
Summer Research Fellowship Programme of India's Science Academies

A study on cyber security issues and challenges of smart devices

Ankur Vishwakarma

National Institute of Technology Mizoram, Dawrkawn, Chaltlang, Aizawl, Mizoram 796012

Dr. Swades De

Indian Institute of Technology Delhi, IIT Campus, Hauz Khas, New Delhi, Delhi 110016

Abstract

At the current rate of development, the Internet of Things will within a few years connect more devices and machines than humans. With recent developments in IOT, billions of devices are being interconnected. However, constant connectivity and data sharing also create opportunities for data to be compromised, as IOT's arrival in industry has produced more data in a couple of years than was produced in the whole of the last decade. Because IOT is a relatively new domain, its security remains a serious concern. Capable hackers seem to be everywhere, and the growing focus on IOT has allowed them to view it as a technology with numerous cyber security holes. Devices such as smart TVs, connected LEDs, etc. barely receive any security patches or updates, and when connected to a smart meter they can pose a real threat. Whatever the weakness, just one vulnerable device in IOT can give hackers an easy way into the network, and the compromised nodes can be used as botnets to launch large-scale cyber-physical attacks such as Distributed Denial of Service (DDoS). This study focuses on the vulnerabilities of smart devices to such cyber attacks and tries to simulate attacks such as Denial of Service (DoS), Man-in-the-Middle, etc., with the aim of exploiting the cyber security of smart devices for a better insight into the existing flaws and cyber risks.

Keywords: internet of things, denial of service, man in the middle, data and identity theft, social engineering, distributed denial of service

Abbreviations

IOT    Internet of Things
DoS    Denial of Service
DDoS   Distributed Denial of Service
MITM   Man-in-the-Middle

INTRODUCTION

Background/Rationale

The Internet of Things is an emerging technology that aims to connect the world and make every 'thing' smart. Concern about IOT security remains a barrier to its widespread adoption. Cyber security in IOT has attracted much work in the literature in recent years, yet the attacks on Dyn DNS and the Krebs On Security blog, where thousands of IOT devices were utilised as bots to knock them out of service, caused researchers to analyse attack vectors from a totally new perspective. These attacks demonstrated the potential of cyber attacks and challenged not only IOT as a technology but also threatened well-settled technologies such as the web. As more vulnerable devices are added to IOT the threat keeps increasing, as does the probability of such cyber attacks. In this paper, we study some conventional attacks which in recent years have been used to exploit the cybersecurity of IOT. We evaluate the 5 most common attacks on IOT which threaten its existence.

Statement of the Problems

The research problem today is to predict the attack vectors of such cyber attacks by analysing the existing vulnerabilities, so that precautions can be taken beforehand. Due to the heterogeneity of the IOT framework and its vast surface area, this is not an easy task. The high connectivity also catalyses these attacks: if one device is infected by a malware payload, the infection spreads like an epidemic. As per [1], the IOT network consists of millions of vulnerable IOT devices, most of which are always on and reside in unmonitored networks, and the number of such devices is increasing rapidly. We are not debating the security of a technology that is yet to be deployed; rather, we are discussing a framework which is already in use and has billions of devices in its network, which multiplies the complexity of the problem. The recent attacks and literature demonstrate the magnitude of security vulnerabilities in IOT and give a clear picture of cyber threats on IOT. They also claim that cyber threats are real and rely on conventional hacking techniques. In this research, we analyse and simulate cyberattacks such as DOS, MITM, DDoS, Data and Identity Theft and Social Engineering, which according to [2] are the most common cyber attacks on IOT. With knowledge of attack vectors it is easier to perceive which attack could exploit which vulnerability [3]. According to [4], the devices forming IOT are relatively new, yet the increasing cyber attacks that target these devices rely on well-known and predictable security weaknesses. Hence we analyse conventional hacking techniques and study the most common attacks on IOT.

Objectives of the Research

The objective of this research is to study the attacks to which IOT is vulnerable and to analyse the attack vectors of some conventional attacks for a better insight into the existing vulnerabilities of smart devices. The aim of this paper is to present a brief analysis of the 5 most common attacks on IOT.

LITERATURE REVIEW

In this section, we review the various approaches for assessing cybersecurity concerns in IOT and smart devices described in the literature. [5], [6], [7], [8], [9] perform a layerwise security analysis of IOT and consider the various cyber attacks to which each layer is vulnerable. [5] claims that all layers are susceptible to Denial of Service due to their limited storage capacity, power consumption and computation capability. [8] presents the challenges and issues in each layer: the lower layer has limited computation capability and energy scarcity; the middle layer of IOT relies on networking and communication, which facilitates eavesdropping, interception and DOS attacks; while the upper layer has data scalability and vulnerability issues. [10] also highlights that "resource constrained devices" have multiplied over the last years. [11] performs a case study on smart homes using virtual environments and investigates smart objects with the aim of exploring and exploiting vulnerabilities. [12] discusses security issues and challenges in eHealth, analyses security threats and attacks, and suggests security solutions for eHealth monitoring systems. [13] divides attack vectors into device attacks, application service attacks, network attacks, web interface attacks and data integrity attacks. It experimentally evaluates cyber attacks in smart metering, performing SQL injection and DOS attacks on a smart metering architecture, and thus attempts to predict the magnitude of risk. Smart Health and Smart Metering are a kind of 'nuclear topic' and should be deployed only after full assurance of security, as in these domains a slight deviation from normal functioning could produce fatal results. [14] illustrates various IOT features from different aspects: description, threats, challenges, solutions and opportunities. [15] presents a model-based analysis of IOT-enabled cyber attacks. In the model, it discusses the characteristics of the adversary, the vulnerabilities of IOT devices and the connection between the IOT device and the actual target. [16] analyses the challenges involved in detecting mobile malware in smart devices as well as other threats in the connected home ecosystem. It claims that the vulnerabilities of the connected home, when combined with a more advanced wireless smart grid, will inevitably lead to lights out for everyone.

METHODOLOGY

As per [2], the most common cyber attacks on IOT are Denial of Service (DOS), Man-in-the-Middle attack (MITM), Data and Identity Theft, Social Engineering and Distributed Denial of Service (DDoS). We study these attacks and analyse their attack vectors. We also simulate some of the attacks for better understanding.

Denial of Service (DOS)

In a Denial of Service (DOS) attack, an attempt is made to incapacitate the network by flooding the target with more traffic than the network can normally handle [17]. A simple DOS attack involves bombarding a device or a site with more requests than it is able to handle, causing either a disruption of normal functioning or a permanent shutdown. Seen from the web point of view, DOS is just an attempt to prevent normal functioning and is not capable of causing much damage. But a DOS attack in IOT can pose a real threat if the victim is a client of smart health; for example, DoSing a pacemaker could be fatal. Smart grid and smart health are nuclear topics and, unlike web technologies, they can neither sustain nor recover from such attacks. Some common variations of DOS attack are SYN flood, Teardrop attack, UDP flood, ICMP flood, etc. As [18] states, DOS tests on IOT can focus less on protocol attacks such as TCP flood, UDP flood, etc. and more on radio frequency attacks in sensor networks. [19] describes Denial of Service (DOS) as "Flooding a target with traffic or sending it information to trigger a crash". We tried to simulate a conventional DOS attack on a few routers and, to our surprise, found that we were able to deauthenticate all devices connected to the router, leaving them unable to reach the internet or to connect to the router. We also launched this basic attack on mobile hotspots, and it was just as easy to deauthenticate all devices. Not only were we able to deauthenticate all connected devices, we were also able to capture a four-way WPA handshake which, with proper resources, can be exploited by dictionary or brute force attacks to get the password of the respective local network. Once the attacker obtains the password and connects to the LAN, they can implement many other attacks such as spoofing, Man-in-the-Middle, etc. For the attack we used the Kali Linux operating system and the tool Aircrack-ng.

To launch the attack, we first need to switch our wireless network port to monitor mode so that we can monitor all wireless networks around us. Normally, in managed mode, the wifi adapter only accepts packets that are meant for it. The following commands can be used to switch to monitor mode.

ifconfig [port] down

iwconfig [port] mode monitor

ifconfig [port] up

Here port specifies the port from which we want to launch the attack. To list all ports on the machine we can type the command "ifconfig". 'eth0', 'wlan0', etc. are examples of port names, and for this attack we commonly need a wireless port.

Now we need to kill some processes that hinder the launch of the attack. We can use the following command to check for such processes:

airmon-ng check [port]

This will list all such processes. The kill command can be used to kill them, but they need to be killed repeatedly, as one process may respawn another.

kill [id-of-process or process-name]

We can run 'airmon-ng check [port]' again to confirm that all the processes have been killed.

Once we have killed the processes from the previous step, we can start scanning for wireless access points nearby:

airodump-ng [port]

This performs a scan of all wireless access points around us and shows information such as bssid, channel number, signal strength, etc. We can stop the scan with Ctrl+C as soon as the target is on the list. Don't close this terminal, as we will need some information about the target in the next command.

Now start scanning the target using the command shown below. For this capture to be successful, the target should have at least one device connected to its network.

airodump-ng -c [channel] -w [filename] --bssid [bssid-of-target] [port]

Here channel refers to the channel number of the target and bssid is the MAC address of the target, both of which can be read from the previous terminal. We can give any name in place of filename; this is the file where the captured data will be stored.

Without closing the previous terminal window, open a new terminal window and use the following command to deauthenticate the connected devices.

aireplay-ng -0 0 -a [bssid-of-target] [port]

The argument 0 specifies deauthentication in an infinite loop, although we can change this parameter to specify the time. We can also specify clients in the command for a targeted DOS.
Along with performing deauthentication, we also obtain a four-way handshake after a few seconds of the DOS attack, which can be used to crack the password of the router or hotspot. Thus this attack also supplements the Man-in-the-Middle attack, allowing the attacker to enter the local network by cracking the password. [20] shows other methods of implementing DOS using tools such as Scapy, Slowloris, etc.
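From the defender's side, the deauthentication flood described above is visible to any monitor-mode sensor as a burst of 802.11 deauthentication frames for one BSSID, usually addressed to the broadcast address. The following is an added example, not code from the original study: it parses radiotap-encapsulated management frames and raises an alert when the rate for a BSSID crosses a threshold. The window, the threshold, the MAC addresses and the sample capture are constructed assumptions.

```python
import struct
from collections import defaultdict, deque

DEAUTH = 0xC0      # frame-control byte 0: management frame, subtype 12
DISASSOC = 0xA0    # frame-control byte 0: management frame, subtype 10
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_mgmt_frame(packet):
    """Return a dict for a deauth/disassoc frame, or None for anything else.

    `packet` is a radiotap-encapsulated 802.11 frame as delivered by a
    monitor-mode capture; the radiotap length is the little-endian u16 at offset 2.
    """
    if len(packet) < 8:
        return None
    version, _pad, rt_len = struct.unpack_from("<BBH", packet, 0)
    if version != 0 or rt_len < 8:
        return None
    dot11 = packet[rt_len:]
    if len(dot11) < 26:            # 24-byte management header + 2-byte reason code
        return None
    if dot11[0] not in (DEAUTH, DISASSOC):
        return None
    (reason,) = struct.unpack_from("<H", dot11, 24)
    return {
        "kind": "deauth" if dot11[0] == DEAUTH else "disassoc",
        "dst": mac_str(dot11[4:10]),
        "src": mac_str(dot11[10:16]),
        "bssid": mac_str(dot11[16:22]),
        "reason": reason,
    }


def detect_deauth_flood(capture, window=5.0, threshold=10):
    """Return one alert per BSSID that receives >= threshold frames within window seconds.

    `capture` is an iterable of (timestamp_seconds, packet_bytes) in time order.
    """
    recent = defaultdict(deque)    # bssid -> deque of (timestamp, destination)
    alerted = set()
    alerts = []
    for ts, packet in capture:
        frame = parse_mgmt_frame(packet)
        if frame is None:
            continue
        queue = recent[frame["bssid"]]
        queue.append((ts, frame["dst"]))
        while queue and ts - queue[0][0] > window:
            queue.popleft()
        if len(queue) >= threshold and frame["bssid"] not in alerted:
            alerted.add(frame["bssid"])
            alerts.append({
                "bssid": frame["bssid"],
                "first_seen": queue[0][0],
                "count": len(queue),
                # frames to the broadcast address disconnect every client at once
                "broadcast": any(dst == BROADCAST for _, dst in queue),
            })
    return alerts


def build_frame(fc0, dst, src, bssid, reason=7):
    """Build a constructed radiotap + 802.11 management frame for the sample below."""
    def to_bytes(mac):
        return bytes.fromhex(mac.replace(":", ""))
    radiotap = struct.pack("<BBHI", 0, 0, 8, 0)        # minimal 8-byte radiotap header
    header = (bytes([fc0, 0, 0, 0]) + to_bytes(dst) + to_bytes(src)
              + to_bytes(bssid) + b"\x00\x00")          # fc, duration, 3 addresses, seq
    return radiotap + header + struct.pack("<H", reason)


# Constructed sample: 12 broadcast deauth frames for AP1 in about one second,
# plus a beacon and a single ordinary deauth on AP2 that must not raise an alert.
AP1, AP2 = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"
CLIENT = "11:22:33:44:55:66"
SAMPLE_CAPTURE = sorted(
    [(i * 0.1, build_frame(DEAUTH, BROADCAST, AP1, AP1)) for i in range(12)]
    + [(0.35, build_frame(0x80, BROADCAST, AP2, AP2)),
       (0.55, build_frame(DEAUTH, CLIENT, AP2, AP2, reason=3))],
    key=lambda item: item[0],
)

if __name__ == "__main__":
    for alert in detect_deauth_flood(SAMPLE_CAPTURE):
        print(alert)
```

Where the access point and its clients support 802.11w Protected Management Frames, forged deauthentication frames are rejected by the client, so the rate check above matters most on networks where that protection is not enabled.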

Man-in-the-Middle Attack (MITM)

Man-in-the-Middle is a kind of eavesdropping where communication between two legitimate parties is intercepted by a malicious third party. [21] describes a Man-in-the-Middle attack as one where control of the communication channel between two or more end points is secretly taken by a malicious third party. [1] found that IOT refrigerators of one brand with access to Google Calendar did not validate SSL certificates, which makes them vulnerable to MITM attack and can thus compromise the user's Google credentials. [1] also states that smart devices with Bluetooth Low Energy (BLE), a technology widely used in IOT today, are also exposed to MITM attacks. Man-in-the-Middle is considered to be one of the most dangerous attacks in any framework. Research conducted by [22] on HTTP security found MITM to be a very serious threat. It has various forms, depending on which protocol or technology is being exploited. IP spoofing, ARP spoofing, DNS spoofing, SSL hijacking and session hijacking are a few forms of MITM. MITM can be used to redirect traffic using ARP poisoning or DNS poisoning. SSL strip can also be used to decrypt HTTPS traffic.

ARP table poisoning

The Address Resolution Protocol (ARP) is a protocol that maps IP addresses to MAC addresses. To improve speed, instead of querying all machines on the network, each IP stack keeps an ARP table, also called the ARP cache, which contains the IP addresses corresponding to MAC addresses. The ARP table poisoning attack exploits this property of the ARP protocol. The protocol is vulnerable to various attacks such as MAC spoofing, MAC flooding, ARP spoofing, etc. As per Thomas Demuth, 2019, detecting this attack is not easy, and there are no simple countermeasures, as the operating system does not check whether an ARP reply it receives is the answer to an ARP request it sent previously; it simply caches the reply.
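Because the operating system does not match replies to requests, a passive monitor on the LAN can do that check itself. The following is an added example, not code from the original study: it parses raw ARP bodies, flags replies that answer no recent request, and flags replies that change an IP-to-MAC binding already observed. The addresses, the two-second request lifetime and the sample traffic are constructed assumptions.

```python
import socket
import struct

ARP_FMT = "!HHBBH6s4s6s4s"    # Ethernet/IPv4 ARP body, 28 bytes
REQUEST, REPLY = 1, 2


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_arp(payload):
    """Return (oper, sender_mac, sender_ip, target_ip) or None if not IPv4-over-Ethernet ARP."""
    if len(payload) < 28:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, _tha, tpa = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or oper not in (REQUEST, REPLY):
        return None
    return oper, mac_str(sha), socket.inet_ntoa(spa), socket.inet_ntoa(tpa)


class ArpMonitor:
    """Tracks outstanding requests and first-seen IP-to-MAC bindings on one segment."""

    def __init__(self, request_ttl=2.0):
        self.request_ttl = request_ttl
        self.bindings = {}     # ip -> first MAC seen claiming it
        self.pending = {}      # (requester_ip, wanted_ip) -> time of request

    def observe(self, ts, payload):
        findings = []
        parsed = parse_arp(payload)
        if parsed is None:
            return findings
        oper, sha, spa, tpa = parsed
        if oper == REQUEST:
            self.pending[(spa, tpa)] = ts
        elif spa != tpa:
            # spa == tpa is a gratuitous announcement, which is never solicited;
            # it is still checked against the known binding below.
            asked = self.pending.pop((tpa, spa), None)
            if asked is None or ts - asked > self.request_ttl:
                findings.append((ts, "unsolicited-reply", spa, sha))
        if spa != "0.0.0.0":   # ARP probes carry no sender IP to bind
            known = self.bindings.setdefault(spa, sha)
            if known != sha:
                # keep the first-seen binding so repeated poisoning keeps alerting
                findings.append((ts, "binding-changed", spa, f"{known} -> {sha}"))
        return findings


def build_arp(oper, sha, spa, tha, tpa):
    """Build a constructed ARP body for the sample traffic below."""
    def to_mac(mac):
        return bytes.fromhex(mac.replace(":", ""))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, to_mac(sha),
                       socket.inet_aton(spa), to_mac(tha), socket.inet_aton(tpa))


# Constructed sample: one normal request/reply pair, then two replies that
# nobody asked for and that rebind the gateway address to a different MAC.
HOST = ("aa:aa:aa:aa:aa:10", "192.168.1.10")
GATEWAY = ("aa:aa:aa:aa:aa:01", "192.168.1.1")
OTHER_MAC = "de:ad:be:ef:00:66"
ZERO_MAC = "00:00:00:00:00:00"
SAMPLE_TRAFFIC = [
    (0.00, build_arp(REQUEST, HOST[0], HOST[1], ZERO_MAC, GATEWAY[1])),
    (0.01, build_arp(REPLY, GATEWAY[0], GATEWAY[1], HOST[0], HOST[1])),
    (5.00, build_arp(REPLY, OTHER_MAC, GATEWAY[1], HOST[0], HOST[1])),
    (5.50, build_arp(REPLY, OTHER_MAC, GATEWAY[1], HOST[0], HOST[1])),
]


def run_sample():
    monitor = ArpMonitor()
    findings = []
    for ts, payload in SAMPLE_TRAFFIC:
        findings.extend(monitor.observe(ts, payload))
    return findings


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

A binding change is also what a legitimate hardware replacement or DHCP reassignment looks like, so the two findings together (unsolicited and rebinding) are the stronger signal.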

DNS spoofing

Domain Name Servers (DNS) are used for URL resolution for different domains. As users, we only type a domain name when we want to visit a website, but the internet does not work like that. It needs an IP address before it can serve us anything; domain names are easy to remember, but memorizing the IP addresses of websites is a complex job. This is where DNS comes to our aid: it resolves the IP address for each domain name we enter. The disadvantage of the DNS service is that it uses a cache system to improve performance, which is exploited in DNS hijacking and other spoofing attacks. As [21] states, these local DNS entries can be overridden, thus controlling the content which will be served to a victim for a particular domain name. For this attack a fake phishing site is required, which can be easily cloned using various tools such as httrack, etc. available in Kali Linux.

IP spoofing

The Internet Protocol is used to deliver packets from source to destination based on IP address. [21] describes IP spoofing as a condition where "the malicious entity controls the flow of communication and can eliminate or alter information sent to one of the original participants, without their knowledge." In IP spoofing, a packet may have a modified source address or may be sent with a wrong return address, so that the destination computer treats the packet as if it were from a legitimate source, giving the attacker an opportunity to launch DDoS or MITM.
[20] classifies MITM into three categories: based on the impersonation technique, based on the communication channel in which the attack is executed, and based on the location of attacker and target in the network. [23] discusses evolved versions of MITM: MITC (Man-In-The-Cloud), MITB (Man-In-The-Browser), MITMO (Man-In-The-Mobile), MITA (Man-In-The-App) and MIT-IoT (Man-In-The-Internet of Things). [24] talks about two distinct stages of MITM, which are interception and deception. [1] discusses the vulnerability of IOT devices to MITM in detail. An unsecured router is enough to launch a conventional MITM attack. We implemented the ARP table poisoning attack using the tools arpspoof and SSL strips on Kali Linux as shown in [20]. For this we need to be on the same LAN as the victim. We did not get the expected results, however, as SSL strips was not able to decrypt HTTPS to HTTP for all sites and browsers. [23] describes other ARP exploit tools such as ARP-SK, Arpoc and WCI, Arpoison, Brian, Cain & Abel, Dsniff, Ettercap, Hunt, Juggernaut and Parasite. [26] states that an attacker needs to sniff only one packet of an HTTP request to authenticate as the victim to any website, since the HTTP request contains a cookie which has the session ID in it, and discusses sniffing packets without arpspoof. It also proves that arpspoof cannot be prevented using IDS or static ARP.

Data and Identity Theft

Most IOT devices, such as fitness devices, in-car navigation systems, etc., rely on continuous fine-grained data for optimal functioning. This data is sent from the devices to the cloud, where it is processed for better results [27]. The data contains very rich information such as location, heartbeat, steps, etc. and also contains metadata. Sensitive information is thus continuously travelling, and if the protocols are not completely secure they can be exploited by various attacks such as spoofing, eavesdropping, etc. Data protection has been a problem since its inception. A data breach is when a data source is infiltrated and sensitive information is extracted by a cybercriminal [28]. With the increasing number of IOT devices that constantly generate huge volumes of data, this threat has increased manyfold. As per [5], data theft is one of the prominent cybersecurity issues in the different layers of IOT, and a data breach threatens data confidentiality, privacy and integrity. [29] states that IOT increases the risk of cybersecurity attacks and thus of data privacy breaches. In almost all cyber attacks, data gathering is the first phase. [30] found that data security and privacy were neglected in WBAN. A study conducted by HP found that 70% of the most commonly used devices in IOT are vulnerable. Organisations such as insurance companies, healthcare providers and banks collect extensive personal data for many purposes. They are therefore constantly under the threat of such data breaches, and a takedown of their databases can leave millions of users vulnerable. In IOT, large volumes of data are constantly collected to provide real-time analysis; if compromised, this data can be exploited to explore a person's behavioural patterns. For instance, home automation systems have control over air conditioning, lighting and even security systems, so just an overview of their data can provide an exact timetable of the owner's presence in and absence from the house, also revealing their pattern of life.
Data theft, along with its own threats, also aids another more disruptive attack called Identity Theft. As per [31], the main strategy of identity theft is to amass data. [32] describes Identity Theft as "criminal acts where perpetrator fraudulently obtains and uses another person's identity". In IOT, identity is stored and used to such an extent that identity management is the biggest challenge. The researchers of [33] believe that ID-related crimes are the biggest threat to the success of IOT. IOT systems, as per [27], are highly heterogeneous with respect to protocol, platform, devices, etc., which has resulted in diverse solutions. Due to this diversity of solutions and standards, there is at present no overall framework for recognising and managing identities across different solutions [34], which creates a hole in the ID management field. As we keep adding more devices to IOT, we increase the number of identities, which proportionally increases the surface area for such ID-related attacks. A stolen identity can be used for deception [35], as an effective cover for cybercriminals [36], etc. The IOT framework includes many devices/nodes (sensors and actuators), and spoofing or exploiting just one node can provide huge amounts of information, increasing the possibility of such attacks. A strong identity for users and devices is required. We have many identifiers for devices, ranging from IPv6 addresses to RFID chips, QR codes, etc., but we don't have a common identification system. [34] suggests the need for a flexible mapping which can map between different object identifiers and their respective namespaces and which, within a defined space, is able to express various identifiers. Many users readily accept information from smart devices as facts of life [33]. Hence end users need to be careful and should not blindly grant permissions. If a device is requesting access to a service, one must verify the request before approving it. To avoid such attacks, a simple strategy could be to share less, encrypt more and authenticate strictly.

Social Engineering

While security measures for the cyber world were being designed, the human element of security was neglected, and Social Engineering attacks exploit this weak link in the security process. Social Engineering, as per [37], is a "non technical method of intrusion" in which a human is manipulated into performing actions or divulging confidential information. In this attack the hacker tries to trick people, while interacting with the target, to obtain some information. As per a Checkpoint survey, around 43% of professionals were targeted at least once by Social Engineering plots. As the IOT devices around us increase, so do their passwords and the difficulty of remembering them, which results in default and naive passwords and increases the risk of social engineering manyfold. These deception-based attacks will no longer be limited to the cyber world; rather, all our devices such as fridges, TVs, cameras, etc. will be potential victims as we keep connecting them to the internet. Users may be aware and alert to phishing messages that appear to come from institutions such as banks, but such messages will not receive the same degree of suspicion if they are generated by smart devices [38]. Social Engineering attacks can target a whole organisation or just an individual. All the employees of an organisation are potential victims if the attack is aimed at a larger facility. [39] says the surface area of such social engineering attacks is as big as the employees and users of the corporation. Commonly the reception or the help desk is the target, as they are easy to interact with. Once the attacker has extracted some information from one employee, they target another with an attack refined using the previous information, thus gaining the advantage of trust.
When the attack is aimed at an individual, a good source of personal information is social media, which contains almost all of our data in one place, from the address and current location to the name of the pet, and if that is not enough there are tools which mine the information from social media into useful data. As per [40], social networks and online services lack measures to protect information. According to [41], "IOT is enhancing data accessibility, which is further augmenting the attack landscape for cybercriminals seeking to develop convincing Social Engineering attacks." [42] classifies Social Engineering attacks as human based and computer based. A notable feature of the attack is that cybercriminals pick up a recent topic when crafting mails so that they seem legitimate. For example, if the subsidy on gas cylinders is hiked in India, phishing mails contain information related to this event, thus gaining the trust of the reader and luring them to open the attached malware named 'subsidy_detail.pdf.rar'. In 2015, the power grid in Ukraine was targeted by phishing mails with BlackEnergy malware, leaving 80,000 homes without electricity. This attack alone demonstrates the magnitude of damage which can be done by this simple attack. For this attack, the attacker does not require special tools to breach security, nor does it require them to be a professional hacker. [40] states: "Social Engineering is challenging the security of all networks regardless of robustness of their firewalls, cryptography methods, intrusion detection and antivirus software systems." [39] states that the security experts defending our information cannot always predict attack vectors beforehand and refers to the attack as an 'unending well of creativity'. No hardware or software solutions are available against this attack, nor can any be implemented in future, as the Social Engineering attack exploits human psychology.
[39] also suggests that Social Engineering defense cannot be left to developers alone, as the main threat in the chain is the user, whose actions need to be controlled and monitored to prevent such attacks. Being aware can reduce the chances of being trapped by such an attack and minimize the damage, but cannot eliminate the possibility.

Botnets

The most severe DDoS attacks of 2016 were conducted with botnet armies of hundreds of thousands of bots, a major part of which were compromised IOT devices including security cameras, baby monitors, routers, etc. These attacks caused the literature to analyse botnet attack vectors from a totally new perspective, as even the web was not designed to handle such large-scale attacks. Thus, botnets not only threaten IOT but also pose a serious threat to well-established technologies such as the web. Earlier botnet attacks were not as effective as today's, and the increased threat is attributed to the addition of millions of vulnerable IOT devices to the internet. A botnet is a network formed by devices compromised by malware. These bots are utilised for attacks such as identity theft, unsolicited messaging, sending spam mails, DDoS attacks, manipulating online surveys, etc. They can be used to control a host computer remotely and to propagate worms or other types of malware [43]. Botnet attacks are rare, but they have the potential to cause severe damage. The year 2016 witnessed many such attacks, with the attack on DYN, a DNS service provider, being the most damaging. As per [44], at its peak the attack on DYN included 400,000 bots attacking DYN with 1.2 TBPS of traffic, preventing it from responding to genuine DNS requests and rendering many sites such as Twitter, Github, etc. unavailable. Later it was found that the Mirai malware was used to build such a massive botnet army, most of which were IOT devices. Mirai conducts wide-ranging scans for IOT devices that have common or default usernames and passwords, then brute forces them with common combinations of usernames and passwords [45]. As per [46], IOT devices form a major part of the botnets in recent cyber attacks, and the increased usage of IOT devices has contributed to such DDoS attacks. According to a study conducted by HP, 70% of IOT devices are vulnerable.
These studies demonstrate the extent to which IOT devices are unsecured and give a clear picture of the future botnet army. According to [43], "A bot is a software program(malware) installed in a vulnerable host that is capable of performing a series of actions, normally malicious. A botnet is a collection of bots connected to a command and control channel." IOT, being a new technology that aims to improve quality of life, is in huge demand, which has caused a rush. Many manufacturers are in a hurry to enter the market. In this hustle security is either the last thing to be considered or is neglected totally, making IOT devices easy targets for such hijacks. As more such vulnerable devices keep getting added to the internet, the magnitude of the threat keeps increasing. Attackers exploit these vulnerable devices to conduct large-scale coordinated attacks such as DDoS. Botnet attacks cannot be detected by servers, as from the server's point of view it is just heavy request traffic to which it tries to respond, resulting in a crash. Such attacks can thus be detected only when they are underway, and since the attacks involve thousands of IP addresses, some of which may also be sending genuine requests, blocking all the IP addresses is not a solution. As everything in IOT is connected, any malware spreads like an epidemic, enslaving one device after another and enlarging the network. Solutions could be developed if we can understand how bots communicate with servers, what technology they exploit to run and execute malicious code, and how they coordinate bots for attacks [47]. As per [48], [49], honeynets and IDS could be a solution. Restarting the devices is, according to [50], a solution, but if the device is placed in a critical location then just restarting it can cause serious problems. In the fields of smart health and smart grid, restarting devices is not an easy task. For instance, restarting a pacemaker could be life-threatening.
Although we have hardened ourselves against Mirai by making our credentials strong, Mirai won't be the last malware. We need to think ahead, predict attack vectors beforehand and make devices immune to such exploits.

RESULTS AND DISCUSSION

As IOT makes its way to end users, its security holes create a void that prevents its widespread adoption. Users want to upgrade to a better quality of life but also want to avoid security and privacy risks. As discussed earlier, IOT is a framework that is vulnerable to a number of threats, and developing security mechanisms remains the primary goal. We have analysed various attack scenarios, thereby presenting a simple approach for manufacturers, vendors and end users to analyse and test the security of devices. As we see throughout the methodology, although these 5 attacks are completely different, they directly or indirectly supplement other attacks. A DOS attack can be used to capture a four-way handshake, giving the attacker an option to crack the password and enter the user's local network to launch the more disruptive Man-in-the-Middle attack. Although the social engineering attack seems very theoretical, it poses the biggest risk, as it does not require any specific tools or devices and can bypass various security measures with the minimal effort of tricking the end user. Data and Identity Theft has been a problem since the beginning of the web era, so essential countermeasures are already present, yet they need to be revised for IOT, where data is the driving force, be it smart health or smart home. In this paper we have tried to evaluate the attack vectors; much research is still needed to fill the gaps in the area of cyber security of IOT.

CONCLUSION AND RECOMMENDATIONS

The use of smart devices is increasing, and so are the fundamental security challenges and issues in the cyber field. In this study, we have analysed the risks in IOT and smart devices which can arise if the framework is not immune to such threats. We have assumed that, since IOT is a connected framework and contains many node points, security assessment is required before deployment. We have studied and analysed the most common attacks on IOT. We have learned about the vulnerabilities of smart devices and also simulated some attacks to get a better understanding of the shortcomings of cybersecurity in IOT. As the present methodology has not been evaluated in an IOT environment, at a later stage we aim to test the presented methodology in practice. From our current study and knowledge we have assessed that in this smart and connected world of IOT everyone, from producer to consumer, has their own rules to play by. It is better to prioritise security over quality of life. We conclude that in the area of cyber security of IOT much work remains to be done at both the producers' and the users' end. We hope that this study will be useful in providing a better understanding of the threats in smart devices and IOT architecture.

ACKNOWLEDGEMENTS

I wish to express my sincere gratitude to my guide and mentor, Prof. Swades De, for guiding and encouraging me during the course of my fellowship at IIT Delhi. I also take the opportunity to thank Mr Mayukh Roy Chowdhury for helping me in carrying out this project. I sincerely thank the coordinator of Summer Research Fellowship 2019, Mr CS Ravi Kumar, for giving me the opportunity to embark on this project.

This study was done under Prof. Swades De, Department of Electrical Engineering, IIT Delhi. This work is funded and supported by the Indian Academy of Sciences, Bengaluru.
