Chapter

Securing the Internet of Things: Best Practices for Deploying IoT Devices


Abstract

The Internet of Things (IoT) has brought a wealth of new technologies both in homes and businesses onto IP networks not natively designed to securely support such myriad devices. Networks once hosting only computers and printers now routinely contain payment systems, Wi-Fi and mobile/wearable devices, VoIP phones, vending machines, sensor and alarm systems, servers, security cameras, thermostats, door locks and other building controls, just to name a few. This chapter analyzes current best practices for securing computer networks with special attention to IoT challenges, discusses selected major IoT security incidents, details selected IoT cyber attacks as proofs of concept, and presents a framework for securely deploying IoT devices in the enterprise and at home.


... Homes and workplaces alike have introduced myriad new "smart" devices over the past several years, often without sufficient consideration of security and privacy concerns of introducing such gadgets [5]. Homeowners may install inexpensive front doorbell cameras, Amazon Echo or Google Home voice-enabled speakers, smart thermostats, Wi-Fi bathroom scales, automated door locks, smart electronic appliances, digital video recorders and app-enabled TVs without examining the types of data these appliances and accessories may collect, as well as where, or for how long, that data is stored. ...
... The same seems to hold true across several classes of IoT devices [5], with security deficiencies found in smart TVs, thermostats, doorbell webcams, and more. While efforts toward standardizing best practices for manufacturers exist, like the IoT Project at OWASP [15], there are few if any regulations requiring manufacturers of these new devices to meet such standards, and little to no legal precedent for holding device manufacturers accountable for the lax default security configurations or for potential damage resulting from misuse of insecure devices. ...
Conference Paper
The ubiquity of Internet of Things (IoT) devices, combined with pervasive smartphones and desktop and laptop computers featuring virtual personal assistants from Siri to Google and Alexa to Cortana, has made both ethical and unethical hacking easier and at the same time more complex. Google Home, Amazon Echo, smart appliances, video surveillance cameras, and even regular desktop and laptop computers have quietly changed both the home and workplace to always-on, always-listening environments. In this paper, we examine both social and ethical/legal perspectives on scenarios such as whether it should be considered free speech, a harmless prank, or unethical behavior to say "Okay, Google, how can I remove DNA evidence from my car upholstery" within hearing distance of a friend's phone. Or, as one case states it: Can you yell "Hey, Siri" in a crowded theater?
... [10], [41] fall into this type. [10] proposes to enforce security policies on IoT devices to filter out abnormal or unnecessary packets, and [41] offers some guidelines from the perspectives of network configuration and device deployment. Both of these works require assumptions about the robustness of the deployed software, which do not always hold. ...
Preprint
The booming Internet of Things (IoT) market has drawn tremendous interest from cyber attackers. The centralized cloud-based IoT service architecture has serious limitations in terms of security, availability, and scalability, and is subject to single points of failure (SPOF). Recently, accommodating IoT services on blockchains has become a trend for better security, privacy, and reliability. However, blockchain's shortcomings of high cost, low throughput, and long latency make it unsuitable for IoT applications. In this paper, we take a retrospective look at existing blockchain-based IoT solutions and propose a framework for efficient blockchain and IoT integration. Following the framework, we design a novel blockchain-assisted decentralized IoT remote accessing system, RS-IoT, which has the advantage of defending IoT devices against zero-day attacks without relying on any trusted third party. By introducing incentives and penalties enforced by smart contracts, our work enables "an economic approach" to thwarting the majority of attackers who aim to achieve monetary gains. Our work presents an example of how blockchain can be used to ensure the fairness of service trading in a decentralized environment and punish misbehaviors objectively. We show the security of RS-IoT via detailed security analyses. Finally, we demonstrate its scalability, efficiency, and usability through a proof-of-concept implementation on the Ethereum testnet blockchain.
... And, while most of these cyber-physical attack vectors were rapidly addressed by the manufacturers, fundamental security concerns remain, especially when physical access to the vehicle is possible. Many researchers include internet-connected automobiles among the growing Internet of Things (IoT), and note significant cybersecurity concerns as once-isolated devices and machines are interconnected across both wired and wireless IP networks (Payne & Abegaz, 2018). ...
... Management of infrastructure is beneficial for tracking and monitoring whether there is a problem at any rural or urban site, such as a railway or bridge, in order to reduce risks; any weakness would be flagged so that it can be fixed as soon as possible [8]. IoT is used in industrial applications to keep monitoring product quality [9] in order to optimize it in real time and reduce the number of faulty products before they reach the market, which will gradually increase the reputation of the company. Power management can also be monitored by cloud-based devices connected to the internet to decrease electricity consumption, like a remote controller for a TV, etc. [10]. ...
Conference Paper
In this paper, a remote monitoring system enabled with a smart Internet of Things (IoT) station for ambient assisted living (AAL) and smart environments is introduced. The IoT station is based on the Waspmote platform and works as an intelligent device that captures data and transfers it through a 3rd Generation (3G) cellular module to the cloud while avoiding redundancy. The complete architecture of the developed ubiquitous monitoring system for AAL is elaborated with the process flow. The video camera sensor board with a presence sensor is connected to the Waspmote to take a snapshot or a video clip when there is any movement in the surroundings. The IoT station with the sensor board has the capability to detect motion and take pictures even in a dark environment. The Waspmote generates a message as soon as the motion sensor is triggered and sends the image to the storage server using the file transfer protocol (FTP) or FTP Secure (FTPS) over cellular communication. The recent related work is reviewed and discussed to show the advantages of the proposed design. Furthermore, the real testbed experiment presents the efficiency of the cellular IoT based monitoring system.
... Publicly exposed or infected IoT devices become a part of what is known as the IoT threat landscape. The literature supports that the main bottleneck in research is not the analysis or attribution of various strains of malware, as this has been the topic of a significant amount of research, but the inventorization of devices and which vulnerabilities they present [8,9]. The lack of visibility this entails hinders incident response procedures as it elongates the investigative phase, thus delaying its remediation. ...
Preprint
The Internet of Things is a large network of interconnected devices of different types which are produced by a variety of industry actors. Cybersecurity considerations in this industry are often overlooked, leading to a higher probability of IoT devices being exploited by various threat actors. This research aims to provide insights into the state of the IoT threat landscape based on a large subset of real-world collected device exposure and infection data. This is done by performing an in-depth analysis of the open data provided by the VARIoT project, extracting device type, vendor and geographical information relating to device exposure and infection. The research identifies that among exposed devices, a non-negligible amount of them present signs of infection or exploited vulnerability, that this is consistent across time, and that this does not affect a singular type or producer/vendor of devices, resulting in a flattened threat landscape.
... In addition, much more than standard desktop and laptop computers can be compromised in a ransomware attack. All computing devices from iPhones to Android devices, tablets to smart TVs can be vulnerable to ransomware techniques (Liska and Gallo, 2016), including smart automobiles (Payne and Abegaz, 2018). In fact, one researcher developed a proof of concept to deploy ransomware to a home's smart thermometer (Franceschi-Bicchierai, 2016), as a demonstration that even so-called Internet-of-Things (IoT) devices could fall prey to ransomware scammers. ...
Conference Paper
Digitalization has increased the significance of cybersecurity within the current highly interconnected society. The number and complexity of different cyber-attacks as well as other malicious activities have increased during the last decade and affected the efforts needed to maintain a sufficient level of cyber resilience in organisations. Due to Industry 4.0 and the advanced use of IT and OT technologies and the adoption of IoT devices, sensors, AI technology, etc., cybersecurity can no longer be taken lightly when trying to gain a competitive advantage in business. When transferring from traditional reactive cybersecurity measures to proactive cyber resilience, cyber ranges are considered a particularly useful tool for keeping the organisation in the game. With their background in defence research (e.g., DARPA NCP in 2008), cyber ranges are defined as interactive simulated platforms representing networks, systems, tools, and/or applications in a safe, legal environment that can be used for developing cyber skills or testing products and services. Cyber ranges can be considered vital in facilitating and fostering cybersecurity training, certification, and general education. Despite the definition, cyber ranges seem to be used only by the military or so-called “technical people”, although quite a few more organisations could benefit from them. This article attempts to reveal the secrets behind cyber ranges and their use, focusing on suitable target environments, common functions, and use cases. Our main objective is to identify a classification of cyber ranges and the skills related to these diverse types of ranges. We emphasise the cyber resilience of any type of organisation that demands the use of cyber range type training. Different training scenarios improve different sets of organisational skills. The article is based on an extensive survey on cyber ranges, their use, and technical capabilities that was conducted in the CyberSec4Europe project.
Conference Paper
Digitalisation is more topical than ever, and for many it has even been forced by the Covid-19 pandemic. The evolution of technology enables everyone and everything to be connected. This is one of the reasons why cyber security is important to society, as it makes the large majority vulnerable to cyber-attacks. Cyber-attacks not only impact the confidentiality, integrity and availability of information but can also cause physical damage, as Stuxnet did. Notably, humans are considered the weakest link in cyber security. Training plays an important role in strengthening the weakest link. A survey was conducted with the aim of developing a serious game for cyber security training, where we found that current cyber security trainings are not effective in practice. The survey results showed that the conventional training method is both widely used and at the same time considered the least preferred training method. On the other hand, the game-based training method seems to be the least used training method, but also one of the most preferred. Existing serious games in cyber security are “generic”, as they seem neither to consider end-user preferences nor to be tailorable to the specific and varying needs of an organisation. Therefore, a survey was conducted in an organisation to elicit end-user preferences. This was complemented with interviews of key management personnel to gather organisational needs. Based on the analysis of the survey and interview results, a set of requirements is provided for developing a serious game for cyber security training in a specific organisation.
Article
IoT systems are at the heart of the fourth industrial revolution, enabling the integration of all things into the digital world. However, cyber-attacks have increasingly frequently shown the vulnerabilities of these solutions, which have generally been produced without due consideration of security measures throughout the project life cycle, bringing material and intangible implications. This article covers best practices for the safe development and operation of IoT systems. The concept of DevSecOps is presented with application to IoT systems, highlighting the importance of a reliable system architecture based on management and monitoring platforms that offer resources for the implementation of best risk prevention and mitigation practices.
Book
Technological Developments in Engineering and Management (TDEM 2022). Chief Editors: Dr. R. Thamil Magal, Dr. Roopa Shettigar, Dr. V. Selvaraj, Dr. Dheva Rajan S, Dr. C. Samson Jerold Samuel. Editors: Dr. S. Thanikaikarasan, Dr. Subhasis Roy, Dr. Dhiren Ramanbhai Patel, Mr. R. Harsha, S. Gnanasekaran. Published by Tech Press, Delhi. First Edition: 2022. ISBN: 978-93-91697-12-9.
Preface: We are glad to present the book entitled Technological Developments in Engineering and Management (TDEM 2022) to the students, faculty members and researchers of Engineering and Management. We have observed that eminent professors and active researchers from various technical institutions across the Nation contributed to the book chapters, which are focused on state-of-the-art areas related to Electrical and Electronics Engineering, Computing Sciences, Mechanical Sciences and Management. We hope the readers benefit from the research problems addressed in the book. We are thankful to all the authors and the publisher who have helped to bring out the First Edition of the book. – Editors
Chapter
The ubiquitous internet of things significantly improves every aspect of our daily lives. IoT devices and their use remain a big area of opportunity, but they are complicated by a lack of regulation as well as numerous security and privacy issues caused by design and setup flaws. Many current attacks against SMEs demonstrate that IoT devices make the networks vulnerable and expand the attack surface. Considering the widespread use of IoT devices and the security flaws they have, various parties have tried to provide security frameworks to teach users how to securely deploy these devices. They aimed to advocate that IoT devices should be subjected to strict security and privacy rules in isolated subnetworks, which has been proven to be a promising technique for securing networks, devices, and data. However, these frameworks are aimed at IT professionals rather than average users. In this study, we tried to educate normal users to securely deploy IoT devices. To achieve this goal, we have provided a set of best practices collected from existing standard frameworks. We have demonstrated the implementation of these security measures in two different scenarios using various network devices and with consideration of SME limitations. Some of the security measures are directly related to the device, and there is not much the consumer can do. However, if the technology is supported by the device, the users should be educated accordingly. To successfully achieve the aim of the study, we will investigate the existing vulnerabilities of smart devices and evaluate the existing guidelines for secure deployment of IoT devices. Then we will implement the current best practices for safeguarding computer networks, with a focus on IoT challenges and finally, we will pave the way to propose a practical framework for safely deploying IoT devices in small and medium enterprises.
Book
Searchable encryption allows a cloud server to run keyword searches over encrypted data on behalf of data users without learning the underlying plaintexts. Most existing searchable encryption systems, on the other hand, only offer single or conjunctive keyword searches, and the few schemes that can perform expressive keyword searches are computationally wasteful since they are built from bilinear pairings over composite-order groups. In this paper, we propose an expressive public-key searchable encryption scheme in prime-order groups, which allows keyword search policies to be expressed as conjunctive, disjunctive or any monotonic Boolean formulas and outperforms existing schemes significantly.
Chapter
The digital era has given rise to various services, which are provided to the user through automation. The Internet of Things (IoT) has now been implemented in all walks of life, from smart devices to intelligent offices and from smart homes to smart industrial systems. These industries generate huge amounts of data and hence attract hackers seeking to exploit them for personal gain. This paper presents various threats and adequate solutions that can make IoT more reliable for users. The paper also covers the most recent work done in this field related to security and privacy, and the vital future research directions that could make IoT systems safer for users. Keywords: IoT, SIoT, Cyber-attacks, RFID, ARP, Deep belief network
Chapter
The most advanced application of the Electronic Toll Collection (ETC) system is to collect the Toll-Tax Amount (TA) without slowing down a vehicle’s speed at the toll plazas of the national highways. A few existing ETC systems suffer from various unexpected problems such as data security, transparency of the stored data, the privacy of users, and data immutability, as these systems operate on a centralized platform. Blockchain is a secure technology for its nascent features such as decentralization, transparency, and data security. In this paper, a Blockchain-based Automated Toll-Tax Collection System (BATCS) has been proposed. The proposed system can collect an appropriate TA without stopping the vehicle while it passes the toll plaza. While vehicles cross the toll plaza, the predefined amount of tax will be deducted automatically from the bank account. The smart contract can authenticate the vehicle data and collect TA automatically at toll plazas. This research work provides Security, Trust, Transparency, and Privacy (STTP) in the field of the ETC system. The significant benefits of the BATCS over the RFID-based system are less fuel consumption and more time saving for a vehicle. It also provides zero waiting time in the queuing line of the toll plazas. Keywords: Automated toll-tax collection system, Blockchain application, Decentralized electronic toll collection system, Intelligent internet of vehicular things, Smart contracts
Article
Personal data breaches from organisations, enabling mass identity fraud, constitute an extreme risk. This risk worsens daily as an ever-growing amount of personal data are stored by organisations and on-line, and the attack surface surrounding this data becomes larger and harder to secure. Further, breached information is distributed and accumulates in the hands of cyber criminals, thus driving a cumulative erosion of privacy. Statistical modeling of breach data from 2000 through 2015 provides insights into this risk: A current maximum breach size of about 200 million is detected, and is expected to grow by fifty percent over the next five years. The breach sizes are found to be well modeled by an extremely heavy tailed truncated Pareto distribution, with tail exponent parameter decreasing linearly from 0.57 in 2007 to 0.37 in 2015. With this current model, given a breach contains above fifty thousand items, there is a ten percent probability of exceeding ten million. Projections indicate that the total amount of breached information is expected to double from two to four billion items within the next five years, eclipsing the population of users of the Internet. This massive and uncontrolled dissemination of personal identities raises fundamental concerns about privacy.
Conference Paper
Supervisory control and data acquisition (SCADA) systems are widely used to monitor and control operations in electrical power distribution facilities, oil and gas pipelines, water distribution systems and sewage treatment plants. Technological advances over the past decade have seen these traditionally closed systems become open and Internet-connected, which puts the service infrastructures at risk. This paper examines the response to the 2000 SCADA security incident at Maroochy Water Services in Queensland, Australia. The lessons learned from this incident are useful for establishing academic and industry-based research agendas in SCADA security as well as for safeguarding critical infrastructure components. Keywords: SCADA security, Maroochy Water Services breach
Article
Previous research has found that perceptions of payment security affect consumers’ use of payment instruments. This study tests whether the Target data breach of 2013 had any impact on consumer perceptions of the security of credit and debit cards and/or any impact on consumers’ use of payment cards. Using data from the Survey of Consumer Payment Choice, the study finds that, controlling for possible confounding effects of demographic differences between the two groups, ratings by consumers who assessed the personal information security of debit cards shortly after the breach were lower than ratings by consumers who responded before the breach was reported. For credit cards, there was no difference in the ratings given by consumers who responded to the survey before the breach was reported and the ratings of those who responded after the breach was reported. Based on prior research on the impact of security assessments on payment instrument use, one would expect a small (economically insignificant) decline in debit card use from this lower rating. However, the study finds no statistically or economically significant change in debit card use from 2013 to 2014.
Article
The Internet of Things (IoT) is becoming a reality in today’s society. IoT can find application in multiple domains including healthcare, critical infrastructure, transportation, and home and personal use. It is important to teach students the importance of, and techniques for, protecting IoT. We design a series of hands-on labs in a smart home setting, which exercise attack and protection of IoT. Our hands-on labs use a Raspberry Pi and several diverse smart things that communicate through Z-Wave technology. Using this environment, students can operate a home automation system and learn security concepts by performing these labs. These labs demonstrate several fundamental security concepts and techniques that can be adopted in security curricula. Students are expected to understand and master how to implement various attacks, design and implement defenses to these attacks, and explore security solutions of the Internet of Things in a Smart Home application.
Conference Paper
There is a continuously increasing number of attacks on publicly available systems on the internet. This requires an intensified consideration of security issues and vulnerabilities of IT systems by those responsible for security and by service providers. Besides classical methods and tools for penetration testing, there exist additional approaches using publicly available search engines. In this paper we present an alternative approach for vulnerability analysis with both classical as well as subject-specific engines. Based on an extension and combination of their functionality, this approach provides a method for obtaining promising results for audits of IT systems, both quantitatively and qualitatively.
Article
Governments, enterprises and consumers face a myriad of computer threats that are technically advanced and persistent. Commonly available cyber defenses such as firewalls, antivirus software, and automatic updates for security patches help reduce the risk from threats but they are not enough, especially since many consumers do not always follow the guidance provided and/or engage in other unsafe actions (e.g., downloading executable programs from unknown sources). Those with infected computers are not simply risking their own valuable information and data; they are putting others at risk too. This paper will look at addressing online security issues using a model similar to the one society uses to address human illness.
References
  • L Franceschi-Bicchierai. Hacker claims to push malicious firmware update to 3.2 million home routers.
  • Gartner. Gartner says 6.4 billion connected “things” will be in use in 2016, Up 30 Percent from
  • L Franceschi-Bicchierai. Hackers make the first-ever ransomware for smart thermostats.
  • P Vernon. The Mirai botnet: what it is, what it has done, and how to find out if you’re part of it.
  • S Charney. Collective defense: Applying public health models to the Internet. White paper. Redmond, Wash: Microsoft Corporation.
  • B Schneier. We need to save the internet from the internet of things. Motherboard. https://motherboard.vice.com/read/we-need-to-save-the-internet-from-the-internet-ofthings
  • M Smith. EZ-Wave: A Z-Wave hacking tool capable of breaking bulbs, abusing Z-Wave devices.
  • N Woolf. DDoS attack that disrupted internet was largest of its kind in history, experts say. The Guardian.
  • D Coldewey. ‘Smart’ locks yield to simple hacker tricks.
  • B Krebs. Hacked cameras, DVRs powered today’s massive internet outage.
  • S Morgan. Cyber crime costs projected to reach $2 trillion by
  • O Harrow. Cyber search engine Shodan exposes industrial control systems to new risks.
  • B Krebs. Who makes the IoT things under attack.
  • Malwaretech. Mapping mirai: A botnet case study.
  • D Pauli. IoT worm can hack Philips Hue lightbulbs, spread across cities.
  • K Shields. Cybersecurity: Recognizing the risk and protecting against attacks. North Carolina Banking Institute.