The worldwide transition of IT systems from closed networks and in-house enterprise IT networks to the public-facing Internet is accelerating at a disturbing pace, raising justified concerns about security. Increasing reliance on the intelligent, interconnected devices now prevalent in society raises the question of how to protect what could potentially be billions of devices from intrusion and interference that could compromise personal privacy or threaten public safety. As with earlier universal technology trends, such as broad mobile phone adoption and the consolidation of data centres, the evolving operating environment associated with the Internet of Things (IoT) has a considerable impact on both the attack surface and the threat environment of the Internet and the systems connected to it.
Protection of data has been a concern ever since the first two digital computers were connected. The Internet’s commercialisation expanded security concerns to encompass financial transactions, personal privacy and the ever-present threat of cyber-theft. Security and safety are inseparable in IoT: interference with cars, pacemakers or even nuclear reactors, whether with malicious intent or not, poses a threat to human life.
Security Controls before the proliferation of IoT devices
Security controls evolved from firewalls performing packet filtering in the late 1980s to more recent application- and protocol-aware firewalls, intrusion detection and prevention systems (IDS/IPS), and security information and event management (SIEM) solutions.[1] These controls were designed to keep malicious activity away from corporate networks and to detect unauthorised access. If a firewall was breached, signature-matching antivirus techniques and blacklisting kicked in to identify and remediate the incident. As the malware ecosystem expanded and detection-avoidance techniques advanced, whitelisting started replacing blacklisting.[2] Similarly, the adoption of ever more devices onto corporate networks led to the development of diverse access control systems for authenticating both the devices and the users operating them, and for authorising those users to perform specific actions on the devices.
Concerns after the early 2000s over software authenticity and intellectual property protection gave rise to software verification and attestation techniques, often referred to as measured or trusted boot. These techniques were developed to provide assurance that when a computing platform boots, the code it executes has not been compromised.[3] To address concerns around the confidentiality of data, controls such as VPNs[4] and encryption of traffic on the physical medium (such as 802.11i (WPA2) or 802.1AE (MACsec)[5]) were developed with the aim of securing data whilst it is in motion.
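The measured-boot idea above, as an added example that is not code from the article: each boot stage is hashed and folded into a TPM-style register before it runs, and a verifier replays the event log and compares the result with golden values so that a tampered stage can be named. The stage names, image contents and the all-zero register start value are constructed; a real platform would also sign the final register value (a quote), which this example assumes is delivered authentically.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed stand-ins for the firmware images of each boot stage (not real binaries).
GOLDEN_IMAGES: Dict[str, bytes] = {
    "bootloader": b"bootloader-v1.2",
    "kernel": b"kernel-4.9-iot",
    "rootfs": b"rootfs-2016-11",
}
STAGE_ORDER: List[str] = ["bootloader", "kernel", "rootfs"]
PCR_RESET = bytes(32)  # assumption: the register starts at all-zeros on reset


def measure(image: bytes) -> bytes:
    """Hash a stage image; firmware does this before handing control to the stage."""
    return hashlib.sha256(image).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: PCR' = H(PCR || measurement). One-way and order-dependent."""
    return hashlib.sha256(pcr + measurement).digest()


def boot(images: Dict[str, bytes]) -> Tuple[bytes, List[Tuple[str, str]]]:
    """Simulate measured boot: extend the PCR with every stage and keep an event log."""
    pcr = PCR_RESET
    event_log: List[Tuple[str, str]] = []
    for stage in STAGE_ORDER:
        m = measure(images[stage])
        pcr = extend(pcr, m)
        event_log.append((stage, m.hex()))
    return pcr, event_log


def expected_pcr() -> bytes:
    """Golden PCR value the verifier derives from the known-good images."""
    pcr, _ = boot(GOLDEN_IMAGES)
    return pcr


def verify_attestation(reported_pcr: bytes,
                       event_log: List[Tuple[str, str]]) -> Tuple[bool, List[str]]:
    """Verifier side. The event log is untrusted, so first replay it and check that it
    reproduces the reported PCR; then compare each logged measurement with the golden
    image so the offending stage can be named. Returns (trusted, problems)."""
    replayed = PCR_RESET
    for _, m_hex in event_log:
        replayed = extend(replayed, bytes.fromhex(m_hex))
    if replayed != reported_pcr:
        return False, ["event log does not match reported PCR (log tampered)"]
    bad_stages = [stage for stage, m_hex in event_log
                  if m_hex != measure(GOLDEN_IMAGES.get(stage, b"")).hex()]
    trusted = reported_pcr == expected_pcr() and not bad_stages
    return trusted, bad_stages


if __name__ == "__main__":
    pcr, log = boot(GOLDEN_IMAGES)
    print("clean boot:", verify_attestation(pcr, log))
    pcr, log = boot(dict(GOLDEN_IMAGES, kernel=b"kernel-4.9-iot-modified"))
    print("modified kernel:", verify_attestation(pcr, log))
```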
Constraints, Challenges and Threats around IoT growth
Device constraints within IoT environments inhibit the application of these same security practices without considerable re-engineering effort.[6] Blacklisting, for example, requires an amount of storage that is impractical for IoT applications. IoT devices consume little power by design, have small silicon form factors and specific, limited connectivity. Memory and processing capacity are likewise limited to what the device’s task requires. Because IoT devices are designed to operate with limited or no human interaction, decisions around authentication, acceptance of commands and execution of tasks are left to the devices themselves.
In addition to device constraints, the variety of IoT applications introduces a broad collection of security challenges. Some examples are[7]:
- IoT-enabled smart meters that send energy usage data to utility companies for billing and grid-optimisation purposes. These devices need to protect information from unauthorised access. For instance, burglars could use a drop in power consumption as a cue that premises are empty.
- Robotic systems utilised on factory floors are operated by embedded programmable logic controllers (PLCs) which are commonly integrated into the IT infrastructure of the manufacturing organisation. These PLCs need to be secured against malicious access while at the same time still providing the advantages of integration with the rest of the organisation’s IT infrastructure.
- Updates and patches to control systems represent an issue when these systems control highly sensitive and potentially dangerous infrastructure such as nuclear reactors. These systems still need to receive security patches and software updates in a timely fashion, yet their functional safety needs to remain unimpaired and they need to remain certified for operation in sensitive environments.
IoT attacks in practice
Utilising IoT as a weapon, the Dyn/Mirai attack
A DDoS[8] attack on US internet service provider Dyn took place on the 21st of October, 2016. The attack took the form of a botnet of internet-connected devices (primarily digital video recorders and webcams) simultaneously accessing Dyn’s internet-facing servers. The botnet was instructed to attempt access to the servers indefinitely. The attack was successful, and millions of US internet users were affected by Dyn’s service outage, in addition to service disruptions at popular internet sites including Airbnb, GitHub, Reddit, Spotify and Twitter.[9] An example of the weaponisation of IoT, the attack on Dyn was implemented by infecting inadequately secured IoT devices with the open-source Mirai botnet software. Mirai infection is achieved by scanning the internet for IoT devices and attempting access via default usernames and passwords. Webcam and digital video recorder products from the Chinese company Hangzhou Xiongmai Technology were used in the assault.[10] The parties responsible for this Mirai-based attack have not been openly identified. Another botnet, using a newer version of the Mirai malware (Linux.Mirai), was used in a wave of attacks in Germany, exploiting a weakness in routers used in that country and crippling internet access for 900,000 home users.[11]
Utilising IoT to censor media, the Krebs on Security Attack
An immense DDoS attack on the internet security website “Krebs On Security”[12] in September 2016 constituted over 600 Gbps[13] of invalid data, causing the website to become unavailable.[14] The site did not go down immediately, being protected by security provider Akamai. The attack was however too large for Akamai to handle without negatively affecting its other customers (the largest attack Akamai had handled prior to this was 363 Gbps), and it withdrew protection, causing the site to fail. The site was eventually revived by Google using its Project Shield DDoS mitigation service.[15] Previously, attacks of this size were only within reach of the most sophisticated actors. But the attack on the Krebs site, in the same manner as the Dyn attack, involved an abundance of IoT devices controlled by botnet code in a similar vein to Mirai. The method and timing of the Krebs attack indicate that it was executed by a private entity or group without the need for a large budget or sophisticated technology.[16]
Exposing IoT devices as targets, the PanelShock Exploit
Although IoT devices may be used as launch platforms for attacks, they are also vulnerable as potential targets. Damage to physical systems, disruption of service or injuries could result from malicious actors taking control of IoT devices. A discovery by the Industrial Control Systems Cyber Emergency Response Team[17] during November 2016 exposed a significant vulnerability in an industrial control system used for factory machinery management.[18] The technique known as “PanelShock” uses the internet to access the target industrial control system. Its outcome is to make a factory control panel unresponsive and to disconnect the panel device from the underlying factory network. This leads factory floor supervisors and operators to take incorrect remedial actions, which further damage the factory equipment or hinder the production process.[19] The “PanelShock” technique is an excellent example of how an IoT device may be captured and repurposed with malicious intent.
Exposing IoT devices as targets, the Finland Building Automation attack
A DDoS attack in November 2016 took down the environmental control systems in two apartment buildings in Lappeenranta (Finland). IoT-connected systems controlled the central heating and hot water within the buildings, opening them up to attack. Once the attack was in progress, the systems were rebooted but remained stuck in an infinite loop, leading to a loss of heat in the target buildings.[20]
Both the “PanelShock” and Lappeenranta apartment scenarios describe the vulnerabilities created when control systems are exposed to the internet, with potentially serious consequences.
Latent risks
The preceding incidents illustrate the latent risks in attacks carried out using IoT devices, and the underlying issues that need to be dealt with:
- Device implementation and configuration security policies: IoT devices are often protected only by default administrator passwords that are openly published by manufacturers and therefore allow anyone with a network connection to the device to access it at an administrative level.[21]
- Transparent and easily accessible information identifying vulnerable IoT devices: Specialised search engines (such as Shodan[22]) allow anyone with an internet connection to detect the IP addresses of devices connected to the Internet. Search results can be filtered by device type and version, location, etc., enabling attackers to work out their attack vectors. Additionally, hacker groups have been known to publish lists containing the addresses and device details of IoT devices in the public domain.
- Open-source use: Manufacturers of IoT products often utilise open-source software in their devices. Open-source software often contains security vulnerabilities that are not always rectified by the device manufacturers. Because of the “open” nature of open-source software, malicious actors are also able to analyse the source code to find possible vulnerabilities.
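A defender-side illustration of the Mirai behaviour described in the Dyn section and of the default-password risk in the list above, as an added example that is not code from the article: detection logic run over constructed telnet login records from a Linux-based DVR or gateway. It flags a source that fails repeatedly across several usernames within a short window (the dictionary-attack pattern) and, separately, any successful login to an account that ships enabled by default. The log format, the year, the account names and the thresholds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Constructed syslog-style lines (not real device output); RFC 5737 test addresses.
SAMPLE_LOG = """\
Oct 21 09:00:01 dvr telnetd[201]: login failed user=root from=198.51.100.7
Oct 21 09:00:02 dvr telnetd[201]: login failed user=admin from=198.51.100.7
Oct 21 09:00:03 dvr telnetd[201]: login failed user=support from=198.51.100.7
Oct 21 09:00:04 dvr telnetd[201]: login failed user=root from=198.51.100.7
Oct 21 09:00:05 dvr telnetd[201]: login failed user=root from=198.51.100.7
Oct 21 09:00:06 dvr telnetd[201]: login failed user=root from=198.51.100.7
Oct 21 09:00:07 dvr telnetd[201]: login ok user=admin from=198.51.100.7
Oct 21 09:05:00 dvr telnetd[201]: login failed user=root from=192.0.2.10
Oct 21 09:30:00 dvr telnetd[201]: login ok user=operator from=192.0.2.10
"""

LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ telnetd\[\d+\]: "
                     r"login (ok|failed) user=(\S+) from=(\S+)$")
LOG_YEAR = "2016"            # assumption: syslog lines carry no year
FAIL_THRESHOLD = 5           # assumption: failures per window that count as an attack
WINDOW = timedelta(seconds=60)
FACTORY_ACCOUNTS = {"root", "admin", "support"}  # assumption: accounts enabled by default


def parse(text: str) -> List[dict]:
    """Turn matching log lines into events; lines that do not match are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{LOG_YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append({"ts": ts, "ok": m.group(2) == "ok",
                           "user": m.group(3), "src": m.group(4)})
    return events


def detect(text: str) -> List[str]:
    """Return one alert string per finding, in log order."""
    alerts: List[str] = []
    fails: Dict[str, List[datetime]] = defaultdict(list)   # recent failure times per source
    users: Dict[str, Set[str]] = defaultdict(set)          # usernames tried per source
    flagged: Set[str] = set()                              # sources already reported
    for ev in parse(text):
        src = ev["src"]
        if not ev["ok"]:
            users[src].add(ev["user"])
            # keep only failures inside the sliding window ending at this event
            fails[src] = [t for t in fails[src] if ev["ts"] - t <= WINDOW] + [ev["ts"]]
            if len(fails[src]) >= FAIL_THRESHOLD and src not in flagged:
                flagged.add(src)
                alerts.append(f"{src}: {len(fails[src])} failed logins within "
                              f"{WINDOW.seconds}s across users {sorted(users[src])} "
                              f"(dictionary attack)")
        elif ev["user"] in FACTORY_ACCOUNTS:
            suffix = " after brute force (likely compromise)" if src in flagged else ""
            alerts.append(f"{src}: successful login as factory account "
                          f"'{ev['user']}'{suffix}")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The `operator` login from the second source produces no alert: a single failure followed by a non-default account is ordinary use.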
Considering the potential risks described above, the inherent system security weaknesses that originate from them, and the attack vectors they expose for malicious parties to use, the foundations for offensive cyber campaigns are already in place in the worldwide IoT ecosystem. Such a campaign could use IoT devices as part of a DDoS attack framework or could target disruption of the IoT devices themselves. Of particular concern is the fact that a large-scale attack could result in significant damage, as in the Mirai attack on routers in Germany, in which the devices themselves were damaged.[23] With no evident applicable response to the risks posed by IoT devices, malicious actors such as terrorist organisations are likely to use IoT devices to increase the scope, effectiveness, efficiency and ultimately the damage of cyber-attacks.
IoT as a Terrorist Resource
As evidenced above, IoT devices have been deployed without the levels of security implemented in traditional desktop computers or cellular telephones. The use of internet connections by IoT devices allows for augmented user experiences, with remote control and automatic software updates for a myriad of appliances, controllers and devices.[24] IoT devices have penetrated beyond personal devices into government, military and critical infrastructure systems. Concurrently with this deployment of IoT devices, the underlying connectivity and communications medium used by IoT, the Internet, has grown into a capability used by terrorist organisations.[25] Most of this use has centred on recruitment, propaganda, marketing, fund-raising and the spreading of ideology.[26] The opportunity for this use to shift towards a more offensive, IoT-attack-based scenario is however latent, given the increasing availability of technology and services either at a price (from “Dark Web” sources) or through open-source channels (as evidenced by Mirai).
An illustration of this is the claimed successful infiltration, in February 2016, of the security cameras of the Israeli Ministry of Defence building in Tel Aviv by Shi’ite hackers affiliated to Hezbollah.[27] The hackers allegedly gained access because the cameras were still configured with default administrative passwords, giving them access to potentially sensitive video and audio data.
Defending against attacks
A considerable part of the IoT security shortfall has been attributed to sub-standard manufacturing, lack of quality control and insufficient security measures in device production. Combined with the use of generic components and the implementation of vulnerable open source code, devices have been produced that are exploitable and vulnerable to malicious security breaches.
A primary, enforceable IoT security standard for device manufacture with supporting standards applicable at local, regional and international level will need to be created to address the current quality issues around device production[28]. Meaningful and across-the-board security policies for the deployment of IoT devices need to be formulated and implemented at all levels. At a minimum, these policies need to cover authentication, encryption and IoT device upgrades[29] (both hardware and software).
Beyond standards and policies, government agencies tasked with security need to engage in proactive defence against possible terrorist use of IoT devices. The demanding aspect of this defence will be to stop attacks while at the same time allowing for the beneficial use of IoT devices in society and industry.
Using IoT devices to track Terrorists
The inexorable growth of IoT device adoption heralds new methods of terrorist attack, but it also provides new mechanisms for defence. The same IoT devices available for exploitation by terrorists could be repurposed to hunt them. IoT devices may be used for identification, monitoring, surveillance, location tracking and gaining access to terrorist networks. As every connected IoT device is assigned an IP address,[30] intelligence services may be able to intercept IoT communications in the same way as mobile phone signals.[31] By harnessing the information gained from these intercepts, intelligence services will be able to track and apprehend terrorists.
Conclusion
The concept of the Internet of Things (IoT) is nested within a larger spectrum of networked products and sensors. It has produced an explosion of applications and a significant shift in the ways humans interact with the Internet and with devices, providing both opportunities and threats, particularly with respect to critical infrastructure.
The integration of IoT devices with critical infrastructure has created additional opportunities for growth for industries, public sector organisations and governments throughout the world. Armed with the knowledge that IoT-based cyber-attacks will never be fully preventable, both private and government organisations need to advance their threat detection capabilities in the cyber realm so that they may respond to attack threats in an appropriate and proactive way.
Although there are technological challenges and extensive hurdles to conquer, in particular in the fields of connectivity and security, developing IoT technologies will revolutionize interoperability and efficiency in the contemporary world.
Sources
Alaba, F.A., Othmana, M., Hashema, I.A.T. and Alotaibib, F., “Internet of Things security: A survey”, Journal of Network and Computer Applications, 2017, Vol. 88, pp. 10–28
Amir, W., “DDoS Attacks on Apartments’ Heating System Left Residents Cold and Angry”, Hackread, Milan, Italy, 08/11/2016, available at: https://www.hackread.com/ddos-attacks-on-apartments-heating-system/, accessed on 01/05/2017
Critifence, “PanelShock: Schneider Electric Magelis HMI Advanced Panel (0-Day Vulnerabilities)”, Tel Aviv-Yafo, Israel, 11/2016, available at: http://www.critifence.com/blog/panel_shock/download_report.php, accessed on 11/05/2017
Fedorkow, G., “What’s the Difference between Secure Boot and Measured Boot?”, Security Now, 07/07/2015, available at: http://forums.juniper.net/t5/Security-Now/What-s-the-Difference-between-Secure-Boot-and-Measured-Boot/ba-p/281251, accessed on 10/05/2017
Fink, G.A., Zarzhitsky, D.V., Carroll, T.E. and Farquhar, E.D., “Security and privacy grand challenges for the Internet of Things”, International Conference on Collaboration Technologies and Systems (CTS), 06/2015, pp. 27–34
Gao, Y., “Chinese Firm Says Its Cameras Were Used to Take Down Internet”, Bloomberg Technology, 24/10/2016, available at: https://www.bloomberg.com/news/articles/2016-10-24/chinese-firm-says-its-cameras-were-used-to-take-down-internet, accessed on 11/05/2017
Goodin, D., “Why the silencing of KrebsOnSecurity opens a troubling chapter for the ‘Net”, Ars Technica, 24/09/2016, available at: https://arstechnica.com/security/2016/09/why-the-silencing-of-krebsonsecurity-opens-a-troubling-chapter-for-the-net/, accessed on 03/05/2017
Holbrook, D., “A critical analysis of the role of the internet in the preparation and planning of acts of terrorism”, Dynamics of Asymmetric Conflict, 2015, Vol. 8, No. 2, pp. 121–133
ICS-CERT, “Advisory (ICSA-16-308-02A) Schneider Electric Magelis HMI Resource Consumption Vulnerabilities (Update A)”, Industrial Control Systems Cyber Emergency Response Team, Washington, DC, US, 22/11/2016, available at: https://ics-cert.us-cert.gov/advisories/ICSA-16-308-02, accessed on 01/05/2017
Krebs, B., “KrebsOnSecurity Hit With Record DDoS”, KrebsOnSecurity, 16/09/2016, available at: https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/, accessed on 15/05/2017
Kubler, S., Främling, K. and Buda, A., “A standardized approach to deal with firewall and mobility policies in the IoT”, Pervasive and Mobile Computing, 2015, Vol. 20, pp. 100–114
LaFree, G., “Terrorism and the Internet”, American Society of Criminology, Criminology & Public Policy, 2017, Vol. 16, No. 1, pp. 93–98
Loong Keoh, S., Kumar, S.S. and Tschofenig, H., “Securing the Internet of Things: A Standardization Perspective”, IEEE Internet of Things Journal, 06/2014, Vol. 1, No. 3, pp. 265–275
Mathews, M. and Hunt, R., “EVOLUTION OF WIRELESS LAN SECURITY ARCHITECTURE TO IEEE 802.11i (WPA2)”, Department of Computer Science and Software Engineering, University of Canterbury, New Zealand, 2007, pp. 1–6, available at: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.490.9144&rep=rep1&type=pdf, accessed on 09/05/2017
Munro, K., “Leaked DVR creds added to the IoT Fail list”, PenTestPartners, Buckingham, United Kingdom, 11/01/2017, available at: https://www.pentestpartners.com/blog/leaked-dvr-creds-added-to-the-iot-fail-list/, accessed on 12/05/2017
Symantec Security Response, “Mirai: New wave of IoT botnet attacks hits Germany”, Symantec, 29/11/2016, available at: https://www.symantec.com/connect/blogs/mirai-new-wave-iot-botnet-attacks-hits-germany, accessed on 15/05/2017
Times of Israel, “Hezbollah: We hacked into Israeli security cameras”, Times of Israel, Tel Aviv, Israel, 20/02/2016, available at: http://www.timesofisrael.com/hezbollah-we-hacked-into-israeli-security-cameras, accessed on 19/05/2017
Vaughan-Nichols, S.J., “How to defend against the internet’s doomsday of DDoS attacks”, ZDNet, 24/10/2016, available at: http://www.zdnet.com/article/how-to-defend-against-the-internets-doomsday-of-ddos-attacks/, accessed on 01/05/2017
Wind River, “SECURITY IN THE INTERNET OF THINGS”, Wind River Systems, Inc., Alameda, California, USA, 2015, pp. 1–6, available at: https://www.windriver.com/whitepapers/security-in-the-internet-of-things/wr_security-in-the-internet-of-things.pdf
Notes
[1] Wind River, “SECURITY IN THE INTERNET OF THINGS”, p. 3
[2] The difference between whitelisting and blacklisting lies in the approach. Whitelisting denies access by default and only allows approved applications, email addresses, website domains, etc. Blacklisting allows access by default and blocks the unapproved applications, emails, website domains, etc. contained in the “blacklist”.
[3] Fedorkow, “What’s the Difference between Secure Boot and Measured Boot?”, p. 2
[4] Virtual Private Networks
[5] Mathews and Hunt, “EVOLUTION OF WIRELESS LAN SECURITY ARCHITECTURE TO IEEE 802.11i (WPA2)”, p. 1
[6] Alaba et al., “Internet of Things security: A survey”, p. 11
[7] Wind River, “SECURITY IN THE INTERNET OF THINGS”, p. 3
[8] Distributed Denial of Service
[9] Vaughan-Nichols, “How to defend against the internet’s doomsday of DDoS attacks”, p. 1
[10] Gao, “Chinese Firm Says Its Cameras Were Used to Take Down Internet”, p. 1
[11] Symantec, “Mirai: New wave of IoT botnet attacks hits Germany”, p. 1
[12] https://krebsonsecurity.com/
[13] Gigabits per second
[14] Goodin, “Why the silencing of KrebsOnSecurity opens a troubling chapter for the ‘Net”, p. 1
[15] Krebs, “KrebsOnSecurity Hit With Record DDoS”, p. 1
[16] Goodin, p. 1
[17] The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) is part of the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) in the US.
[18] Critifence, “PanelShock: Schneider Electric Magelis HMI Advanced Panel (0-Day Vulnerabilities)”, p. 1
[19] ICS-CERT, “Advisory (ICSA-16-308-02A) Schneider Electric Magelis HMI Resource Consumption Vulnerabilities (Update A)”, p. 1
[20] Amir, “DDoS Attacks on Apartments’ Heating System Left Residents Cold and Angry”, p. 1
[21] Munro, “Leaked DVR creds added to the IoT Fail list”, p. 1
[22] https://www.shodan.io/
[23] Symantec, “Mirai: New wave of IoT botnet attacks hits Germany”, p. 1
[24] Fink et al., “Security and privacy grand challenges for the Internet of Things”, p. 27
[25] LaFree, “Terrorism and the Internet”, pp. 93–94
[26] Holbrook, “A critical analysis of the role of the internet in the preparation and planning of acts of terrorism”, pp. 121–122
[27] Times of Israel, “Hezbollah: We hacked into Israeli security cameras”, p. 1
[28] Kubler et al., “A standardized approach to deal with firewall and mobility policies in the IoT”, p. 101 and p. 113
[29] Loong Keoh et al., “Securing the Internet of Things: A Standardization Perspective”, p. 266
[30] An IP address is assigned to each device (computer or otherwise) connected to a TCP/IP network (the protocol suite used by the internet) to locate and identify the device for communication with other devices.
[31] Kubler et al., “A standardized approach to deal with firewall and mobility policies in the IoT”, p. 100