With the rollout of 5G and the spread of IPv6, the Internet of Things (IoT) industry has entered a period of rapid growth. IoT applications have surged across industries, particularly in the industrial and power sectors. The intelligent, information-driven transformation of traditional industrial and power facilities through IoT technology and devices has been written into government resolutions, and terms such as Industrial IoT, Ubiquitous Power IoT and AIoT have become buzzwords in the investment market. It is fair to say that IoT technology has become an important means of industrial upgrading in China.
Any information technology, however, carries its own security problems. Since the birth of information technology, security has hung over the industry like the sword of Damocles, and the IoT is no exception: inherent weaknesses in device scale, device types, processor architectures, operating systems, access networks and interconnection protocols have made it a hotbed of security problems. This article analyses those problems and the technologies for defending against them.
1. Numerous Devices
Because most IoT devices are sensors and data collectors, they are deployed in very large numbers; in an urban network the measurement points alone can run into the tens of millions. A population of this size is a natural breeding ground for malicious programs. Moreover, most IoT devices run no protective software, and their systems are simple and uniform, so once the network's defences are breached and one device falls, the same technique can hijack countless identical devices at once. They become "zombies" that are not only out of their owners' control but are also directed into DDoS attacks, whose combined bandwidth and destructive power are frightening.
2. Diverse Device Types
Another prominent feature of the IoT is the exceptional diversity of device types and manufacturers. IoT devices are found in communications, security, industry, power, energy, environmental monitoring, emergency response, medicine and many other fields, which have become the foundation of an industry and a technology that have spread like wildfire. The bar for calling something an IoT device is very low; even a small smoke detector qualifies. This diversity poses a serious challenge for protection: almost every device type carries its own inherent vulnerabilities, so tailoring security to each of them is a substantial undertaking.
3. Broad Architecture
IoT devices span almost every processor architecture, from ARM, MIPS, PowerPC, Alpha and UltraSPARC to X86/X64, plus a vast number of microcontroller families. Each architecture has its own compatible operating systems and boot characteristics, which means each architecture is also an environment in which malicious programs can thrive. Generally speaking, IoT devices are designed to be simple and single-purpose and are mostly built on RISC (Reduced Instruction Set Computing) architectures, which are sufficient for the execution requirements of the operating system above them. However, with the recent introduction of "software-defined" technology, software-defined IoT has gradually become an industry consensus. Its aim is to run software-defined IoT services in a general-purpose computing environment (X86/X64 hardware and general-purpose operating systems), so the share of CISC (Complex Instruction Set Computing) processors in the IoT field keeps growing, and with it the security issues that arise from the architecture.
Some malicious programs do not seek compatibility across all architectures but target devices of one specific architecture with precise, tailored attack methods; a device compromised once usually has no way to recover or to resist reinfection. More seriously, the platforms built on these architectures, and increasingly the processors themselves, keep exposing vulnerabilities. The "EternalBlue" exploit that surfaced in 2017 abused a flaw in the SMBv1 implementation of Windows (patched as MS17-010) to execute code remotely with SYSTEM privileges, and the WannaCry ransomware was built on it to spread like a worm. In 2018 the "Meltdown" and "Spectre" vulnerabilities went a level lower, into the CPU: both abuse speculative execution (Meltdown the out-of-order execution of loads past a permission check, Spectre the branch predictor) and recover data from memory through a cache-timing side channel. Of the three variants published, variants 1 and 2 are Spectre and variant 3 is Meltdown, and Spectre in particular affects ARM cores as well as x86, so it is directly relevant to IoT devices. Because IoT vendors generally have no defence against attacks at this level, their devices end up as victims and ransom targets, or as unwitting participants in DDoS attacks.
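The bounds-check-bypass pattern that Spectre variant 1 exploits, beside its index-masking fix, as an added example that is not part of the original article. The memory layout, table contents and function names are constructed for illustration, the "secret" is only assumed to sit past the end of the table, and the code shows the gadget shape and its hardening rather than a live cache-timing leak (which is timing-dependent and not reproducible in a test). The masking construction is the same one the Linux kernel uses in array_index_nospec().

```c
/*
 * Added example (not from the original article): the Spectre variant 1
 * (bounds-check bypass) gadget pattern beside a speculation-safe version.
 * Layout, table contents and function names are constructed for
 * illustration.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { TABLE_SIZE = 16, LINE = 512 };

/* Constructed layout: a public lookup table and, assumed to follow it in
 * memory, a secret that no legitimate index should ever reach. */
static uint8_t public_table[TABLE_SIZE] = {
    0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15
};
static const char secret[] = "key=s3cr3t";

/* The "array2" of the Spectre paper: one cache line per possible byte
 * value. Which line gets pulled into the cache encodes the byte read. */
static uint8_t probe[256 * LINE];

/* Fill one byte per probe line so the gadgets return a checkable value.
 * Returns the number of lines initialised. */
int setup_probe(void) {
    for (int v = 0; v < 256; v++)
        probe[v * LINE] = (uint8_t)v;
    return 256;
}

/* VULNERABLE gadget. Architecturally correct: an out-of-range x never
 * reaches the loads. But once the branch predictor has been trained on
 * in-range values, an out-of-range x is speculatively let through, the
 * byte at public_table[x] (possibly inside secret[]) is loaded, and the
 * dependent load into probe[] leaves a cache footprint an attacker can
 * recover with a flush+reload timing measurement. The mis-speculated
 * result is discarded; the cache state is not. */
uint8_t gadget_vulnerable(size_t x) {
    if (x < TABLE_SIZE)
        return probe[public_table[x] * LINE];
    return 0;
}

/* Returns all-ones if idx < size, zero otherwise, with no branch at all.
 * Assumes size < 2^(bits-1) and an arithmetic right shift of negative
 * signed values (what mainstream compilers emit). If idx < size, both idx
 * and size-1-idx have the top bit clear, so ~(idx | (size-1-idx)) has it
 * set and the shift yields -1. If idx >= size, size-1-idx wraps negative,
 * the OR has the top bit set, its complement has it clear, and the shift
 * yields 0. */
size_t index_mask_nospec(size_t idx, size_t size) {
    intptr_t m = ~(intptr_t)(idx | (size - 1 - idx));
    return (size_t)(m >> (sizeof(intptr_t) * 8 - 1));
}

/* Clamp: AND the index with the mask, so even on a mispredicted path the
 * load uses index 0 rather than an out-of-range one. The mask is a data
 * dependency, not a predicted branch, so speculation cannot skip it. */
size_t safe_index(size_t idx, size_t size) {
    return idx & index_mask_nospec(idx, size);
}

/* HARDENED gadget: same bounds check, plus masking of the index that
 * feeds the load. The alternative is a speculation barrier after the
 * check (lfence on x86, csdb on AArch64), but that is architecture
 * specific and costlier; masking is portable across the architectures
 * the article lists. */
uint8_t gadget_hardened(size_t x) {
    if (x < TABLE_SIZE)
        return probe[public_table[safe_index(x, TABLE_SIZE)] * LINE];
    return 0;
}

int main(void) {
    setup_probe();
    size_t past_end = TABLE_SIZE + 4;   /* would point into secret[] */
    printf("in range : vulnerable=%u hardened=%u\n",
           gadget_vulnerable(3), gadget_hardened(3));
    printf("past end : vulnerable=%u hardened=%u (architectural result)\n",
           gadget_vulnerable(past_end), gadget_hardened(past_end));
    printf("index seen by a speculative load: unmasked=%zu masked=%zu\n",
           past_end, safe_index(past_end, TABLE_SIZE));
    (void)secret;
    return 0;
}
```

Both gadgets return identical results for every architecturally reachable input; the difference is only visible in what the CPU does on the mispredicted path, which is exactly why this class of bug survives ordinary testing. The same masking idiom applies to any array index derived from untrusted input that is followed by a data-dependent memory access, which in IoT firmware commonly means protocol field values used as table indices.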
4. Varied Operating Systems
Matching the variety of architectures, IoT operating systems are equally diverse. Larger manufacturers generally ship a customised operating system, but most of these are Linux-based, with the modifications concentrated on slimming the system: trimming protocol stacks and drivers, dropping file systems and disk drivers, and removing non-essential kernel components and services. The core kernel mechanisms, such as system calls, thread scheduling, memory allocation and I/O management, are left essentially untouched. This uniformity gives malicious programs a broad habitat, but it equally offers a common basis on which generic countermeasures can be built.
5. Diverse Access Methods
The access networking methods for IoT devices are also diverse, broadly categorized into wired and wireless communication methods. Wireless communication can be further divided into short-range communication, long-range cellular communication, and long-range non-cellular communication, with specific communication protocols as shown in Table 1.

Table 1: IoT Device Access Methods

Regardless of the access method, traffic is eventually aggregated over Ethernet, the most widespread, stable and broadly applicable networking layer in the communications architecture. In most IoT deployments this is a campus local area network with security gateways or firewalls at its ingress and egress points. In operator environments, where IoT devices mainly report measurement data, NAT-traversal techniques are commonly used under the current IPv4 system, whereas under IPv6 every device gets a globally unique address. Devices that do not speak TCP/IP at all reach Ethernet through an edge gateway acting as a proxy.

Precisely because Ethernet is everywhere, it inevitably becomes the universal carrier for network attacks (which is not to say other access methods are attack-free): the vast majority of DDoS attacks take place in Ethernet environments. New attack techniques keep appearing, while defences remain comparatively weak and mostly amount to traffic scrubbing or diversion and closing entry points, leaving defenders in a reactive position; means of tracing attacks back to their source are scarce.
6. Numerous Interconnection Protocols
Large-scale, standardised IoT systems are relatively rare and are mostly found in industries such as telecommunications and video surveillance. Video surveillance vendors are concentrated, and authoritative bodies have driven interconnection standards such as GB28181, Onvif, H.323 and H.245, which have become the industry's default and rest on long-established standards such as SIP, RTSP, RTP and RTCP (IETF RFCs) and the ITU-T H-series. Most other IoT devices, however, have simple functions, and their northbound and southbound protocols are defined inconsistently. Moreover, because of the diverse access methods and the need to limit power consumption and to operate and maintain themselves unattended, their application-layer protocols are lighter and their interactions simpler, which gives malicious programs targeting data security and protocol security an opening.

Table 2: Comparison of IoT Application Layer Protocols

On December 23, 2015, three regional electricity distribution companies in Ukraine, among them Kyivoblenergo, lost power across parts of their service areas, and customers' outage and repair calls could not get through. The intrusion was later traced to the BlackEnergy malware, which had entered the utilities' office networks months earlier through phishing emails and gave the attackers a foothold from which to reach the SCADA (supervisory control and data acquisition) systems and open breakers through the operators' own control software. BlackEnergy is suspected to have been developed by a Russian hacker organisation and tailored for attacks on SCADA environments. In parallel, the attackers flooded the utilities' customer call centres with automated calls, a telephone denial of service that blocked outage reports and delayed the emergency response. This was a textbook attack on the power sector's IoT and control infrastructure: code implanted in advance combined with a denial-of-service component at the moment of attack, with frightening consequences. Learning from history, the security of the IoT demands far more attention.
Author: Tan Zhe, Shenzhen Liwei Zhili Technology Co., Ltd.
Excerpted from “China Security” magazine
