
IoT Vulnerabilities: Simplified Models Identify Critical Clues

By

Smart cities, smart grid, self-driving cars, wearable health monitors all have one thing in common – they are likely to link to and depend on the somewhat elusive concept of the Internet of Things (IoT).

I say “elusive” because IoT means different things to different people. Its definition often depends on one’s domain-based perspective, the industry vertical in which one wishes to apply it or the use case in question. As yet, there is no universally accepted, formal, analytic or even descriptive set of building blocks that govern the operation, trustworthiness and lifecycle of IoT components.

Yet most agree that the sprawling nature of IoT as a network of networks and the criticality of its many use cases pose security challenges in a world rife with cyber attacks, intrusions and viruses. Cities, the grid, self-driving cars, even our personal health depend on securing networks of networks linked to the Internet, so we had better understand the inherent challenges.

This brief article lays out related concepts, which I will discuss in greater depth during an IoT panel discussion at IEEE’s Technology Time Machine conference in San Diego, on 20 October 2016. 

To Grasp Complexity, Simplify
One school of thought holds that simplifying the subject can assist those focused on security to better understand the IoT’s workings and, thus, its vulnerabilities. To do this, in my work at NIST, I created a model called the “Networks of ‘Things,’” (NoT), described in the linked report of the same name.

The NoT model was developed to assist researchers as they model simple problems as a precursor to understanding the challenges of securing larger, more complex networks. Thus the report does not offer solutions per se; rather it identifies building blocks and “elements” that must be addressed by security solutions. Yet I can share takeaways that will raise awareness of resulting vulnerabilities.

Two other audiences may find this brief report and its findings useful: the public/generalists, and the computer scientists, IT managers, networking specialists and networking and cloud computing software engineers most directly responsible for network security. Though we are well along in the cyber age, it behooves us all to gain a sense of the security challenges.

The NoT model is based on four fundamentals at the heart of the IoT – sensing, computing, communication and actuation. And the model has five building blocks, called “primitives,” which represent core components of distributed systems. These blocks or primitives – sensors, a communication channel, an aggregator, an eUtility (external utility, or cloud) and decision trigger – provide a useful vocabulary for comparing and discussing different NoTs. This in turn will aid our understanding of how the components of the IoT interoperate and thus enable us to compare the security risks and reliability tradeoffs of various models and use cases.

The NoT model and its primitives apply to most systems with large amounts of data, scalability concerns and heterogeneous elements, including those of unknown pedigree with possible nefarious intent or that simply present vulnerabilities.

Understanding Vulnerabilities
To our list of four fundamentals of the IoT and the five building blocks, or primitives, let’s add six elements that impact IoT trustworthiness:

  • Environment – the operational profile of an NoT
  • Cost – the time and money that a specific NoT incurs in terms of the non-mitigated reliability and security risks
  • Geographic location – the physical place in which a sensor or eUtility operates
  • Owner – person or organization or multiples thereof that owns a particular sensor, communication channel, aggregator, decision trigger, or eUtility
  • Device ID – a unique identifier for a particular sensor, communication channel, aggregator, decision trigger, or eUtility
  • Snapshot – an instant in time

These elements describe key contextual issues related to the trustworthiness of a specific NoT, and the primitives that are the building blocks of NoTs. Because “trustworthiness” is such a broad concept, I mainly focus on security and reliability. One example of a primitive – the sensor – and how it may be affected by security and reliability will illustrate the point about trustworthiness.

Think of sensor reliability in the following way: a car’s speed sensor is exposed to heat, water and dust from its environment and, over time, naturally occurring fatigue results in corrupt sensor data. In sensor security, a smart building’s temperature sensors are easily accessible and the system in question doesn’t provide a means for validating the firmware’s authenticity. An attacker substitutes the original firmware with one that responds to remote commands, making the sensor(s) part of a botnet, contributing to distributed denial-of-service (DDoS) attacks.

Combining Primitives, Elements, Trustworthiness
Simply put, primitives are the building blocks, objects with attributes. Elements are the less tangible trust factors impacting NoTs. Together, they form a design catalog for people and organizations interested in exploring, developing and implementing security measures for current and future IoT-based technologies.

Though the following takeaways may sound simple or obvious, I believe they will form the basis for designing security into highly complex, large-scale networks of networks.

  • Known threats from previous genres of complex software-centric systems apply to NoTs.
  • Security flaws and threats in NoTs may be exacerbated by the composition of 3rd party “things,” creating an emergent class of security “unknowns.”
  • NoTs may have the ability to self-organize, self-modify and self-repair when artificial intelligence (AI) technologies are introduced. If true, NoTs could potentially rewire their security policy mechanisms and implementations, or disengage them altogether.
  • “After the fact” forensics for millions of composed, heterogeneous “things” is almost certainly not possible in linear time.
  • “Things” will be heterogeneous, and counterfeiting of “things” may lead to seemingly nondeterministic behavior, making test results appear chaotic. Counterfeit “things” may lead to illegitimate NoTs.
  • Properly authenticating sensors may be a data integrity risk, as “things” may deliberately misidentify themselves.
  • “Things” may be granted a nefarious and stealth connection capability, that is, coming and going in instantaneous time snapshots, leaving zero traceability. This is a “drop and run” mode for pushing external data into a NoT’s workflow. This may be mitigated by authentication, cryptography and, possibly, other methods.
  • Actuators are “things” and, if fed malicious data, life-threatening consequences are possible.
  • NoTs have workflows and data flows that are highly time-sensitive and, therefore, NoTs need communication and computation synchronization.
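
The takeaways on misidentified “things” and “drop and run” connections point to authentication and cryptography at the aggregator. The sketch below is an added example, not code from the NoT report or from NIST: an aggregator primitive accepts a sensor reading only if the device ID is registered, the message tag verifies, and the snapshot is fresh and not replayed, and it logs every decision. The per-device shared keys, the HMAC-SHA256 scheme, the 30-second window and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Constructed registry (assumption): device ID -> per-device secret set by the owner.
REGISTRY = {"temp-001": b"k1-constructed-secret", "temp-002": b"k2-constructed-secret"}
MAX_SKEW = 30  # seconds a snapshot may differ from the aggregator clock (assumed)


def sign_reading(device_id, key, snapshot, value):
    """Sensor side: serialize a reading and tag it with HMAC-SHA256."""
    body = json.dumps({"id": device_id, "t": snapshot, "v": value}, sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()


class Aggregator:
    """Hypothetical aggregator: accepts a reading only from a registered device ID
    with a valid tag and a fresh snapshot newer than the last one accepted."""

    def __init__(self, registry):
        self.registry = registry
        self.last_seen = {}  # device ID -> last accepted snapshot
        self.audit = []      # every decision is recorded, so nothing arrives untraced

    def ingest(self, body, tag, now):
        verdict = self._check(body, tag, now)
        self.audit.append((now, verdict, body[:80]))
        return verdict

    def _check(self, body, tag, now):
        try:
            msg = json.loads(body)
            device_id, snapshot = msg["id"], msg["t"]
        except (ValueError, KeyError, TypeError):
            return "reject:malformed"
        if not isinstance(device_id, str) or not isinstance(snapshot, (int, float)):
            return "reject:malformed"
        key = self.registry.get(device_id)
        if key is None:
            return "reject:unknown-device"
        expected = hmac.new(key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected.encode(), tag.encode()):
            return "reject:bad-tag"  # claimed ID does not match the key that signed it
        if abs(now - snapshot) > MAX_SKEW:
            return "reject:stale"
        if snapshot <= self.last_seen.get(device_id, float("-inf")):
            return "reject:replay"
        self.last_seen[device_id] = snapshot
        return "accept"
```

A shared-key tag authenticates the sender of a reading; it does not show that the sensor's firmware is genuine, which is the separate gap described in the smart-building example.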

Here at NIST these efforts call for feedback, so if you have questions, concerns or contributions, please contact us. And learn more about this and the broader future of the IoT by attending the panel discussion at IEEE’s Technology Time Machine conference, #ieeettm, in San Diego, on October 20. 




Edited by Ken Briodagh