IoT Attack Vectors

IoT attack vectors are the various methods that cybercriminals can use to access IoT devices in order to launch cyberattacks on the IoT infrastructure or other information system infrastructure of an organisation, or on the Internet as a whole. They provide a means for cybercriminals to exploit security vulnerabilities to compromise the confidentiality, integrity, and availability of sensitive data. It is very important to minimise the attack vectors to reduce the risk of a security breach. A security breach may cost an organisation a lot of money, and its reputation may also be negatively impacted.

The number of attack vectors keeps growing as cybercriminals keep developing simple and sophisticated methods to exploit unresolved security vulnerabilities and zero-day vulnerabilities in computer systems and networks. Consequently, there is no single solution to mitigate the risk posed by the growing number of attack vectors in classical computer systems and networks. As the number of IoT devices connected to the internet increases, the number of IoT-related attack vectors also increases, requiring the development of a holistic cybersecurity strategy that handles the traditional attack vectors (e.g., malware, viruses, email attachments, web pages, pop-ups, instant messages, text messages, social engineering, credential theft, vulnerability exploits, and insufficient protection against insider threats) and those that are designed to target IoT systems (e.g., exploitation of IoT-based vulnerabilities such as weak or no passwords, lack of firmware and software updates, and unencrypted communications).

In order to defend IoT networks and systems, it is important to understand the various ways a cybercriminal can gain unauthorised access to them. The term threat vector is often used interchangeably with attack vector. An IoT threat vector is the total number of potential ways or methods that cybercriminals can use to compromise the confidentiality, integrity, or availability of IoT data and systems. As IoT networks grow in size and are integrated with other IT and cyber-physical systems, the complexities of managing them increase, and the number of threat or attack vectors increases. Therefore, it is very challenging to eliminate all threat or attack vectors, but IoT-based cybersecurity systems are designed to eliminate threat or attack vectors whenever possible.

An IoT attack surface is the total number of attack vectors that cybercriminals can use to manipulate an IoT network or system to compromise its data confidentiality, integrity, or availability. That is, it is the combination of all IoT attack vectors available to cybercriminals to compromise IoT data and systems. It implies that the more IoT attack vectors an organisation has due to the deployment of IoT systems, the larger its cybersecurity attack surface, and vice versa. Therefore, in order to minimise the attack surface, organisations must minimise the number of attack vectors.

Some IoT attack vectors

In order to eliminate IoT attack vectors, it is important to understand the nature of some of these attack vectors and their sources and then develop comprehensive security strategies to deal with them. Some of the IoT attack vectors or ways in which cybercriminals can gain illegal access to IoT networks and systems (to compromise data security or launch further attacks) include the following:

  • Compromised user or device credentials: Password compromise is one of the most common ways that cybercriminals can gain unauthorised access to IoT systems. This is partly because some IoT device manufacturers ship devices with hardcoded passwords and sometimes with default passwords that are rarely changed. This gives cybercriminals easy access to IoT devices, which they use to conduct sophisticated attacks such as DDoS attacks. Password credentials used to log in to IoT mobile and web applications can also be compromised by cybercriminals through data leaks, phishing scams, malware, and brute-force attacks.
  • Weak cryptographic algorithms: It is very challenging to implement strong cryptographic algorithms in IoT devices due to hardware constraints, making it easy for cybercriminals to access IoT data transported over wireless communication channels. Also, the confidentiality of sensitive data stored on IoT devices can easily be compromised. Hence, weak cryptographic algorithms (or the absence of data encryption altogether) make it attractive for cybercriminals to try to access IoT data through man-in-the-middle attacks.
  • Open communication ports: Unsecured and unnecessarily open ports (virtual entry points into a device that associate network traffic with a given application or process) can be exploited by cybercriminals to gain access to the device. Every unnecessarily open and unsecured port is a threat vector that cybercriminals can exploit to attack IoT devices, servers, and applications.
  • Misconfigurations: Poorly configured IoT devices, network devices, servers, computing nodes, and applications can serve as weak points that cybercriminals can exploit to attack the IoT network and systems. Thus, exploitation of vulnerabilities created by misconfiguration is one of the ways in which attackers can gain unauthorised access to IoT networks and systems.
  • Firmware vulnerabilities: Since IoT firmware and software are not regularly updated to patch security holes and to protect IoT devices from newly discovered security vulnerabilities, cybercriminals can exploit unresolved firmware and software vulnerabilities to gain unauthorised access to IoT devices and data. Thus, the exploitation of firmware and software vulnerabilities is one of the ways cybercriminals can easily compromise the security of IoT networks and systems.
  • Zero-day vulnerabilities: Several security vulnerabilities (flaws in hardware or software) are regularly being discovered on a daily, weekly, monthly, or annual basis. If there are security vulnerabilities for which the developer has not released a security patch, or for which the user has not installed or applied the update, attackers are likely to exploit them to gain unauthorised access to IoT networks and systems. Therefore, the exploitation of unresolved known vulnerabilities is one of the attack vectors that cybercriminals use to compromise the security of IoT networks and systems.
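
An added example (not part of the original page): a small Python audit that checks a device inventory for four of the vectors listed above (default or hardcoded credentials, unnecessarily open ports, unencrypted services, outdated firmware) and sums them into the attack surface as defined earlier. The `Device` fields, the plaintext-port table and the inventory are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Assumed mapping: ports whose standard services carry data unencrypted.
PLAINTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http", 1883: "mqtt"}

@dataclass
class Device:
    name: str
    credential: str       # "factory-default", "hardcoded" or "unique"
    open_ports: set
    required_ports: set   # ports the device's function actually needs
    firmware: str
    latest_firmware: str  # newest release published by the vendor

def version_tuple(v):
    """'1.10.2' -> (1, 10, 2), so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

def attack_vectors(dev):
    """Return the attack vectors from the list above that this device exposes."""
    found = []
    if dev.credential != "unique":
        found.append(f"credentials: {dev.credential} password")
    for port in sorted(dev.open_ports - dev.required_ports):
        found.append(f"open port: {port} is not needed")
    for port in sorted(dev.open_ports.intersection(PLAINTEXT_PORTS)):
        found.append(f"unencrypted: {PLAINTEXT_PORTS[port]} on port {port}")
    if version_tuple(dev.firmware) < version_tuple(dev.latest_firmware):
        found.append(f"firmware: {dev.firmware} behind {dev.latest_firmware}")
    return found

def attack_surface(inventory):
    """Attack surface as the page defines it: total number of attack vectors."""
    return sum(len(attack_vectors(d)) for d in inventory)

# Constructed inventory, for illustration only.
INVENTORY = [
    Device("camera-01", "factory-default", {23, 80, 554}, {554}, "1.9.0", "1.10.2"),
    Device("sensor-07", "unique", {8883}, {8883}, "2.4.1", "2.4.1"),
    Device("gateway-02", "hardcoded", {22, 1883, 8883}, {22, 8883}, "3.0.0", "3.0.0"),
]

if __name__ == "__main__":
    for d in INVENTORY:
        for v in attack_vectors(d):
            print(f"{d.name}: {v}")
    print("attack surface:", attack_surface(INVENTORY))
```

Closing the unneeded ports, rotating the credential and updating the firmware on a device brings its list to empty, which is the reduction in attack surface the text describes.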
en/iot-reloaded/cybersecurity_issues_and_threats_in_iot_systems.1731047097.txt.gz · Last modified: 2024/11/08 06:24 by gkuaban
CC Attribution-Share Alike 4.0 International