
Taxonomy of IoT Vulnerabilities

Cyber Threat Intelligence for the Internet of Things

Abstract

Although a plethora of security mechanisms aimed at enhancing IoT security currently exist, many research and operational problems remain unsolved, raising various concerns and undermining confidence in the IoT paradigm. To put forward a new perspective on IoT security, this chapter gives a taxonomy of IoT vulnerabilities along various dimensions and discusses potential future directions.

This chapter was partially adopted from Nataliia Neshenko, Elias Bou-Harb, Jorge Crichigno, Georges Kaddoum, and Nasir Ghani. Demystifying IoT Security: an Exhaustive Survey on IoT Vulnerabilities and a First Empirical Look on Internet-scale IoT Exploitations. IEEE Communications Surveys & Tutorials, 2019.


References

  1. Kippo - ssh honeypot. https://github.com/desaster/kippo.

  2. Payatu. IoT security – part 3 (101 – IoT top ten vulnerabilities). https://payatu.com/iot-security-part-3-101-iot-top-ten-vulnerabilities/.

  3. Ala Al-Fuqaha, Mohsen Guizani, Mehdi Mohammadi, Mohammed Aledhari, and Moussa Ayyash. Internet of things: A survey on enabling technologies, protocols, and applications. IEEE Communications Surveys & Tutorials, 17(4):2347–2376, 2015.

    Article  Google Scholar 

  4. Fadele Ayotunde Alaba, Mazliza Othman, Ibrahim Abaker Targio Hashem, and Faiz Alotaibi. Internet of things security: A survey. Journal of Network and Computer Applications, 2017.

    Google Scholar 

  5. Andres Riancho. w3af - open source web application security scanner. www.w3af.org.

  6. Kishore Angrishi. Turning internet of things (IoT) into internet of vulnerabilities (IoV): Iot botnets. arXiv preprint arXiv:1702.03681, 2017.

    Google Scholar 

  7. Anonymous. Internet census 2012: Port scanning/0 using insecure embedded devices. URL http://internetcensus2012.bitbucket.org/paper.html, 2012.

  8. Manos Antonakakis, Tim April, Michael Bailey, Matt Bernhard, Elie Bursztein, Jaime Cochran, Zakir Durumeric, J Alex Halderman, Luca Invernizzi, Michalis Kallitsis, et al. Understanding the Mirai botnet. In 26th {USENIX} Security Symposium({USENIX} Security 17), pages 1093–1110, 2017.

    Google Scholar 

  9. Luigi Atzori, Antonio Iera, and Giacomo Morabito. The internet of things: A survey. Computer networks, 54(15):2787–2805, 2010.

    Article  Google Scholar 

  10. Luigi Atzori, Antonio Iera, and Giacomo Morabito. Understanding the internet of things: definition, potentials, and societal role of a fast evolving paradigm. Ad Hoc Networks, 2016.

    Google Scholar 

  11. Tuomas Aura. Cryptographically generated addresses (CGA). https://www.rfc-editor.org/info/rfc3972, 2005.

  12. V Balasubramanian, Nikolaos Kouvelas, K Chandra, RV Prasad, Artemios G Voyiatzis, and W Liu. A unified architecture for integrating energy harvesting iot devices with the mobile edge cloud. In 2018 IEEE 4th World Forum on Internet of Things (WF-IoT), pages 13–18. IEEE, 2018.

    Google Scholar 

  13. Zachry Basnight, Jonathan Butts, Juan Lopez, and Thomas Dube. Firmware modification attacks on programmable logic controllers. International Journal of Critical Infrastructure Protection, 6(2):76–84, 2013.

    Article  Google Scholar 

  14. Boldizsár Bencsáth, Levente Buttyán, and Tamás Paulik. Xcs based hidden firmware modification on embedded devices. In Software, Telecommunications and Computer Networks (SoftCOM), 2011 19th International Conference on, pages 1–5. IEEE, 2011.

    Google Scholar 

  15. Alex Biryukov, Daniel Dinu, and Yann Le Corre. Side-channel attacks meet secure network protocols. In International Conference on Applied Cryptography and Network Security, pages 435–454. Springer, 2017.

    Google Scholar 

  16. Tamara Bonaci, Linda Bushnell, and Radha Poovendran. Node capture attacks in wireless sensor networks: A system theoretic approach. In Decision and Control (CDC), 2010 49th IEEE Conference on, pages 6765–6772. IEEE, 2010.

    Google Scholar 

  17. Hamid Bostani and Mansour Sheikhan. Hybrid of anomaly-based and specification-based IDS for internet of things using unsupervised OPF based on mapreduce approach. Computer Communications, 98:52–71, 2017.

    Article  Google Scholar 

  18. Elias Bou-Harb, Walter Lucia, Nicola Forti, Sean Weerakkody, Nasir Ghani, and Bruno Sinopoli. Cyber meets control: A novel federated approach for resilient cps leveraging real cyber threat intelligence. IEEE Communications Magazine, 55(5):198–204, 2017.

    Article  Google Scholar 

  19. BullGuard. http://www.dojo-labs.com/.

  20. Dániel István Buza, Ferenc Juhász, György Miru, Márk Félegyházi, and Tamás Holczer. Cryplh: Protecting smart energy systems from targeted attacks with a PLC honeypot. In International Workshop on Smart Grid Security, pages 181–192. Springer, 2014.

    Google Scholar 

  21. M Campagna. Sec 4: Elliptic curve Qu-Vanstone implicit certificate scheme (ECQV). vol, 4:32, 2013.

    Google Scholar 

  22. Cisco. The internet of things reference model. [Online]. Available: https://www.cisco.com/c/dam/global/en_ph/.../jim_green_cisco_connect.pdf. Accessed 2018-03-05.

  23. Bogdan Copos, Karl Levitt, Matt Bishop, and Jeff Rowe. Is anybody home? inferring activity from smart home network traffic. In Security and Privacy Workshops (SPW), 2016 IEEE, pages 245–251. IEEE, 2016.

    Google Scholar 

  24. Daniel G Costa, Ivanovitch Silva, Luiz Affonso Guedes, Francisco Vasques, and Paulo Portugal. Availability issues in wireless visual sensor networks. Sensors, 14(2):2795–2821, 2014.

    Article  Google Scholar 

  25. Andrei Costin, Jonas Zaddach, Aurélien Francillon, Davide Balzarotti, and Sophia Antipolis. A large-scale analysis of the security of embedded firmwares. In USENIX Security, pages 95–110, 2014.

    Google Scholar 

  26. Andrei Costin, Apostolis Zarras, and Aurélien Francillon. Automated dynamic firmware analysis at scale: a case study on embedded web interfaces. In Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security, pages 437–448. ACM, 2016.

    Google Scholar 

  27. CRIMESIDER STAFF, CBS news. Baby monitor hacker delivers creepy message to child. https://www.cbsnews.com/news/baby-monitor-hacker-delivers-creepy-message-to-child/.

  28. Ang Cui, Michael Costello, and Salvatore J Stolfo. When firmware modifications attack: A case study of embedded exploitation. In NDSS, 2013.

    Google Scholar 

  29. Ang Cui and Salvatore J Stolfo. A quantitative analysis of the insecurity of embedded network devices: results of a wide-area scan. In Proceedings of the 26th Annual Computer Security Applications Conference, pages 97–106. ACM, 2010.

    Google Scholar 

  30. Baojiang Cui, Shurui Liang, Shilei Chen, Bing Zhao, and Xiaobing Liang. A novel fuzzing method for Zigbee based on finite state machine. International Journal of Distributed Sensor Networks, 10(1):762891, 2014.

    Article  Google Scholar 

  31. CUJO. https://www.getcujo.com/.

  32. Jakub Czyz, Matthew J Luckie, Mark Allman, and Michael Bailey. Don’t forget to lock the back door! a characterization of ipv6 network security policy. In NDSS, 2016.

    Google Scholar 

  33. Li Da Xu, Wu He, and Shancang Li. Internet of things in industries: A survey. IEEE Transactions on Industrial Informatics, 10(4):2233–2243, 2014.

    Article  Google Scholar 

  34. Parwinder Kaur Dhillon and Sheetal Kalra. A lightweight biometrics based remote user authentication scheme for iot services. Journal of Information Security and Applications, 2017.

    Google Scholar 

  35. Seamus Dowling, Michael Schukat, and Hugh Melvin. A Zigbee honeypot to assess iot cyberattack behaviour. In Signals and Systems Conference (ISSC), 2017 28th Irish, pages 1–6. IEEE, 2017.

    Google Scholar 

  36. Adam Dunkels, Oliver Schmidt, Niclas Finne, Joakim Eriksson, Fredrik Österlind, Nicolas Tsiftes, and Mathilde Durvy. The Contiki OS: The operating system for the internet of things. Online], at http://www.contikios.org, 2011.

  37. Zakir Durumeric, David Adrian, Ariana Mirian, Michael Bailey, and J Alex Halderman. A search engine backed by internet-wide scanning. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, pages 542–553. ACM, 2015.

    Google Scholar 

  38. Zakir Durumeric, James Kasten, Michael Bailey, and J Alex Halderman. Analysis of the https certificate ecosystem. In Proceedings of the 2013 conference on Internet measurement conference, pages 291–304. ACM, 2013.

    Google Scholar 

  39. Ata Elahi and Adam Gschwender. ZigBee wireless sensor and control network. Pearson Education, 2009.

    Google Scholar 

  40. Haytham Elmiligi, Fayez Gebali, and M Watheq El-Kharashi. Multi-dimensional analysis of embedded systems security. Microprocessors and Microsystems, 41:29–36, 2016.

    Article  Google Scholar 

  41. Hewlett Packard Enterprise. Internet of things research study. Internet of Things Research Study, 2015.

    Google Scholar 

  42. Laurent Eschenauer and Virgil D Gligor. A key-management scheme for distributed sensor networks. In Proceedings of the 9th ACM Conference on Computer and Communications Security, pages 41–47. ACM, 2002.

    Google Scholar 

  43. Claude Fachkha, Elias Bou-Harb, Anastasis Keliris, Nasir Memon, and Mustaque Ahamad. Internet-scale probing of cps: Inference, characterization and orchestration analysis. In Proceedings of NDSS, volume 17, 2017.

    Google Scholar 

  44. Shahin Farahani. ZigBee wireless networks and transceivers. newnes, 2011.

    Google Scholar 

  45. Qian Feng, Rundong Zhou, Chengcheng Xu, Yao Cheng, Brian Testa, and Heng Yin. Scalable graph-based bug search for firmware images. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pages 480–491. ACM, 2016.

    Google Scholar 

  46. Earlence Fernandes, Justin Paupore, Amir Rahmati, Daniel Simionato, Mauro Conti, and Atul Prakash. Flowfence: Practical data protection for emerging iot application frameworks. In USENIX Security Symposium, 2016.

    Google Scholar 

  47. David Formby, Preethi Srinivasan, Andrew Leonard, Jonathan Rogers, and Raheem Beyah. Who’s in control of your control system? device fingerprinting for cyber-physical systems. In Network and Distributed System Security Symposium (NDSS), 2016.

    Google Scholar 

  48. Justin E Forrester and Barton P Miller. An empirical study of the robustness of windows NT applications using random testing. In Proceedings of the 4th USENIX Windows System Symposium, pages 59–68. Seattle, 2000.

    Google Scholar 

  49. Lorenzo Franceschi-Bicchierai. Internet of things teddy bear leaked 2 million parent and kids message recordings, Feb 2017.

    Google Scholar 

  50. Angelo Furfaro, Luciano Argento, Andrea Parise, and Antonio Piccolo. Using virtual environments for the assessment of cybersecurity issues in iot scenarios. Simulation Modelling Practice and Theory, 73:43–54, 2017.

    Article  Google Scholar 

  51. Nataliia Neshenko, Elias Bou-Harb, Jorge Crichigno, Georges Kaddoum, and Nasir Ghani. Demystifying IoT Security: an Exhaustive Survey on IoT Vulnerabilities and a First Empirical Look on Internet-scale IoT Exploitations. IEEE Communications Surveys & Tutorials, 2019.

    Google Scholar 

  52. M. Galluscio, N. Neshenko, E. Bou-Harb, Y. Huang, N. Ghani, J. Crichigno, and G. Kaddoum. A first empirical look on internet-scale exploitations of iot devices. In 2017 IEEE 28th Annual International Symposium on Personal, Indoor, and Mobile Radio Communications (PIMRC), pages 1–7, Oct 2017.

    Google Scholar 

  53. Usha Devi Gandhi, Priyan Malarvizhi Kumar, R Varatharajan, Gunasekaran Manogaran, Revathi Sundarasekar, and Shreyas Kadu. Hiotpot: surveillance on iot devices against recent threats. Wireless personal communications, pages 1–16, 2018.

    Google Scholar 

  54. Oscar Garcia-Morchon, Sye Loong Keoh, Sandeep Kumar, Pedro Moreno-Sanchez, Francisco Vidal-Meca, and Jan Henrik Ziegeldorf. Securing the IP-based internet of things with HIP and DTLS. In Proceedings of the sixth ACM conference on Security and privacy in wireless and mobile networks, pages 119–124. ACM, 2013.

    Google Scholar 

  55. Audrey A Gendreau and Michael Moorman. Survey of intrusion detection systems towards an end to end secure internet of things. In Future Internet of Things and Cloud (FiCloud), 2016 IEEE 4th International Conference on, pages 84–90. IEEE, 2016.

    Google Scholar 

  56. K. Georgiou, S. Xavier de Souza, and K. Eder. The iot energy challenge: A software perspective. IEEE Embedded Systems Letters, 10(3):53–56, Sep. 2018.

    Google Scholar 

  57. Branden Ghena, William Beyer, Allen Hillaker, Jonathan Pevarnek, and J Alex Halderman. Green lights forever: Analyzing the security of traffic infrastructure. WOOT, 14:7–7, 2014.

    Google Scholar 

  58. Ghada Glissa and Aref Meddeb. 6lowpan multi-layered security protocol based on IEEE 802.15. 4 security features. In Wireless Communications and Mobile Computing Conference (IWCMC), 2017 13th International, pages 264–269. IEEE, 2017.

    Google Scholar 

  59. Jorge Granjal, Edmundo Monteiro, and Jorge Sá Silva. Security for the internet of things: a survey of existing protocols and open research issues. IEEE Communications Surveys & Tutorials, 17(3):1294–1312, 2015.

    Article  Google Scholar 

  60. Juan Guarnizo, Amit Tambe, Suman Sankar Bunia, Martín Ochoa, Nils Tippenhauer, Asaf Shabtai, and Yuval Elovici. Siphon: Towards scalable high-interaction physical honeypots. arXiv preprint arXiv:1701.02446, 2017.

    Google Scholar 

  61. Jayavardhana Gubbi, Rajkumar Buyya, Slaven Marusic, and Marimuthu Palaniswami. Internet of things (iot): A vision, architectural elements, and future directions. Future generation computer systems, 29(7):1645–1660, 2013.

    Article  Google Scholar 

  62. Zimu Guo, Nima Karimian, Mark M Tehranipoor, and Domenic Forte. Hardware security meets biometrics for the age of iot. In Circuits and Systems (ISCAS), 2016 IEEE International Symposium on, pages 1318–1321. IEEE, 2016.

    Google Scholar 

  63. Ibbad Hafeez, Aaron Yi Ding, Lauri Suomalainen, Alexey Kirichenko, and Sasu Tarkoma. Securebox: Toward safer and smarter iot networks. In Proceedings of the 2016 ACM Workshop on Cloud-Assisted Networking, pages 55–60. ACM, 2016.

    Google Scholar 

  64. Xiali Hei, Xiaojiang Du, Jie Wu, and Fei Hu. Defending resource depletion attacks on implantable medical devices. In Global Telecommunications Conference (GLOBECOM 2010), 2010 IEEE, pages 1–5. IEEE, 2010.

    Google Scholar 

  65. Grant Ho, Derek Leung, Pratyush Mishra, Ashkan Hosseini, Dawn Song, and David Wagner. Smart locks: Lessons for securing commodity internet of things devices. In Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security, pages 461–472. ACM, 2016.

    Google Scholar 

  66. M Shamim Hossain, Ghulam Muhammad, Sk Md Mizanur Rahman, Wadood Abdul, Abdulhameed Alelaiwi, and Atif Alamri. Toward end-to-end biometrics-based security for iot infrastructure. IEEE Wireless Communications, 23(5):44–51, 2016.

    Article  Google Scholar 

  67. Inc IoT Defense. Rattrap. https://www.myrattrap.com/.

  68. Mian Ahmad Jan, Priyadarsi Nanda, Xiangjian He, Zhiyuan Tan, and Ren Ping Liu. A robust authentication scheme for observing resources in the internet of things environment. In Trust, Security and Privacy in Computing and Communications (TrustCom), 2014 IEEE 13th International Conference on, pages 205–211. IEEE, 2014.

    Google Scholar 

  69. Yunhan Jack Jia, Qi Alfred Chen, Shiqi Wang, Amir Rahmati, Earlence Fernandes, Zhuoqing Morley Mao, Atul Prakash, and Shanghai JiaoTong University. Contexlot: Towards providing contextual integrity to appified IoT platforms. In NDSS, 2017.

    Google Scholar 

  70. P. Kamalinejad, C. Mahapatra, Z. Sheng, S. Mirabbasi, V. C. M. Leung, and Y. L. Guan. Wireless energy harvesting for the internet of things. IEEE Communications Magazine, 53(6):102–108, June 2015.

    Article  Google Scholar 

  71. Constantinos Kolias, Georgios Kambourakis, Angelos Stavrou, and Jeffrey Voas. Ddos in the iot: Mirai and other botnets. Computer, 50(7):80–84, 2017.

    Article  Google Scholar 

  72. C. Konstantinou and M. Maniatakos. Impact of firmware modification attacks on power systems field devices. In 2015 IEEE International Conference on Smart Grid Communications (SmartGridComm), pages 283–288, Nov 2015.

    Google Scholar 

  73. Thomas Kothmayr, Corinna Schmitt, Wen Hu, Michael Brünig, and Georg Carle. Dtls based security and two-way authentication for the internet of things. Ad Hoc Networks, 11(8):2710–2723, 2013.

    Article  Google Scholar 

  74. Abdelkader Lahmadi, Cesar Brandin, and Olivier Festor. A testing framework for discovering vulnerabilities in 6lowpan networks. In Distributed Computing in Sensor Systems (DCOSS), 2012 IEEE 8th International Conference on, pages 335–340. IEEE, 2012.

    Google Scholar 

  75. Chunxiao Li, Anand Raghunathan, and Niraj K Jha. Improving the trustworthiness of medical device software with formal verification methods. IEEE Embedded Systems Letters, 5(3):50–53, 2013.

    Article  Google Scholar 

  76. Frank Li, Zakir Durumeric, Jakub Czyz, Mohammad Karami, Michael Bailey, Damon McCoy, Stefan Savage, and Vern Paxson. You’ve got vulnerability: Exploring effective vulnerability notifications. In USENIX Security Symposium (Aug. 2016), 2016.

    Google Scholar 

  77. Frank Li, Grant Ho, Eric Kuan, Yuan Niu, Lucas Ballard, Kurt Thomas, Elie Bursztein, and Vern Paxson. Remedying web hijacking: Notification effectiveness and webmaster comprehension. In Proceedings of the 25th International Conference on World Wide Web, pages 1009–1019. International World Wide Web Conferences Steering Committee, 2016.

    Google Scholar 

  78. Gaoqi Liang, Junhua Zhao, Fengji Luo, Steven Weller, and Zhao Yang Dong. A review of false data injection attacks against modern power systems. IEEE Transactions on Smart Grid, 2017.

    Google Scholar 

  79. Samuel Litchfield, David Formby, Jonathan Rogers, Sakis Meliopoulos, and Raheem Beyah. Rethinking the honeypot for cyber-physical systems. IEEE Internet Computing, 20(5):9–17, 2016.

    Article  Google Scholar 

  80. Xuan Liu, Zhen Bao, Dan Lu, and Zuyi Li. Modeling of local false data injection attacks with reduced network information. IEEE Transactions on Smart Grid, 6(4):1686–1696, 2015.

    Article  Google Scholar 

  81. Yao Liu, Peng Ning, and Michael K Reiter. False data injection attacks against state estimation in electric power grids. ACM Transactions on Information and System Security (TISSEC), 14(1):13, 2011.

    Google Scholar 

  82. Luma. https://lumahome.com/.

  83. Rwan Mahmoud, Tasneem Yousuf, Fadi Aloul, and Imn Zualkernan. Internet of things (iot) security: Current status, challenges and prospective measures. In 2015 10th International Conference for Internet Technology and Secured Transactions (ICITST), pages 336–341. IEEE, 2015.

    Google Scholar 

  84. Linda Markowsky and George Markowsky. Scanning for vulnerable devices in the internet of things. In Intelligent Data Acquisition and Advanced Computing Systems: Technology and Applications (IDAACS), 2015 IEEE 8th International Conference on, volume 1, pages 463–467. IEEE, 2015.

    Google Scholar 

  85. Yair Meidan, Michael Bohadana, Asaf Shabtai, Juan David Guarnizo, Martín Ochoa, Nils Ole Tippenhauer, and Yuval Elovici. Profiliot: a machine learning approach for iot device identification based on network traffic analysis. In Proceedings of the symposium on applied computing, pages 506–509. ACM, 2017.

    Google Scholar 

  86. Carnegie Mellon. Cbmc. bounded model checking for software. http://www.cprover.org/cbmc/.

  87. Metropolitan.fi. Ddos attack halts heating in finland amidst winter. https://metropolitan.fi/entry/ddos-attack-halts-heating-in-finland-amidst-winter.

  88. Daniele Midi, Antonino Rullo, Anand Mudgerikar, and Elisa Bertino. Kalis—a system for knowledge-driven adaptable intrusion detection for the internet of things. In Distributed Computing Systems (ICDCS), 2017 IEEE 37th International Conference on, pages 656–666. IEEE, 2017.

    Google Scholar 

  89. Andreas F Molisch, Kannan Balakrishnan, Chia-Chin Chong, Shahriar Emami, Andrew Fort, Johan Karedal, Juergen Kunisch, Hans Schantz, Ulrich Schuster, and Kai Siwiak. Ieee 802.15. 4a channel model-final report. IEEE P802, 15(04):0662, 2004.

    Google Scholar 

  90. Philipp Morgner, Stephan Mattejat, and Zinaida Benenson. All your bulbs are belong to us: Investigating the current state of security in connected lighting systems. arXiv preprint arXiv:1608.03732, 2016.

    Google Scholar 

  91. A. Mosenia and N. K. Jha. A comprehensive study of security of internet-of-things. IEEE Transactions on Emerging Topics in Computing, 5(4):586–602, Oct 2017.

    Article  Google Scholar 

  92. R Moskowitz, T Heer, P Jokela, and T Henderson. Host identity protocol version 2 (hipv2), 2015.

    Google Scholar 

  93. Fredrik Osterlind. A sensor network simulator for the Contiki OS. Swedish Institute of Computer Science (SICS), Tech. Rep. T2006-05, 2006.

    Google Scholar 

  94. Aafaf Ouaddah, Hajar Mousannif, Anas Abou Elkalam, and Abdellah Ait Ouahman. Access control in the internet of things: Big challenges and new opportunities. Computer Networks, 112:237–262, 2017.

    Article  Google Scholar 

  95. OWASP. Owasp zed attack proxy project. [Online]. Available: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project. Accessed 2018-03-05.

  96. Colin O’Flynn and Zhizhang Chen. Power analysis attacks against ieee 802.15. 4 nodes. In International Workshop on Constructive Side-Channel Analysis and Secure Design, pages 55–70. Springer, 2016.

    Google Scholar 

  97. Yin Minn Pa Pa, Shogo Suzuki, Katsunari Yoshioka, Tsutomu Matsumoto, Takahiro Kasama, and Christian Rossow. Iotpot: A novel honeypot for revealing current iot threats. Journal of Information Processing, 24(3):522–533, 2016.

    Article  Google Scholar 

  98. Chang-Seop Park. A secure and efficient ecqv implicit certificate issuance protocol for the internet of things applications. IEEE Sensors Journal, 2016.

    Google Scholar 

  99. Bryan Parno, Adrian Perrig, and Virgil Gligor. Distributed detection of node replication attacks in sensor networks. In Security and Privacy, 2005 IEEE Symposium on, pages 49–63. IEEE, 2005.

    Google Scholar 

  100. Amee A Patel and Sunil J Soni. A novel proposal for defending against vampire attack in WSN. In Communication Systems and Network Technologies (CSNT), 2015 Fifth International Conference on, pages 624–627. IEEE, 2015.

    Google Scholar 

  101. Mark Patton, Eric Gross, Ryan Chinn, Samantha Forbis, Leon Walker, and Hsinchun Chen. Uninvited connections: a study of vulnerable devices on the internet of things (iot). In Intelligence and Security Informatics Conference (JISIC), 2014 IEEE Joint, pages 232–235. IEEE, 2014.

    Google Scholar 

  102. Charith Perera, Arkady Zaslavsky, Peter Christen, and Dimitrios Georgakopoulos. Context aware computing for the internet of things: A survey. IEEE Communications Surveys & Tutorials, 16(1):414–454, 2014.

    Article  Google Scholar 

  103. Nikolaos E Petroulakis, Elias Z Tragos, Alexandros G Fragkiadakis, and George Spanoudakis. A lightweight framework for secure life-logging in smart environments. Information Security Technical Report, 17(3):58–70, 2013.

    Article  Google Scholar 

  104. C. Pielli, F. Chiariotti, N. Laurenti, A. Zanella, and M. Zorzi. A game-theoretic analysis of energy-depleting jamming attacks. In 2017 International Conference on Computing, Networking and Communications (ICNC), pages 100–104, Jan 2017.

    Google Scholar 

  105. Pawani Porambage, Corinna Schmitt, Pardeep Kumar, Andrei Gurtov, and Mika Ylianttila. Pauthkey: A pervasive authentication protocol and key establishment scheme for wireless sensor networks in distributed iot applications. International Journal of Distributed Sensor Networks, 2014.

    Google Scholar 

  106. Open Web Application Security Project. Top 10 iot vulnerabilities (2014). [Online]. Available: https://www.owasp.org/index.php/Top_IoT_Vulnerabilities. Accessed 2018-03-05.

  107. Mumtaz Qabulio, Yasir Arfat Malkani, and Ayaz Keerio. A framework for securing mobile wireless sensor networks against physical attacks. In Emerging Technologies (ICET), 2016 International Conference on, pages 1–6. IEEE, 2016.

    Google Scholar 

  108. Pedram Radmand, Marc Domingo, Jaipal Singh, Joan Arnedo, Alex Talevski, Stig Petersen, and Simon Carlsen. Zigbee/Zigbee pro security assessment based on compromised cryptographic keys. In P2P, Parallel, Grid, Cloud and Internet Computing (3PGCIC), 2010 International Conference on, pages 465–470. IEEE, 2010.

    Google Scholar 

  109. Radware Ltd. “brickerbot” results in PDoS attack. https://security.radware.com/ddos-threats-attacks/brickerbot-pdos-permanent-denial-of-service/.

  110. A. Rajan, J. Jithish, and S. Sankaran. Sybil attack in iot: Modelling and defenses. In 2017 International Conference on Advances in Computing, Communications and Informatics (ICACCI), pages 2323–2327, Sept 2017.

    Google Scholar 

  111. Varshanth R Rao and Anil Kumar KM. Predictive node expiration based energy-aware source routing (PNEB ESR) protocol for wireless sensor networks. In Proceedings of the 7th ACM India Computing Conference, page 14. ACM, 2014.

    Google Scholar 

  112. Shahid Raza, Linus Wallgren, and Thiemo Voigt. Svelte: Real-time intrusion detection in the internet of things. Ad hoc networks, 11(8):2661–2674, 2013.

    Article  Google Scholar 

  113. Bradley Reaves and Thomas Morris. An open virtual testbed for industrial control system security research. International Journal of Information Security, 11(4):215–229, 2012.

    Article  Google Scholar 

  114. Eric Rescorla and Nagendra Modadugu. Datagram transport layer security version 1.2, 2012.

    Google Scholar 

  115. Rodrigo Roman, Cristina Alcaraz, Javier Lopez, and Nicolas Sklavos. Key management systems for sensor networks in the context of the internet of things. Computers & Electrical Engineering, 37(2):147–159, 2011.

    Article  Google Scholar 

  116. Rodrigo Roman, Jianying Zhou, and Javier Lopez. On the features and challenges of security and privacy in distributed internet of things. Computer Networks, 57(10):2266–2279, 2013.

    Article  Google Scholar 

  117. Eyal Ronen and Adi Shamir. Extended functionality attacks on iot devices: The case of smart lights. In Security and Privacy (EuroS&P), 2016 IEEE European Symposium on, pages 3–12. IEEE, 2016.

    Google Scholar 

  118. Masoud Rostami, Ari Juels, and Farinaz Koushanfar. Heart-to-heart (h2h): authentication for implanted medical devices. In Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security, pages 1099–1112. ACM, 2013.

    Google Scholar 

  119. Vinay Sachidananda, Shachar Siboni, Asaf Shabtai, Jinghui Toh, Suhas Bhairav, and Yuval Elovici. Let the cat out of the bag: A holistic approach towards security analysis of the internet of things. In Proceedings of the 3rd ACM International Workshop on IoT Privacy, Trust, and Security, pages 3–10. ACM, 2017.

    Google Scholar 

  120. Sarosys LLC. Arachni. web application security scanner framework. http://www.arachni-scanner.com/.

  121. Augustin P Sarr, Philippe Elbaz-Vincent, and Jean-Claude Bajard. A new security model for authenticated key agreement. In International Conference on Security and Cryptography for Networks, pages 219–234. Springer, 2010.

    Google Scholar 

  122. Carl Schuett, Jonathan Butts, and Stephen Dunlap. An evaluation of modification attacks on programmable logic controllers. International Journal of Critical Infrastructure Protection, 7(1):61–68, 2014.

    Article  Google Scholar 

  123. Savio Sciancalepore, Angelo Capossele, Giuseppe Piro, Gennaro Boggia, and Giuseppe Bianchi. Key management protocol with implicit certificates for iot systems. In Proceedings of the 2015 Workshop on IoT challenges in Mobile and Industrial Systems, pages 37–42. ACM, 2015.

    Google Scholar 

  124. Hossein Shafagh, Anwar Hithnawi, Lukas Burkhalter, Pascal Fischli, and Simon Duquennoy. Secure sharing of partially homomorphic encrypted iot data. In Proceedings of the 15th ACM Conference on Embedded Network Sensor System. ACM, 2017.

    Google Scholar 

  125. Hossein Shafagh, Anwar Hithnawi, Andreas Dröscher, Simon Duquennoy, and Wen Hu. Talos: Encrypted query processing for the internet of things. In Proceedings of the 13th ACM Conference on Embedded Networked Sensor Systems, pages 197–210. ACM, 2015.

    Google Scholar 

  126. Zach Shelby and Carsten Bormann. 6LoWPAN: The wireless embedded Internet, volume 43. John Wiley & Sons, 2011.

    Google Scholar 

  127. ShodanⓇ. http://shodan.io.

  128. Dharmini Shreenivas, Shahid Raza, and Thiemo Voigt. Intrusion detection in the RPL-connected 6lowpan networks. In Proceedings of the 3rd ACM International Workshop on IoT Privacy, Trust, and Security, pages 31–38. ACM, 2017.

    Google Scholar 

  129. Shachar Siboni, Asaf Shabtai, Nils O Tippenhauer, Jemin Lee, and Yuval Elovici. Advanced security testbed framework for wearable iot devices. ACM Transactions on Internet Technology (TOIT), 16(4):26, 2016.

    Google Scholar 

  130. Sabrina Sicari, Alessandra Rizzardi, Luigi Alfredo Grieco, and Alberto Coen-Porisini. Security, privacy and trust in internet of things: The road ahead. Computer Networks, 76:146–164, 2015.

    Article  Google Scholar 

  131. Marcos A Simplicio Jr, Marcos VM Silva, Renan CA Alves, and Tiago KC Shibata. Lightweight and escrow-less authenticated key agreement for the internet of things. Computer Communications, 2016.

    Google Scholar 

  132. Meriem Smache, Nadia El Mrabet, Jesus-Javier Gilquijano, Assia Tria, Emmanuel Riou, and Chaput Gregory. Modeling a node capture attack in a secure wireless sensor networks. In Internet of Things (WF-IoT), 2016 IEEE 3rd World Forum on, pages 188–193. IEEE, 2016.

    Google Scholar 

  133. Ben Stock, Giancarlo Pellegrino, Christian Rossow, Martin Johns, and Michael Backes. Hey, you have a problem: On the feasibility of large-scale web vulnerability notification. In USENIX Security Symposium (Aug. 2016), 2016.

    Google Scholar 

  134. Ali Tekeoglu and Ali Saman Tosun. Investigating security and privacy of a cloud-based wireless ip camera: Netcam. In Computer Communication and Networks (ICCCN), 2015 24th International Conference on, pages 1–6. IEEE, 2015.

    Google Scholar 

  135. Ali Tekeoglu and Ali Şaman Tosun. A testbed for security and privacy analysis of iot devices. In Mobile Ad Hoc and Sensor Systems (MASS), 2016 IEEE 13th International Conference on, pages 343–348. IEEE, 2016.

    Google Scholar 

  136. V. Thangavelu, D. M. Divakaran, R. Sairam, S. S. Bhunia, and M. Gurusamy. Deft: A distributed iot fingerprinting technique. IEEE Internet of Things Journal, pages 1–1, 2018.

  137. Nanda Kumar Thanigaivelan, Ethiopia Nigussie, Rajeev Kumar Kanth, Seppo Virtanen, and Jouni Isoaho. Distributed internal anomaly detection system for internet-of-things. In Consumer Communications & Networking Conference (CCNC), 2016 13th IEEE Annual, pages 319–320. IEEE, 2016.

  138. Wade Trappe, Richard Howard, and Robert S Moore. Low-energy security: Limits and opportunities in the internet of things. IEEE Security & Privacy, 13(1):14–21, 2015.

  139. Blase Ur, Jaeyeon Jung, and Stuart Schechter. The current state of access control for smart devices in homes. In Workshop on Home Usable Privacy and Security (HUPS). HUPS 2014, 2013.

  140. U.S. Department of Homeland Security. Brickerbot permanent denial-of-service attack (update a). https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-102-01A.

  141. Emmanouil Vasilomanolakis, Shreyas Srinivasa, Carlos Garcia Cordero, and Max Mühlhäuser. Multi-stage attack detection and signature generation with ICS honeypots. In IEEE/IFIP Workshop on Security for Emerging Distributed Network Technologies (DISSECT). IEEE, 2016.

  142. Eugene Y Vasserman and Nicholas Hopper. Vampire attacks: draining life from wireless ad hoc sensor networks. IEEE transactions on mobile computing, 12(2):318–332, 2013.

  143. Niko Vidgren, Keijo Haataja, Jose Luis Patino-Andres, Juan Jose Ramirez-Sanchis, and Pekka Toivanen. Security threats in Zigbee-enabled systems: vulnerability evaluation, practical experiments, countermeasures, and lessons learned. In System Sciences (HICSS), 2013 46th Hawaii International Conference on, pages 5132–5138. IEEE, 2013.

  144. Linus Wallgren, Shahid Raza, and Thiemo Voigt. Routing attacks and countermeasures in the rpl-based internet of things. International Journal of Distributed Sensor Networks, 9(8):794326, 2013.

  145. Chen Wang, Xiaonan Guo, Yan Wang, Yingying Chen, and Bo Liu. Friend or foe?: Your wearable devices reveal your personal pin. In Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security, pages 189–200. ACM, 2016.

  146. He Wang, Ted Tsung-Te Lai, and Romit Roy Choudhury. Mole: Motion leaks through smartwatch sensors. In Proceedings of the 21st Annual International Conference on Mobile Computing and Networking, pages 155–166. ACM, 2015.

  147. Rolf H Weber and Evelyne Studer. Cybersecurity in the internet of things: Legal aspects. Computer Law & Security Review, 32(5):715–728, 2016.

  148. Biao Wei, Guohong Liao, Weijie Li, and Zheng Gong. A practical one-time file encryption protocol for iot devices. In Computational Science and Engineering (CSE) and Embedded and Ubiquitous Computing (EUC), 2017 IEEE International Conference on, volume 2, pages 114–119. IEEE, 2017.

  149. Yi Wei, Karthik Sukumar, Christian Vecchiola, Dileban Karunamoorthy, and Rajkumar Buyya. Aneka cloud application platform and its integration with windows azure. arXiv preprint arXiv:1103.2590, 2011.

  150. Jacob Wurm, Khoa Hoang, Orlando Arias, Ahmad-Reza Sadeghi, and Yier Jin. Security analysis on consumer and industrial iot devices. In Design Automation Conference (ASP-DAC), 2016 21st Asia and South Pacific, pages 519–524. IEEE, 2016.

  151. Kun Yang, Domenic Forte, and Mark M Tehranipoor. Protecting endpoint devices in iot supply chain. In Computer-Aided Design (ICCAD), 2015 IEEE/ACM International Conference on, pages 351–356. IEEE, 2015.

  152. Lijun Yang, Chao Ding, Meng Wu, and Kun Wang. Robust detection of false data injection attacks for the data aggregation in internet of things based environmental surveillance. Computer Networks, 2017.

  153. Y. Yang, X. Liu, and R. H. Deng. Lightweight break-glass access control system for healthcare internet-of-things. IEEE Transactions on Industrial Informatics, pages 1–1, 2017.

  154. Tianlong Yu, Vyas Sekar, Srinivasan Seshan, Yuvraj Agarwal, and Chenren Xu. Handling a trillion (unfixable) flaws on a billion devices: Rethinking network security for the internet-of-things. In Proceedings of the 14th ACM Workshop on Hot Topics in Networks, page 5. ACM, 2015.

  155. Jonas Zaddach, Luca Bruno, Aurelien Francillon, and Davide Balzarotti. Avatar: A framework to support dynamic security analysis of embedded systems’ firmwares. In NDSS, 2014.

  156. Bruno Bogaz Zarpelão, Rodrigo Sanches Miani, Cláudio Toshio Kawakani, and Sean Carlisto de Alvarenga. A survey of intrusion detection in Internet of things. Journal of Network and Computer Applications, 2017.

  157. Chi Zhang, Yanchao Zhang, and Yuguang Fang. Defending against physical destruction attacks on wireless sensor networks. In Military Communications Conference, 2006. MILCOM 2006. IEEE, pages 1–7. IEEE, 2006.

  158. Nan Zhang, Soteris Demetriou, Xianghang Mi, Wenrui Diao, Kan Yuan, Peiyuan Zong, Feng Qian, XiaoFeng Wang, Kai Chen, Yuan Tian, et al. Understanding iot security through the data crystal ball: Where we are now and where we are going to be. arXiv preprint arXiv:1703.09809, 2017.

  159. Jun Zhao. On resilience and connectivity of secure wireless sensor networks under node capture attacks. IEEE Transactions on Information Forensics and Security, 12(3):557–571, 2017.

  160. Charalambos Konstantinou and Michail Maniatakos. Impact of firmware modification attacks on power systems field devices. In Smart Grid Communications (SmartGridComm), 2015 IEEE International Conference on, pages 283–288, 2015.

  161. YongBin Zhou and DengGuo Feng. Side-channel attacks: Ten years after its publication and the impacts on cryptographic module security testing. IACR Cryptology ePrint Archive, 2005:388, 2005.

Copyright information

© 2020 Springer Nature Switzerland AG

About this chapter

Cite this chapter

Bou-Harb, E., Neshenko, N. (2020). Taxonomy of IoT Vulnerabilities. In: Cyber Threat Intelligence for the Internet of Things. Springer, Cham. https://doi.org/10.1007/978-3-030-45858-4_2

  • DOI: https://doi.org/10.1007/978-3-030-45858-4_2

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-45857-7

  • Online ISBN: 978-3-030-45858-4

  • eBook Packages: Computer Science, Computer Science (R0)
