IISR: A Secure Router for IoT Networks
Third Year Undergraduate Student, Computer Science and Engineering Department, National Institute of Technology Agartala, Tripura
Research Guide, Center of Excellence in Cyber Security, Institute for Development and Research in Banking Technology, Castle Hills, Road No. 1, Masab Tank, Hyderabad-500 057
The Internet of Things (IoT) is a relatively new idea in the field of technology. The fundamental thought behind IoT is to connect things to the internet and make them able to send, receive, and process data. These devices have small computational power and memory storage. They are associated with the cloud, where these auxiliary services can be taken care of. The number of IoT devices is increasing multi-fold each year, and it is expected that there will be around 75 billion IoT devices by 2025. With the expanding prevalence of IoT devices, the vulnerabilities and security issues related to these devices are also increasing. The absence of security mechanisms and the use of vulnerable protocols make IoT gadgets obvious targets for hackers, for instance the "Mirai Botnet Attack" in 2016. There is a critical requirement for the security of IoT frameworks. In this project, we propose a secure IoT router, which is safe from many digital attacks. IISR protects the device network against malicious attacks by giving a one-step solution for securing IoT systems. IISR consists of a Raspberry Pi 3 Model B+, five IoT devices, and an attacker machine. The router has been tested by conducting ten attacks, namely: Deauthentication, Fake-Authentication, MAC Spoofing, Denial of Service, Port Scanning, WiFi Cracking, ARP Poisoning, DNS Spoofing, Malware Injection, and Firmware Exploitation. Security mechanisms have been deployed for the detection and mitigation of these attacks. They consist of Snort IDS rules, Arduino programming, a packet sniffer, and configuration of connection methods. The test results show that IISR has detected seven out of the ten attacks and has been able to mitigate six out of the ten attacks performed.
Keywords: attacks, detection, Internet of Things, mitigation, vulnerabilities.
| Abbreviation | Expansion |
|---|---|
| ARP | Address Resolution Protocol |
| BSSID | Basic Service Set Identifier |
| DNS | Domain Name System |
| FIN | Finish (TCP flag) |
| HTTP | HyperText Transfer Protocol |
| IDRBT | Institute for Development and Research in Banking Technology |
| IDS | Intrusion Detection System |
| IISR | IDRBT IoT Secure Router |
| IoT | Internet of Things |
| MAC | Media Access Control |
| OWASP | Open Web Application Security Project |
| RAM | Random Access Memory |
| TCP | Transmission Control Protocol |
| UDP | User Datagram Protocol |
| WAP | Wireless Access Point |
| WEP | Wired Equivalent Privacy |
| WPA | Wi-Fi Protected Access |
Statement of the Problem
Digital attacks have threatened the world of computers from the very beginning, yet with the advent of IoT, the simplicity and volume of these attacks have expanded substantially. The essential reason behind this is the non-existence of appropriate safety measures in IoT devices. The number of IoT devices is increasing multi-fold every year, as are the attacks on them.
Objectives of the Research
This project concerns the IoT network architecture that is generally deployed in smart homes. We have deployed this testbed at the CCS Lab, IDRBT, Hyderabad, India. The IISR (IDRBT IoT Secure Router) is a Raspberry Pi device configured as a WiFi hotspot (https://raspberry-valley.azurewebsites.net/RaspAP-Wifi-Hotspot/), and five IoT devices are connected to it. We study the behaviour of IISR and the IoT devices under attacks, security flaws, and privacy protection issues. Due to the heterogeneity of IoT devices, security implementation is going to be highly variable. This motivated us to develop a low-cost solution for such IoT networks. We believe that IISR can be augmented with existing security techniques to increase resistance to IoT attacks. Using IISR, the security of IoT devices can be strengthened, and a better environment for small-scale IoT networks can be created.
The overall objective of this research is the development of a secure central authority (IISR), which can be deployed in small-scale IoT networks to ensure the security of the whole network (Aneesh Dua et al., 2019).
IISR is best suited for small-scale IoT networks, and it can prevent a large number of entry-level attacks from happening. We have used a single Raspberry Pi as the router, but the number of Raspberry Pis can be increased to handle complex situations. Blockchain technology can also be used to make a very efficient solution for the security of small-scale IoT networks.
The rest of the report is organized as follows:
Section 2 contains related work. The experimental setup and proposed approach are explained in Section 3. Section 4 contains results and discussion. Section 5 contains the summary and future work.
Review of Related Work
In the work by B. Dorsemaine et al. (2016), the possible attacks on an Internet of Things (IoT) system in a corporate environment have been discussed. Their work also presents a case study of connected smart thermostats. However, it discusses only the corporate environment; we require a solution that suits not only the corporate environment but others as well, namely home, military, and industrial.
M. Miettinen et al. (2017) have described a method for securing IoT systems. Their model comprises an SDN (Software-Defined Networking) security gateway that analyses the vulnerability level of each new IoT device that connects to the network using a cloud service. They constrain the communications of the IoT device to make a more secure environment. However, constraining interactions is not an efficient method to achieve security.
Using blockchain-based methods, A. Dorri et al. (2017) have proposed a model to secure IoT devices. Their work makes use of a local blockchain ledger and its immutability to create a secure network for IoT devices. This is a very promising method for securing IoT devices, but it comes at the cost of high processing overhead. Their model requires a Blockchain Manager to manage the transactions among the devices as well as communications to the internet.
A. F. A. Rahman et al. discussed the security threats and vulnerabilities of all layers in the IoT architecture. Their proposed framework requires security mechanisms to be constructed at each layer of the diverse IoT architecture to provide a more secure IoT environment and cloud system. However, the implementation feasibility of their method is questionable.
Evaluation of Related Work
All the methods discussed in Section 2.1 have given their solutions, but none of them is a one-step solution to secure IoT networks. Some of the solutions are quite expensive and are not feasible to implement in small-scale IoT networks. Others require high processing power, which is again a problem for small-scale IoT networks, especially domestic ones.
The security methods discussed in Section 2 lack the characteristic of being feasible and efficient at the same time. IISR has both these characteristics. It is a low-power device that suits any type of network architecture and protects the network from all kinds of attacks. It also has a provision for monitoring the network.
In order to test IISR, we have classified the IoT attacks into four levels according to their nature and complexity. The complexity, as well as the threat level of the attacks, increases with the level number. We performed ten attacks from level 0 to level 3. Figure 1 shows a diagrammatic representation of our classification of these attacks as well as the vulnerabilities of IoT devices.
The testbed used for IISR comprises a Raspberry Pi 3 Model B+ (Raspbian OS), five IoT devices, an attacker machine, and a packet sniffer. Ten attacks were performed on the IoT devices using the attacker machine. The detection and mitigation mechanisms were configured on the IISR. In general, two types of attack scenarios are possible: attacks from outside the network and attacks from inside the network. Attacks from outside the network target the network itself; they mostly attempt to enter the network. Hence, according to the type of attack to be executed, we set up our experimental network. Figure 2 shows the connections of our experimental entities for attacks from outside the network, while Figure 3 shows those for attacks originating inside the network.
A. IISR Secure Router
We configured the Raspberry Pi 3 Model B+ with internet connectivity as IISR. This offers a low-cost and low-processing-power solution to the security requirement of IoT devices. The internet connection through the Ethernet port was bridged with the WiFi broadcasting network interface. The router was configured with WPA (WiFi Protected Access) security using CCMP (CCM Mode Protocol) encryption.
B. IoT Devices
For realistic testing, we made IoT devices with the help of ESP32 modules and sensors. The sensors used were a temperature and humidity sensor (DHT11), a motion detector (D-Sun HC-SR501), an LM393 photosensitive light-dependent control sensor module, and an MPU6050 (gyroscope + accelerometer + temperature) sensor module. Each ESP32 module joined the wireless network provided by IISR. The module captured the sensor readings and made them available on the network through an HTTP server.
C. Attacker Machine
To perform attacks, we set up a computer with 4 GB RAM and a 3.8 GHz Intel i7 processor and installed Kali Linux (version 2019.1) on it. Using it, we performed attacks both from outside and from inside the network. Attacks from outside the network, namely the deauthentication and fake authentication attacks, were conducted by sending malicious packets from outside the network with the help of a WiFi adapter (Atheros AR9271) used in monitor mode.
D. Packet Sniffer
To protect the IISR WiFi from attacks such as Deauthentication, Fake Authentication, and WiFi credential cracking, we programmed an ESP8266 WiFi module using the Arduino IDE as a packet sniffer.
RESULTS AND DISCUSSION
Level-Wise IoT-Attacks Detection & Mitigation
Level 0 IoT-Attacks
- Deauthentication & Fake Authentication Attacks:
Deauthentication and fake authentication attacks, which fall in this category, originate outside the network. Authentication and authorization problems arise when the measures taken to verify the authenticity of a device are insufficient. Deauthentication is not a very advanced attack. The attacker needs to generate only one packet for every six packets generated by the client and server to deauthenticate or disconnect the client from the Wireless Access Point (WAP). Fake authentication is another attack in which the attacker associates with the target network without being authorized to do so. It can be launched against WAPs using Wired Equivalent Privacy (WEP) security. These attacks are the stepping stones towards cracking WiFi credentials. Hence, even though they are not very advanced or complex, they lead to higher-level attacks. We have performed these attacks on our setup and studied the packets during the attack. Figure 4 shows a scan done by "airodump-ng".
The packets are sent by the attacker machine to the router but do not enter the network, and hence cannot be detected using tools like Snort, Wireshark, etc. One solution to tackle fake authentication attacks is to use better security methods like Wi-Fi Protected Access (WPA) or WPA2. We detect both these attacks using a packet sniffer: an ESP8266 WiFi module programmed in monitor mode using the Arduino IDE to detect such packets. The module was deployed on the IISR, and it successfully detected these attacks. Figure 6 shows the successful detection of the deauthentication packets.
Figure 7 shows a fake authentication attack; its entries show the attacker machine's successful authentication and successful association. The malicious device associates with the router using fake credentials.
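As an added example (not the report's ESP8266 sketch), the detection logic such a monitor-mode sniffer needs, written as plain C++ over constructed 802.11 management-frame headers so it can be compiled and tested off the device: a burst of deauthentication/disassociation frames from one transmitter within a short window raises "deauth-flood", and an authentication or association request from a station the router does not know raises "unknown-station-auth". The MAC addresses, the threshold of 5 frames and the 1000 ms window are assumed values.

```cpp
#include <array>
#include <cstdint>
#include <cstring>
#include <map>
#include <set>
#include <string>
#include <vector>

using Mac = std::array<uint8_t, 6>;
// A sniffed frame: timestamp plus the raw 802.11 MAC header (fc 2 B, duration 2 B, addr1-3).
struct Frame { uint32_t t_ms; std::vector<uint8_t> bytes; };

class MgmtFrameDetector {
public:
    // deauthThreshold deauth/disassoc frames from one transmitter inside windowMs raise
    // "deauth-flood"; auth/assoc from an unknown station raises "unknown-station-auth".
    MgmtFrameDetector(std::set<Mac> knownStations, unsigned deauthThreshold, uint32_t windowMs)
        : known_(knownStations), threshold_(deauthThreshold), window_(windowMs) {}

    // Returns the alert kind for one frame, or "" if it is unremarkable.
    std::string inspect(const Frame& f) {
        if (f.bytes.size() < 22) return "";            // header too short to hold addr2
        uint8_t fc0 = f.bytes[0];
        uint8_t type = (fc0 >> 2) & 0x3;               // 0 = management frame
        uint8_t subtype = (fc0 >> 4) & 0xF;
        if (type != 0) return "";
        Mac src;
        std::memcpy(src.data(), &f.bytes[10], 6);      // addr2 = transmitter address
        switch (subtype) {
        case 0xA:                                      // disassociation
        case 0xC:                                      // deauthentication
            return noteDeauth(src, f.t_ms);
        case 0x0:                                      // association request
        case 0xB:                                      // authentication
            return known_.count(src) ? "" : "unknown-station-auth";
        default:
            return "";
        }
    }
private:
    std::string noteDeauth(const Mac& src, uint32_t now) {
        auto& times = deauths_[src];
        times.push_back(now);
        while (!times.empty() && now - times.front() > window_)   // slide the window
            times.erase(times.begin());
        return times.size() >= threshold_ ? "deauth-flood" : "";
    }
    std::set<Mac> known_;
    unsigned threshold_;
    uint32_t window_;
    std::map<Mac, std::vector<uint32_t>> deauths_;
};

// Build a minimal management-frame header for the sample (constructed, not captured).
static Frame mgmt(uint32_t t, uint8_t subtype, const Mac& dst, const Mac& src, const Mac& bssid) {
    Frame f; f.t_ms = t;
    f.bytes = {uint8_t(subtype << 4), 0x00, 0x00, 0x00};   // type 0 (mgmt), no flags, duration 0
    f.bytes.insert(f.bytes.end(), dst.begin(), dst.end());
    f.bytes.insert(f.bytes.end(), src.begin(), src.end());
    f.bytes.insert(f.bytes.end(), bssid.begin(), bssid.end());
    return f;
}

// Constructed scenario: six deauth frames carrying the AP's address as transmitter
// arrive 100 ms apart, then an unknown station sends an authentication frame.
std::vector<std::string> runSample() {
    const Mac ap = {0x02, 0x11, 0x22, 0x33, 0x44, 0x55}, sta = {0x02, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE};
    const Mac rogue = {0x02, 0xDE, 0xAD, 0xBE, 0xEF, 0x01}, bcast = {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF};
    MgmtFrameDetector det({sta}, 5, 1000);
    std::vector<std::string> alerts;
    for (uint32_t i = 0; i < 6; ++i) {
        std::string a = det.inspect(mgmt(100 * i, 0xC, bcast, ap, ap));
        if (!a.empty()) alerts.push_back(a);
    }
    std::string a = det.inspect(mgmt(700, 0xB, ap, rogue, ap));
    if (!a.empty()) alerts.push_back(a);
    return alerts;   // {"deauth-flood", "deauth-flood", "unknown-station-auth"}
}
```

On the ESP8266 the same `inspect` would be called from the promiscuous-mode receive callback; the threshold should be tuned above the rate at which the AP legitimately deauthenticates idle clients.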
- Port Scanning:
The port scanning attack originates within the network. It finds all the open ports which an attacker can use to exploit the target device. Once the open ports of a device have been found, they can be used to deliver dangerous payloads and malware. We performed port scanning using the widely used NMAP tool and studied the packets using Wireshark. To tackle these attacks, we formulated Snort rules on the IISR. These rules detect packets associated with port scanning and also provide us with the attacker's IP address as well as the victim(s') IP. After deployment of these rules, all kinds of NMAP scans, namely TCP, UDP, XMAS, FIN, and NULL, were detected. Figure 8 shows the detection of an NMAP TCP scan being executed by the attacker machine present in the same network. The highlighted section in the figure shows a TCP scan launched by the device 192.168.50.147:42876 against the device 192.168.50.1:903 (M. De Vivo et al., 1999).
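As an added example (not the report's Snort ruleset), the two checks such rules encode, as testable C++ over constructed TCP segment records: a stateless flag check for the XMAS, NULL and FIN probe patterns (what a Snort rule's `flags:` modifier matches), and a stateful count of distinct destination ports one source touches on one host within a window, which is how a SYN/connect scan is recognised. The port threshold of 15 and the 2000 ms window are assumed values; the addresses are those from the report's Figure 8.

```cpp
#include <cstdint>
#include <map>
#include <set>
#include <string>
#include <utility>
#include <vector>

enum TcpFlag : uint8_t { FIN = 0x01, SYN = 0x02, RST = 0x04, PSH = 0x08, ACK = 0x10, URG = 0x20 };

// One TCP segment as the IDS sees it (constructed records, not captured traffic).
struct Packet {
    uint32_t t_ms;             // timestamp in milliseconds
    std::string src, dst;      // IPv4 addresses as text
    uint16_t sport, dport;
    uint8_t flags;             // TCP flag bits
};

// Stateless part, equivalent to a Snort rule's flags: modifier. NULL probes carry no
// flags, XMAS probes FIN+PSH+URG, FIN probes FIN alone; none of these is legal as the
// first segment of a connection, so a single packet is already an alert.
std::string classifyFlags(uint8_t flags) {
    if (flags == 0) return "NULL";
    if (flags == (FIN | PSH | URG)) return "XMAS";
    if (flags == FIN) return "FIN";
    return "";
}

struct ScanAlert { std::string kind, attacker, victim; };

class PortScanDetector {
public:
    // A SYN/connect scan needs state: one source touching portThreshold distinct ports
    // on one host within windowMs (the kind of count Snort's sfPortscan keeps).
    PortScanDetector(unsigned portThreshold, uint32_t windowMs)
        : threshold_(portThreshold), window_(windowMs) {}

    std::vector<ScanAlert> inspect(const Packet& p) {
        std::vector<ScanAlert> out;
        std::string k = classifyFlags(p.flags);
        if (!k.empty()) out.push_back({k + "-scan", p.src, p.dst});
        if ((p.flags & SYN) && !(p.flags & ACK)) {          // bare SYN = connection attempt
            auto& st = syn_[std::make_pair(p.src, p.dst)];
            if (st.ports.empty() || p.t_ms - st.start > window_) { st.start = p.t_ms; st.ports.clear(); }
            st.ports.insert(p.dport);
            if (st.ports.size() == threshold_)              // fires once per window
                out.push_back({"SYN-scan", p.src, p.dst});
        }
        return out;
    }
private:
    struct Window { uint32_t start = 0; std::set<uint16_t> ports; };
    unsigned threshold_;
    uint32_t window_;
    std::map<std::pair<std::string, std::string>, Window> syn_;   // (src, dst) -> state
};

// Constructed scenario: a normal HTTP handshake from another host, then one XMAS
// probe, one NULL probe and a SYN sweep of 15 ports from the attacker machine.
std::vector<ScanAlert> runSample() {
    const std::string atk = "192.168.50.147", victim = "192.168.50.1";
    PortScanDetector det(15, 2000);
    std::vector<ScanAlert> all;
    auto feed = [&](const Packet& p) { auto a = det.inspect(p); all.insert(all.end(), a.begin(), a.end()); };
    feed({0, "192.168.50.20", victim, 50000, 80, SYN});          // legitimate client
    feed({5, victim, "192.168.50.20", 80, 50000, SYN | ACK});
    feed({10, "192.168.50.20", victim, 50000, 80, ACK});
    feed({100, atk, victim, 42876, 903, FIN | PSH | URG});        // XMAS probe
    feed({110, atk, victim, 42876, 22, 0});                       // NULL probe
    for (uint16_t port = 1; port <= 15; ++port)                   // SYN sweep
        feed({uint32_t(200 + port), atk, victim, 42876, port, SYN});
    return all;   // XMAS-scan, NULL-scan, SYN-scan
}
```

A UDP sweep would be counted the same way on a (src, dst) key without the flag test, which is why the report's rules treat it as a separate case.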
Level 1 IoT-Attacks:
- ARP Poisoning:
Address Resolution Protocol (ARP) is a standard protocol which maps the logical (IP) address of a device to its physical (MAC) address. Whenever a device wants to know the MAC address of another device, it broadcasts an ARP request in the network with the IP address of that device, and the device with the specified IP replies with its MAC address to the requesting device (C. L. Abad, 2007; W. Gao et al., 2018).
To launch this attack, first an NMAP scan is done to learn the IP and MAC addresses of all the devices in the network, including the gateway. The framework also does SSL stripping, and thus all the traffic of the victim devices starts flowing through the attacker machine, giving the attacker access to all the data of the victims. This attack was performed using the "mitmf" (Man-In-The-Middle Framework) tool of Kali Linux. It requires the attacker to be in the same network as the victim device. The command to launch this attack is:
$ mitmf --arp --spoof --gateway <gateway ip> --targets <ips of target machines> -i <interface name>
In an ARP poisoning attack, the malicious device sends a fake ARP request to the victim device. The victim device replies and sends its MAC address. Figure 9 shows the entries of the ARP table in the victim device before the attack, and Figure 10 shows its content after the attack.
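As an added example (not the report's Snort configuration), an ARP cache-poisoning detector in the spirit of Snort's arpspoof preprocessor, run over constructed ARP packets on the report's 192.168.50.0/24 testbed. It keeps a fixed binding for protected hosts such as the gateway (the role of Snort's `arpspoof_detect_host` entries), learns other bindings on first sight, and alerts on a reply that contradicts a binding, on a reply nobody requested, and on an Ethernet source that disagrees with the ARP sender field. All MAC addresses are made up.

```cpp
#include <map>
#include <set>
#include <string>
#include <utility>
#include <vector>

// One ARP packet as a sniffer on the router would decode it (constructed, not captured).
struct ArpPacket {
    std::string ethSrc;                                   // Ethernet source MAC
    unsigned op;                                          // 1 = request, 2 = reply
    std::string senderMac, senderIp, targetMac, targetIp;
};

class ArpSpoofDetector {
public:
    // staticBindings: IP -> MAC for hosts that must never change (here the gateway).
    // Every other host is learned from the first packet it sends.
    explicit ArpSpoofDetector(std::map<std::string, std::string> staticBindings)
        : bindings_(std::move(staticBindings)), static_(bindings_) {}

    std::vector<std::string> inspect(const ArpPacket& p) {
        std::vector<std::string> alerts;
        // Ethernet header and ARP payload disagree about who is sending.
        if (p.ethSrc != p.senderMac)
            alerts.push_back("ether/arp sender mismatch from " + p.ethSrc);
        if (p.op == 1) {
            requests_.insert(std::make_pair(p.senderIp, p.targetIp));   // who asked for whom
        } else if (p.op == 2) {
            // A reply nobody asked for is how poisoning tools push a fake binding into a
            // victim's cache. Gratuitous ARP after DHCP or failover looks the same, so on
            // its own this is a lower-confidence signal.
            if (requests_.erase(std::make_pair(p.targetIp, p.senderIp)) == 0)
                alerts.push_back("unsolicited reply for " + p.senderIp + " from " + p.senderMac);
        }
        auto it = bindings_.find(p.senderIp);
        if (it == bindings_.end()) {
            bindings_[p.senderIp] = p.senderMac;               // learn the first binding seen
        } else if (it->second != p.senderMac) {
            std::string who = static_.count(p.senderIp) ? "protected host " : "host ";
            alerts.push_back(who + p.senderIp + " claimed by " + p.senderMac +
                             " (expected " + it->second + ")");
        }
        return alerts;
    }

private:
    std::map<std::string, std::string> bindings_;              // current IP -> MAC view
    const std::map<std::string, std::string> static_;          // bindings that may never change
    std::set<std::pair<std::string, std::string>> requests_;   // outstanding (asker IP, asked IP)
};

// Constructed scenario: a legitimate request/reply for the gateway, then a poisoned
// reply from a third MAC claiming the gateway's IP.
std::vector<std::string> runSample() {
    const std::string gwIp = "192.168.50.1", gwMac = "b8:27:eb:00:00:01";
    const std::string vIp = "192.168.50.20", vMac = "24:0a:c4:00:00:02";
    const std::string atkMac = "00:c0:ca:00:00:03";
    std::map<std::string, std::string> protectedHosts;
    protectedHosts[gwIp] = gwMac;
    ArpSpoofDetector det(protectedHosts);
    const ArpPacket trace[] = {
        {vMac, 1, vMac, vIp, "00:00:00:00:00:00", gwIp},   // victim: who has the gateway?
        {gwMac, 2, gwMac, gwIp, vMac, vIp},                // gateway: it is at gwMac
        {atkMac, 2, atkMac, gwIp, vMac, vIp},              // attacker: gateway is at atkMac
    };
    std::vector<std::string> all;
    for (const ArpPacket& p : trace) {
        std::vector<std::string> a = det.inspect(p);
        all.insert(all.end(), a.begin(), a.end());
    }
    return all;   // two alerts, both raised by the third packet
}
```

The binding-change alert is the one that lets the router also mitigate: the poisoned entry can be overwritten in the victim with the protected binding, which is what the report's Snort setup does with its alert packets.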
- Wifi Cracking:
WiFi cracking attacks are common for networks containing IoT devices, as they pose great potential for further exploitation. To prevent such attacks, it is advised to use WPA/WPA-PSK security methods for WiFi authentication. However, the credentials can still be cracked using intensive attacks. The process to execute such attacks involves deauthentication, whose prevention has already been discussed under Level 0 attacks.
Level 2 IoT-Attacks:
- Denial of Service:
A denial-of-service (DoS) attack is one where attackers render a device inaccessible to legitimate users. They do this by overwhelming the device with traffic and data until it stops functioning normally. IoT devices usually are low-bandwidth devices owing to their characteristic features. Hence, attackers can easily generate a massive amount of traffic to overload an IoT device, creating lag or even crashing it. To perform this attack, an attacker targets the IoT device's IP address and floods it with a huge number of packets through any of the network protocols (TCP/UDP/HTTP).
- MAC Spoofing:
MAC spoofing (J. Yu et al., 2016) is another attack, most commonly used to connect to a router on which MAC filtering is deployed. Figure 11 shows MAC spoofing: changing the MAC address of an interface to any desired MAC address. In this attack, the attacker observes the devices connected to the network using monitor mode, clones the MAC address of one of them, and thus bypasses the MAC filter configuration of the network.
- DNS Spoofing:
DNS stands for Domain Name System, and the main use of this service is to convert domain names to their respective IP addresses. Even if DNS is unavailable for a very short period of time, it can cause huge losses. The simple nature of the DNS protocol and its primary use of UDP packets make it quite vulnerable to spoofing and DoS attacks.
Figure 12 shows a DNS spoofing attack using the "Ettercap" tool. The highlighted section shows the successful launch of the attack against the victim device. Whenever the victim device tries to go to yahoo.com, it is redirected to the attacker machine.
To counter DNS spoofing, the following mitigations can be deployed:
– Use encrypted data transfer protocols: end-to-end encryption via SSL/TLS will help decrease the chance that a website or its visitors are compromised by DNS spoofing. This type of encryption allows users to verify whether the server's digital certificate is valid and belongs to the website's expected owner.
– Use Domain Name System Security Extensions (DNSSEC): it uses digitally signed DNS records to help determine data authenticity. DNSSEC deployment is still a work in progress, but it is useful, especially in IoT scenarios.
Level 3 Attacks:
- Firmware Vulnerabilities:
IoT devices come with firmware installed on them in order to function; it contains the operational code for the device. Firmware installed on IoT devices is easily extractable and in some cases freely available on the internet. Moreover, it usually does not have any security mechanism; therefore, vulnerabilities in the developers' code are easily discovered. Firmware is not regularly updated, which leaves its vulnerabilities more exposed as time passes. Figure 13 shows an example. This has proven to be a very high-level threat to IoT devices in terms of harm done.
- Malware and Botnets:
Due to the lack of security mechanisms in IoT devices, malware injection into these devices is quite simple and prevalent (M. Christodorescu et al., 2005). There are various ways through which malware infects such systems; some include the use of USB drives to execute a malicious file on a system, while others include phishing, drive-by downloads, etc. Malware also causes IoT devices to act as bots for bigger coordinated attacks like DDoS. To prevent this, we proposed a security router that handles all data traffic to and from these devices. The router makes sure that no unusual or malicious traffic reaches the IoT device.
- Unencrypted Data:
IoT devices have low processing power and cannot handle heavy operations such as encryption and decryption. Thus, all of their data, especially sensitive information, remains plain text and can be easily read by an unauthorized user. The IISR security router can also handle encryption for device data going outside the network, and it decrypts data coming in for the device.
Summary of Results and Discussion
- The attacks generated from outside the network were unsuccessful after the deployment of the ESP8266 module, which detected malicious packets coming to the router.
- In the case of port scanning, the rules prevented scans of all the protocols: TCP, UDP, XMAS, etc.
- The Snort rules formulated can detect both types of ARP spoofing attacks. They generate alerts whenever an attack is launched and prevent the attack from taking place.
- The table in Figure 14 summarises the detection and mitigation of the various attacks studied in this paper. A tick in a cell means that the respective task was performed successfully, while a cross shows otherwise.
CONCLUSION AND FUTURE WORK
IISR is a one-step solution for securing IoT devices. The proposed system detected and mitigated six out of ten attacks, namely: Deauthentication, Fake-Authentication, Denial of Service, Port Scanning, WiFi Cracking, and ARP Poisoning. It could detect MAC spoofing but could not mitigate it. The deployed security mechanisms consisted of Snort IDS rules, Arduino programming, a packet sniffer, and configuration of connection methods. The router performed well under the attacks; thus, it protects connected IoT devices from these attacks. Even though it was tested on a small-scale network, its architecture makes it suitable for all kinds of applications: industrial, military, and corporate networks. Thus, IISR can be scaled for bigger networks as well. To scale it for larger systems for military or industrial purposes, a group of Raspberry Pi devices can be used to build up processing power.
Our future work will be concerned with broadening this solution to a greater scale and fortifying the security measures to cover numerous other attacks and vulnerabilities, so that a more secure environment can be created for the deployment of IoT devices. We plan on adding more Snort rules to handle new attacks. The work may also cover other protocols like Bluetooth, Zigbee, and so forth, to secure IoT devices working on various protocols. Another idea is the use of blockchain on IoT systems. Blockchain does not explicitly give any solution for the detection or mitigation of attacks on IoT devices; however, its implementation makes it impractical for the attacker to conduct these attacks. A local blockchain can be implemented on a local IoT system using platforms like Ethereum. This blockchain will take care of fortifying the security of the IoT devices in its local network.
I would like to thank Prof. B M Mehtre for his continuous guidance and patience. This being my first summer project, I had a lot to learn, and the knowledge and experience I have gained from him is matchless. I owe my sincere thanks to him.
I thank Mr. N D Patel and Mr. Aneesh Dua for their cooperation and teamwork in the lab and, overall, for making it a great learning experience.
I would also like to thank each member of the Centre for Excellence in Cyber Security Lab, IDRBT for all the support and discussions.
I also thank the Indian Academy of Sciences for their support throughout the programme and for giving me this great opportunity. It would not have been possible without this Summer Research Fellowship.
I would also like to thank the Institute for Development and Research in Banking Technology, Hyderabad for providing me the whole infrastructure, resources, accommodation, and other requirements and hence, making my stay comfortable.
S. Haller, S. Karnouskos and C. Schroth, ‘The internet of things in an enterprise context’, in Future Internet Symposium, Springer, 2008, pp. 14–28.
L. Xiao, X. Wan, X. Lu, Y. Zhang and D. Wu, ‘IoT security techniques based on machine learning’, arXiv preprint arXiv:1801.06275, 2018.
M. U. Farooq, M. Waseem, A. Khairi and S. Mazhar, ‘A critical analysis on the security concerns of internet of things (IoT)’, International Journal of Computer Applications, vol. 111, no. 7, 2015.
https://raspberry-valley.azurewebsites.net/RaspAP-Wifi-Hotspot/.
Aneesh Dua, Vibhor Tyagi, N. D. Patel and B. M. Mehtre, ‘IISR: A Secure Router for IoT Networks’, submitted to the 4th IEEE International Conference on Information Systems and Computer Networks (ISCON 2019), 2019.
B. Dorsemaine, J.-P. Gaulier, J.-P. Wary, N. Kheir and P. Urien, ‘A new approach to investigate IoT threats based on a four layer model’, in 2016 13th International Conference on New Technologies for Distributed Systems (NOTERE), IEEE, 2016, pp. 1–6.
M. Miettinen, S. Marchal, I. Hafeez, N. Asokan, A.-R. Sadeghi and S. Tarkoma, ‘IoT Sentinel: Automated device-type identification for security enforcement in IoT’, in 2017 IEEE 37th International Conference on Distributed Computing Systems (ICDCS), IEEE, 2017, pp. 2177–2184.
A. Dorri, S. S. Kanhere, R. Jurdak and P. Gauravaram, ‘LSB: A lightweight scalable blockchain for IoT security and privacy’, arXiv preprint arXiv:1712.02969, 2017.
A. F. A. Rahman, M. Daud and M. Z. Mohamad, ‘Securing sensor to cloud ecosystem using internet of things (IoT) security framework’, in Proceedings of the International Conference on Intern.
H. Xu, D. Sgandurra, K. Mayes, P. Li and R. Wang, ‘Analysing the resilience of the internet of things against physical and proximity attacks’, in International Conference on Security, Privacy and Anonymity in Computation, Communication and Storage, Springer, 2017, pp. 291–301.
M. Waliullah, A. Moniruzzaman, M. S. Rahman et al., ‘An experimental study analysis of security attacks at IEEE 802.11 wireless local area network’, International Journal of Future Generation Communication and Networking, vol. 8, no. 1, pp. 9–18, 2015.
M. De Vivo, E. Carrasco, G. Isern and G. O. de Vivo, ‘A review of port scanning techniques’, ACM SIGCOMM Computer Communication Review, vol. 29, no. 2, pp. 41–48, 1999.
C. L. Abad and R. I. Bonilla, ‘An analysis on the schemes for detecting and preventing ARP cache poisoning attacks’, in 27th International Conference on Distributed Computing Systems Workshops (ICDCSW’07), IEEE, 2007, pp. 60–60.
W. Gao, Y. Sun, Q. Fu, Z. Wu, X. Ma, K. Zheng and X. Huang, ‘ARP poisoning prevention in internet of things’, in 2018 9th International Conference on Information Technology in Medicine and Education (ITME), IEEE, 2018, pp. 733–736.
J. Yu, E. Kim, H. Kim and J. Huh, ‘A framework for detecting MAC and IP spoofing attacks with network characteristics’, in 2016 International Conference on Software Security and Assurance (ICSSA), IEEE, 2016, pp. 49–53.
M. Christodorescu, S. Jha, S. A. Seshia, D. Song and R. E. Bryant, ‘Semantics-aware malware detection’, in 2005 IEEE Symposium on Security and Privacy (S&P’05), IEEE, 2005, pp. 32–46.