602 research outputs found

    Impact and Mitigation of Cyberattacks on IoT devices: A Lens on Smart Home

    This Master's thesis, undertaken at the University of Turku in conjunction with an internship at Alten France, delves into the escalating issue of cyberattacks on IoT devices. This burgeoning area has begun to permeate various sectors of society, most notably through consumer products in smart homes. The primary motivations behind this chosen topic are the increased prevalence of IoT devices in our everyday lives and the corresponding surge in cyber threats, alongside the topic's real-world applicability to my work at Alten France, which is heavily invested in digital technology and innovation. The thesis begins with a comprehensive exploration of the current landscape of IoT cyber threats, including various attack vectors and their impact on different types of IoT devices. The challenges of securing IoT devices are then examined, highlighting the limitations and vulnerabilities of the IoT infrastructure. The research analyzes the impacts of cyberattacks on individual users, organizations, and society at large. It covers a wide range of consequences, such as privacy violations, financial losses, disruptions to critical infrastructure, and effects such as eroded trust in digital systems. The latter segment of the thesis addresses potential solutions and preventive measures to mitigate these impacts. The research does not aim to propose new strategies but seeks to inform future mitigation efforts based on its thorough analysis. On the whole, this thesis presents a meticulous and extensive examination of the impacts of cyberattacks on IoT devices, with an emphasis on smart homes. It underscores the urgent requirement for bolstered cybersecurity measures in our increasingly interconnected world, highlighting the severe repercussions of neglecting this need. 
    By deepening the understanding of the extensive impacts of these cyberattacks, this research contributes valuable insights to academic discussions and supplies essential information for policymakers and industry professionals to develop more secure and resilient IoT systems.

    The Applications of the Internet of things in the Medical Field

    The Internet of Things (IoT) paradigm promises to make “things” include a more generic set of entities such as smart devices, sensors, human beings, and any other IoT objects to be accessible at anytime and anywhere. IoT varies widely in its applications, and one of its most beneficial uses is in the medical field. However, the large attack surface and vulnerabilities of IoT systems need to be secured and protected. Security is a requirement for IoT systems in the medical field where the Health Insurance Portability and Accountability Act (HIPAA) applies. This work investigates various applications of IoT in healthcare and focuses on the security aspects of two Internet of Medical Things (IoMT) devices: the LifeWatch Mobile Cardiac Telemetry 3 Lead (MCT3L), and the remote patient monitoring system of the telehealth provider Vivify Health, as well as their implementations.

    The impact of cybersecurity on industrial processes. Understand the risks and how to mitigate the consequences

    Cybersecurity is becoming an increasingly important topic that companies can no longer ignore, especially since most attacks have now evolved to the point of making antivirus and firewalls insufficient to guarantee the protection of organizations, pushing those responsible for cybersecurity to invest more and more to keep up with increasingly complex threats. Security has reached a level at which attackers, given the increasing difficulty of carrying out cyber-attacks in IT networks, have begun to consider targeting manufacturing companies in the environments where they are most vulnerable: industrial systems and networks. These networks have lost the protection that segregation gave them in past years because of the massive introduction of IoT and the new paradigms of Industry 4.0, which are imposing an opening towards external systems such as the cloud and a tight integration with corporate systems. This is very dangerous because even fragile machinery that could lose availability through simple attacks or apparently harmless actions has been exposed. These assets are often based on obsolete versions of software and operating systems that communicate with each other using clear-text communication protocols, without any authentication or cryptography. This project is positioned in this area and deals with securing a recently purchased panel line that has been inserted in one of Fincantieri's production sites, respecting all corporate cybersecurity policies and best practices and limiting to the minimum the increase of the attack surface due to its insertion in the company. The activities focused on the analysis of the potential risks to which this system could be exposed and the definition of remediation. Considering the environment in which it has been operated, it is not always possible to act on the source of the problem and alternative measures must often be found that limit the criticalities highlighted.

    Risk and threat mitigation techniques in internet of things (IoT) environments: a survey

    Security in the Internet of Things (IoT) remains a predominant area of concern. Although several other surveys have been published on this topic in recent years, the broad spectrum that this area aims to cover, the rapid developments and the variety of concerns make it impossible to cover the topic adequately. This survey updates the state of the art covered in previous surveys and focuses on defences and mitigations against threats rather than on the threats alone, an area that is less extensively covered by other surveys. This survey has collated current research considering the dynamicity of the IoT environment, a topic that is missed in other surveys and warrants particular attention. To consider IoT mobility, a life-cycle approach is adopted to the study of dynamic and mobile IoT environments and means of deploying defences against malicious actors aiming to compromise an IoT network and to evolve their attack laterally within it and from it. This survey takes a more comprehensive and detailed step by analysing a broad variety of methods for accomplishing each of the mitigation steps, presenting these uniquely by introducing a “defence-in-depth” approach that could significantly slow down the progress of an attack in the dynamic IoT environment. This survey sheds light on leveraging redundancy, an inherent property of multi-sensor IoT applications, to improve integrity and recovery. This study highlights the challenges of each mitigation step, emphasises novel perspectives, and reconnects the discussed mitigation steps to the ground principles they seek to implement.

    Security Assessment and Hardening of Fog Computing Systems

    In recent years, there has been a shift in computing architectures, moving away from centralized cloud computing towards decentralized edge and fog computing. This shift is driven by factors such as the increasing volume of data generated at the edge, the growing demand for real-time processing and low-latency applications, and the need for improved privacy and data locality. Although this new paradigm offers numerous advantages, it also introduces significant security and reliability challenges. This paper aims to review the architectures and technologies employed in fog computing and identify opportunities for developing novel security assessment and security hardening techniques. These techniques include secure configuration and debloating to enhance the security of middleware, testing techniques to assess secure communication mechanisms, and automated rehosting to speed up the security testing of embedded firmware. Comment: 4 pages, Accepted for publication at The 34th IEEE International Symposium on Software Reliability Engineering Workshops (ISSREW

    Secure data exchange in Industrial Internet of Things

    The use of the Industrial Internet of Things (IIoT) is widespread, working as an enabler to implement large, scalable, reliable, and secure industrial environments. However, existing deployments do not meet security standards and have limited resources for each component, which leads to several security breaches, such as trust between components, partner factories, or remote control. These security failures can lead to critical outcomes, from theft of production information to forced production stoppages and accidents, including physical and others. The combination of blockchain-based solutions with IIoT environments is gaining momentum due to their resilience and security properties. However, chain-structured classic blockchain solutions are very resource-intensive and are not suitable for power-constrained IoT devices. To mitigate the mentioned security concerns, a secure architecture is proposed using a structured asynchronous blockchain DAG (Directed Acyclic Graph) that simultaneously provides security and transaction efficiency for the solution. The solution was modelled with special details in the use cases and sequence diagrams. Security concerns were integrated from the start, and a threat model was created using the STRIDE approach to test the security of the proposed solution. As a result, a flexible solution has been developed that significantly reduces the attack vectors in IIoT environments. The proposed architecture is versatile and flexible and is supported by an extensive security assessment, which allows it to be deployed in a variety of customizable industrial environments and scenarios, as well as to include future hardware and software extensions. This work has been supported by FCT – Fundação para a Ciência e Tecnologia within the Project Scope: UIDB/05757/2020.

    The digital harms of smart home devices: a systematic literature review

    The connection of home electronic devices to the internet allows remote control of physical devices and involves the collection of large volumes of data. With the increase in the uptake of Internet-of-Things home devices, it becomes critical to understand the digital harms of smart homes. We present a systematic literature review on the security and privacy harms of smart homes. PRISMA methodology is used to systematically review 63 studies published between January 2011 and October 2021, and a review of known cases is undertaken to illustrate the literature review findings with real-world scenarios. Published literature identifies that smart homes may pose threats to confidentiality (unwanted release of information), authentication (sensing information being falsified) and unauthorised access to system controls. Most existing studies focus on privacy intrusions as a prevalent form of harm against smart homes. Other types of harms that are less common in the literature include hacking, malware and DoS attacks. Digital harms, and data associated with these harms, may vary extensively across smart devices. Most studies propose technical measures to mitigate digital harms, while fewer consider social prevention mechanisms. We also identify salient gaps in research, and argue that these should be addressed in future cross-disciplinary research initiatives.