
In the Internet of Things (IoT), the growing number of connected devices brings threats and challenges of its own. Securing the IoT ecosystem is an important task: the technology opens up new opportunities, but it also carries real risks. To address them, it is important to understand these threats and take appropriate measures to prevent them. Threats in the Internet of Things span cybersecurity, data privacy, network security, and user privacy. As the number of connected devices grows, the threat landscape changes and new challenges for cybersecurity appear, so these threats must be taken into account and measures taken to protect IoT devices and the network as a whole.
This may include updating software, using strong authentication and data encryption, and educating users about cybersecurity, all of which helps mitigate threats and preserve security and privacy in the IoT environment. If you live in an apartment building, you are probably surrounded by Internet of Things (IoT) objects. Hundreds of “computers on wheels” rush down the street every hour, each stuffed with sensors, processors and networking equipment. High-rise buildings are dotted with antennas and dishes connected to the Internet, linking a network of personal assistants, smart microwave ovens and thermostats. Somewhere in the sky, mobile data centers transmit information at hundreds of kilometers per hour, leaving a data trail wider than that of an airplane. Visit a factory, a hospital or an electronics store and you will be surprised at how widespread Internet-connected devices are. Given that even experts interpret the concept of the “Internet of Things” in completely different ways, in this book we will understand it as physical devices that have the functionality of a computer, are able to transmit data over a network, and do not require human-computer interaction. For hackers, the Internet of Things infrastructure is a world of possibilities: billions of interconnected devices that transmit and distribute data create a huge platform for experimenting with systems, building on them, exploiting them and pushing them to their limits. Before diving into the technical details of hacking and protecting the Internet of Things, let’s talk about the security of the Internet of Things as such: its legal, practical and personal aspects.
You may know the statistic: by 2025 there will be tens of billions of new IoT devices, adding tens of billions of dollars to global GDP. But this will only happen if everything goes according to plan and the new devices sell as quickly as hoped. At the same time, we are seeing security, safety, privacy and data-reliability issues that are hindering adoption. Security considerations can influence both the decision to buy a device and its price. So the slow development of the Internet of Things industry is explained by more than just economics.
IoT devices can make life easier in many areas. In 2016, 37,416 people died on U.S. highways, and according to the National Highway Traffic Safety Administration, 94% of those deaths were caused by human error. Driverless cars can significantly reduce accidents and make roads safer, as long as they are reliable. In other areas of life we also expect to benefit from the introduction of innovative technologies.
For example, pacemakers that send data to doctors every day can significantly reduce deaths from heart attacks. However, in a discussion held by the Heart Rhythm Society, a doctor from the US Department of Veterans Affairs noted that her patients refuse implanted devices for fear of hacking. Many manufacturers, government officials and security researchers believe that this crisis of confidence will delay the development of vital technologies by years or decades. Naturally, when technology is integrated so deeply into our lives, we must know for certain (and not just assume) that it is trustworthy.
According to a survey of consumer attitudes towards the Internet of Things commissioned by the UK government, 72% of respondents believe that such devices already come with security built in. Meanwhile, for a large number of manufacturers, the security of IoT devices is a secondary concern.
In October 2016, the Mirai botnet attacks caused concern among the US and other governments. This escalating series of attacks targeted hundreds of thousands of low-cost consumer devices and used common factory-default passwords such as admin, password and 1234. Ultimately it resulted in a Distributed Denial of Service (DDoS) attack against the domain name system (DNS) provider Dyn, which serves many American giants such as Amazon, Netflix, Twitter, The Wall Street Journal and Starbucks. The resulting outage, with its impact on customers, revenue and reputation, lasted more than eight hours.
Many believed this was the work of hackers working for other states. Mirai was quickly followed by the WannaCry and NotPetya attacks, which caused trillions of dollars in total damage, including damage to IoT systems used in manufacturing and support facilities. Governments had reason to doubt how well they were protecting their citizens. At their core, WannaCry and NotPetya are ransomware attacks that use the EternalBlue exploit, which targets a vulnerability in the Windows implementation of the Server Message Block (SMB) network protocol.
In December 2017, when it was revealed that Mirai had been developed by a group of teenagers, governments around the world realized that IoT security needed scrutiny. There are three possible approaches to Internet of Things security: leave everything as it is, add protection to unreliable devices after the fact, or oblige manufacturers to build such protection in from the start. In the status-quo scenario, the Internet of Things will regularly cause harm to society.
Adding post-purchase protection will give rise to new companies filling the niche the manufacturers left unoccupied, and as a result the buyer will be forced to pay more. The third scenario, building protection in during production, is the best for consumers in terms of eliminating problems and risks, and it is also the most cost-efficient. Let’s use an example from the past to show how these three scenarios can play out, especially the last two. Buildings in New York often have external fire escapes.
These increased the cost of evacuations and harmed people both inside and outside the building (see How Fire Escapes Became Decoration in The Atlantic). Emergency exits are now built inside buildings, and people are better protected than ever. Similarly, security built into IoT devices provides capabilities that external solutions do not, such as installing updates and new hardware, threat modeling, how to stack ingredient cups, all of which you will learn about in this book.
Note that the options listed above are not mutually exclusive – the IoT market can support all three scenarios.
Internet of Things technology has several key differences from traditional information technology (IT). I Am the Cavalry, a global grassroots initiative dedicated to protecting the scientific community, compared the two systematically, and the results of that comparison are summarized below. The consequences of failures in Internet of Things security can in some cases lead to a person’s death.
In addition, they can damage the reputation of a company or an entire industry, as well as confidence in the government’s ability to protect citizens through oversight and regulation. For example, the WannaCry attack, which disrupted medical facilities for several days, endangered the lives of patients who had to adhere to a strict medication schedule and were prone to strokes or heart attacks. Criminals carry out attacks with different motives, pursuing different goals, and using different methods and opportunities.
Some do not seek to endanger human life and health; others, on the contrary, are ready to do exactly that. For example, hospitals often face ransomware attacks because the potential harm to patients increases the likelihood and speed of payment. The technical characteristics of IoT devices, including their security mechanisms, create limitations that are not present in conventional IT devices. For example, the size and power budget of pacemakers preclude traditional IT security practices designed for larger, more powerful devices. IoT devices often operate in specific contexts and environments, including everyday life, where they are operated by people who lack the knowledge or resources to deploy and manage them safely. It is difficult for drivers of cars with smart controls to update the system themselves, for example by installing anti-virus software. It is also unlikely that the average consumer will be able to respond quickly and competently to a security problem that arises.
But we do expect that of a company. From an economic point of view, the production of smart devices tends to minimize the cost of the devices themselves and their components, which makes adding security measures comparatively expensive. Many of these devices are aimed at buyers with a limited budget, who also lack experience in choosing and setting up such equipment. In addition, the costs associated with device vulnerabilities are often not borne by those who directly use them. For example, the Mirai botnet used standard firmware passwords: most users have no idea that they need to change the password set by the manufacturer, or do not know how to do it! Mirai cost the United States economy billions of dollars by targeting a third-party DNS provider that did not control any of the devices involved in the attack.
The time to design, develop, implement, operate and decommission devices is often measured in decades. Response times may also increase depending on device settings, context and operating environment. For example, Internet-controlled equipment at power plants typically lasts more than 20 years without needing to be replaced. Yet attacks on Ukraine’s electricity suppliers caused systems to fail just seconds after attackers took control of the companies’ infrastructure.
Because IoT security is fundamentally different from IT security, hacking IoT systems requires different methods. Such systems typically include individual devices and sensors, mobile applications, cloud infrastructure, and network communication protocols. The latter include TCP/IP network stack protocols (such as mDNS, DNS-SD, UPnP, WS-Discovery, and DICOM), as well as protocols used in short-range radios (such as NFC, RFID, Bluetooth, and BLE), medium-range radios (e.g. Wi-Fi, Wi-Fi Direct and Zigbee) and long-range radios (e.g. LoRa, LoRaWAN and Sigfox).
Unlike traditional security testing, IoT security testing involves testing and often disassembling hardware, working with network protocols not commonly found in other environments, analyzing device management through mobile applications, and exploring how devices interact with cloud web services through APIs. All these details will be discussed in other sections.
For example, consider a smart door lock. Figure 1.1 shows a typical architecture for such a smart lock. The lock is controlled from the consumer’s mobile app via Bluetooth Low Energy (BLE), and the app communicates with the smart lock servers in the cloud (or, as they sometimes say, someone else’s computer) using an API that works over HTTPS. In this design, the smart lock depends on the user’s Internet-connected mobile device to receive any messages from the cloud server.
All three components (lock, mobile application and cloud) interact and rely on each other to form an IoT system that presents a wide attack surface. Imagine what happens when you revoke an Airbnb guest’s digital key with this smart lock system. On behalf of the owner of the apartment and the smart lock, the mobile application sends a message to the cloud revoking the guest’s key. Naturally, you do not have to be near the apartment or the lock to do this. When the server receives the revocation, it sends a special message to the smart lock to update its access control list (ACL). But if the guest, now acting as an attacker, puts their phone in flight mode, the smart lock cannot use that phone as a relay to receive the update from the server, and it will still grant access to your apartment.
The simple attack described above, the revocation bypass, is a good example of a vulnerability you might encounter when hacking the Internet of Things. The constraints of small, inexpensive devices further increase the vulnerability of these systems. Thus, instead of using resource-intensive public-key cryptography, IoT devices typically rely only on symmetric keys to encrypt their communication channels. These cryptographic keys are often not unique and are programmed into firmware or hardware, allowing attackers to extract them and then reuse them on other devices.
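As an added illustration (not code from the book or from any lock vendor), the following Python model contrasts the relay-dependent revocation design described above with a design in which the lock itself verifies short-lived tokens signed with a key unique to that lock, so revocation no longer depends on the guest’s phone delivering the update. All class names, key values and timings are constructed for the example.

```python
import hmac
import hashlib
import json


class RelayDependentLock:
    """Model of the design in the text: the lock keeps an access control list
    and learns of a revocation only when the guest's phone relays the server's
    update over BLE. Constructed model, not any vendor's code."""

    def __init__(self, acl):
        self.acl = set(acl)

    def apply_update(self, acl):
        self.acl = set(acl)

    def unlock(self, guest_id):
        return guest_id in self.acl


class Phone:
    """The guest's phone, the only path from the cloud to the lock."""

    def __init__(self, airplane_mode=False):
        self.airplane_mode = airplane_mode

    def relay_update(self, lock, acl):
        # In flight mode no message from the server ever reaches the lock.
        if not self.airplane_mode:
            lock.apply_update(acl)


class TokenLock:
    """Hardened model: the lock honours only short-lived tokens signed by the
    server with a key unique to this lock (provisioned at manufacture). A
    revoked guest cannot obtain a fresh token, and the cached one dies at
    'exp' whether or not any message reaches the lock."""

    def __init__(self, lock_key, max_ttl=900):
        self.key = lock_key
        self.max_ttl = max_ttl  # longest token lifetime the lock accepts

    def unlock(self, token, now):
        payload, mac = token
        expected = hmac.new(self.key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            return False  # forged or tampered token
        claims = json.loads(payload)
        if claims["exp"] <= now:
            return False  # expired: revocation has taken effect
        if claims["exp"] - claims["iat"] > self.max_ttl:
            return False  # lifetime longer than the lock is willing to honour
        return True


def issue_token(lock_key, guest_id, now, ttl=600):
    """Server side: mint a token for a guest still on the server's ACL."""
    payload = json.dumps({"sub": guest_id, "iat": now, "exp": now + ttl},
                         sort_keys=True).encode()
    return payload, hmac.new(lock_key, payload, hashlib.sha256).digest()


def revocation_scenario():
    """Owner revokes guest 'g1' while g1's phone is in flight mode.
    Returns (relay lock still opens for g1, token lock opens before expiry,
    token lock opens after expiry)."""
    lock = RelayDependentLock(acl={"owner", "g1"})
    phone = Phone(airplane_mode=True)
    phone.relay_update(lock, acl={"owner"})  # new ACL never arrives
    relay_grants = lock.unlock("g1")

    lock_key = b"constructed-per-lock-key-0001"  # placeholder, not a real key
    tlock = TokenLock(lock_key)
    t0 = 1_700_000_000
    token = issue_token(lock_key, "g1", now=t0)  # minted before revocation
    opens_before_expiry = tlock.unlock(token, now=t0 + 60)
    opens_after_expiry = tlock.unlock(token, now=t0 + 601)
    return relay_grants, opens_before_expiry, opens_after_expiry
```

Running `revocation_scenario()` returns `(True, True, False)`: the relay-dependent lock keeps opening for the revoked guest, while the token-based lock stops at expiry without needing any message delivered.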
The traditional approach to security problems is the adoption of standards. Over the past few years, people have tried to solve IoT security problems through many methodologies, rules and other materials. While standards aim to consolidate industries around common best practices, the sheer volume of them creates a fragmented picture, leading to disagreement about what to do and how to do it. Still, we can benefit greatly from studying different standards and practices, even while recognizing that there is no consensus on the best way to secure IoT devices.
To begin with, we distinguish between documents that address the internal design of a device and documents that define its functions. These two aspects are interconnected, because features designed into the device improve the safety of its user. Conversely, what is not built into the design of a device limits its functions: for example, it rules out secure software updates, reliability of the data it provides, isolation and segmentation within the device, and rapid notification of problems. Guidance from manufacturers, industry bodies or government agencies may combine both kinds of material.
Second, we distinguish between guidance and standards. The former defines the kinds of tasks to perform, while the latter defines the processes and specifications for completing them. Both are important, but guidance is more relevant and widely applicable, because security standards quickly become outdated and are often limited in scope. At the same time, some standards are extremely useful and define key components of Internet of Things technology such as interoperability (IPv4 and Wi-Fi, for example).
Throughout this book, we will refer to methodologies and standards where appropriate to provide guidance to developers and users on how to troubleshoot potential problems with the tools, technologies, and processes we describe.
Here are examples of standards, guidance and reference materials:
Standards. The European Telecommunications Standards Institute (ETSI), founded in 1988, produces more than 2,000 standards annually. Its IoT Cyber Security Technical Specification provides a framework for developing secure IoT devices. The National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO) publish series of standards that support the protection of IoT devices.
Guidance. The international grassroots movement I Am The Cavalry (founded in 2013) includes members of the security research community. Its Hippocratic Oath for Connected Medical Devices (Figure 1.2) describes the goals and capabilities for medical device design and development. Many of the principles outlined in it have been incorporated into the FDA’s regulatory criteria for approving medical devices. Other guidance includes the US National Institute of Standards and Technology’s cybersecurity guidelines, including those applicable to owning and operating IoT devices, the Cisco IoT Security Guidelines, and the Cloud Security Alliance’s IoT Security Framework.
Reference materials. The Open Web Application Security Project (OWASP), launched in 2001, has long since grown beyond its web-application namesake. Its “Top 10” lists have become a powerful tool for software developers and IT procurement and are used to improve security in a wide range of projects. In 2014, the first “Top 10” list for the Internet of Things segment was published (Fig. 1.3). Its latest version (at the time of writing) dates from 2018.
Other guidance and reference materials include the US National Institute of Standards and Technology’s Internet of Things baseline, the US National Telecommunications and Information Administration (NTIA) Internet of Things materials, the European Network and Information Security Agency (ENISA) Core Guidelines for Internet of Things Security, the GSM Association (GSMA) Internet of Things Security Recommendations and Assessments, and the work of the IoT Security Foundation.
Although this book focuses mainly on technical aspects, some other factors influence the study of Internet of Things security. These include, from experience, the trade-offs that are inevitable when a vulnerability is disclosed, and what security professionals, manufacturers and the general public should consider in that regard. The example below describes a successful IoT security study: how it was carried out and what led to its successful outcome.
In 2016, Jay Radcliffe, a security researcher diagnosed with type 1 diabetes, discovered three vulnerabilities in the Animas OneTouch Ping insulin pump and reported them to the manufacturer. The work had begun several months earlier: he bought the devices, built a test lab, and identified potential threats. In addition, Jay sought legal advice to ensure that the testing did not run afoul of state and federal laws.
Jay’s primary goal was patient safety, so he submitted his report in accordance with the manufacturer’s vulnerability disclosure policy. Through e-mail, telephone and in-person conversations, Jay discussed the technical details, the possible consequences of the problems, and the steps necessary to resolve them. Negotiations continued for several months, during which Radcliffe demonstrated the exploitation of the device’s weak points and provided proof-of-concept code.
Later, after learning that the manufacturer did not plan to implement any technical fixes until a new model of the pump was released, Jay publicly disclosed the vulnerabilities, but with the following caveat: “If any of my children develop diabetes and the medical staff recommends that they get a pump, I would not hesitate to choose the OneTouch Ping model, even if it is not perfect.” See https://blog.rapid7.com/2016/10/04/r7-2016-07-multiple-vulnerabilities-in-animas-onetouch-ping-insulin-pump/.
Jay worked for almost a year to find the vulnerabilities and get them fixed. He was to present his work at a major conference after the manufacturer had notified the patients affected. Many of those patients relied on postal mail as their primary source of information, and the mailing was scheduled to reach them only after his talk. Jay made the difficult decision to cancel his conference presentation so that patients could learn about the problem from their doctor or the company rather than from a news article.
You can learn a number of lessons from the situations that experienced security researchers like Jay deal with.
They anticipate the consequences of their research. Not only did Jay clarify the legal aspects beforehand, he also made sure that his testing did not harm anyone outside the lab. In addition, he made sure that patients learned about the technical problems from people they trusted, which reduced anxiety and kept them from abandoning life-saving technology.
They inform decisions but do not dictate them. Jay understood that the manufacturer did not want to spend a lot of money updating old devices and was focused on creating new products that would save even more people and make their lives easier. Instead of insisting on fixing the old models, he listened to the manufacturer’s position.
They set an example. Like many healthcare security researchers, Jay has built long-term relationships with patients, regulators, physicians and manufacturers. To a certain extent, this meant giving up public attention and paid projects, and it required a great deal of patience. But the results speak for themselves: leading manufacturers are creating the safest medical devices ever, and they engage the research community through events like the Biohacking Village at DEF CON.
They know the law. Security researchers have long faced accusations of wrongdoing. Often these were unprovoked, but in some cases there was cause. Although experts are still developing standardized language to govern vulnerability disclosure programs, there have been few (if any) lawsuits against researchers over such disclosures.
We tapped several recognized experts in law and public policy to brief readers on topics not traditionally covered in security books. Harley Geiger discusses two laws that apply to security researchers in the US, and David Rogers explains what steps are being taken to improve the security of IoT devices in the UK.
Harley Geiger, Director of Public Policy, Rapid7
Perhaps the two most important federal laws affecting IoT research are the Digital Millennium Copyright Act (DMCA) and the Computer Fraud and Abuse Act (CFAA). Let’s take a look at these two laws.
Many IoT security assessments bypass weak software protections, but the DMCA in most cases prohibits circumventing technological protection measures (TPMs) such as encryption, authentication requirements and region coding in order to access copyrighted works (e.g. software) without the permission of the copyright holder. In the past, this meant that security testing required permission from the makers of the software running on your IoT devices, including devices you own! Fortunately, there is a specific exemption for good-faith security testing that allows researchers to bypass technological protections without asking the copyright owner’s permission. The Librarian of Congress granted this exemption at the request of the security research community and its allies.
As of 2019, research that qualifies under the DMCA exemption meets the following criteria:
it is carried out on a device that was lawfully acquired (for example, with the authorization of the computer’s owner);
it is performed solely for the purpose of testing or fixing vulnerabilities in the device’s security;
it does not harm the surrounding environment (for example, it cannot be carried out on a nuclear power plant or on a busy highway);
the information obtained is used primarily to improve the security or safety of the devices, computers or their users (and not, for example, for piracy);
the research does not violate other laws, including but not limited to the Computer Fraud and Abuse Act.
There are two exemptions, of which only one provides real protection. This stronger exemption must be renewed every three years by the Librarian of Congress, and the degree of protection may change when it is renewed. As a result, the legal standing of some of the most important research may shift from one renewal to the next. The latest version of the DMCA exemption that applies to security testing (2018) is available at https://www.govinfo.gov/content/pkg/FR-2018-10-26/pdf/2018-23241.pdf#page=17/.
The Computer Fraud and Abuse Act also comes up often; as you may have noticed, it appears in the DMCA exemption criteria above. The act is the primary US federal anti-hacking law and, unlike the DMCA, it provides no explicit protection for security testing. It generally applies to accessing, and acting maliciously against, other people’s computers without the permission of their owner (rather than the software’s copyright holder, as in the case of the DMCA). What if an IoT device was issued to you by your company or school and you decided to test its security without their knowledge? The courts are still debating this question; it is one of the contentious points of the Computer Fraud and Abuse Act, which, by the way, was adopted more than 30 years ago. However, if you hack an IoT device that you own, or that the device’s owner has given you for testing, you are likely on the right side of both laws, the DMCA and the CFAA. Congratulations!
But wait! Many other laws may be relevant to IoT security research, especially state hacking laws, which can be interpreted even more broadly and vaguely than the Computer Fraud and Abuse Act. (Fun fact: Washington state’s hacking law provides special legal protection for so-called white hat, or ethical, hackers.) Don’t assume that your IoT security research is immune just because it is conducted in strict compliance with the DMCA and CFAA, although that is not a bad start!
If you are confused by the many laws and afraid of breaking one, you are not alone. The laws on this topic are complex; they puzzle even the sharpest lawyers and civil servants. At the same time, intensive and painstaking work is being done to clarify and strengthen the legal protection of security research. Your voice and your experience with controversial laws that hold back valuable IoT security research can serve you well in the debate about reforming the DMCA, CFAA and other laws.
The field of the Internet of Things is developing rapidly. The number, types and uses of these “things” change faster than new books about them can be published. By the time you read these lines, some new device will have appeared that we know nothing about yet. However, we are confident that this book contains valuable resources and references that will allow you to develop your skills no matter what you have to assess a year or a decade from now.
We used materials from the book “The Definitive Guide to Attacking the Internet of Things” written by Fotios Chantzis, Ioannis Stais, Paulino Calderon, Evangelos Deirmentzoglou and Beau Woods.