Vulnerability Analysis of Network Routers in IoT Environment

Sve većom pojavom uređaja interneta stvari u svakodnevnom životu lokalne mreže diljem svijeta se pretvaraju u IoT okruženja čime se povećava potencijalna površina za napad od strane malicioznih aktera. S druge strane unutar takvih IoT okruženja se pojavljuje potreba za sve većim brojem mrežnih usmjernika kako bi se povećao kapacitet mreže. Ranjivosti u tim mrežnim usmjernicima u takvim situacijama direktno utječe na sigurnost cjelokupnog IoT okruženja. Na tri različita mrežna usmjernika je bila provedena detekcija i analiza ranjivosti pomoću programskih alata, ali i pomoću pristupa fizičkom sučelju na tiskanoj pločici na samim uređajima. Na temelju rezultata napravljena je komparativna analiza kako bi se mogla procijeniti potencijalna šteta unutar IoT okruženja i zatim je dan prijedlog načina zaštite usmjernika unutar IoT okruženja.With the ever-increasing occurrence of internet devices in the everyday life local networks around the world are transformed into IoT environments, thus increasing the potential surface for attack by malicious actors. On the other hand, within such IoT environments there is a need for an increasing number of network routers to increase network capacity. Vulnerabilities in these network routers in such situations directly affect the security of an entire IoT environment. Three different network routers have been tested and analyzed for vulnerabilities using program tools, as well as by accessing a physical interface on a circuit board of a device. Based on the results, a comparative analysis was carried out to assess potential damage within the IoT environment and then a proposal was made on how to protect the routers within such IoT environment

A hybrid methodology to assess cyber resilience of IoT in energy management and connected sites

Cyber threats and vulnerabilities present an increasing risk to the safe and frictionless execution of business operations. Bad actors (“hackers”), including state actors, are increasingly targeting the operational technologies (OTs) and industrial control systems (ICSs) used to protect critical national infrastructure (CNI). Minimisations of cyber risk, attack surfaces, data immutability, and interoperability of IoT are some of the main challenges of today’s CNI. Cyber security risk assessment is one of the basic and most important activities to identify and quantify cyber security threats and vulnerabilities. This research presents a novel i-TRACE security-by-design CNI methodology that encompasses CNI key performance indicators (KPIs) and metrics to combat the growing vicarious nature of remote, well-planned, and well-executed cyber-attacks against CNI, as recently exemplified in the current Ukraine conflict (2014–present) on both sides. The proposed methodology offers a hybrid method that specifically identifies the steps required (typically undertaken by those responsible for detecting, deterring, and disrupting cyber attacks on CNI). Furthermore, we present a novel, advanced, and resilient approach that leverages digital twins and distributed ledger technologies for our chosen i-TRACE use cases of energy management and connected sites. The key steps required to achieve the desired level of interoperability and immutability of data are identified, thereby reducing the risk of CNI-specific cyber attacks and minimising the attack vectors and surfaces. Hence, this research aims to provide an extra level of safety for CNI and OT human operatives, i.e., those tasked with and responsible for detecting, deterring, disrupting, and mitigating these cyber-attacks. Our evaluations and comparisons clearly demonstrate that i-TRACE has significant intrinsic advantages compared to existing “state-of-the-art” mechanisms

A principled approach to measuring the IoT ecosystem

Internet of Things (IoT) devices combine network connectivity, cheap hardware, and actuation to provide new ways to interface with the world. In spite of this growth, little work has been done to measure the network properties of IoT devices. Such measurements can help to inform systems designers and security researchers of IoT networking behavior in practice to guide future research. Unfortunately, properly measuring the IoT ecosystem is not trivial. Devices may have different capabilities and behaviors, which require both active measurements and passive observation to quantify. Furthermore, the IoT devices that are connected to the public Internet may vary from those connected inside home networks, requiring both an external and internal vantage point to draw measurements from. In this thesis, we demonstrate how IoT measurements drawn from a single vantage point or mesaurement technique lead to a biased view of the network services in the IoT ecosystem. To do this, we conduct several real-world IoT measurements, drawn from both inside and outside home networks using active and passive monitoring. First, we leverage active scanning and passive observation in understanding the Mirai botnet---chiefly, we report on the devices it infected, the command and control infrastructure behind the botnet, and how the malware evolved over time. We then conduct active measurements from inside 16M home networks spanning 83M devices from 11~geographic regions to survey the IoT devices installed around the world. We demonstrate how these measurements can uncover the device types that are most at risk and the vendors who manufacture the weakest devices. We compare our measurements with passive external observation by detecting compromised scanning behavior from smart homes. We find that while passive external observation can drive insight about compromised networks, it offers little by way of concrete device attribution. We next compare our results from active external scanning with active internal scanning and show how relying solely on external scanning for IoT measurements under-reports security important IoT protocols, potentially skewing the services investigated by the security community. Finally, we conduct passive measurements of 275~smart home networks to investigate IoT behavior. We find that IoT device behavior varies by type and devices regularly communicate over a myriad of bespoke ports, in many cases to speak standard protocols (e.g., HTTP). Finally, we observe that devices regularly offer active services (e.g., Telnet, rpcbind) that are rarely, if ever, used in actual communication, demonstrating the need for both active and passive measurements to properly compare device capabilities and behaviors. Our results highlight the need for a confluence of measurement perspectives to comprehensively understand IoT ecosystem. We conclude with recommendations for future measurements of IoT devices as well as directions for the systems and security community informed by our work

Automated analysis of security protocol implementations

Security protocols, or cryptographic protocols, are crucial to the functioning of today’s technology-dependant society. They are a fundamental innovation, without which much of our online activity, mobile communication and even transport signalling would not be possible. The reason for their importance is simple, communication over shared or publicly accessible networks is vulnerable to interception, manipulation, and impersonation. It is the role of security protocols to prevent this, allowing for safe and secure communication. Our reliance on these protocols for such critical tasks, means it is essential to engineer them with great care, just like we do with bridges or a safety-critical aircraft engine control system, for example. As with all types of engineering, there are two key elements to this process – design and implementation. In this thesis we produce techniques to analyse the latter. In particular, we develop automated tooling which helps to identify incorrect or vulnerable behaviour in the implementations of security protocols. The techniques we present follow a theme of trying to infer as much as we can about the protocol logic implemented in a system, with as little access to it’s inner workings as possible. In general, we do this through observations of protocol messages on the network, executing the system, but treating it as a black-box. Within this particular framework, we design two new techniques – one which identifies a specific vulnerability in TLS/SSL, and another, more general approach, which systematically extracts a protocol behaviour model from protocols like the WiFi security handshakes. We then argue that it his framework limits the potential of model extraction, and proceed to develop a solution to this problem by utilising grey-box insights. Our proposed approach, which we test on a variety of security protocols, represents a paradigm shift in the well established model learning field. Throughout this thesis, as well as presenting general results from testing the efficacy of our tools, we also present a number of vulnerabilities we discover in the process. This ranges from major banking apps vulnerable to Man-In-The-Middle attacks, to CVE assigned ciphersuite downgrades in popular WiFi routers

The Security of IP-based Video Surveillance Systems

IP-based Surveillance systems protect industrial facilities, railways, gas stations, and even one's own home. Therefore, unauthorized access to these systems has serious security implications. In this survey, we analyze the system's (1) threat agents, (2) attack goals, (3) practical attacks, (4) possible attack outcomes, and (5) provide example attack vectors

Fog computing security: a review of current applications and security solutions

Fog computing is a new paradigm that extends the Cloud platform model by providing computing resources on the edges of a network. It can be described as a cloud-like platform having similar data, computation, storage and application services, but is fundamentally different in that it is decentralized. In addition, Fog systems are capable of processing large amounts of data locally, operate on-premise, are fully portable, and can be installed on heterogeneous hardware. These features make the Fog platform highly suitable for time and location-sensitive applications. For example, Internet of Things (IoT) devices are required to quickly process a large amount of data. This wide range of functionality driven applications intensifies many security issues regarding data, virtualization, segregation, network, malware and monitoring. This paper surveys existing literature on Fog computing applications to identify common security gaps. Similar technologies like Edge computing, Cloudlets and Micro-data centres have also been included to provide a holistic review process. The majority of Fog applications are motivated by the desire for functionality and end-user requirements, while the security aspects are often ignored or considered as an afterthought. This paper also determines the impact of those security issues and possible solutions, providing future security-relevant directions to those responsible for designing, developing, and maintaining Fog systems

Backdoor detection systems for embedded devices

A system is said to contain a backdoor when it intentionally includes a means to trigger the execution of functionality that serves to subvert its expected security. Unfortunately, such constructs are pervasive in software and systems today, particularly in the firmware of commodity embedded systems and “Internet of Things” devices. The work presented in this thesis concerns itself with the problem of detecting backdoor-like constructs, specifically those present in embedded device firmware, which, as we show, presents additional challenges in devising detection methodologies. The term “backdoor”, while used throughout the academic literature, by industry, and in the media, lacks a rigorous definition, which exacerbates the challenges in their detection. To this end, we present such a definition, as well as a framework, which serves as a basis for their discovery, devising new detection techniques and evaluating the current state-of-the-art. Further, we present two backdoor detection methodologies, as well as corresponding tools which implement those approaches. Both of these methods serve to automate many of the currently manual aspects of backdoor identification and discovery. And, in both cases, we demonstrate that our approaches are capable of analysing device firmware at scale and can be used to discover previously undocumented real-world backdoors

Anomaly Detection in BACnet/IP managed Building Automation Systems

Building Automation Systems (BAS) are a collection of devices and software which manage the operation of building services. The BAS market is expected to be a $19.25 billion USD industry by 2023, as a core feature of both the Internet of Things and Smart City technologies. However, securing these systems from cyber security threats is an emerging research area. Since initial deployment, BAS have evolved from isolated standalone networks to heterogeneous, interconnected networks allowing external connectivity through the Internet. The most prominent BAS protocol is BACnet/IP, which is estimated to hold 54.6% of world market share. BACnet/IP security features are often not implemented in BAS deployments, leaving systems unprotected against known network threats. This research investigated methods of detecting anomalous network traffic in BACnet/IP managed BAS in an effort to combat threats posed to these systems. This research explored the threats facing BACnet/IP devices, through analysis of Internet accessible BACnet devices, vendor-defined device specifications, investigation of the BACnet specification, and known network attacks identified in the surrounding literature. The collected data were used to construct a threat matrix, which was applied to models of BACnet devices to evaluate potential exposure. Further, two potential unknown vulnerabilities were identified and explored using state modelling and device simulation. A simulation environment and attack framework were constructed to generate both normal and malicious network traffic to explore the application of machine learning algorithms to identify both known and unknown network anomalies. To identify network patterns between the generated normal and malicious network traffic, unsupervised clustering, graph analysis with an unsupervised community detection algorithm, and time series analysis were used. The explored methods identified distinguishable network patterns for frequency-based known network attacks when compared to normal network traffic. However, as stand-alone methods for anomaly detection, these methods were found insufficient. Subsequently, Artificial Neural Networks and Hidden Markov Models were explored and found capable of detecting known network attacks. Further, Hidden Markov Models were also capable of detecting unknown network attacks in the generated datasets. The classification accuracy of the Hidden Markov Models was evaluated using the Matthews Correlation Coefficient which accounts for imbalanced class sizes and assess both positive and negative classification ability for deriving its metric. The Hidden Markov Models were found capable of repeatedly detecting both known and unknown BACnet/IP attacks with True Positive Rates greater than 0.99 and Matthews Correlation Coefficients greater than 0.8 for five of six evaluated hosts. This research identified and evaluated a range of methods capable of identifying anomalies in simulated BACnet/IP network traffic. Further, this research found that Hidden Markov Models were accurate at classifying both known and unknown attacks in the evaluated BACnet/IP managed BAS network

Using machine learning to guide automated intrusion response

Traditionally Intrusion Response Systems (IRSs) have had a strong reliance on net-work administrators to perform various responses for a network. Though this is expected, particularly with networks containing sensitive data, it is not completely practical, considering the ever-growing demand for speed, scalability, and automation in computer networks. This work presents a proof of concept automated IRS that provides both for networks containing sensitive data and high-speed networks, by using basic responses for complex attacks, and by using reinforcement learning for direct attacks. Responses for the latter are done by creating a response system that is able to learn from the effectiveness of its own responses. This work is evaluated in its effectiveness against the deactivation issue, which is concerned with the problem of automatically deactivating network responses after they've been activated by an IRS. All tests are conducted using an emulated network, that was de-signed to replicate real network behaviour. Simulated attacks were used to train the IRS. Results of training were evaluated at intervals of 100, 500, 1000 and 2000 at-tacks. The findings of this work indicate that while applying reinforcement learning to IRSs is feasible, adjustments may still be required to improve its performance