IoT Attack Vectors
In this section, we discuss the concept of IoT attack vectors, attack surfaces, and threat vectors to clarify the difference between these cybersecurity terms that are often used interchangeably. We discuss some IoT attack vectors that should be taken into consideration when designing cybersecurity strategies for IoT networks and systems. We also discuss some strategies that can be used to eliminate or mitigate the risk posed by IoT attack vectors.
IoT attack vector, attack surface, and threat vector
IoT attack vectors are the various methods that cybercriminals can use to access IoT devices in order to launch cyberattacks on the IoT infrastructure, on the other information system infrastructure of an organisation, or on the Internet as a whole. They provide a means for cybercriminals to exploit security vulnerabilities and compromise the confidentiality, integrity, and availability of sensitive data. It is very important to minimise the number of attack vectors in order to reduce the risk of a security breach, which may cost an organisation a lot of money and damage its reputation.
The number of attack vectors keeps growing as cybercriminals keep developing simple and sophisticated methods to exploit unresolved security vulnerabilities and zero-day vulnerabilities in computer systems and networks. Consequently, there is no single solution that mitigates the risk posed by the growing number of attack vectors in classical computer systems and networks. As the number of IoT devices connected to the Internet increases, the number of IoT-related attack vectors also increases, requiring the development of a holistic cybersecurity strategy that handles both the traditional attack vectors (e.g., malware, viruses, email attachments, web pages, pop-ups, instant messages, text messages, social engineering, credential theft, vulnerability exploits, and insufficient protection against insider threats) and those that specifically target IoT systems (e.g., exploitation of IoT-specific weaknesses such as weak or no passwords, lack of firmware and software updates, and unencrypted communications).
In order to defend IoT networks and systems, it is important to understand the various ways in which a cybercriminal can gain unauthorised access to them. The term threat vector is often used interchangeably with attack vector. An IoT threat vector is the total number of potential ways or methods that cybercriminals can use to compromise the confidentiality, integrity, or availability of IoT data and systems. As IoT networks grow in size and are integrated with other IT and cyber-physical systems, the complexity of managing them increases, and the number of threat or attack vectors increases with it. Therefore, it is very challenging to eliminate all threat or attack vectors, but IoT-based cybersecurity systems are designed to eliminate threat or attack vectors whenever possible.
An IoT attack surface is the total number of attack vectors that cybercriminals can use to manipulate an IoT network or system to compromise its data confidentiality, integrity, or availability. That is, it is the combination of all IoT attack vectors available to cybercriminals to use to compromise IoT data and systems. It implies that the more IoT attack vectors an organisation has due to the deployment of IoT systems, the larger their cybersecurity attack surface and vice versa. Therefore, in order to minimise the attack surface, organisations must minimise the number of attack vectors.
Some IoT attack vectors
In order to eliminate IoT attack vectors, it is important to understand the nature of some of these attack vectors and their sources and then develop comprehensive security strategies to deal with them. In this section, we will discuss IoT attack vectors from the perception layer to the application layer. Some of the IoT attack vectors or ways in which cybercriminals can gain illegal access to IoT networks and systems (to compromise data security or launch further attacks) include the following:
Compromised user or device credentials: Password compromise is one of the most common ways in which cybercriminals gain unauthorised access to IoT systems. This is partly because some IoT device manufacturers ship devices with hardcoded passwords, or with default passwords that are rarely changed. This gives cybercriminals easy access to IoT devices, which they then use to conduct sophisticated attacks such as DDoS attacks. The password credentials used to log in to IoT mobile and web applications can also be compromised by cybercriminals through data leaks, phishing scams, malware, and brute-force attacks.
Weak cryptographic algorithms: It is very challenging to implement strong cryptographic algorithms on IoT devices because of their hardware constraints, which makes it easier for cybercriminals to access IoT data transported over wireless communication channels. The confidentiality of sensitive data stored on IoT devices can also be compromised easily. Hence, weak cryptographic algorithms (or the absence of data encryption altogether) make it attractive for cybercriminals to try to access IoT data through man-in-the-middle attacks.
Open communication ports: Unsecured and unnecessarily open ports (virtual entry points into a device that associate network traffic with a given application or process) can be exploited by cybercriminals to gain access to the device. Every unnecessarily open or unsecured port is a threat vector that cybercriminals can exploit to attack IoT devices, servers, and applications.
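The check a defender would run for this item is to compare what a device actually listens on against what its role requires. The following is an added example, not code from the original text: it parses listening sockets in the shape of Linux `ss -tlnp` output and flags any non-loopback port that the device's role does not need. The role allow-list, the device roles and the sample output are all constructed for the illustration.

```python
"""Added example (not from the original text): flag listening TCP ports that a
device's role does not need. The role allow-list and the sample ss-style
output below are constructed for this illustration."""
import re

# Constructed allow-list: the listening ports each device role needs.
ALLOWED_PORTS = {
    "camera": {443},          # HTTPS management interface only
    "gateway": {443, 8883},   # HTTPS plus MQTT over TLS
}

# Constructed sample in the shape of `ss -tlnp` output from a Linux device.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:23          0.0.0.0:*          users:(("telnetd",pid=311,fd=3))
LISTEN  0       128     0.0.0.0:443         0.0.0.0:*          users:(("httpd",pid=402,fd=5))
LISTEN  0       5       127.0.0.1:8080      0.0.0.0:*          users:(("cfgd",pid=417,fd=7))
LISTEN  0       128     [::]:1883           [::]:*             users:(("mosquitto",pid=512,fd=9))
"""

# One LISTEN line: state, queues, local addr:port, peer addr:port, process name.
LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"'
)

LOOPBACK = {"127.0.0.1", "[::1]"}


def parse_listeners(text):
    """Return (address, port, process) for every LISTEN line in ss-style output."""
    listeners = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            address, port, process = match.groups()
            listeners.append((address, int(port), process))
    return listeners


def unexpected_ports(role, text):
    """Ports bound to non-loopback addresses that the given role does not need."""
    allowed = ALLOWED_PORTS[role]
    findings = []
    for address, port, process in parse_listeners(text):
        if address in LOOPBACK:
            continue  # reachable only from the device itself, not a network entry point
        if port not in allowed:
            findings.append((port, process))
    return findings


if __name__ == "__main__":
    for role in ALLOWED_PORTS:
        print(role, "->", unexpected_ports(role, SAMPLE_SS_OUTPUT))
```

In the constructed sample, both roles get the same two findings: a telnet daemon on port 23 and a plaintext MQTT broker on 1883, neither of which belongs on either role's allow-list. Loopback-only services are skipped because they are not reachable from the network, but they still deserve review if the device runs untrusted code.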
Misconfigurations: Poorly configured IoT devices, network devices, servers, computing nodes, and applications can serve as weak points that cybercriminals can exploit to attack the IoT network and systems. Thus, exploitation of vulnerabilities created by misconfiguration is one of the ways in which attackers can gain unauthorised access to IoT networks and systems.
Firmware vulnerabilities: Since IoT firmware and software are often not regularly updated to patch security holes and to protect IoT devices from newly discovered security vulnerabilities, cybercriminals can exploit unresolved firmware and software vulnerabilities to gain unauthorised access to IoT devices and data. Thus, the exploitation of firmware and software vulnerabilities is one of the ways in which cybercriminals can easily compromise the security of IoT networks and systems.
Zero-day vulnerabilities: New security vulnerabilities (flaws in hardware or software) are discovered all the time, on a daily, weekly, monthly, or annual basis. Suppose there is a security vulnerability for which the developer has not released a security patch, or for which the user has not installed or applied the update. In that case, it is likely that attackers will exploit the vulnerability to gain unauthorised access to IoT networks and systems. The exploitation of an unknown vulnerability or software flaw before a security patch is released is called a zero-day attack. Therefore, the exploitation of unpatched vulnerabilities, whether unknown to the vendor or known but unresolved, is one of the attack vectors that cybercriminals use to compromise the security of IoT networks and systems.
Cross-site scripting (XSS): This is a browser-based attack vector in which malicious code is injected into a browser-based application designed for users to access IoT services. For a lot of IoT applications, end-users access the IoT services hosted on cloud computing platforms through web and mobile applications in their browsers. Cybercriminals can inject malicious code into IoT web applications, redirect users to fake websites, and trick the browser into executing malicious code that downloads malware to infect user devices. That is, the injected code runs as a script in the user's browser, where it can infect the user's device and steal information. Hence, since IoT services are provided to users through web-based applications, this kind of attack vector is likely to be targeted by cybercriminals.
SQL injection: A lot of IoT data is stored in structured databases and then accessed through web and mobile applications by users and other applications. The data stored in structured databases is often managed using SQL (Structured Query Language), a language used to administer or interact with the database in order to store, access, and manipulate the data. In an SQL injection attack, an attacker leverages known vulnerabilities to inject malicious SQL statements into an application, tricking the server into allowing the attacker to illegally extract, alter, or delete information. In the case of IoT applications in which sensor data is collected and stored in structured databases, this type of attack vector is likely to be targeted.
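The two web-application vectors above (XSS and SQL injection) come down to the same root cause: untrusted text being interpreted as code. The following is an added example, not code from the original text, showing the vulnerable and the hardened form of a database query behind an IoT web application, together with output escaping for the HTML page that renders the result. The readings table, its rows and the crafted input are constructed for the illustration.

```python
"""Added example (not from the original text): a query behind an IoT web
application written unsafely and then with parameter binding, plus HTML
escaping for the page that renders the result. The table and rows are
constructed for this illustration."""
import html
import sqlite3


def build_db():
    """In-memory table of constructed sensor readings keyed by owner."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE readings (device_id TEXT, owner TEXT, temp REAL)")
    conn.executemany(
        "INSERT INTO readings VALUES (?, ?, ?)",
        [("sensor-01", "alice", 21.5), ("sensor-02", "alice", 22.0), ("sensor-09", "bob", 19.8)],
    )
    return conn


def readings_unsafe(conn, owner):
    """Vulnerable form: the caller's text is spliced into the SQL statement."""
    sql = "SELECT device_id, temp FROM readings WHERE owner = '" + owner + "'"
    return conn.execute(sql).fetchall()


def readings_safe(conn, owner):
    """Hardened form: the text is bound as a value and never parsed as SQL."""
    return conn.execute(
        "SELECT device_id, temp FROM readings WHERE owner = ?", (owner,)
    ).fetchall()


def render_device_cell(device_id):
    """Escape untrusted text before placing it inside an HTML page (XSS defence)."""
    return "<td>" + html.escape(device_id) + "</td>"


if __name__ == "__main__":
    db = build_db()
    crafted = "bob' OR '1'='1"   # constructed input that closes the quote and appends a condition
    print("unsafe:", readings_unsafe(db, crafted))   # every row, not just bob's
    print("safe:  ", readings_safe(db, crafted))     # no rows: no owner has that literal name
    print(render_device_cell("<script>"))            # <td>&lt;script&gt;</td>
```

The safe query returns nothing for the crafted value because the database driver treats it as an owner name to compare against, not as SQL to parse. The same principle applies to the HTML cell: escaping turns angle brackets into entities so the browser displays them rather than executing them.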
Distributed Denial of Service (DDoS) attacks: This type of attack vector involves the use of bots to infect IoT devices and then create a botnet (a network of bots) that can be directed to overwhelm IoT gateways, services, data centres, and web applications with a massive volume of traffic or requests. The aim is to cause the IoT gateways, services, data centres, and web applications to crash, depriving users of access to IoT services. That is, the attacker takes over a large number of IoT devices, forms a botnet, and directs traffic from those devices at IoT gateways, services, data centres, and web applications with the goal of disrupting IoT services.
Session hijacking: Cybercriminals can gain unauthorised access to sensitive IoT data through session hijacking. When IoT users log in to access an IoT service, they are issued a session key or cookie so that they do not need to log in again for every request. This cookie can be hijacked by an attacker, who then uses it to gain access to sensitive IoT information.
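What limits the damage of a stolen session cookie is how the server issues and checks it. The following is an added example, not code from the original text: a server-side session store that issues random tokens, keeps only their hashes, expires them after a short lifetime, binds them to the client they were issued to, and sets cookie attributes that keep the token off plain HTTP and away from page scripts. The lifetime, the injectable clock and the client fingerprint are constructed for the illustration.

```python
"""Added example (not from the original text): server-side session handling
that limits what a stolen cookie is worth. The TTL and the clock injection
are constructed for this illustration."""
import hashlib
import secrets
import time

SESSION_TTL = 900  # seconds; constructed value


class SessionStore:
    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._sessions = {}      # sha256(token) -> session record

    @staticmethod
    def _key(token):
        # Store only a hash: a leaked store does not yield usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, user, client_fingerprint):
        """Issue a fresh, unguessable token after a successful login."""
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = {
            "user": user,
            "expires": self._now() + SESSION_TTL,
            "client": client_fingerprint,
        }
        return token

    def lookup(self, token, client_fingerprint):
        """Return the user for a valid token, else None."""
        key = self._key(token)
        record = self._sessions.get(key)
        if record is None:
            return None
        if self._now() > record["expires"]:
            del self._sessions[key]            # expired: drop it
            return None
        if record["client"] != client_fingerprint:
            return None                        # token presented from a different client
        return record["user"]

    def revoke(self, token):
        """Logout: invalidate the token server-side, not just in the browser."""
        self._sessions.pop(self._key(token), None)


def set_cookie_header(token):
    """Cookie attributes that keep the token off plain HTTP and away from page scripts."""
    return (f"Set-Cookie: session={token}; Secure; HttpOnly; "
            f"SameSite=Strict; Max-Age={SESSION_TTL}; Path=/")


def demo():
    """Walk through issue, use, client mismatch, expiry and revocation with a fake clock."""
    clock = [1000.0]
    store = SessionStore(now=lambda: clock[0])
    token = store.create("alice", "client-a")
    results = {
        "same_client": store.lookup(token, "client-a"),
        "other_client": store.lookup(token, "client-b"),
    }
    clock[0] += SESSION_TTL + 1
    results["after_expiry"] = store.lookup(token, "client-a")
    token2 = store.create("bob", "client-a")
    store.revoke(token2)
    results["after_revoke"] = store.lookup(token2, "client-a")
    return results


if __name__ == "__main__":
    print(demo())
```

Client binding is only a heuristic, since a fingerprint such as a User-Agent header can be copied along with the cookie; the short lifetime and server-side revocation are the controls that hold regardless. `HttpOnly` keeps the cookie out of reach of injected page scripts, which ties this item back to the XSS vector above.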
Malware infection: This attack vector involves the use of malicious software (malware) designed to take control of an IoT network or system. Malware may corrupt and steal data and can also be used to carry out malicious attacks on multiple IoT devices and other systems. Some examples of malware that can be used to target IoT networks and systems include ransomware (malware that encrypts valuable IoT data or data of IoT users to deprive legitimate users of access to the data until a ransom is paid) and trojans (malware that can be used to create a backdoor that gives attackers unauthorised access to IoT networks and systems).
Phishing: This type of attack vector may be targeted at employees of IoT organisations or at users in order to compromise their login credentials. It involves the use of social engineering strategies in which the target is contacted by email, telephone, or text message by someone posing as a legitimate colleague or institution to trick them into providing sensitive data, credentials, or personally identifiable information (PII). It is one of the most commonly used attack vectors for gaining unauthorised access to sensitive information, and it is also the starting point for many other forms of attack, such as ransomware attacks (which often start with phishing campaigns against their targets) and spyware (malware that can share sensitive IoT data with attackers).
Brute-force attack: This is another attack vector aimed at compromising authentication credentials and encryption keys in order to gain unauthorised access to IoT data. It uses a trial-and-error method to guess the password or encryption key and thereby gain unauthorised access to IoT networks, systems, and data. If the password or the encryption key is not strong enough, the attacker can illegally gain access to IoT devices. The use of default passwords and weak encryption schemes in IoT devices makes them susceptible to these kinds of attacks.
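The credential and brute-force vectors above are both addressed at the point where a device accepts a password. The following is an added example, not code from the original text: a password-acceptance check that rejects vendor defaults and weak choices, salted iterated hashing for storage, and a lockout after repeated failed attempts so that trial-and-error guessing stalls. The default-password list, the length and lockout thresholds, and the injectable clock are constructed for the illustration.

```python
"""Added example (not from the original text): password policy, salted PBKDF2
storage and lockout after repeated failures for an IoT device account. The
default-password list, thresholds and clock injection are constructed."""
import hashlib
import hmac
import secrets
import time

DEFAULT_PASSWORDS = {"admin", "password", "12345", "123456", "root", "1234", "default"}
MIN_LENGTH = 12
MAX_FAILURES = 5          # failures before lockout
LOCKOUT_SECONDS = 300
PBKDF2_ROUNDS = 100_000


def password_is_acceptable(password):
    """Reject defaults, short passwords and ones using fewer than three character classes."""
    if password.lower() in DEFAULT_PASSWORDS or len(password) < MIN_LENGTH:
        return False
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    return sum(classes) >= 3


def hash_password(password, salt=None):
    """Salted, iterated hash so a stolen credential store cannot be reversed cheaply."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class DeviceLogin:
    """Login state for one device account with failure counting and lockout."""

    def __init__(self, password, now=time.time):
        if not password_is_acceptable(password):
            raise ValueError("password does not meet policy")
        self._salt, self._digest = hash_password(password)
        self._now = now           # injectable clock so lockout can be tested
        self.failures = 0
        self.locked_until = 0.0

    def attempt(self, password):
        """Return 'ok', 'bad_password' or 'locked'."""
        now = self._now()
        if now < self.locked_until:
            return "locked"               # no verification at all while locked out
        _, digest = hash_password(password, self._salt)
        if hmac.compare_digest(digest, self._digest):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked_until = now + LOCKOUT_SECONDS
            self.failures = 0
        return "bad_password"


if __name__ == "__main__":
    clock = [0.0]
    login = DeviceLogin("Correct-Horse-42", now=lambda: clock[0])
    print([login.attempt("guess%d" % i) for i in range(6)])   # five bad_password, then locked
    clock[0] += LOCKOUT_SECONDS + 1
    print(login.attempt("Correct-Horse-42"))                   # ok once the lockout has passed
```

The constant-time comparison and the per-account salt protect the stored credential; the lockout is what turns an online guessing attack from thousands of tries per second into a handful per lockout window. A real deployment would also log the lockout events, since a burst of them across many devices is itself a detection signal.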
Physical attacks: This type of attack vector involves the adversary's physical access to the IoT device. If an attacker can physically access deployed IoT devices, it is possible to steal sensitive data and also to compromise the devices and then later use them to conduct attacks on IoT networks and other systems.
Insider attack: It is also important to consider the fact that legitimate users or employees could decide to leak sensitive IoT data to external entities, compromising the confidentiality of the data. An insider may also delete sensitive data intentionally or unintentionally. This kind of attack vector should be considered when designing a cybersecurity strategy for IoT networks and systems.
Exploitation of supply chain vulnerability: This kind of attack vector involves the exploitation of vulnerabilities present in third-party hardware and software systems. Attackers could go after vulnerabilities in third-party hardware and software components that the supplier of the hardware or software may not yet have discovered. Therefore, vulnerabilities present in third-party products may become entry points for attackers to gain unauthorised access to IoT networks and systems.
The attack vectors discussed above can be grouped into two categories: passive and active attack vectors. Passive attack vector exploits are the various ways in which attackers can gain unauthorised access to IoT networks and systems without intruding on or interfering with their operation. Examples of these kinds of attack vectors include phishing and other social engineering-based attack vectors. Active attack vector exploits, on the other hand, are those that interfere with the operation of the IoT network and system. Examples of this category include DDoS attacks, brute-force attacks, and malware attacks.
Strategies to defend against well-known IoT attack vector exploits
In order to address common attack vectors, it is important to understand the nature of the attack vector exploits, including passive and active ones. Most attack vector exploits share some common characteristics, which include the following:
The attackers first identify targets that they intend to go after.
The attackers use social engineering strategies, malware, phishing, and vulnerability scanning tools to scan the IoT network and other information systems of the targeted victim to identify the vulnerabilities that they intend to exploit.
The attackers then identify the set of attack vectors that they intend to exploit and search for the tools required to carry out the attack vector exploits.
Attackers gain unauthorised access to the IoT systems, steal sensitive data, install malware, and sometimes escalate the attack by using the devices that they have compromised to carry out further attacks to compromise other system resources.
The attackers try to cover their tracks in order to remain undetected. They may also continue to steal valuable data or to use computing and communication resources.
It is essential to identify and deploy effective security tools and policies to deal with IoT attack vectors. These security tools and policies should be designed to eliminate or reduce the risk from IoT attack vectors from the IoT perception layer to the application layer. Some of the strategies that can be used to defend IoT networks and systems against well-known IoT attack vectors include the following:
Create secure authentication policies: Ensure that default passwords are replaced with strong passwords. Also, encourage the use of password managers to ensure that login credentials are strong and resilient to brute-force attacks.
Implementation of strong energy-efficient cryptographic schemes: The IoT data stored in IoT devices, computing devices, network devices, and databases should be encrypted or transformed to a format that is unintelligible to unauthorised entities. Data should be encrypted before being transported over communication networks.
Secure communication ports: All communication ports should be secured, and unused ports should be closed to ensure that they are not exploited.
Identify and resolve vulnerabilities: Use security monitoring tools to identify and resolve vulnerabilities as quickly as possible to ensure that they are not exploited to compromise the security of the IoT network and systems. Also, install or apply security updates as soon as they are released in order to quickly patch security vulnerabilities that may be targeted by attackers.
Enforce the principle of least privilege: Implement the principle of least privilege, in which only the necessary permissions are granted to firmware components and processes. At the networking and application layers, users should likewise be granted only the privileges that they need, and when a user no longer needs certain privileges, those privileges should be revoked.
Make every IoT device identifiable: All IoT devices in the network should be identifiable. In order to avoid unwanted access, every device should have a distinct identity so that it can be effectively monitored, and it must authenticate before it can access IoT networks and systems.
Adopt secure software development methods: Code should be well tested and reviewed to ensure that security vulnerabilities are identified and resolved. Also, ensure that the libraries used to implement the device firmware are secure and well tested. When programming IoT devices, the copying of code from the Internet should be minimised to ensure that it does not introduce security vulnerabilities.
Continuous monitoring of IoT devices: Keep an up-to-date inventory of all connected devices and monitor the activities within IoT devices and other systems. Automated tools should be used to discover all connected devices and to continuously scan them in order to identify every vulnerability and deal with it.
Regular security update and patching: Although managing and installing security updates and patching security gaps for thousands of devices can be challenging, Remote Management and Monitoring (RMM) tools can be used to perform regular security updates and patching. This will ensure that IoT device firmware and software are always up to date.
Decommission unused IoT devices: Unused IoT devices should be removed from the IoT network. An IoT device that is not being used is unlikely to be regularly updated or properly secured, which poses a risk to the IoT network and systems. Thus, any unused IoT device, and any other hardware or software system that is not being used, should be removed from the IoT network.
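The three items above (continuous monitoring, regular patching and decommissioning) all rest on the same data: an inventory reconciled against what discovery actually finds on the network. The following is an added example, not code from the original text, that performs that reconciliation and reports devices seen but not in the inventory, devices running firmware older than the newest release for their model, and inventory devices absent for long enough to be decommission candidates. The inventory, firmware versions, scan result and staleness threshold are constructed for the illustration.

```python
"""Added example (not from the original text): reconcile a device inventory
against a discovery scan. The inventory, firmware versions, scan result and
thresholds below are constructed for this illustration."""
from datetime import datetime, timedelta

# Constructed inventory: MAC -> model, installed firmware, last time it was seen.
INVENTORY = {
    "aa:bb:cc:00:00:01": {"model": "cam-x1", "firmware": "2.3.1", "last_seen": datetime(2024, 6, 1)},
    "aa:bb:cc:00:00:02": {"model": "cam-x1", "firmware": "2.1.0", "last_seen": datetime(2024, 6, 1)},
    "aa:bb:cc:00:00:03": {"model": "gw-7", "firmware": "5.0.2", "last_seen": datetime(2024, 3, 15)},
}

# Constructed: the newest firmware release per model.
CURRENT_FIRMWARE = {"cam-x1": "2.3.1", "gw-7": "5.0.2"}

# Constructed discovery scan: MACs that answered on the network today.
SCAN_RESULT = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "aa:bb:cc:00:00:99"}

EXAMPLE_NOW = datetime(2024, 6, 2)      # constructed "today" for the scan
STALE_AFTER = timedelta(days=30)        # constructed decommission threshold


def version_tuple(version):
    """'2.3.1' -> (2, 3, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def unknown_devices(scan, inventory):
    """Seen on the network but not in the inventory: investigate before trusting."""
    return sorted(set(scan) - set(inventory))


def outdated_firmware(inventory, current):
    """Inventory devices running older firmware than the newest release for their model."""
    return sorted(
        mac for mac, dev in inventory.items()
        if version_tuple(dev["firmware"]) < version_tuple(current[dev["model"]])
    )


def decommission_candidates(inventory, scan, now, stale_after=STALE_AFTER):
    """Inventory devices absent from the scan and unseen for longer than the threshold."""
    return sorted(
        mac for mac, dev in inventory.items()
        if mac not in scan and now - dev["last_seen"] > stale_after
    )


def reconcile(inventory, scan, current, now):
    """One report covering the three monitoring questions."""
    return {
        "unknown": unknown_devices(scan, inventory),
        "outdated": outdated_firmware(inventory, current),
        "decommission": decommission_candidates(inventory, scan, now),
    }


if __name__ == "__main__":
    for finding, macs in reconcile(INVENTORY, SCAN_RESULT, CURRENT_FIRMWARE, EXAMPLE_NOW).items():
        print(f"{finding}: {macs}")
```

Numeric version comparison matters here: comparing version strings lexically would rank "2.10.0" below "2.9.3". In practice the scan would come from a discovery tool and the inventory from an RMM or asset system, and the "unknown" list is the one to act on first, since an unrecognised device is either an unmanaged asset or something that should not be there.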
Implement centralised management for IoT devices: Managing IoT devices, network traffic, and data flow from a single point facilitates the detection of malicious events and their swift remediation. It also facilitates the implementation of integrated cybersecurity systems that enforce security controls throughout the network.
Isolate IoT devices from critical system resources and data: By isolating IoT devices from critical system resources and data, we ensure that even if the IoT network is compromised, the attacker cannot move laterally across the network to compromise critical system resources and networks. Segmenting the network and isolating the IoT devices from other parts of the organisation's network also gives the organisation more visibility into and control over the network.
Use updated antimalware software: Ensure that antimalware software is kept up to date so that it can protect against the latest malware.
Deploy attack detection and response tools: Deploy automated attack detection and response tools that can quickly detect and stop cyberattacks as soon as they are launched. AI and machine learning tools should be leveraged to design automated attack prevention, detection and response tools for IoT.
Regular and effective training of employees: Employees should be well trained to handle cybersecurity tools and to be able to detect social engineering and phishing attacks designed to trick them into leaking sensitive information.
Ensure supply chain security: Ensure that third-party hardware and software tools are well secured so that they do not introduce security vulnerabilities that attackers can exploit. Also, ensure that third-party software is updated regularly and on time.
Zero-trust security approach: Apply the Zero Trust (ZT) security framework to ensure that all users, whether inside or outside the organisation's network, are authenticated, authorised, and continuously validated for security configuration and posture before being granted, or allowed to keep, access to IoT networks, systems, applications, and data.
System-based security approach: The IoT security landscape is very complex and is constantly changing, requiring integration of security tools, security policies, people, and diverse types of information and cyber-physical systems. The best way to manage the complex and dynamic interaction of complex components that constitute the IoT infrastructure is to use a system-based approach. Concepts from the growing fields of systems thinking, systems dynamics, and software engineering can be borrowed to model and design robust and secure cybersecurity systems for IoT networks and systems.