All content in this area was uploaded by Audrey Gendreau on Jul 31, 2016
Internet of Things: Arduino Vulnerability Analysis
Audrey Ann Gendreau, Ph.D., CISSP, GCFE
audreygendreau@icloud.com
Abstract—This paper examines the vulnerabilities to the security of physical computing interactive systems, which are designed to sense and respond to a physical phenomenon. Specifically, it discusses vulnerabilities of physical computing from the unique perspective of the Do-It-Yourself (DIY) community. Vulnerabilities associated with the Arduino, a popular microcontroller prototyping technology in the DIY community, are used as a case study. The exploitability and impact characteristics of the Arduino are evaluated according to the Common Configuration Scoring System (CCSS), a vulnerability scoring system proposed by the National Institute of Standards and Technology (NIST). In this system, vulnerabilities are listed and ranked according to the level of risk that they represent due to software flaws. The purpose of the metric is to assist in security configuration decisions for the overall security posture of a system. It is anticipated that this work, in combination with analysis of other domains in the IoT, can be used to help map security configuration issues to a set of standards and policies, consequently enabling security automation for End-to-End Trust in the IoT.
Keywords— Internet of Things; Physical Computing; Arduino;
Vulnerability Analysis; Microcontroller; Security Automation
I. INTRODUCTION
This paper is about vulnerabilities of physical computing from the unique environmental perspective of ordinary people (e.g. the Do-It-Yourself community) using electronic prototyping tools to build interactive systems designed to sense and respond to the physical world. When connected to the Internet, less visible objects are more susceptible to attacks [7]; yet they act as end nodes monitoring and encoding the analog world into digital data as part of the Internet of Things (IoT). With respect to previous mobile embedded systems, today's devices used to facilitate physical computing offer greater flexibility, affordability, and programmability to the average user. Moreover, barriers due to a lack of experience or skill have been removed by fostering a new nontechnical electronic user group of inventors and artists as part of what is designated as the maker movement, incentivized by hackathons for student teams. In this context, “hacking” means to build a new electronic object or application quickly [25].
In the toolset of the maker movement, there are two basic platforms: mini computers and microcontrollers. The currently popular mini computers include the Raspberry Pi and the BeagleBone Black, which both run Linux distributions with Python scripting. To enable physical computing, they use a General-Purpose Input/Output (GPIO) extension board. One of the GPIO interfaces frequently utilized in the Maker movement is the Arduino, a microcontroller electronic prototyping platform and the use case for this study.
The first standard Arduino system was released in 2005 by the Interaction Design Institute in Northern Italy. Its purpose was to teach students electronics quickly by using microcontrollers and a basic printed circuit board (PCB) to promote new ways of doing interactive design. This began the international Do-It-Yourself (DIY) revolution in physical computing, and the Maker movement. Physical computing is analogous to the concept of traditional embedded programming [1], while the Maker movement is a broader term used to cover both technology-based DIY as well as handmade textiles and other creative arts. In the same way users once built their own computers at home, DIYers and Tech-Makers now use a combination of hardware and software to build interactive systems that can sense and respond to physical phenomena, such as home security monitoring systems, or a talking heart rate monitor. As with all embedded technology, for the object to be mobile and close to the physical phenomena it is sensing, the device must be small in size and energy efficient. Examples include everything from spy glasses to an art work named Shifting Times by Camille Utterback on display in San Jose, California, in which images shift based on the sensed movements of pedestrians to represent a blend of lost memories [2].
Moreover, two or more battery-powered embedded devices fitted with Wireless Personal Area Network (WPAN) technology such as ZigBee can together create a Wireless Sensor Network (WSN) [3] using a low-powered communication protocol. XBee51 can be purchased with a shield for ZigBee-enabled WPAN communication. Naturally, physical computing is pervasive in commercial and medical applications, such as machine vision used for quality inspection in a factory assembly line and home health care. However, the focus of this paper is not on industry-driven programmable logic units (PLU) or other “for profit” applications of physical computing, but on the unimaginable gadgetry and art that ordinary people are producing as part of the maker movement. Moreover, this distinction is in large part environmental, as these undocumented objects exist in homes and public libraries and are frequently developed and maintained by minors, the IoT’s weakest link.
II. BACKGROUND
In 2005, the first Arduino was introduced. It had another name, did not have enough computing power, and cost one hundred dollars. Since that time, a fundamentally different version has been produced. To make the board affordable, the creators’ goal was to bring the purchase price of the board down to thirty dollars. An open-source model common for inexpensive software innovation was also adopted, and the commonly available ATmega328 microcontroller was selected to make it possible for Arduino community members to build their own hardware. The latest version has a 32-bit CPU and 48KB of onboard Random Access Memory (RAM). A Printed Circuit Board (PCB) for the microcontroller with an Ethernet card using a familiar programming architecture can be purchased for less than fifty dollars. Overall, this ease-of-development and affordability trend of physical computing in the IoT era is continuing, and drawing more people into the MakerSpace field. Unlike past configurations, the new IoT WiFi enabler shield ($49.90) using 802.11 b/g/n requires only the SSID and password to be configured and uses a symmetric (public/private) hardware key cryptographic signature solution with WEP and WPA2. While still under development, it has basic compatibility with the Arduino Uno board, which is the most common in the family of PCBs [8]. An overview of the Arduino can be found in The Making of Arduino [1].
The software, hardware, interoperability and documentation
available for Arduino and other open source microcontrollers
and software promote Do It Yourself (DIY) models; however,
the maker movement and other DIY models are not regulated
and at this time have no common set of security standards in
place. Many different standards organizations are working to
address various aspects of this technology, but there is little
collaboration, nor does there appear to be a consensus as to
how to address the potential vulnerabilities created by DIY
products.
This paper presents an analysis of the threats of DIY physical computing in the IoT using the Arduino as a case study. The paper reflects the most recent systems, including a special release designed for the IoT. Attack patterns are analyzed with respect to their exploitability and their impact on individual objects and their users – e.g. minors, Arduino systems, and the local environmental risk that they represent. The methodology used to conduct the threat analysis is introduced in Section 3. The analysis is presented in Section 4. The conclusion is in Section 5.
III. METHODOLOGY
The threat analysis is conducted according to a Common
Configuration Scoring System (CCSS) methodology described
in [15]. The CCSS incorporates the base score into the optional
temporal and environmental perspectives for a more holistic
assessment of the security posture of a system. As an early step
towards standardized vulnerability measurements and risk
assessments of system security, the CCSS author encourages
information security researchers interested in security
automation to pilot sets of CCSS scores.
Policies need to be established based on an assessment of
the severity of vulnerabilities within existing systems in order
to improve the security posture of the IoT. It is this author’s
intent to use this work as a step towards analysis of the whole
IoT, in order to establish commonalities across the domains.
The model is composed of three metric groups: Base, Temporal, and Environmental, each sequentially parameterized, as shown in Figures 1, 2 and 3. The only metric required by CCSS is the Base Score, shown in Figure 1; however, it is this author’s contention that the Temporal and Environmental scores should also be taken into consideration. The Base Score is focused on the threat posed by a security configuration issue that is constant over time and across user environments.
Figure 1: Base Metrics [15]
The second metric is the Temporal Score, and it is focused on the time-variant aspect of threats. This is important because real-time data streaming and how the frequency impacts the device is a critical aspect of the IoT. An important aspect of this measurement system is that the Base Exploitability and Base Impact parameters are a part of the Temporal Scores.
Figure 2: Temporal Score [15]
[Figure 1 box labels recovered from the extracted figure: Access Vector, Access Complexity, Authentication, Confidentiality Impact, Integrity Impact, Availability Impact, Base Exploitability, Base Impact, Base Score. Figure 2 box labels: Base Exploitability, General Exploit Level, General Remediation Level, Base Impact, Temporal Exploitability, Temporal Score.]
The third metric is the Environmental Score. It is also optional, but important when used to capture the character of physical computing vulnerabilities in the DIY environment. The Base score is incorporated into the environmental score through its Exploitability, Exploit Level, Base Impact, Integrity Impact, and Availability Impact parameters.
Figure 3: Environmental Metrics [15]
The following is a detailed explanation of the Base, Temporal, and Environmental metric models. According to the specifications of the system, each metric is written as the abbreviated metric name, a colon, and the abbreviated metric value. The vectors are listed in order using a forward slash character to separate the metrics. Parameters not used are assigned the not defined (ND) acronym. For more information refer to the documentation on CCSS [15].
A. Base Metric Evaluation
The Base metric is focused on the threat posed by a security configuration issue that is constant over time and across user environments. The evaluation shown in Figure 1 is based on two criteria: Impact and Exploitability. These are conducted according to six criteria: Access Vector (AV), Authentication (Au), Access Complexity (AC), Confidentiality Impact (C), Integrity Impact (I), and Availability Impact (A). The base equation does not include the Exploitation Method (EM) and Privilege Level (PL), but they are part of the decision-making process in other assessments.
The AV reflects the kind of access required to exploit the vulnerability: Local: 0.395; Adjacent Network: 0.646; Network: 1.0. The AC measures the complexity of the attack once the attacker has gained access: High: 0.35; Medium: 0.61; and Low: 0.71. The Au measures the number of times an attacker authenticates: Multiple: 0.45; Single: 0.56; No Authentication: 0.704. C, I, and A measure the impact on Confidentiality, Integrity, and Availability respectively: None: 0; Partial: 0.275; Complete: 0.660. The EM is either Active or Passive and PL will be set to: Root, User, Admin, or Not Defined.
BaseScore = round_to_1_decimal(((0.6 * Impact) + (0.4 * Exploitability) - 1.5) * f(Impact))
Impact = 10.41 * (1 - (1 - ConfImpact) * (1 - IntegImpact) * (1 - AvailImpact))
Exploitability = 20 * AccessVector * AccessComplexity * Authentication
f(Impact) = 0 if Impact = 0, 1.176 otherwise
The Base notation is: AV:[L,A,N]/AC:[H,M,L]/Au:[M,S,N]/C:[N,P,C]/I:[N,P,C]/A:[N,P,C]/PL:[R,U,A,ND]/EM:[A,P]
B. Temporal Metric Evaluation
The Temporal metrics are focused on the time-variant aspect of threats. They are applied to the Exploitability components of the base metric. Because they are optional, the default value (not defined) has no effect on the score. The two components of the CCSS temporal metrics are the General Exploit Level (GEL) and the General Remediation Level (GRL). The GRL measures the available remediations that can mitigate the vulnerability (e.g. network firewalls, training, security practices). The GEL measures the frequency of the attack. The metrics’ denotations are different but they are quantified similarly, as follows: Not Defined: 1.0, None: 0.6, Low: 0.8, Medium: 1.0, and High: 1.2.
TemporalScore = round_to_1_decimal(((0.6 * Impact) + (0.4 * TemporalExploitability) - 1.5) * f(Impact))
TemporalExploitability = min(10, Exploitability * GeneralExploitLevel * GeneralRemediationLevel)
The following is the Temporal notation: GEL:[N,L,M,H,ND]/GRL:[H,M,L,N,ND].
C. Environmental Metric Evaluation
The Environmental metric measures differences between environments which affect the vulnerability’s risk. These aspects of vulnerability severity are categorized as: Local Exploit Level, Local Remediation Level, and Local Impact.
First, the Local Exploit Level parameters are as follows. LocalVulnerabilityPrevalence (LVP) metric values are: None: 0.6; Low: 0.8; Medium: 1.0; High: 1.2; and Not Defined: 1.0. PerceivedTargetValue (PTV) metric values are: None: 0.6; Low: 0.8; Medium: 1.0; High: 1.2; and Not Defined: 1.0. Secondly, the LocalRemediationLevel (LRL) values are: None: 1.0; Low: 0.8; Medium: 0.6; High: 0.4; and Not Defined: 1.0. Thirdly, the Local Impact parameters are as follows. EnvConfImpact (EC), EnvIntegImpact (EI), and EnvAvailImpact (EA) metric values are: None: 0.0; Partial: 0.275; Complete: 0.660; Not Defined. ConfReq (CR), IntegReq (IR), and AvailReq (AR) metric values are: Low: 0.5; Medium: 1.0; High: 1.51; and Not Defined: 1.0. CollateralDamagePotential (CDP) metric values are: None: 1.0; Low: 1.25; Low-Medium: 1.5; Medium-High: 1.75; High: 2.0; and Not Defined: 1.0.
[Figure 3 box labels recovered from the extracted figure: Base Exploitability, General Exploit Level, General Remediation Level, Local Exploit Level, Local Remediation Level, Environmental Exploitability, Base Impact, Integrity Impact, Availability Impact, Environmental Impact, Environmental Score.]
EnvironmentalScore = round_to_1_decimal(((0.6 * EnvironmentalImpact) + (0.4 * EnvironmentalExploitability) - 1.5) * f(Impact))
EnvironmentalImpact = min(10, 10.41 * (1 - (1 - EnvConfImpact * ConfReq) * (1 - EnvIntegImpact * IntegReq) * (1 - EnvAvailImpact * AvailReq)) * CollateralDamagePotential)
EnvironmentalExploitability = min(10, Exploitability * GeneralExploitLevel * LocalExploitLevel * LocalRemediationLevel)
LocalExploitLevel = LocalVulnerabilityPrevalence * PerceivedTargetValue
The following is the Environmental notation: LVP:[N,L,M,H,ND]/PTV:[L,M,H,ND]/LRL:[N,L,M,H,ND]/EC:[N,P,C,ND]/EI:[N,P,C,ND]/EA:[N,P,C,ND]/CDP:[N,L,LM,MH,H,ND]/CR:[L,M,H,ND]/IR:[L,M,H,ND]/AR:[L,M,H,ND].
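The three metric groups above, scored in code. This is an added example, not code from the paper or from NIST: it encodes the value tables and equations exactly as this section states them, parses the slash-separated vector notation, and reproduces the base scores of the vectors used in Section IV. Two details are assumptions: an environmental impact left Not Defined falls back to the base C/I/A value, and AV:AN (the Section IV spelling of Adjacent Network) is treated as AV:A.

```python
"""CCSS base, temporal and environmental scoring, as stated in Section III."""
from decimal import Decimal, ROUND_HALF_UP

# Value tables from Section III, keyed by abbreviated metric and abbreviated value.
_IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}
_ENV_IMPACT = dict(_IMPACT, ND=None)   # None: fall back to the base value (assumption)
_LEVEL = {"N": 0.6, "L": 0.8, "M": 1.0, "H": 1.2, "ND": 1.0}
_REQ = {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0}

WEIGHTS = {
    # Base metrics
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},
    "C": _IMPACT, "I": _IMPACT, "A": _IMPACT,
    # Temporal metrics (the paper quantifies GEL and GRL with the same table)
    "GEL": _LEVEL, "GRL": _LEVEL,
    # Environmental metrics
    "LVP": _LEVEL, "PTV": _LEVEL,
    "LRL": {"N": 1.0, "L": 0.8, "M": 0.6, "H": 0.4, "ND": 1.0},
    "EC": _ENV_IMPACT, "EI": _ENV_IMPACT, "EA": _ENV_IMPACT,
    "CR": _REQ, "IR": _REQ, "AR": _REQ,
    "CDP": {"N": 1.0, "L": 1.25, "LM": 1.5, "MH": 1.75, "H": 2.0, "ND": 1.0},
}
UNSCORED = {"PL", "EM"}          # recorded in the base vector, not part of any equation
REQUIRED_BASE = ("AV", "AC", "Au", "C", "I", "A")
ALIASES = {("AV", "AN"): "A"}    # Section IV writes Adjacent Network as AV:AN (assumption)

def parse_vector(text):
    """Parse 'AV:N/AC:H/Au:N/...' into {metric: value}; stray spaces are ignored."""
    metrics = {}
    for item in text.replace(" ", "").strip("/").split("/"):
        if not item:
            continue
        name, _, value = item.partition(":")
        value = ALIASES.get((name, value), value)
        if name in UNSCORED:
            metrics[name] = value
            continue
        if name not in WEIGHTS or value not in WEIGHTS[name]:
            raise ValueError(f"unknown metric/value {item!r}")
        metrics[name] = value
    return metrics

def weight(metrics, name):
    """Numeric weight of a metric; an absent optional metric counts as Not Defined."""
    return WEIGHTS[name][metrics.get(name, "ND")]

def round1(x):
    """round_to_1_decimal, rounding half up as CVSS/CCSS calculators do."""
    return float(Decimal(repr(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))

def f_impact(impact):
    return 0.0 if impact == 0 else 1.176

def base_components(b):
    """Impact and Exploitability sub-scores of a parsed base vector."""
    missing = [n for n in REQUIRED_BASE if n not in b]
    if missing:
        raise ValueError(f"base vector lacks {missing}")
    impact = 10.41 * (1 - (1 - weight(b, "C")) * (1 - weight(b, "I")) * (1 - weight(b, "A")))
    exploitability = 20 * weight(b, "AV") * weight(b, "AC") * weight(b, "Au")
    return impact, exploitability

def _combine(impact, exploitability):
    return round1(((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact(impact))

def base_score(base_vec):
    impact, exploitability = base_components(parse_vector(base_vec))
    return _combine(impact, exploitability)

def temporal_score(base_vec, temporal_vec):
    b, t = parse_vector(base_vec), parse_vector(temporal_vec)
    impact, exploitability = base_components(b)
    temporal_expl = min(10, exploitability * weight(t, "GEL") * weight(t, "GRL"))
    return _combine(impact, temporal_expl)

def environmental_score(base_vec, temporal_vec, env_vec):
    b, t, e = parse_vector(base_vec), parse_vector(temporal_vec), parse_vector(env_vec)
    _, exploitability = base_components(b)

    def env_impact(env_name, base_name):
        w = weight(e, env_name)
        return weight(b, base_name) if w is None else w

    env_imp = min(10, 10.41 * (1 - (1 - env_impact("EC", "C") * weight(e, "CR"))
                                 * (1 - env_impact("EI", "I") * weight(e, "IR"))
                                 * (1 - env_impact("EA", "A") * weight(e, "AR")))
                  * weight(e, "CDP"))
    local_exploit_level = weight(e, "LVP") * weight(e, "PTV")
    env_expl = min(10, exploitability * weight(t, "GEL") * local_exploit_level
                   * weight(e, "LRL"))
    return _combine(env_imp, env_expl)

if __name__ == "__main__":   # CAPEC438 base vector from Section IV of the paper
    print(base_score("AV:L/AC:L/Au:N/C:C/I:C/A:C/PL:R/EM:A"))
```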
IV. ANALYSIS
The Common Attack Pattern Enumeration and Classification (CAPEC) reference framework is a catalogue of attack patterns designed to provide a common language. The framework was designed by MITRE Corporation, and complements the NIST SP 800-126 [14] standard which proposes a taxonomy that measures security in order to certify secure software and systems. In the NIST SP 800-126 taxonomy for automation, the CCSS is recommended for scoring the vulnerabilities. Table 1 shows the CAPEC attack patterns categorized into six different domains. At the time of writing this paper there are 504 different attack patterns.
A. Social Engineering, CAPEC403
B. Supply Chain, CAPEC437
C. Communications, CAPEC512
D. Software, CAPEC513
E. Physical Security, CAPEC514
F. Hardware, CAPEC515
Table 1: Major six CAPEC attack pattern categories.
Working towards automation as a goal for end-to-end security in the IoT, the first step is to manually analyze the components facilitating the IoT DIY paradigm. For this purpose, the CAPEC in combination with the Common Configuration Scoring System (CCSS) was utilized. Organized by domains, each category is listed as an attack vector with shared and expanding subcategories of attacks. Within the limitations of this one paper, a subset of the attack domains was analyzed and researched for the Arduino as a pilot of a mechanism for evaluating the security posture of the IoT. According to this methodology, the cases should be examined from the perspective of the highest score for the vulnerability. These are the minors in the DIY community driving physical computing gadgetry to create non-industry-based applications and objects.
Campaigns to exploit cell phones, still relatively new, are just beginning to surface [21]. The Arduino is a much newer platform than the state-of-the-art cell phone. For this reason, and in order to be proactive, attacks on Arduinos and similar microcontroller-based platforms were studied. In particular, an industry-specified programmable logic unit (PLU) is a system of many microcontrollers for automation of electromechanical processes. There have been several documented and experimental attacks on these systems.
A secure system is one in which the following security objectives are met: Confidentiality, Integrity, and Availability. Confidentiality is the authorized participation in the conversation. Integrity is prohibiting the alteration of data by unauthorized parties. Lastly, Availability can be viewed as accessibility. The attack patterns are identified by their CAPEC ID. The attacks will be analyzed according to the NIST Common Configuration Scoring System (CCSS): Metrics for Software Security Configuration Vulnerabilities, based on the impact and exploitability of the attack. The continual monitoring of some physical phenomena is modeled using the temporal equation. The environment is presented specifically from the perspective of the DIY community of minors and not a corporate entity.
A. Category Social Engineering, CAPEC403:
The category of Social Engineering is focused on attacks of
trickery and deception that exploit people in order to obtain
information for the purpose of computer system access. As
discussed in [19], people are the weakest link in computer
security.
CAPEC404: Social Information Gathering Attacks
In this category the attacker gathers information about a targeted individual or organization in combination with executing the attack. Spear phishing, CAPEC163, is an indirect descendant of CAPEC404. To execute a Spear Phishing attack, users must open an attachment to an email, or navigate to a fake Web site. In both cases, there is a hidden payload designed to exploit the victim by downloading a back door. Using this technique, microcontrollers, the components of programmable logic units (PLU), are increasingly being compromised. The first well-documented exploit was named Stuxnet. It was introduced via a USB port in 2010 as a worm that eventually made the centrifuges of an Iranian nuclear power plant spin out of control. More recently, this year there was an attack on Israel’s Public Utility Authority and another on a blast furnace in Germany [20]. A similar platform, social engineering, can be used to physically exploit an Arduino microcontroller.
Because an Arduino can be accessed remotely, one computes the Base score as follows: the Access Vector is “Network”. The Access Complexity is “High” because a payload is an additional circumstance that needs to be downloaded for the exploit to be successful. No authentication is required to trigger the vulnerability; therefore, the Authentication Metric is “None”. The impact metrics are set to “Complete”, because of the high probability of a complete system compromise. The resulting base vector is AV:N/AC:H/Au:N/C:C/I:C/A:C/PL:R/EM:A. Therefore, the base score is 7.6.
To compute the Temporal score, the General Exploit Level is “None”. As discussed earlier, with a new technology, attack patterns are not yet observed on the Arduino platform. Nonetheless, Arduino hobbyists are interested in the electronics DIY community and Arduino forums. These forums are additional social-engineering platforms from which to glean information for planning attacks, and new channels on which to communicate. However, as observed on the Reddit sub, the DIY electronics group and Arduino sites have minimal information in the registered user profiles. The Arduino profile includes: name, location, post history, date registered, and signature. The Reddit user profile has even less information. The General Remediation Level is “High”, representing the effectiveness security training could have on the maker movement. The Temporal Vector is GEL:N/GRL:H. The Temporal score is 6.9.
The characteristics of the vulnerabilities produced by an Arduino in this maker movement environment are similar to other environments. The environmental score targets the impact on the device and not the user. For this reason, social engineering techniques for child exploitation are not considered. To compute the Environmental score, the Local Prevalence of the configuration in the environment is “Low”, representing the author’s perception of the percentage of Arduinos that are connected to the Internet at this time. The Perceived Target Value or motivation is considered “Low” because an attack on a minor is not going to produce large monetary or nation-state gains. There is a lot that we can do to stop these types of attacks. As the maker movement is relatively new, there is no required training in place at this time. According to [19], there are two primary reasons people fall victim to social engineering. The first one is that people take the path of least resistance, or mental shortcuts, which are triggered by messages looking legitimate. The second one is the assumption that online systems are safe. For this reason, with education it can be remediated, and thus the Local Remediation Level is “High”. The Impact metrics remain “Complete” to indicate the level of access. The Collateral Damage Potential is set to “Low” because exploitation would cause slight damage loss. The Confidentiality requirement is “Low”, the Integrity requirement is “Medium”, and the Availability requirement is the highest, as an Android device is usually used for entertainment or as a hobby. The environmental vector is: LVP:L/PTV:L/LRL:H/EC:C/EI:C/EA:C/CDP:L/CR:L/IR:M/AR:H. The environmental score is 5.7.
CAPEC410: Information Elicitation via Social Information
Gathering
This attack is a subset of CAPEC404. It involves three of the same attacks: gathering information, social engineering, and social information gathering via pretexting. However, the latter attack has a more extensive list of attacks. The only attack used to gather information is pretexting, which is acting out a role in order to gather information – e.g. a jogger by a badge reader who is pretending to look for the reader’s card. The deceived employee allows them entrance.
An attacker could pretend to act as an adviser on how to construct a device while remotely gaining access to the physical space. For example, the 2015 Internet Security Report by Symantec states that in May 2014 the FBI and police in nineteen countries arrested more than ninety people in connection with “creepware”. Creepware refers to attacks using Internet-connected webcams to spy on people. Similarly, in the Arduino forums, there are posts asking for help to build glasses that capture images when blinking, and on building a DIY home security system. Therefore, as these devices are monitoring the physical space, they are also at greater risk of hacking. The base, temporal, and environmental parameter values of this issue are almost the same as category 404. Unlike Spear Phishing, attacks in this category do not result in a complete attack. For this reason, the base and environmental impact metrics are set to partial. The resulting base vector is AV:N/AC:H/Au:N/C:P/I:P/A:P/PL:R/EM:A. The base score is 5.1. The changed Base score affects the Temporal score. The Temporal Vector is still GEL:N/GRL:H. The Temporal score is 4.4. The Environmental Model has also changed to: LVP:L/PTV:L/LRL:H/EC:P/EI:P/EA:P/CDP:L/CR:L/IR:M/AR:H. The environmental score is 4.5.
CAPEC416: Target Influence via Social Information
Gathering
This attack focuses on the social engineering perspective by exploiting inherent human psychological predispositions. For example, complimenting an individual produces a sense of obligation. While the additional social media sites for Android development expanded the social information gathering attack surface, it is limited by the restricted content. The tone and content are very different than on a strictly social site. The pictures depicted are about electronic accomplishments versus family graduations. For this reason the base, temporal, and environmental parameter values are the same as CAPEC410.
B. Category Supply Chain, CAPEC437:
CAPEC438 Modification during Manufacture
An attacker modifies a technology, product, or component during manufacturing in order to attack a supply chain entity. As discussed previously, the Arduino software, hardware, and documentation are open source. The same absence of control promoting inventiveness and growth also prevents establishing safeguards. There are many different solution providers and clones. What prevents a back door from being flashed as part of the new operating system? For example, in 2006 a promotion by the Japanese division of McDonald’s gave away 10,000 MP3 players pre-loaded with 10 songs. In addition to the songs, the music players contained QQPass malware. When plugged into a computer, the Trojan horse was loaded onto the computer. It transmitted the logged key strokes and collected user passwords and other personal data. In 2007, the Taiwanese Ministry of Justice discovered that Seagate hard drives had two Trojans built into them which uploaded data to a pair of websites hosted in Beijing, China. More recently, Galaxy S4 smartphones shipped from a factory in China were preloaded with a Trojan masquerading as the Google Play Store. Attackers recorded phone calls, read emails, intercepted financial information and remotely watched and listened in via phone cameras and the microphone. This author points out that it is conceivable that everything from refrigerators and clocks to wearables could be weaponized [22].
To compute the Base score, because the vulnerability must be installed physically, the Access Vector is “Local”. The Access Complexity is “Low” because no additional circumstances need to exist for the exploit to be installed; the attacker need only have access to the hardware on the production line. No authentication is required to trigger the vulnerability; therefore, the Authentication Metric is “None”. The impact metrics are set to “Complete”, because of the high probability of a complete system compromise. According to [22], it would be easy to create a “kill switch” that could be invoked remotely. The resulting base vector is AV:L/AC:L/Au:N/C:C/I:C/A:C/PL:R/EM:A. The base score is 7.2.
To compute the Temporal score, the General Exploit Level on the Arduino is “None” at this time. The General Remediation Level is “None”; this takes into account that, while solutions have been suggested to mitigate the problem, currently there are no remediation measures available. According to General Hayden, hardware hacking is a condition that cannot be solved but must be managed [22]. The Temporal Vector is GEL:N/GRL:N. The Temporal score is 6.
To compute the Environmental score, based on the local environment the known or Local Prevalence of the configuration is “None”. The Perceived Target Value is considered “Low” because attackers with physical access to the equipment are not going to directly receive large monetary or nation-state gains. In the DIY environment, there is limited physical security for the systems but no other remediation strategies deployed. There is not much that we can do to stop these types of attacks, as the Arduino is an open platform with opportunity for added hardware parts. For these reasons, currently the Local Remediation Level is “None”. The Impact metrics are set to “Complete” to indicate the increased level of access. The Collateral Damage Potential is set to “High” because exploitation would cause a lot of damage, especially with a kill switch. The Availability requirement for an Arduino in this hobbyist environment is the most important attribute to be preserved. The environmental vector is: LVP:N/PTV:L/LRL:N/EC:C/EI:C/EA:C/CDP:H/CR:L/IR:M/AR:H. The environmental score is 5.8.
CAPEC439: Manipulation during Distribution
An attacker tampers with the technology, product, or component during integration or packaging for distribution. Supply chain operations are usually multi-national, as are Arduinos purchased from China. Also, there are many different components and sensor add-ons for the physical computing platforms available for purchase as well. Faulty counterfeits of the different types of communication components and sensors can replace legitimate hardware.
According to the CAPEC documentation, fewer than 10 transistors out of billions are required to create malicious functions [13]. In 2011, faulty transistors were found in an electromagnetic interference filter as part of a US Navy helicopter (SH-60). While believed not to be intentional, the defective part was traced back to a production company in China [22]. For this reason, the scores are mostly the same as in CAPEC438. However, total ruin is not imminent with replaced Arduino parts. The reason is that the CPU is not replaceable on the microcontroller. It is only the auxiliary parts that would be replaced, i.e. sensors, breadboards, communication components, cameras, and wires. The Collateral Damage Potential is set to “Medium-High”. The environmental vector LVP:N/PTV:L/LRL:N/EC:C/EI:C/EA:C/CDP:MH/CR:L/IR:M/AR:H makes little difference, and thus produces the same scores as CAPEC438.
C. Category Communications, CAPEC512:
CAPEC117: Interception
The attacker monitors and collects data streams, but what distinguishes this from other similar attack patterns is that the attacker explicitly observes certain data channels and reads the content. Moreover, the attacker is not the intended recipient of the data stream. Sniffing attacks are part of this attack pattern, and any WPAN XBee broadcast can be received by another XBee. When sending data to the serial port, there is nothing to stop another XBee from picking up the broadcast. Moreover, the Arduino Yun is specially designed for the IoT. In addition to the ATmega32u4, it has a secondary higher-level Atheros processor that is used to integrate an outdated Linux kernel compiled specifically to run on embedded devices. Based on OpenWrt, it supports WiFi and Ethernet capability. The Arduino connects to the Linux environment through a bridge in order for the scripts that are run to communicate with the network interfaces. This network configuration enables the Arduino administration interface to be accessed using port 80, so this connection is visible on the network in plain text. Other problems include automated connection to the nearest access point when the default fails to connect. This enables disassociation packets to be sent in order to force it to re-authenticate and reveal a hidden ESSID, capture WPA/WPA2 handshakes, and more [29]. We analyze the WPAN case.
To compute the Base score, because the vulnerability can
be exploited only from the local radio network, the Access Vector is “Adjacent Network”.
The Access Complexity is “Low” because very few additional
circumstances need to exist for the exploit to be successful; the
attacker only needs to be physically in proximity to receive the
signal. No authentication is required to trigger the vulnerability
(anyone can receive the broadcast), so the Authentication
Metric is “None”. The impact metrics are set to “Partial”,
because of the low probability of a complete system
compromise. The resulting base vector is
AV:AN/AC:L/Au:N/C:P/I:P/A:P/PL:R/EM:P. The base score
is 5.8.
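As an added example that is not part of the paper, the following C program reproduces the base-score computation behind vectors such as the one above. CCSS (NISTIR 7502) adopts the CVSS v2 base equations and metric weights; the two CCSS-specific base metrics, PL (privilege level) and EM (exploitation method), are assumed here to carry no weight in the score, which reproduces the base scores the paper reports (5.8 for the vector above). All function and variable names are the example's own.

```c
/* Added example (not from the paper): CCSS base-score calculator for vector strings of the
   form "AV:AN/AC:L/Au:N/C:P/I:P/A:P/PL:R/EM:P". CCSS adopts the CVSS v2 base equations and
   weights; PL and EM are assumed to be descriptive only (they do not change the score). */
#include <stdio.h>
#include <string.h>

/* Weight of one metric value (CVSS v2 table); sets *ok = 0 if key or value is unknown. */
static double metric_weight(const char *key, const char *val, int *ok)
{
    if (strcmp(key, "AV") == 0) {                                  /* Access Vector */
        if (strcmp(val, "L") == 0) return 0.395;                   /* Local */
        if (strcmp(val, "AN") == 0 || strcmp(val, "A") == 0) return 0.646; /* Adjacent Network */
        if (strcmp(val, "N") == 0) return 1.0;                     /* Network */
    } else if (strcmp(key, "AC") == 0) {                           /* Access Complexity */
        if (strcmp(val, "H") == 0) return 0.35;
        if (strcmp(val, "M") == 0) return 0.61;
        if (strcmp(val, "L") == 0) return 0.71;
    } else if (strcmp(key, "Au") == 0) {                           /* Authentication */
        if (strcmp(val, "M") == 0) return 0.45;                    /* Multiple */
        if (strcmp(val, "S") == 0) return 0.56;                    /* Single */
        if (strcmp(val, "N") == 0) return 0.704;                   /* None */
    } else if (strcmp(key, "C") == 0 || strcmp(key, "I") == 0 || strcmp(key, "A") == 0) {
        if (strcmp(val, "N") == 0) return 0.0;                     /* None */
        if (strcmp(val, "P") == 0) return 0.275;                   /* Partial */
        if (strcmp(val, "C") == 0) return 0.660;                   /* Complete */
    }
    *ok = 0;
    return 0.0;
}

/* CVSS v2 "round to one decimal" (half up), without <math.h>. */
static double round1(double x) { return (int)(x * 10.0 + 0.5) / 10.0; }

/* Returns the base score for a vector, or -1.0 if the vector is malformed or one of the
   six scored metrics (AV, AC, Au, C, I, A) is missing. */
double ccss_base_score(const char *vector)
{
    static const char *keys[6] = { "AV", "AC", "Au", "C", "I", "A" };
    double w[6] = { 0 };
    int seen[6] = { 0 }, ok = 1;
    char buf[128];

    if (strlen(vector) >= sizeof buf) return -1.0;
    strcpy(buf, vector);
    for (char *tok = strtok(buf, "/"); tok != NULL; tok = strtok(NULL, "/")) {
        char *colon = strchr(tok, ':');
        if (colon == NULL) return -1.0;
        *colon = '\0';
        const char *key = tok, *val = colon + 1;
        if (strcmp(key, "PL") == 0 || strcmp(key, "EM") == 0) continue; /* assumed unweighted */
        int idx = -1;
        for (int k = 0; k < 6; k++) if (strcmp(key, keys[k]) == 0) idx = k;
        if (idx < 0) return -1.0;            /* unknown key, e.g. " PL" after a line-wrap space */
        w[idx] = metric_weight(key, val, &ok);
        if (!ok) return -1.0;
        seen[idx] = 1;
    }
    for (int k = 0; k < 6; k++) if (!seen[k]) return -1.0;

    /* CVSS v2 base equations, as used by CCSS */
    double impact = 10.41 * (1.0 - (1.0 - w[3]) * (1.0 - w[4]) * (1.0 - w[5]));
    double exploitability = 20.0 * w[0] * w[1] * w[2];
    double f_impact = (impact == 0.0) ? 0.0 : 1.176;
    return round1(((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact);
}

int main(void)
{
    /* Vectors as given in the paper's analysis; the comment states the score the paper reports. */
    const char *vectors[] = {
        "AV:AN/AC:L/Au:N/C:P/I:P/A:P/PL:R/EM:P",  /* CAPEC117 Interception: 5.8 */
        "AV:N/AC:L/Au:N/C:C/I:C/A:C/PL:R/EM:A",   /* CAPEC220: 10 */
        "AV:AN/AC:L/Au:N/C:C/I:C/A:C/PL:R/EM:A",  /* CAPEC123: 8.3 */
        "AV:L/AC:M/Au:N/C:C/I:C/A:C/PL:R/EM:P",   /* CAPEC622: 6.9 */
        "AV:N/AC:L/Au:N/C:N/I:N/A:P/PL:N/EM:P",   /* CAPEC169: 5 */
    };
    for (size_t i = 0; i < sizeof vectors / sizeof vectors[0]; i++)
        printf("%-40s base = %.1f\n", vectors[i], ccss_base_score(vectors[i]));
    return 0;
}
```

A malformed vector, or one with a scored metric missing, returns -1.0 rather than a partial score, so a line-wrap artifact such as a space before `PL:` (which occurs in several vectors in this section) is rejected instead of being silently mis-scored.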
To compute the Temporal score, the General Exploit Level
is “None”, because the bad actor is not observed on the
Arduino platform at this time. The General Remediation Level
is “Low”. In the case of ZigBee, the device is working as
intended. While not part of the WPAN scenario being
analyzed, patches for the Arduino Yun’s outdated kernel are not
in the official Arduino repository and must be applied manually
[29]. The Temporal Vector is GEL:N/GRL:L. The Temporal
score is 4.2.
To compute the Environmental score, based on the local
environment, the Local Prevalence of the configuration is
“Low” based on the perceived existing online systems. As
discussed above, the Perceived Target Value, or motivation, is
considered “Low”. In the environment there is limited physical
security for the systems, but no other remediation strategies are
deployed. Besides proximity, there is not much that we can do
to stop these types of attacks. For this reason, currently the
Local Remediation Level is “Low”. The Impact metrics are set
to “Medium” to indicate the viewed data. The Collateral
Damage Potential is set to “Low” because exploitation would
cause only slight loss. The Availability,
Confidentiality, and Integrity Requirements are “Low”. The
environmental vector is
LVP:L/PTV:L/LRL:L/EC:P/EI:P/EA:P/CDP:L/CR:L/IR:M/AR:H.
The environmental score is 5.
CAPEC272: Protocol Manipulation
This attack targets the communication protocol stack. One
of the sub attack patterns is CAPEC220. CAPEC220 targets
Client-Server Protocol Manipulation and the ability to bypass
the authentication process in order to spoof other clients or
servers. An Arduino using an Ethernet Shield, an easily added
component, can be configured as a simple Web server. For
example, using the Ethernet library it is possible to serve a
web page that displays the input values from the board’s analog
pins [17]. Shodan is a web crawler that works off banners to
list the available servers on the Internet [16]. At the time of
writing this paper, searching Shodan for the term Arduino
returns at least one Arduino Uno server that is visible
on the Internet. Moreover, typically with microcontrollers (as
in the Arduino) there is no authentication process to bypass.
Shodan has examples of the ability to reconfigure
microcontrollers over the Web. According to Shodan [16], the
only barrier is that the technology of microcontrollers is more
complex and varied than traditional programming. The base,
temporal, and environmental scores were determined as
follows.
Because there is no authentication barrier, to compute the
Base score the Access Vector is “Network”. The Access
Complexity is “Low” because without authorization no
additional circumstance needs to be in place. The
Authentication Metric is “None”. With control of the system,
the impact metrics are set to “Complete”. The resulting base
vector is AV:N/AC:L/Au:N/C:C/I:C/A:C/PL:R/EM:A. The
base score is 10.
As a new technology, there are currently no published
exploitations; therefore, to compute the Temporal score, the
General Exploit Level is “None”, and the remediation is to
provide an authentication process [18]. The more sensitive
microcontrollers have one in place [18]. The Temporal Vector
is GEL:N/GRL:N. The temporal score is 7.
In the environment of the young hobbyist or artist, there are
limited connected systems, and there are no known attacks or
remediation strategies deployed. The environmental vector is:
LVP:L/PTV:L/LRL:N/EC:C/EI:C/EA:C/CDP:L/CR:L/IR:M/AR:H.
The environmental score is 7.1.
Another sub attack pattern is CAPEC548, Contaminate
Resource, which exposes information to unauthorized entities on
devices or networks. The cross-contamination configuration is
one that is suggested as a gateway solution in the Arduino
literature [26]. The Arduino can exist as an end node or an
edge node. The protocol of a WSN is not the same as that of a
WLAN. WSNs are data-centric, and due to the physical size of
the embedded system the software capability is restricted by
the limited hardware and power, especially for computationally
expensive software such as encryption algorithms. Using
ZigBee to facilitate a WSN, the nodes are both computers and
routers sending data towards the sink. The sink is the gateway
where the data is forwarded in order to collect it upstream
using Ethernet or WiFi. IoT-centered Cloud services, such as
Xively, collect the data streaming from the secondary network.
Therefore, having two different network spheres is a potential
point of attack on the integrity of the end-to-end link [9]. To
safeguard the network, one protocol should be used. Currently,
6LoWPAN is the solution [9]. The devices can communicate
across the Internet without having to transform the packets
from ZigBee to IP and back. However, this
does not seem to be widely adopted at this time by the majority
of the Arduino DIY community. It is much easier to fit an
Arduino with Ethernet capability with an XBee and its shield.
To compute the Base score, because the vulnerability can
be exploited remotely, the Access Vector is “Network”. The
Access Complexity is “Low”; the attacker need only
communicate with the device over the Internet [16]. As
discussed, the Authentication Metric is “None”. The impact
metrics are set to “Complete”, because of the high probability
of a complete system compromise. The resulting base vector is
AV:N/AC:L/Au:N/C:C/I:C/A:C/. The base score is 7.5.
To compute the Temporal score, the General Exploit Level
is “None”, because from what this author can tell at the time of
writing this paper, it is not observed on the Arduino platform at
this time. The General Remediation Level is “High”; it takes
into account the recommended remediation measure,
6LoWPAN. The Temporal Vector is GEL:N/GRL:M. The
temporal score is 8.1.
To compute the Environmental score, based on past
findings the environmental vector is:
LVP:L/PTV:L/LRL:N/EC:C/EI:C/EA:C/CDP:L/CR:L/IR:M/AR:H.
The environmental score is 10.
CAPEC262: Manipulate Resources
This attack is a descendant of CAPEC548. The attack pattern
focuses on the adversary’s ability to manipulate one or more
resources. The examples include physically isolated devices
being picked up, reconfigured or even reprogrammed, and
returned to the wireless sensor network (WSN). Moreover, the
parts not soldered in could be replaced. In a WSN,
microcontrollers are removable and thus replaceable. The
network protocol is designed to configure itself at deployment
and to reconfigure itself when the mobile microcontroller is no
longer in reach or low on power. Also, when designing a
circuit board the resistors are not always soldered, and
therefore can easily be replaced with inappropriate values
that heat up the system when it is turned on [6]. The removed and
reprogrammed Arduino case is analyzed.
To compute the Base score, because the vulnerability can
only be exploited locally, the Access Vector is “Local”. The Access
Complexity is “High”. No additional circumstances need to
exist for the exploit to be successful; the attacker need only be
in proximity of the device. However, the exploit needs to be
deployed before the device is entered back into the network.
No authentication is required to trigger the vulnerability (the
person will need to hide their intentions or do it when no one is
present), so the Authentication Metric is “None”. The impact
metrics are set to “Complete”, because of the high probability
of a complete system compromise. The resulting base vector is
AV:L/AC:H/Au:N/C:C/I:C/A:C/PL:R/EM:A. The base score is
5.4.
To compute the Temporal score, the General Exploit Level
is “None”, although infrastructures are being exploited more
frequently [20]. The General Remediation Level is “Low”; it
takes into account available remediation measures such as
security training for the physical safety of the devices in the
maker movement. The Temporal Vector is GEL:N/GRL:L.
The temporal score is 5.3.
To compute the Environmental score, based on the local
environment, the Local Prevalence of any device is “High”.
The Perceived Target Value in a domestic environment
continues to be considered “Low”. In the environment, the
physical security of the systems is a remediation. As the
maker movement is new, there is no required training in place.
For this reason, currently the Local Remediation Level remains
“High”. The Impact metrics are set to “Complete”. The
Collateral Damage Potential continues to be “Low”, as do the
requirements for confidentiality, integrity, and availability. The
environmental vector is:
LVP:H/PTV:L/LRL:L/EC:C/EI:C/EA:C/CDP:L/CR:L/IR:M/AR:H.
The environmental score is 7.6.
CAPEC607: Obstruction
An attacker obstructs the interactions between system
components in order to degrade system performance. The sub
attack patterns include everything from manipulation of
resources and communications to physical destruction or
blockage and jamming. CAPEC601: Jamming is one of the
related attack patterns. It is when an adversary uses radio noise
or keeps the device in receive mode in order to prevent it from
sending data. Potentially, an attacker using a five dollar WiFi
dongle flashed with modified Atheros firmware and changes to
registry values can defy the protocol by continually sending
packets and keeping the radio in receive mode. The attack
illustrated is against the access point, but selective jamming based
on source and destination, performed quickly, is also possible
[27]. Other instances of jamming include using a
microcontroller to construct a device with an RF sensor that
emits signals on a particular channel at the same frequency
repeatedly and more strongly [28].
To compute the Base score, because the vulnerability can
be exploited on a local network, the Access Vector is “Adjacent
Network”. The Access Complexity is “Low” because no
additional circumstances need to exist for the exploit to be
successful; the attacker need only be in proximity of the
device. The Authentication Metric is “None”. Only the
Availability impact metric is set to “Complete”. The resulting base
vector is AV:AN/AC:M/Au:N/C:N/I:N/A:C/PL:ND/EM:A.
The base score is 5.2. The Temporal Vector is GEL:N/GRL:N.
The temporal score is 4.2.
To compute the Environmental score, the base values are
the same. The Local Vulnerability Prevalence covers those
devices using a radio; as radio is more recently available and has
costs associated with it, it is presumably low. The Collateral
Damage Potential, reflecting the use in this environment,
continues to be “Low”. The environmental vector is:
LVP:N/PTV:L/LRL:N/EC:N/EI:N/EA:C/CDP:L/CR:L/IR:M/AR:H.
The environmental score is 6.
D. Category Software, CAPEC513:
These attack patterns focus on exploitation of software
applications. However, a microcontroller or other
physical computing device monitoring a physical
phenomenon in real time is less likely to be interrupted for
updates, and unpatched systems expose many software
vulnerabilities. This is the largest domain; the following are a
few patterns specifically addressed.
CAPEC115: Authentication Bypass
Without authentication on a microcontroller, the
ramifications are those of bypassing authentication, and thus
this produces the same scores as CAPEC220.
CAPEC123: Buffer Manipulation
Buffer attacks involve supplying more input than can be stored
in the allocated buffer. With little available memory in the
Arduino, it is easy to perform both a heap and a stack buffer
overflow attack by consecutive subroutine calls with a large
number of variables. Heap attacks can be performed separately
by repeatedly allocating buffers in order to write over existing
data in memory [29]. The authors in [29] show how reading
inputs from the serial interface larger than the expected size
without checking the boundaries crashes an Arduino Yun
system.
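As an added illustration of the defect just described (reading serial input larger than the buffer without checking its bounds), the following C program is not from the paper or from [29]: it contrasts an unchecked line reader with a bounded one that rejects over-long input instead of acting on it. The serial port is a constructed in-memory byte stream so the code runs on a PC; the 16-byte buffer size, the sample commands, and all function names are assumptions of the example.

```c
/* Added example (not from the paper or [29]): bounded handling of serial input into a
   fixed-size buffer. The serial port is a constructed byte stream; LINE_CAP is an assumed,
   deliberately small command buffer of the kind an Arduino's limited SRAM invites. */
#include <stdio.h>
#include <string.h>

#define LINE_CAP 16

/* Stand-in for Serial.available()/Serial.read() over a constructed byte stream. */
typedef struct { const unsigned char *data; size_t len, pos; } serial_t;

static int serial_read(serial_t *s) { return s->pos < s->len ? s->data[s->pos++] : -1; }

/* The defect the paper describes (CAPEC123): bytes are copied up to the newline with no
   check of n against the buffer size, so a line longer than the buffer writes past its end.
   Shown only for contrast with the bounded reader below; nothing here calls it. */
void read_line_unchecked(serial_t *s, char *line)
{
    size_t n = 0;
    int c;
    while ((c = serial_read(s)) >= 0 && c != '\n')
        line[n++] = (char)c;
    line[n] = '\0';
}

/* Hardened reader: stores at most cap-1 bytes and always NUL-terminates. An over-long line
   is drained to its newline and rejected (returns -1, line emptied) rather than being acted on
   as a truncated command. Otherwise returns the number of bytes stored (0 at end of stream). */
int read_line_bounded(serial_t *s, char *line, size_t cap)
{
    size_t n = 0;
    int c, overflow = 0;
    if (cap == 0) return -1;
    while ((c = serial_read(s)) >= 0 && c != '\n') {
        if (n + 1 < cap) line[n++] = (char)c;
        else overflow = 1;          /* keep consuming so the next read starts on a fresh line */
    }
    if (overflow) { line[0] = '\0'; return -1; }
    line[n] = '\0';
    return (int)n;
}

/* Reads the first line of 'text' into a LINE_CAP buffer; returns read_line_bounded's result. */
int first_line_len(const char *text)
{
    serial_t port = { (const unsigned char *)text, strlen(text), 0 };
    char line[LINE_CAP];
    return read_line_bounded(&port, line, sizeof line);
}

/* Constructed input: two valid commands around one line that exceeds the buffer. */
static const char SAMPLE_STREAM[] =
    "LED ON\n"
    "THIS LINE IS FAR LONGER THAN THE SIXTEEN BYTE BUFFER\n"
    "LED OFF\n";

/* Runs the bounded reader over SAMPLE_STREAM; returns accepted lines, stores rejected count. */
static int count_lines(int *rejected)
{
    serial_t port = { (const unsigned char *)SAMPLE_STREAM, sizeof SAMPLE_STREAM - 1, 0 };
    char line[LINE_CAP];
    int accepted = 0;
    *rejected = 0;
    while (port.pos < port.len) {
        if (read_line_bounded(&port, line, sizeof line) < 0) (*rejected)++;
        else accepted++;
    }
    return accepted;
}

int demo_accepted(void) { int r; return count_lines(&r); }
int demo_rejected(void) { int r; count_lines(&r); return r; }

int main(void)
{
    printf("accepted %d line(s), rejected %d over-long line(s)\n", demo_accepted(), demo_rejected());
    return 0;
}
```

The point of draining the rest of an over-long line is that a reader which merely stops at cap-1 bytes would treat the remainder as the next command; rejecting the whole line and returning a distinct error value lets the sketch discard it explicitly.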
To compute the Base score, because the vulnerability for
this case uses a Bluetooth interface, the Access Vector is
“Adjacent Network”. The Access Complexity is “Medium”. As
demonstrated on the Arduino Yun, Linux commands executed
through the bridge can create a buffer overflow on the Arduino
using a typical Bluetooth interface with default root
privileges. The Authentication Metric is “None”. The impact
metrics are set to “Complete”, because it crashes the system.
The resulting base vector is AV:AN/AC:L/Au:N/C:C/I:C/A:C/
PL:R/EM:A. The base score is 8.3.
To compute the Temporal score, the General Exploit Level
is “None”, because there is no evidence of a bad actor utilizing
this attack. Without a fix, the General Remediation Level is
“None”. The Temporal Vector is GEL:N/GRL:N. The
temporal score is 6.4.
To compute the Environmental score, in the local
environment the ability to overflow the stack and heap can only
be exploited where Bluetooth is in place. Thus, Local
Prevalence is “Low”. The Perceived Target Value is considered
“Low”. Without a solution, the Local Remediation Level is
“None”. The Impact metrics are set to “Complete” as the
existing functionality stops. The Collateral Damage Potential is
set to “Low”. The need for availability, or Availability
Requirement, is “High”. The Confidentiality and Integrity
Requirements are set to “Low” and “Medium” respectively. The
environmental vector is:
LVP:L/PTV:L/LRL:N/EC:C/EI:C/EA:C/CDP:LM/CR:L/IR:M/AR:H.
The environmental score is 6.5.
CAPEC125: Flooding
An attacker depletes the resources of the target by a rapid
and large number of interactions within a period of time. An
example is a Distributed Denial-of-Service attack. The Arduino
Yun specialty platform is vulnerable to this type of attack:
because the Linux kernel responds as a DNS server on
interfaces where it should not, it allows a DoS attack. Also, the
system crashes under a DoS because of a firewall bug [29].
To compute the Base score, because the vulnerability can
be exploited remotely, the Access Vector is “Network”. The
Access Complexity is “Low” because the attacker need only
repeatedly invoke the device. No authentication is required to
trigger the vulnerability, so the Authentication Metric is
“None”. The impact metrics are set to “Complete”, because
the system crashes. The resulting base vector is
AV:N/AC:L/Au:N/C:C/I:C/A:C/PL:R/EM:A. The base score
is 10.
To compute the Temporal score, the General Exploit Level
is “High”, because it has been done. The General Remediation
Level is “Low”, because the kernel is outdated and there are no
patch packages in the Arduino openwrtyun downloads. The
Temporal Vector is GEL:L/GRL:M. The temporal score is 8.1.
To compute the Environmental score, including the fact
that the prevalence of any new technology is “Low”, the
remaining environmental analysis is similar to CAPEC123,
with the environmental vector:
LVP:L/PTV:L/LRL:N/EC:C/EI:C/EA:C/CDP:L/CR:L/IR:M/AR:H.
The environmental score is 7.1.
CAPEC622: Electromagnetic side-channel
CAPEC622: Electromagnetic Side Channel and
CAPEC623: Compromise Emanations are derived from
CAPEC189, a descendant of CAPEC188. In a summary
of microcontroller-based system threats, the authors in [18]
demonstrated that both electromagnetic side-channel and other
compromising-emanation attacks are feasible. In particular,
they experimented with an ATmega8, part of the family of
Arduino microcontrollers. (The ATmega328 is standard for the
Arduino platform.) They concluded that a standard
microcontroller is vulnerable to extraction of embedded code
and cryptographic keys and that even high-security devices
protected with countermeasures can still be attacked [18].
To compute the Base score, because the vulnerability can
only be exploited locally, the Access Vector is “Local”. The Access
Complexity is “Medium” because no additional circumstances
need to exist for the exploit to be successful; the attacker need
only be in proximity of the device. No authentication is
required to trigger the vulnerability (the person will need to
hide their intentions or do it when no one is present), so the
Authentication Metric is “None”. The impact metrics are set to
“Complete”, because of the demonstrated high probability of a
complete system compromise. The resulting base vector is
AV:L/AC:M/Au:N/C:C/I:C/A:C/PL:R/EM:P. The base score
is 6.9.
To compute the Temporal score, the General Exploit Level
is “None”; documented attacks on Arduinos are not observed at
this time. The General Remediation Level is “Low”; it takes
into account available remediation measures such as security
training for the maker movement on the possibility of these
types of attacks after using social engineering to get near the
device. The Temporal Vector is GEL:N/GRL:L. The temporal
score is 6.
To compute the Environmental score, based on the DIY
environment, the prevalence of the configuration is high. Thus,
Local Prevalence is “High”. As a type of sniffing, there is no
direct impact on data integrity or availability. The
remaining values have already been expressed in CAPEC125.
The environmental vector is:
LVP:H/PTV:L/LRL:N/EC:C/EI:N/EA:N/CDP:L/CR:L/IR:M/AR:H.
The environmental score is 2.2.
CAPEC623: Compromise Emanations
The analysis is similar to CAPEC622.
E. Category Physical Security, CAPEC514:
These attack patterns exploit the physical security of a system to
achieve an advantage. They are bypassing physical security,
physical theft, and physical destruction of a device or
component. Because the devices are small, anyone can remove
one unnoticed.
Focusing on the descendant CAPEC547, Physical Destruction
of Device or Component, it is conceivable that this is easily
accomplished if the device is outside or in a public space, as
discussed for Shifting Times by Camille Utterback, on display
outdoors in San Jose, California. Therefore, the removed and
reprogrammed device in CAPEC262: Manipulate Resources
produces similar results.
F. Category Hardware, CAPEC515:
CAPEC169: Footprinting is a kind of information
gathering or reconnaissance before the attack. As discussed,
Shodan returns the banner of Arduino servers. The banner
reveals the vulnerability of unpatched systems.
Because there is no authentication barrier, to compute the
Base score the Access Vector is “Network”. The Access
Complexity is “Low” because without authorization no
additional circumstance needs to be in place. The
Authentication Metric is “None”. Without control of the
system, the impact metrics are set to “None”. The resulting
base vector is AV:N/AC:L/Au:N/C:N/I:N/A:P/PL:N/EM:P.
The base score is 5.
To compute the Temporal score, footprinting can be difficult
to trace. The best practice is to keep software patches up to
date. However, a device sensing a physical phenomenon or
monitoring for an event to occur is less likely to be shut
down in order to be patched as frequently as other types of
devices. Also, as discussed, thus far the current patches have
not been available on this platform. The Temporal Vector is
GEL:N/GRL:M. The temporal score is 3.1.
In the environment of the young hobbyist or artist, there are
limited connected systems, and there are no traces of this type
of attack. The environmental vector is:
LVP:L/PTV:L/LRL:N/EC:N/EI:N/EA:P/CDP:L/CR:L/IR:M/AR:H.
The environmental score is 3.8.
CAPEC440: Deploy Compromised HW to Target Entity
This is when technology is compromised and
deployed to a victim’s location for the purpose of carrying out an
attack. In the future, will trading gadgets be part of this
hobbyist paradigm? This has to do with trust and how it is
established, similar to the business model used by eBay and
others. To compute the Base score, because the vulnerability
could be exploited remotely, the Access Vector is “Network”.
The Access Complexity is “Low” because no additional
circumstances need to exist for the exploit to be successful. No
authentication is required to trigger the vulnerability, so the
Authentication Metric is “None”. The impact metrics are set to
“Complete”, because of the high probability of a complete
system compromise. The resulting base vector is
AV:N/AC:L/Au:N/C:C/I:C/A:C/. The base score is 10. The
Temporal Vector is GEL:N/GRL:N. The temporal score is 7.
To compute the Environmental score, based on the local
environment, the prevalence of trading Arduino gadgets is
unknown. The Perceived Target Value is considered “Low”.
There is not much that we can do to stop these types of attacks.
The Local Remediation Level is “None”. The Impact metrics
are set to “Complete” to indicate the increased level of access.
The rest of the environmental vector is as follows:
LVP:L/PTV:L/LRL:L/EC:C/EI:C/EA:C/CDP:L/CR:L/IR:M/AR:H.
The environmental score is 6.8.
CAPEC441: Malicious Logic Insertion
It is possible that a device can be reprogrammed and entered
back into the system. The resulting score for this case is the
same as CAPEC262: Manipulate Resources.
Domain                          | CAPEC Attack Pattern                                                 | B   | T   | E
A. CAPEC403: Social Engineering | 404 Social Info Gathering                                            | 7.6 | 6.9 | 5.7
                                | 410 Information Elicitation via Social Info Gathering                | 5.1 | 4.4 | 4.5
                                | 416 Target Influence via Social Info Gathering                       | 5.1 | 4.4 | 4.5
B. CAPEC437: Supply Chain       | 438 Modification during Manufacturing                                | 7.2 | 6   | 5.8
                                | 439 Manipulation during Distribution                                 | 7.2 | 6   | 5.8
C. CAPEC512: Communications     | 117 Interception                                                     | 5.8 | 4.2 | 5
                                | 272 Protocol Manipulation: 220 Client-Server Protocol Manipulation   | 10  | 7   | 7.1
                                | 272 Protocol Manipulation: 548 Contaminate Resource                  | 10  | 8.1 | 7.5
                                | 272 Protocol Manipulation: 262 Manipulate Resources                  | 5.4 | 5.3 | 5.3
                                | 607 Obstruction: 601 Jamming                                         | 5.7 | 4.2 | 6
D. CAPEC513: Software           | 115 Authentication Bypass                                            | 10  | 7   | 7.1
                                | 123 Buffer Manipulation                                              | 8.3 | 6.4 | 6.5
                                | 125 Flooding                                                         | 10  | 8.1 | 7.1
                                | 188 Reverse Engineer: 622 Electromagnetic Side Channel               | 6.9 | 6   | 2.2
                                | 188 Reverse Engineer: 623 Compromise Emanations                      | 6.9 | 6   | 2.2
E. CAPEC514: Physical Security  | 547 Physical Destruction of Device                                   | 5.4 | 5.3 | 5.3
F. CAPEC515: Hardware           | 169 Footprinting                                                     | 5   | 3.1 | 3.8
                                | 440 Deploy Compromised HW to Target Entity                           | 10  | 7   | 6.8
                                | 441 Malicious Logic Insertion                                        | 5.4 | 5.3 | 5.3
Table 2: The Base (B), Temporal (T), and Environmental (E)
scored results.
V. CONCLUSION
An analysis of the threats to the security of the Arduino as
an eventual trusted physical computing participant in the IoT
has been conducted. As part of the IoT infrastructure,
microcontrollers are coming under increasing threat of attack.
While more simplistic than some other network devices, these
same devices are being used by DIYers to solve perceived
problems and as a hobby by ordinary people. The
massive number of undocumented creations accessible over
the Internet and managed by an assortment of minors and
others will be increasingly difficult to protect. For this reason,
a study of the attacks in a DIY environment, the potentially
weakest link in the IoT, has been conducted using a
combination of the CCSS methodology and the CAPEC list of
vulnerabilities. According to the CCSS documentation,
because the foundation is qualitative, the difference between
4.7 and 5.4 is not meaningful. However, 4.7 and 10 are
significantly different. Therefore, the following two main
groups were identified: a group with a base score of 10,
and a second group scoring between 6.9 and 8.3.
The critical attack patterns with a base score of 10 are
descendants of the communication, software, and hardware
domains. They include Client-Server Protocol Manipulation
(220), Contaminate Resource (548), Authentication Bypass
(115), and Deploy Compromised HW to Target Entity (440).
The next major attack patterns, with base scores ranging
between 8.3 and 6.9, include Buffer Manipulation (123), Social
Information Gathering (404), Modification during
Manufacturing (438), Manipulation during Distribution (439),
Flooding (125), Electromagnetic Side Channel (622), and
Compromise Emanations (623). It was found that the temporal
score is less meaningful when evaluating new technology that
does not have a history of attacks; however, the environmental
metric produced some interesting results. In the higher scored
vulnerabilities there was a greater disparity between the
environmental score and the base score than in the lower scored
attack patterns. For example, in the reverse engineering domain
(CAPEC188) the overall base score was 6.9 compared to the
environmental score of 2.2. By contrast, the Malicious Logic
Insertion (CAPEC441) base score is 5.4
compared to the 5.3 environmental score. This can be
interpreted as a greater DIY environmental influence (e.g.
confidentiality and integrity are not critical in a hobby culture)
on the higher risk vulnerabilities.
In the future, a holistic IDS that utilizes the CCSS attack
patterns with the common language in [14] may ubiquitously
communicate with an undocumented device before connecting
it to the IoT. This study was an attempt to use existing
methodologies to show how IoT technology can
become a trusted participant in our information world.
VI. ACKNOWLEDGEMENTS
This research was directly influenced by an
IEEE/Internet2/NSF co-sponsored End-to-End Trust and
Security for IoT workshop on February 4, 2016 in Washington,
DC. In our group on case studies, we found that, in order to
establish policies, the commonalities across the domains in
the IoT needed to be recognized. It is hoped that this work to
analyze one of the domains that make up the physical space of
the IoT is a step towards the derivation of a set of policies
required to safeguard the machines and their owners. For future
studies, contact the author for the CAPEC spreadsheet used for
computing the values in Table 2.
VII. REFERENCES
[1] D. Kushner, The Making of Arduino, IEEE Spectrum, October 2011.
[2] camilleutterback.com/projects/sifting-time-san-jose
[3] K. Karl & A. Willig, “Protocols and Architectures for Wireless Sensor
Networks,” West Sussex, Hoboken, N.J.: Wiley, May 2005.
[4] T. Karvinen, K. Karvinen, & V. Valtokari, Make: Sensors, Maker Media
Inc., Sebastopol, CA, May 2014.
[5] C. Pfister, Getting started with the Internet of Things, O’Reilly,
Sebastopol, CA, 2011
[6] J. Blum, Arduino, John Wiley & Sons, 2014.
[7] CCTV cameras worldwide used in DDos attacks,
www.zdnet.com/article/cctv-cameras-worldwide-used-in-ddos-attacks/,
October 26, 2015.
[8] store-usa.arduino.cc
[9] J. Titus, 6LoWPAN Goes Where ZigBee Can’t, Electronic Component
News (ECN), 2009.
[10] N. Kushalnagar, G. Montenegro, & C. Schumacher, IPv6 over Low-
Power Wireless Personal Area Networks (6LoWPANs), RFC 4919
(tools.ietf.org/html/rfc4919), August 2007.
[11] Z. Shelby and C. Bormann, 6LoWPAN: The Wireless embedded
Internet, 1st ed.; John Wiley & Sons Ltd: Chichester, UK 2009.
[12] csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf
[13] capec.mitre.org/data/definitions/3000.html
[14] csrc.nist.gov/publications/nistpubs/800-126/sp800-126.pdf
[15] csrc.nist.gov/publications/nistir/ir7502/nistir-7502_CCSS.pdf
[16] J. Matherly, Complete Guide to Shodan, Lean Pub (www.leanpub.com),
February 2016.
[17] www.arduino.cc/en/Tutorial/WebServer, Web Server
[18] D. Strobel, D. Oswald, B Richter, F Schellenberg, & C Paar,
Microcontrollers as (In) Security Devices for Pervasive Computing
Applications, In Proceedings of the IEEE, 102(8), 1157-1173, July
2014.
[19] A. Vishwanath, Cybersecurity’s Weakest Link: Humans, Government
Technology (www.govtech.com), May 2016.
[20] A. Vishwanath, When Hackers Turn Your Lights Off, CNN
(www.cnn.com/2016/02/11/opinions/cyber-infrastructure-attacks-vishwanath),
February 2016.
[21] Symantec Corporation, Internet Security Threat Report, April 2016.
[22] P.W. Singer, Hacked Hardware Could Cause the Next Big Security
Breach, Popular Science, February 2015.
[23] J. Market, M. Massoth, K.-P. Fischer-Hellman, S. M. Furnell, and C.
Bolan, Attack Vectors to Wireless ZigBee Network Communications –
Analysis and Countermeasures, In Proceedings of SEIN 2011, October
2011. (not ref yet)
[24] G. Ose, Exploiting USB Devices with Arduino, Black Hat USA, 2011.
(not ref yet)
[25] A. George, Popular Mechanics, How Your World Works, pp. 21-22,
December/January 2016.
[26] D. Norris, The Internet of Things: Do-It-Yourself at Home Projects for
Arduino, Raspberry Pi, and BeagleBone Black, McGraw-Hill, pp. 243-
245, 2015.
[27] https://www.helpnetsecurity.com/2015/10/13/wifi-jamming-attacks-
more-simple-and-cheaper-than-ever/
[28] http://www.warse.org/pdfs/2014/icceitsp052014.pdf
[29] C. Alberca, G. Suarez-Tangil, S. Pastrana, P. Palmieri, Security
Analysis and Exploitation of Arduino Devices in the Internet of Things,
ACM CF’16, May 2016.