IoT Attack Vectors

In this section, we discuss the concept of IoT attack vectors, attack surfaces, and threat vectors to clarify the difference between these cybersecurity terms that are often used interchangeably. We discuss some IoT attack vectors that should be taken into consideration when designing cybersecurity strategies for IoT networks and systems. We also discuss some strategies that can be used to eliminate or mitigate the risk posed by IoT attack vectors.

IoT attack vectors are the various methods that can be used by cybercriminals to access IoT devices in order to launch cyberattacks on the IoT infrastructure or other information system infrastructure of an organisation or the Internet as a whole. They provide a means for cybercriminals to exploit security vulnerabilities to compromise the confidentiality, integrity, and availability of sensitive data. It is very important to minimise the attack vectors to reduce the risk of a security breach. It may cost an organisation a lot of money, and its reputation may also be negatively impacted after a security breach.

The number of attack vectors keeps growing as cybercriminals keep developing numerous simple and sophisticated methods to exploit unresolved security vulnerabilities and zero-day abilities on computer systems and networks. In this way, there is no single solution to mitigate the risk posed by the growing number of attack vectors in classical computer systems and networks. As the number of IoT devices connected to the internet increases, the number of IoT-related attack vectors also increases, requiring the development of a holistic cybersecurity strategy that handles the traditional attack vectors (e.g., malware, viruses, email attachments, web pages, pop-ups, instant messages, text messages, and social engineering, credential theft, vulnerability exploits, and insufficient protection against insider threats) and those that are designed to target IoT systems (e.g., exploitation of IoT-based vulnerabilities such as weak or no passwords, lack of firmware and software updates, unencrypted communications).

In order to defend IoT networks and systems, it is important to understand the various ways a cybercriminal can use to gain unauthorised access to IoT networks and systems. The term threat vector is often used interchangeably with attack vector. An IoT threat vector is the total number of potential ways or methods that cybercriminals can use to compromise the confidentiality, integrity, or availability of IoT data and systems. As IoT networks grow in size and are integrated with other IT and cyber-physical systems, the complexities of managing them increase, and the number of threat or attack vectors increases. Therefore, it is very challenging to illuminate all threat or attack vectors, but IoT-based cybersecurity systems are designed to eliminate threat or attack vectors whenever possible.

An IoT attack surface is the total number of attack vectors that cybercriminals can use to manipulate an IoT network or system to compromise its data confidentiality, integrity, or availability. That is, it is the combination of all IoT attack vectors available to cybercriminals to use to compromise IoT data and systems. It implies that the more IoT attack vectors an organisation has due to the deployment of IoT systems, the larger their cybersecurity attack surface and vice versa. Therefore, in order to minimise the attack surface, organisations must minimise the number of attack vectors.

In order to eliminate IoT attack vectors, it is important to understand the nature of some of these attack vectors and their sources and then develop comprehensive security strategies to deal with them. In this section, we will discuss IoT attack vectors from the perception layer to the application layer. Some of the IoT attack vectors or ways in which cybercriminals can gain illegal access to IoT networks and systems (to compromise data security or launch further attacks) include the following:

• Compromised user or device credentials: Password compromise is one of the most common ways that cybercriminals can gain unauthorised access to IoT systems. This is partly because some IoT device manufacturers ship devices with hardcoded passwords and sometimes with default passwords that are rarely changed. This gives cybercriminals easy access to IoT devices, which they use to conduct sophisticated attacks such as DDoS attacks. Password credentials to log in to IoT IoT mobile and web applications can also be compromised by cybercriminals through data leaks, phishing scams, malware, and brute-force attacks.
• Weak cryptographic algorithms: It is very challenging to implement strong cryptographic algorithms in IoT devices due to hardware constraints, making it easy for cybercriminals to access IoT data transported over wireless communication channels. Also, the confidentiality of sensitive data stored on IoT devices can easily be compromised. Hence, weak cryptographic algorithms (and data encryption algorithms are not implemented) make it attractive for cybercriminals to try to access IoT data through man-in-the-middle attacks.
• Open communication ports: Unsecured and unnecessarily open ports (virtual entry points into a device that associates network traffic with a given application or process) can be exploited by cybercriminals to gain access to the device. Every necessarily open and unsecured port is a threat vector that cybercriminals can exploit to attack IoT devices, servers, and applications.
• Misconfigurations: Poorly configured IoT devices, network devices, servers, computing nodes, and applications can serve as weak points that cybercriminals can exploit to attack the IoT network and systems. Thus, exploitation of vulnerabilities created by misconfiguration is one of the ways in which attackers can gain unauthorised access to IoT networks and systems.
• Firmware vulnerabilities: Since IoT firmware and software are not regularly updated to patch security holes and to protect IoT devices from newly discovered security vulnerabilities, cybercriminals can exploit unresolved firmware and software vulnerabilities to gain unauthorised access to IoT devices and data. Thus, the exploitation of firmware and software vulnerabilities is one of the ways cybercriminals can easily compromise the security of IoT networks and systems.
• Zero-day vulnerabilities: Several security vulnerabilities (flaws in hardware or software) are regularly being discovered on a daily, weekly, monthly, or annual basis. Suppose there are security vulnerabilities for which the developer has not released a security patch, or the user has not installed/applied the update. In that case, it is likely attackers will exploit such vulnerabilities to gain unauthorised access to IoT networks and systems. The exploitation of unknown vulnerabilities or software flaws before a security patch is released is called a zero-day attack. Therefore, the exploitation of unresolved known vulnerabilities is one of the attack vectors that cybercriminals use to compromise the security of IoT networks and systems.
• Cross-site scripting (XSS): It is a browser-based attack vector that can inject or insert malicious code within a browser-based application designed for users to access IoT services. For a lot of IoT applications, the end-users access the IoT services hosted on cloud computing platforms through web and mobile applications using their browsers. Cybercriminals can inject malicious code into IoT web applications, re-direct users to fake websites and trick the browser into executing malicious code that downloads malware that infects user devices. That is, the inserted malicious code can launch itself into an infected script that could infect the user's device and steal information. Hence, since IoT services are provided to users through web-based applications, this kind of attack vector will be targeted by cybercriminals.
• SQL injection: A lot of IoT data is stored in structured databases and then accessed through web and mobile applications by users and other applications. The data stored in structured databases is often managed using SQL (structured Querry Language), which is a kind of programming language that is used to administer or interact with the database to store, access, and manipulate the data. An SQL injection attack vector is one in which an attacker leverages known vulnerabilities to inject malicious SQL statements into an application to trick the server into allowing the attacker to illegally extract, alter or delete information. In the case of IoT applications in which sensor data is collected and stored in structured databases, this type of attack vector will likely be targeted.
• Distributed Denial of Service (DDoS) attacks: This type of attack vector involves the use of bots to infect IoT devices and then create a botnet (network of bots) that can be controlled to overwhelm IoT gateways, services, data centres, and web applications with a massive amount of traffic or requests. This type of attack aims to cause the IoT gateways, services, data centres, and web applications to crash, depriving the users of accessing IoT services. The is, the attacker takes over a large number of IoT devices, creates a botnet, and redirects traffic from their devices to IoT gateways, services, data centres, and web applications with the goal of disrupting IoT services.
• Session hijacking: Cybercriminals can gain unauthorised access to sensitive IoT data through session hijacking. When IoT users login to access IoT service, they are provided with a session key or cookie, so you don't need to log in again. This cookie can be hijacked by an attacker who uses it to gain access to sensitive IoT information ^[1].
• Phishing: This type of attack vector could be targeted at employees of IoT organisations or users to compromise their login credentials. It involves the use of social engineering strategies where the target is contacted by email, telephone, or text message by someone who is posing to be a legitimate colleague or institution to trick them into providing sensitive data, credentials, or personally identifiable information (PII). It is one of the most commonly used attack vectors to gain unauthorised access to sensitive information, and it is also the starting point for many forms of attacks like ransomware attacks (which often start with phishing campaigns against their targets).
• Brut-force attack: It is another attack vector that is aimed at compromising the authentication credentials and encryption keys to gain unauthorised access to IoT data. It could be done by using a trial and error method to guess the password or encryption key in order to gain unauthorised access to IoT networks, systems, and data. If the password and the encryption key are not strong enough, the attacker can illegally gain access to IoT devices. The use of default passwords and weak encryption schemes in IoT devices makes them susceptible to these kinds of attacks.
• Physical attacks. This type of attack vector involves the adversary's physical access to the IoT device. If an attacker can physically access deployed IoT devices, it is possible to steal sensitive data and also to compromise the devices and then later use them to conduct attacks on IoT networks and other systems.
• Insider attack: It is also important to consider the fact that legitimate users or employees could decide to leak sensitive IoT data to external entities, compromising the confidentiality of the data. An insider may also delete sensitive data intentionally or unintentionally. This kind of attack vector should be considered when designing a cybersecurity strategy for IoT networks and systems.
• Exploitation of supply chain vulnerability: This kind of attack vector involves the exploitation of vulnerabilities present in third-party hardware and software systems. Attacks could go after vulnerabilities that are present in third-party hardware and software systems that the supplier of the hardware or software system may not have discovered. Therefore, vulnerabilities present in third-party products may become entry points for attackers to gain unauthorised access to IoT networks and systems.