IoT Fundamental Chapter 3 - The IoT Device Layer Attack Surface
Non-Discretionary access control
Access decisions are made centrally, based on an individual's role and responsibilities within the organization rather than by the owner of the data. The most common form is role-based access control (RBAC).
Attribute-based access control (ABAC)
Allows access based on attributes of the object (resource) to be accessed, the subject (user) accessing the resource, and environmental factors regarding how the object is to be accessed, such as time of day or the network the request arrives from.
CISC
Processors have the ability to perform several operations with a single instruction. More transistors are necessary to store the more complex instructions. The additional transistors create more heat, require more power, and add to the cost of the processor. However, the use of complex instructions reduces the size of the program code.
Serial Peripheral Interface (SPI)
A synchronous serial bus used for communicating with devices on the same board, such as EEPROM or flash memory, and occasionally with devices located up to a few feet away. The bus carries data in the clear, so an attacker with board access can sniff transactions with a logic analyzer or clip onto the flash chip and dump it directly. Extracting sensitive information is a very real possibility.
debug/boot mode
Sometimes this can be entered with a keystroke combination during start-up. It is also reachable by an attacker who has physical access to the device board.
Compiled Code
Source code is written in a format that is readable with a text editor and then converted into machine code that is read and executed by the processor. Examples of compiled code languages include C, C++, Rust and Visual Basic.
Zigbee
10-100 meters; low-power; low-data rate; offers basic encryption (AES-128 at the link layer)
Embedded Devices
A product that contains a computing system designed for a special purpose. Its operating system is typically designed to run a single application. ATMs, point-of-sale terminals, and smart appliances such as dishwashers and refrigerators may contain embedded devices.
RFC 7228
"Terminology for Constrained-Node Networks", the IETF document that defines the classes of constrained devices. A sample of the full document is shown in the course (see image).
Embedded MultiMedia Card (eMMC)
A type of non-volatile memory that is often soldered directly to a system board (embedded), although removable versions are available. It is fast, low-power, and relatively inexpensive. Embedded types resist tampering and theft better than removable SD Card memory.
Two main providers of RISC processor architectures.
ARM and MIPS
Smart Sensors
Devices that take information from a physical environment and use embedded microprocessors and wireless communication to monitor it. They are able to communicate with other devices using specialized protocols and interfaces.
big.LITTLE Computing
An ARM architecture that uses processors (cores) with differing processing capabilities and power requirements. The LITTLE core uses less power when the task at hand does not require as much processing capability. The big core provides the most compute performance, with the trade-off being higher power requirements. Using this type of heterogeneous architecture can extend battery life in devices that are in remote locations.
Mandatory access control (MAC)
Applies the strictest access control and is typically used in military or mission critical applications. It assigns security level labels to information and provides users with access based on their security level clearance.
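The three models above (RBAC, ABAC with a time-of-day condition, and MAC) as working decision functions. This is an added example, not course material: the roles, labels, sites and policy rules are constructed for a hypothetical IoT fleet, and the MAC function follows the Bell-LaPadula rules (no read up, no write down), which the card does not spell out.

```python
"""Added example (not from the course): RBAC, ABAC and MAC decisions
for a constructed IoT fleet. All names, roles and rules are made up."""
from dataclasses import dataclass
from datetime import time

# --- RBAC: permissions hang off roles, never off individual users ----------
ROLE_PERMISSIONS = {
    "technician": {"sensor:read", "firmware:update"},
    "viewer": {"sensor:read"},
}

def rbac_allows(roles, permission):
    """Grant if any of the subject's roles carries the permission."""
    return any(permission in ROLE_PERMISSIONS.get(r, set()) for r in roles)

# --- ABAC: rules over subject, object and environment attributes -----------
@dataclass(frozen=True)
class Subject:
    name: str
    site: str
    roles: frozenset

@dataclass(frozen=True)
class Device:
    device_id: str
    site: str
    criticality: str          # "low" or "high" (constructed attribute)

@dataclass(frozen=True)
class Environment:
    local_time: time
    network: str              # "ops-lan" or "internet" (constructed)

MAINTENANCE_START, MAINTENANCE_END = time(8, 0), time(18, 0)

def abac_allows(subject, device, env, action):
    """Reads need only the role. Firmware updates additionally need
    same-site staff and the maintenance window; high-criticality devices
    also refuse updates that do not arrive over the operations LAN."""
    if not rbac_allows(subject.roles, action):
        return False
    if action == "sensor:read":
        return True
    if action == "firmware:update":
        in_window = MAINTENANCE_START <= env.local_time < MAINTENANCE_END
        same_site = subject.site == device.site
        trusted_path = env.network == "ops-lan" or device.criticality == "low"
        return in_window and same_site and trusted_path
    return False

# --- MAC: labels on data, clearances on users, fixed system-wide rules -----
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top-secret": 3}

def mac_allows(clearance, label, action):
    """Bell-LaPadula: read only at or below your clearance (no read up),
    write only at or above it (no write down)."""
    c, l = LEVELS[clearance], LEVELS[label]
    if action == "read":
        return c >= l
    if action == "write":
        return c <= l
    return False

if __name__ == "__main__":
    tech = Subject("alice", "plant-1", frozenset({"technician"}))
    pump = Device("pump-7", "plant-1", "high")
    print(abac_allows(tech, pump, Environment(time(10, 0), "ops-lan"), "firmware:update"))
    print(abac_allows(tech, pump, Environment(time(23, 0), "ops-lan"), "firmware:update"))
    print(mac_allows("secret", "top-secret", "read"))
```

The RBAC check is reused inside the ABAC function on purpose: in practice ABAC rarely replaces roles, it adds object and environment conditions on top of them.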
Non-Volatile Memory (EPROM and EEPROM)
Are considered non-volatile memory because they retain the information stored even when power is off. This type of memory is often used to store firmware, the bootloader, and other critical information required for the IoT device to operate. An attacker may be able to read the communication between the memory and the microcontroller, or desolder the chip and read its contents directly.
Volatile Memory SRAM (Static Random Access Memory) and DRAM (Dynamic Random Access Memory)
Are used to hold the operating code and provide temporary storage while the device is running. After the device is powered down, all data in memory is lost.
Devices that contain known hardware-based vulnerabilities:
Blu-ray players, cameras, home automation devices, media players, music players, NAS devices, printers, televisions, VoIP hardware, medical devices, networking devices, Android TV devices
Known firmware vulnerabilities:
Default login credentials, distributed denial of service (DDoS) attacks, out-of-date firmware, buffer overflow attacks, backdoor installation
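Once a flash image has been pulled over SPI or read from an EEPROM or eMMC chip (see the memory cards above), the first triage step is to find the plain-text partitions and look for default or hard-coded credentials. The script below is an added example, not part of the course: it builds a constructed dump (a pseudo-random region standing in for compressed or encrypted data, followed by a plain-text config partition), plots per-block entropy the way binwalk does, pulls printable strings like the Unix strings(1) tool, and flags user:password lines that match a constructed list of common defaults.

```python
"""Added example (not from the course): offline triage of a flash dump.
The dump and the default-credential list are constructed for this demo."""
import hashlib
import math
import re
from collections import Counter

def pseudo_random_bytes(n, seed=b"demo"):
    """Deterministic filler standing in for a compressed/encrypted region."""
    out, counter = bytearray(), 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])

# Constructed image: 4 KiB high-entropy blob, then a plain-text config area.
CONFIG_TEXT = (
    b"# device config (constructed sample)\n"
    b"hostname=cam-01\n"
    b"admin:admin\n"
    b"service:s3rv1c3-long-secret\n"
    b"update_url=http://updates.example.invalid/fw.bin\n"
)
FIRMWARE_DUMP = pseudo_random_bytes(4096) + CONFIG_TEXT.ljust(4096, b"\x00")

def shannon_entropy(data):
    """Bits per byte: near 8 for encrypted/compressed data, 4-5 for ASCII."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def entropy_profile(blob, block_size=1024):
    """(offset, entropy) per block; high blocks are not worth running strings on."""
    return [(off, shannon_entropy(blob[off:off + block_size]))
            for off in range(0, len(blob), block_size)]

def extract_strings(blob, min_len=8):
    """Runs of printable ASCII, like strings(1)."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]

# Constructed sample of commonly published factory defaults.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("root", "root"),
                       ("admin", "password"), ("admin", "1234")}

def find_credentials(strings):
    """(user, password, is_default) for every user:password line found."""
    found = []
    for s in strings:
        m = re.fullmatch(r"([A-Za-z0-9_]+):([^\s:]+)", s)
        if m:
            user, pw = m.group(1), m.group(2)
            found.append((user, pw, (user, pw) in DEFAULT_CREDENTIALS))
    return found

def triage(blob):
    profile = entropy_profile(blob)
    creds = find_credentials(extract_strings(blob))
    return {
        "high_entropy_blocks": [off for off, e in profile if e > 7.0],
        "credentials": creds,
        "default_credentials": [c for c in creds if c[2]],
    }

if __name__ == "__main__":
    for key, value in triage(FIRMWARE_DUMP).items():
        print(key, value)
```

Any high-entropy block is a candidate for a separate pass (decompression, or a hunt for the key the bootloader uses), while every plain-text credential, default or not, belongs in the findings.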
Interpreted Code
Each instruction is executed one after another. The interpreter translates the instruction into a form of machine code that can be performed by the processor. Python may currently be the most popular interpreted code language for IoT devices. Other interpreted languages that may be used include JavaScript, Perl, and PHP.
OWASP (Open Web Application Security Project)
Through its Internet of Things project, has compiled a list of attack surface areas and the vulnerabilities that should be addressed for each within the IoT system.
Constrained Devices
Have very limited power, memory, and processing cycles. The Internet Engineering Task Force (IETF) defined the classes for constrained devices in RFC 7228, grouping them by RAM and code (flash) size: Class 0 (much less than 10 KiB of data and 100 KiB of code), Class 1 (about 10 KiB and 100 KiB), and Class 2 (about 50 KiB and 250 KiB). (see image)
Heterogeneous Computing
Involves using more than one kind of processor with different capabilities. A common approach used by several manufacturers employs the Graphics Processing Unit (GPU) to perform complex mathematical calculations or to handle encryption and decryption tasks.
Android Embedded
Is a lightweight, Linux-based operating system primarily used in mobile devices, but it can also be used for IoT devices. It is designed to reduce power consumption and runs on the common processor architectures used in IoT devices.
OAuth 2.0 Authorization Framework
Is a standardized authorization framework specified in IETF RFC 6749 (authentication is layered on top of it by OpenID Connect). This framework can be used for access control of IoT devices to make them more secure by having an authorization server issue access tokens, so that the device or resource server never has to handle user credentials itself.
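The exchange the card describes, simulated in one process: a device presents its client credentials to an authorization server (the client_credentials grant of RFC 6749, section 4.4), receives a bearer token, and a resource server accepts or rejects requests by checking that token. This is an added example, not the course's material and not an OAuth library. The HMAC-signed token format, the shared signing key between the two servers, the client registry and the scope names are assumptions for the demo; production systems typically use JWTs verified via JWKS, or token introspection, instead.

```python
"""Added example (not from the course): OAuth 2.0 client_credentials grant
for an IoT device, with both the authorization and the resource server.
Token format, shared key and client registry are demo assumptions."""
import base64
import hashlib
import hmac
import json
import secrets
import time

class AuthorizationServer:
    def __init__(self, signing_key):
        self._key = signing_key
        self._clients = {}        # client_id -> (sha256(secret), allowed scopes)

    def register(self, client_id, client_secret, scopes):
        digest = hashlib.sha256(client_secret.encode()).digest()
        self._clients[client_id] = (digest, set(scopes))

    def token(self, client_id, client_secret, scope, now=None):
        """POST /token with grant_type=client_credentials (RFC 6749 4.4)."""
        now = time.time() if now is None else now
        entry = self._clients.get(client_id)
        presented = hashlib.sha256(client_secret.encode()).digest()
        if entry is None or not hmac.compare_digest(entry[0], presented):
            return {"error": "invalid_client"}          # RFC 6749 5.2
        requested = set(scope.split())
        if not requested <= entry[1]:
            return {"error": "invalid_scope"}
        payload = {"sub": client_id, "scope": " ".join(sorted(requested)),
                   "exp": int(now) + 600}
        return {"access_token": self._sign(payload), "token_type": "Bearer",
                "expires_in": 600, "scope": payload["scope"]}

    def _sign(self, payload):
        body = base64.urlsafe_b64encode(json.dumps(payload).encode())
        mac = hmac.new(self._key, body, hashlib.sha256).digest()
        return (body + b"." + base64.urlsafe_b64encode(mac)).decode()

class ResourceServer:
    """Verifies tokens with the same key (demo assumption)."""
    def __init__(self, signing_key):
        self._key = signing_key

    def handle(self, headers, required_scope, now=None):
        now = time.time() if now is None else now
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer "):
            return 401, {"error": "invalid_request"}
        body, _, sig = auth[7:].encode().partition(b".")
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        try:
            given = base64.urlsafe_b64decode(sig)
        except Exception:
            return 401, {"error": "invalid_token"}
        if not hmac.compare_digest(expected, given):   # constant-time
            return 401, {"error": "invalid_token"}
        claims = json.loads(base64.urlsafe_b64decode(body))
        if claims["exp"] <= now:
            return 401, {"error": "invalid_token"}
        if required_scope not in claims["scope"].split():
            return 403, {"error": "insufficient_scope"}
        return 200, {"device": claims["sub"]}

def demo():
    """Returns the status of a valid, a bad-secret, a tampered, an expired
    and a wrong-scope request, in that order."""
    key = secrets.token_bytes(32)
    auth, rs = AuthorizationServer(key), ResourceServer(key)
    auth.register("sensor-42", "factory-provisioned-secret", ["telemetry:write"])
    good = auth.token("sensor-42", "factory-provisioned-secret", "telemetry:write", now=1000)
    hdr = {"Authorization": "Bearer " + good["access_token"]}
    ok = rs.handle(hdr, "telemetry:write", now=1100)
    bad_secret = auth.token("sensor-42", "guess", "telemetry:write", now=1000)
    tampered = {"Authorization": "Bearer " + good["access_token"][:-4] + "AAAA"}
    forged = rs.handle(tampered, "telemetry:write", now=1100)
    expired = rs.handle(hdr, "telemetry:write", now=2000)
    wrong_scope = rs.handle(hdr, "firmware:write", now=1100)
    return ok[0], bad_secret.get("error"), forged[0], expired[0], wrong_scope[0]

if __name__ == "__main__":
    print(demo())
```

The point for a constrained device is the split of responsibilities: the device holds one secret and talks to one token endpoint, while scope, expiry and revocation decisions live on the authorization server and can change without touching firmware.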
Joint Test Action Group (JTAG)
Is not a communication protocol, but rather a standard interface (IEEE 1149.1) used for testing and debugging. Leaving the JTAG port accessible could allow an attacker to halt and single-step the processor, read and write memory, dump the firmware, and reverse engineer the logic of the microcontroller.
Discretionary access control (DAC)
It allows users to control access to their data as owners of that data. DAC may use ACLs or other methods to specify which users or groups of users have access to the information.
LTE-M (Long Term Evolution for Machines)
Long range; uses licensed cellular networks; the most secure of the technologies listed here, relying on SIM-based authentication and LTE's AES-based link encryption (128-bit keys)
SD Card
Often used to store data necessary for IoT operation or to store collected data. They could even include the entire operating system and configuration files necessary for operation. It must be protected from removal in order to keep an attacker from modifying the contents in any way, as well as protecting potentially sensitive data.
Busybox
Open source compiled executable that contains many of the core utilities that are usually found in Linux distributions.
Prototyping
The process of building a model that demonstrates the features of a proposed product, service, or system. Raspberry Pi and Arduino are examples of prototyping platforms.
Physical Vulnerabilities of Constrained Devices
Theft of the device; physical damage to the device; disabling the device by removing its power source; disabling communication by disconnecting cables or other means of disruption
MIPS (Microprocessor without Interlocked Pipeline Stages)
This architecture is used for many processors in embedded systems as well as networking, mobile, and IoT devices. MIPS processors are available in 32-bit and 64-bit implementations.
Universal Asynchronous Receiver-Transmitter (UART)
This serial interface is used to communicate with other hardware peripherals and is frequently exposed as a console on a debug header. Connecting to it may present a login prompt, a bootloader prompt, or an unauthenticated shell, giving an attacker read/write access to the device over serial communication.
Inter-Integrated Circuit (I2C)
This is a serial data protocol used for short distance communication, often between chips on the same board. An attacker could potentially corrupt data or extract data that is being transferred.
ARM (Advanced RISC Machine)
This is an architecture generally licensed to other companies to design their own processor. These processors are available in both 32-bit and 64-bit architectures. The main CPU for the Raspberry Pi uses this architecture.
RISC
Typically have fewer transistors than CISC processors. Fewer transistors translate to lower cost, less power consumed, and less heat produced. This makes RISC processors good candidates for both mobile and IoT devices.
LoRa
Up to 10 kilometers; low-power; LoRaWAN encrypts traffic with 128-bit AES keys (a network session key and an application session key)
White-Fi (IEEE 802.11af)
Up to 100 meters; low power; WPA security
Public Key Cryptography
Was introduced in 1976 by Whitfield Diffie and Martin Hellman in order to solve the secure key distribution problem. In their concept, each person gets a pair of keys: one called the public key and the other called the private key. These two keys are mathematically related to each other.
Public Key Infrastructure (PKI)
PKI, with its Certificate Authorities (CAs), is needed to support large-scale distribution and identification of public keys. The PKI framework facilitates a highly scalable trust relationship. Device certificates issued under a PKI are used to prove the identity of an IoT device.
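The two cards above fit together: Diffie-Hellman lets two parties derive a shared secret from public values, and PKI is what binds those public values to identities. The script below is an added example, not from the course. It runs the exchange honestly, then shows the man-in-the-middle that succeeds when nobody checks whose public value they received, which is the gap certificates close. The group is the 2048-bit MODP group 14 from RFC 3526 (transcribed here); the only validation performed is the range check on the peer's value, a minimum any implementation should do.

```python
"""Added example (not from the course): Diffie-Hellman key agreement, a
peer-value check, and the MITM that PKI exists to prevent."""
import hashlib
import secrets

# 2048-bit MODP group (group 14) from RFC 3526; generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2
P_BYTES = (P.bit_length() + 7) // 8

def keypair(p=P, g=G):
    """Private exponent x and public value g^x mod p."""
    x = secrets.randbelow(p - 3) + 2          # 2 <= x <= p-2
    return x, pow(g, x, p)

def validate_public(y, p=P):
    """Reject 0, 1 and p-1: they pin the shared secret to a tiny set."""
    return 1 < y < p - 1

def shared_key(my_private, peer_public, p=P):
    """g^(xy) mod p, run through a hash so the output is a usable key."""
    if not validate_public(peer_public, p):
        raise ValueError("invalid peer public value")
    s = pow(peer_public, my_private, p)
    return hashlib.sha256(s.to_bytes(P_BYTES, "big")).digest()

def honest_exchange():
    """Alice and Bob swap public values directly and derive one key."""
    a, A = keypair()
    b, B = keypair()
    return shared_key(a, B), shared_key(b, A)

def mitm_exchange():
    """Mallory substitutes her own public value in both directions. The
    math still works for everyone, so nothing fails; only a signature or
    certificate on A and B (what PKI supplies) would expose her."""
    a, A = keypair()
    b, B = keypair()
    m, M = keypair()
    alice_key = shared_key(a, M)          # Alice believes M came from Bob
    bob_key = shared_key(b, M)            # Bob believes M came from Alice
    mallory_alice = shared_key(m, A)      # Mallory decrypts Alice's traffic
    mallory_bob = shared_key(m, B)        # ...re-encrypts it for Bob
    return alice_key, bob_key, mallory_alice, mallory_bob

if __name__ == "__main__":
    k1, k2 = honest_exchange()
    print("honest keys match:", k1 == k2)
    ak, bk, ma, mb = mitm_exchange()
    print("under MITM Alice and Bob agree:", ak == bk,
          "| Mallory shares a key with each:", ak == ma and bk == mb)
```

Notice that nothing in the exchange itself detects Mallory; the defence is procedural (verify a certificate chain on the received public value before using it), which is why IoT deployments provision device certificates rather than relying on raw key exchange.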