensure that security vulnerabilities can be identified and resolved. We should also ensure that the libraries used to implement the device firmware are secured and well-tested. When programming IoT devices, copying already-written code from the Internet should be minimised to ensure it does not introduce security vulnerabilities.
• Continual monitoring of IoT devices: Maintaining an up-to-date inventory of all connected devices and monitoring the activities within IoT devices and other systems. Automated tools should be used to discover all connected devices and continuously scan them to identify and address vulnerabilities.
• Regular security update and patching: Although managing and installing security updates and patching security gaps for thousands of devices can be challenging, Remote Management and Monitoring (RMM) tools can perform regular security updates and patching. This will ensure that IoT device firmware and software are always up to date.
• Decommission unused IoT devices: Unused IoT devices should be removed from the IoT network. If any IoT device is not being used, it may not be regularly updated or adequately secured, which poses a risk to the IoT network and systems. Thus, any used IoT device and any other hard or software system not being used should be removed from the IoT network.
• Implement centralised management for IoT devices: Managing IoT devices, network traffic and data flow from a single point facilitates the detection of malicious events and swiftly addresses them. It also promotes the implementation of integrated cybersecurity systems that enforce the implementation of security controls throughout the network.
• Isolate IoT devices from critical system resources and data: By isolating IoT devices from essential system and data resources, we ensure that even if the IoT network is compromised, the attacker cannot move laterally across the network to compromise critical system resources and networks. Segmenting the network and isolating the IoT devices from some of the organisation's networks gives the organisation more visibility and control of the network.
• Use updated antimalware software: Ensure that antimalware software is up to date to guarantee that it can protect against the latest malware.
• Deploy attack detection and response tools: Deploy automated attack detection and response tools that can detect and stop cyberattacks as soon as they are launched. AI and machine learning tools should be leveraged to design automated attack prevention, detection and response tools for IoT.
• Regular and effective employee training: Employees should be well-trained to handle cybersecurity tools and detect social engineering and phishing attacks designed to trick them into leaking sensitive information.
• Ensuring supply chain security: Third-party hardware and software tools should be well-secured to prevent the introduction of security vulnerabilities that attackers can exploit. Also, ensure that third-party software is regularly updated on time.
• Zero-trust security approach: Apply the Zero Trust (ZT) security framework to ensure that all users, whether in or outside the organisation's network, are authenticated, authorised, and continuously validated for security configuration and posture before being granted or keeping access to IoT networks, systems, applications and data.
• System-based security approach: The IoT security landscape is very complex and is constantly changing, requiring the integration of security tools, security policies, people, and diverse types of information and cyber-physical systems. The best way to manage the complex and dynamic interaction of complex components that constitute the IoT infrastructure is to use a system-based approach. Concepts from the growing fields of systems thinking, systems dynamics, and software engineering can be borrowed to model and design robust and secure cybersecurity systems for IoT networks and systems.