Abstract
With the interconnectedness of heterogeneous IoT devices being deployed in smart living spaces, it is imperative to assure that connected devices are resilient against Denial-of-Service (DoS) attacks. DoS attacks may cause economic damage but may also jeopardize the life of individuals, e.g., in a smart home healthcare environment since there might be situations (e.g., heart attacks), when urgent and timely actions are crucial. To achieve a better understanding of the DoS attack scenario in the ever so private home environment, we conduct a vulnerability assessment of five commercial-off-the-shelf IoT devices: a gaming console, media player, lighting system, connected TV, and IP camera, that are typically found in a smart living space. This study was conducted using an automated vulnerability scanner – Open Vulnerability Assessment System (OpenVAS) – and focuses on semantic DoS attacks. The results of the conducted experiment indicate that the majority of the tested devices are prone to DoS attacks, in particular those caused by a failure to manage exceptional conditions, leading to a total compromise of their availability. To understand the root causes for successful attacks, we analyze the payload code, identify the weaknesses exploited, and propose some mitigations that can be adopted by smart living developers and consumers.
Keywords
1 Introduction
The availability of affordable Internet-connected household devices, such as IP cameras, Wi-Fi-enabled light bulbs, and smart TVs, is stimulating the growth of smart living spaces, a typical case of which being the smart connected home. A smart connected home is a residence that uses IoT technologies, such as sensors, smart devices, and communication protocols, allowing for remote access, control, and management, typically via the Internet [12].
As much as we rely more on IoT devices in daily life, these devices are vulnerable to active cyberattacks such as Denial-of-service (DoS) [1]. DoS is typically described as a widely used attack vector by various malicious threat agents such as hackers, hacktivists, and thieves. Indeed, traditional DoS attacks on information systems can be threats to the smart home, given Internet-connected components [10]. Such attacks may be the first step in removing a smart home component from a network to exploit a vulnerability in its disconnected failure state [10].
The impact of a DoS attack may range from a nuisance to loss of revenues to even loss of life. As an example, in 2016, a major IoT-oriented malware, i.e., Mirai [24], caused severe monetary damage by exploiting devices, mostly consumer IoT devices such as IP cameras found in homes, and converting them into a botnet. Mirai had the capabilities to perform various types of Distributed Denial of Service (DDoS) attacks – DDoS is a DoS attack that uses a high number of hosts to make the DoS attack even more disruptive [11] – like DNS, UDP, STOMP, SYN, and ACK flooding [20]. In 2019, Kaspersky Lab indicated that DDoS attacks have escalated in the IoT by 84%, and their average duration increased by 4.21 times [25]. This highlights the insecurity of current IoT devices and justifies the importance of studying DoS attacks.
Research on DoS attacks tends to be primarily focused on attack detection techniques (e.g., anomaly-detection) and response mechanisms (e.g., distributed packet-filtering) [21]. To a lesser extent, fewer scholarly studies have been published that focus on the actual DoS attack scenario – crucial to determine the resilience of an IoT device. In fact, most of the available studies are made by professional penetration testers (cf. white paper “The IoT Threat Landscape and Top Smart Home Vulnerabilities in 2018” by Bitdefender [34]). The mentioned report [34] indicates that DoS is the most common vulnerability present in the smart home, followed by code execution and buffer overflow.
There are two broad categories of DoS attacks: semantic and flooding attacks [13, 21, 30]. Respectively, these are also called software exploits or application-based attacks and brute-force attacks in scholarly literature. While in flooding attacks a victim is sent a voluminous amount of network traffic to exhaust its bandwidth or computing resources, in semantic attacks packets that exercise specific software bugs (vulnerabilities) are sent to a victim’s operating system or application. Although flooding attacks are important, in this paper we focus on semantic attacks for three main reasons: i) these attacks can be an enabler for other security and privacy threats; ii) most of the existing studies target traditional computer devices or resources, e.g., application servers, and not consumer IoT devices; and iii) arguably, while devices are in theory always prone to flooding they may not be susceptible to software exploits if their software is updated. These characteristics make semantic DoS attacks interesting to study from a scientific perspective.
Specifically, we conduct an experiment on five commercial-off-the-shelf devices: a gaming console, media player, lighting system, connected TV, and IP camera. These consequently represent three different categories of smart living devices commonly found in a home – energy and resource management, entertainment systems, and security and safety. All the devices used in this paper are manufactured by established industry leaders. The assessment is done through vulnerability scanning. Vulnerability scanning is the process of detecting potential weaknesses on a computer, network or services. Specifically, we leverage the Open Vulnerability Assessment System (OpenVAS) framework. To understand the root causes for successful attacks, we analyze the payload code, identify the weaknesses exploited, and propose some mitigations that can be adopted by smart living developers and consumers.
The remainder of this paper is organized as follows. In Sect. 2, we provide an overview of a typical smart connected home architecture. Next, we summarize related work on DoS. The description of a DoS attack and the experiment design is elaborated on in Sect. 4. In Sect. 5, we summarize the achieved results. Subsequently, we discuss some implications of our findings and provide some guidance for mitigating such vulnerabilities in Sect. 6. Finally, in Sect. 7, we conclude and specify directions for future work.
2 Smart Connected Home Architecture
A smart connected home consists of heterogeneous devices. These typically exchange data about the state of the home, environment, and activities of residents.
Commonly, the IoT devices are connected to an IoT gateway, which is in turn connected to the residential Internet router. The gateway/router is the endpoint that connects the IoT devices to the Internet Service Provider (ISP). Some connected home devices, in particular, resourceful nodes such as certain smart TVs, may also have built-in gateway functionality allowing them to connect to the Internet router and sometimes to an ISP directly.
The connection between the gateway and router tends to be Ethernet or Wi-Fi based; whereas the communication between the IoT devices and the gateway usually leverages wireless protocols such as Zigbee, Z-wave, and Thread. These protocols are designed for power-efficiency making them ideal for battery-operated devices.
Users can interact with the IoT devices and manage their smart connected home devices through different platforms, most commonly through smartphones. The interaction modalities are in general two: i) directly interacting with them using the services provided by the gateway, and ii) accessing Internet cloud services that interact with the gateway and the connected IoT devices. Typically, the smart connected home relies on a cloud-based infrastructure.
These two scenarios are often present simultaneously to support local and remote interactions with the IoT devices. In Fig. 1, we provide a graphical overview of the smart connected home architecture.
3 Related Work
Karig and Lee [22] classify DoS attacks into five different categories: network-device level, OS level, application level, data flood, and protocol feature attack. This categorization is based on the attacked protocol level. The authors also provide countermeasures that mostly reflect the classification of attacks. This work is useful as a basis for understanding DoS attacks and their impact, however it falls short in elaborating on the causes of certain attack categories, e.g., application-based attacks.
Mirkovic and Reiher [29] group DDoS attacks into two categories: semantic and brute-force attacks. Brute-force attacks are related to the data flood attacks in Karig and Lee’s [22] classification as they involve the sending of a large volume of attack packets to a target, whereas the rest are non-flooding attacks. The authors also provide a taxonomy of defense mechanisms differentiating between preventive and reactive mechanisms. While this work is relevant for comprehending DoS attacks, it is primarily focused on DDoS attacks. DDoS attacks tend to be more related to brute-force attacks and have specific attack types such as DNS, NTP, Chargen, and SSDP, which may not be as relevant to DoS.
Bonguet and Bellaiche [11] classify DoS and DDoS attacks into two broad categories: overwhelm the resources and vulnerabilities. Respectively, these correspond to the brute-force and semantic attacks as described by Mirkovic and Reiher [29]. The authors present new types of DoS and DDoS attacks, in particular the XML-DoS and HTTP-DoS, that affect cloud computing. They also discuss some detection and mitigation techniques. In our case, we are mainly interested in investigating the causes of DoS attacks affecting devices found in smart living spaces.
The Open Web Application Security Project (OWASP) [33] focuses on the type of vulnerabilities at the application level allowing a malicious user to make certain functionality or, sometimes, the entire website unavailable. They identified eight test cases, such as buffer overflows, each leading to DoS. We leverage the work of OWASP indirectly by conducting an experiment on connected home devices.
In reviewing the existing work, we observe that the majority of the published work, whilst providing a solid theoretical basis, does not elaborate much on the method used for conducting a DoS attack. Specifically, we observe a shortage of studies that test IoT devices against semantic DoS attacks aimed at the application and data processing layers. With few exceptions, most of these also tend to run such tests on web applications, instead of services which may also include network and operating system-based software components. With the rise of increasingly targeted attacks and motivated attackers, we believe that semantic DoS attacks are likely to be exploited and thus are important to study. Finally, we observe that most of the mitigations proposed, while generic enough, may not necessarily address certain discovered vulnerabilities. Thus, it is useful to investigate firsthand the causes of such attacks to propose more appropriate solutions.
4 Method
4.1 The DoS Attack
DoS attacks attempt to exhaust or disable access to resources at the victim. These resources are either network bandwidth, computing power, or operating system data structures. Effectively, DoS attacks can target all the different protocol layers of the TCP/IP protocol stack. In the home environment, DoS can occur directly at the IoT devices, at the residential router, and at cloud endpoints [16]. Typically, web servers embedded inside IoT devices are a frequent target of attacks.
In this work, we focus on semantic attacks. These attacks take advantage of specific bugs in network services that are running on a target host or by using such applications to drain the resources of their victim [22]. It is also possible that the attacker may have found points of high-algorithmic complexity and leverages them to consume all available resources on a remote host [14].
4.2 Experiment Setup
An experiment was devised to test IoT devices for their resiliency against DoS attacks. The experiment was conducted in April 2019, and it featured smart devices that had their firmware upgraded to the latest as detailed in [3].
The experimental platform is based on the framework of Liang et al. [26], which implemented a DoS attack method for IoT systems. Effectively, our experiment setup is an instance of the smart connected home architecture described in Sect. 2. Each smart device had embedded gateway functionality and was directly connected via its Wi-Fi interface to the router. The smartphone role is delegated to the PC. The router is in turn connected to the broadband modem via Ethernet.
A smart connected home is typically characterised by a mix of devices, but often contains a so-called starter kit with a few core devices that are typically manufactured by one supplier [36]. Our testbed devices are chosen to reflect this; however we selected devices that were produced by different vendors to have a more generic overview of devices’ exposure to DoS attacks. A schematic illustration of the setup is shown in Fig. 2 and consists of the following components:
- PC: Portable workstation that reads data from smart devices, and furnishes data to users through the help of software applications. The PC, running Windows 10, had virtualization software installed; specifically, Oracle VM VirtualBox – a free and open-source hosted hypervisor for x86 virtualization – that is used to host the “attacker platform”. The PC had one physical network card installed.
- Attacker platform: A virtual machine installed with Kali Linux and the OpenVAS vulnerability scanner. The attacker platform was connected to the Internet in order to install OpenVAS and later to download the latest vulnerability tests for it. Also, it was connected to the Local Area Network (LAN) in order to execute DoS attacks on the smart devices. Kali Linux was configured with the Network Address Translation (NAT) networking mode as a means for accessing the Internet alongside the smart devices.
- Router: A networking device that forwards data packets between the connected devices and the Internet and assigns IP addresses to the PC and smart devices. In our case, the router was a Compal Router that connected the PC, smart devices, and the attacker platform in a LAN setup.
- Smart devices: Five commercial-off-the-shelf IoT devices: a gaming console, media player, lighting system, connected TV, and IP camera [3]. The IP addresses for the devices were automatically assigned by the router using the Dynamic Host Configuration Protocol (DHCP).
Smart devices process data, which are transferred to the PC via the router. In reality, the role of the PC could be that of, for instance, a smartphone application or a web page that displays processed results from the smart devices. The components and their IP addresses are summarized in Table 1.
The network utility ping was used to check the connection between the PC and smart devices. This was used prior to running the vulnerability scans.
4.3 Vulnerability Scanning
Various security tools (scanners) exist that can assist in finding and analyzing security vulnerabilities. Tundis et al. [42] in their review of network vulnerabilities scanning tools, group such tools into two main categories: automatic scanning tools with publicly shared results and personal interaction-based scanning tools. Whereas in the former category tools automatically scan the Internet and render their results publicly, in the latter results are only returned to the tool operator. In our case, we rely on personal interaction-based scanning tools for ethical reasons and as the devices were not configured with a public IP address.
Three personal interaction-based scanning tools that are used by security researchers, e.g., in [18], are: Nessus, Metasploit Pro, and OpenVAS. Nessus is a proprietary vulnerability scanner produced by Tenable Network Security. Metasploit Pro is a security scanner that also allows for the exploitation of vulnerabilities (i.e., penetration testing). Both Nessus and Metasploit Pro are commercial tools that are used by various security professionals for security compliance and assessment purposes. OpenVAS is free software, effectively a fork of Nessus, for vulnerability scanning and management. In our case, we rely on OpenVAS as our scanner given that it is free, that it offers a comprehensive vulnerability management platform with similar features to commercial tools, and that other security researchers have used it for similar purposes to our study.
In the experiment, we assumed an attack model where the malicious threat agent is located inside the smart home network, having both physical and digital access to the connected devices and attacker platform. Nonetheless, we only consider semantic DoS exploits and not DoS caused by physically disabling a device.
For the experiment, we configured OpenVAS on Kali Linux according to its official documentation [38]. First, we ensured that Kali Linux was updated and then installed the latest OpenVAS through the command “openvas-setup”. Once the setup was completed, the command “netstat -antp” was entered to verify that OpenVAS’ requisite network services – in particular, its manager, scanner, and the Greenbone Security Assistant Daemon (GSAD) – were open and listening. Next, the command “openvas-start” was keyed to start all the services.
Once the services were successfully started, we connected to the OpenVAS web interface by pointing the web browser, in our case Mozilla Firefox, to it. Therein, we configured OpenVAS scanning to “Full and very deep ultimate” and used as input the port list “All TCP and Nmap 5.51 top 100 UDP” [19]. This allowed the scanner to test most of the smart devices’ network ports (in total 65,535 TCP ports and 99 UDP ports) for a broad range of vulnerability classes. Nonetheless, we limited the test cases to include solely DoS attacks, for which, at the time of the experiment, OpenVAS had 1,384 network tests.
4.4 Attack Introspection
After the scans were completed, results were displayed on the PC. For each successful attack, we inspected the attack payload, i.e., the exploit code, that resulted in the DoS attack to succeed. This was done to understand the mechanics of the attack.
Online security vulnerability databases were used as a source for getting details about the exploits and their code. In doing so, the following public databases were used: SecurityFocus, CVE Details, and Vulners. The aforementioned databases were used in tandem with the actual test case code as executed by OpenVAS.
Furthermore, to identify the root causes for an attack to succeed we leveraged the classification scheme employed by the National Vulnerability Database (NVD) of the National Institute of Standards and Technology. NVD has gained recognition from organizations such as MITRE Corporation and has been used by researchers for similar purposes [2] to ours. This classification is based on the causes of vulnerabilities, grouping them into eight classes: input validation error, access validation error, exception condition error handling, environmental error, configuration error, race condition error, design error, and others [2].
5 Results
5.1 Smart Living Devices Vulnerabilities
Following the execution of vulnerability scanning as described in Sect. 4.3, a total of 13 DoS-related vulnerabilities were found to affect the tested smart living devices.
The device that was most prone to semantic DoS attacks was a gaming console. This had nine vulnerabilities, two of which reported as having critical severity. Critical severity indicates that the effects of exploiting the vulnerability can result in total compromise of the device.
One of the discovered vulnerabilities – Linksys WRT54G DoS – was rated with the most severe score (CVSS score: 10), allowing an intruder to “freeze” the gaming console web server simply by sending empty GET requests. This leads to a total compromise of confidentiality, integrity, and availability of the system. A similar high severity (CVSS score: 9.3) vulnerability – LiteServe URL Decoding DoS – was found in an IP camera device. Here, a remote web server could simply become unavailable by parsing a URL consisting of a long invalid string of % symbols.
Overall, seven of the thirteen vulnerabilities were ranked with medium severity – medium severity means that the vulnerability can reduce the performance or lead to a loss of some functionality to the targeted device – four ranked with critical severity, and two ranked as high severity. Furthermore, all discovered vulnerabilities did not require the attacker to authenticate to the victim host in order to exploit them. No DoS-related vulnerabilities were found to affect the tested lighting system and the media player.
While all the conducted attacks involved semantic attacks, certain vulnerabilities, while at a minority, compromised not only the high-level application (e.g., the administration console of an embedded web server) but as well the underlying operating system (e.g., Windows), and hardware (i.e., the device’s firmware). Only one vulnerability – HTTP Windows 98 MS/DOS device names DoS – targeted the operating system software.
Table 2 is a summary of discovered DoS-related vulnerabilities occurring on each category of tested smart devices. The severity follows the qualitative severity ranking scale as identified in CVSS v3.0 specification [15].
5.2 DoS Attack Characteristics
The outcome of the attack introspection stage described in Sect. 4.4 is summarized in Fig. 3.
From Fig. 3, we observe that most of the DoS-attacks target the high-level application and belong to the “Exception condition error handling” vulnerability class. Vulnerabilities in this class arise due to failures in responding to unexpected data or conditions.
The rest of the vulnerabilities correspond to “Input validation error” and “Design error”. Input validation error includes vulnerabilities that fail to verify the incorrect input (boundary condition error) and read/write operations involving an invalid memory address (buffer overflows). Design errors are caused by improper design of the software structure. In Table 3, we summarize the characteristics of the attacks that exploited these vulnerability classes.
We observe that all of the attacks were remote exploits. Remote exploits work over a network, such as the Internet, exploiting the security vulnerability without requiring any prior access to the vulnerable system. This is in contrast to a local exploit which requires prior access to the vulnerable system.
The majority of the attacks required basic programming knowledge to develop. At a minimum, this required familiarity with the workings of the HTTP protocol (e.g., HTTP methods, in particular, the GET method) and network programming (e.g., TCP/IP socket management). This is needed to create and send specifically crafted packets to an IoT component.
Mostly, the attack payload was transferred to the connected device by manipulating the content of a legitimate HTTP header field, e.g., the “Content-Length” attribute, which specifies the length of the request body.
6 Discussion
6.1 The Impact of DoS Attacks
Even though the tested device types represent only around 6% of the available device categories in a smart connected home [12], the attained results already highlight the gravity of the current situation. This is especially as these represent on average around 25% of the number of available devices in a regular smart home [34], the devices belong to the three categories of functionality with the most device types [12], and because our test subjects are manufactured by international companies with overall high-security maturity. The majority of the remaining manufacturers are IoT startups that tend to prioritize simplicity and ease-of-use over security.
Due to the limited energy capacities and interconnectedness of IoT devices, the impact of DoS attacks can be severe. For instance, DoS attacks can cause battery-draining issues leading to node outages or a failure to report an emergency situation. This can happen, as an example, if an attacker targets an Internet-connected smoke detector, which consequently may disable the fire detection system and possibly lead to a fatality. In some cases, a successful DoS attack can also allow an attacker to lock down an entire building or access to a room, for instance, by making access to certain online authentication services, e.g., a cloud service required by a smart lock, unavailable. In extreme cases, DoS attacks may lead to permanent damage to a system requiring a device replacement or re-installation of the hardware. This can happen, as an example, when fake data are sent to connected thermostats in an attempt to cause irreparable damage via extreme overheating.
Beyond affecting the availability of a system, DoS attacks conducted at different architecture layers can compromise other security requirements such as accountability, auditability, and privacy [31]. For instance, when devices are offline, adversaries can use that window of time to hack sensitive information or infer more information. Furthermore, when a high number of hosts are combined, as in the case of DDoS, the effects could be even more disruptive. For instance, in 2016, a DDoS attack with compromised IoT devices targeting the DNS service provider Dyn effectively took offline sites such as GitHub, Airbnb, and Amazon [28]. Overall, this resulted in reputation damage, diminished IT productivity, and revenue losses to different stakeholders.
6.2 On the Causes of DoS Attacks
Analyzing the software weaknesses that were exploited by the successful DoS attacks, we find that improper checks for unusual or exceptional conditions are the root cause of such vulnerabilities. This could be indicative that: i) IoT developers are making assumptions that certain events or conditions will never occur; ii) IoT developers are reusing software libraries without performing proper security testing; iii) IoT developers are not properly trained in software security; or iv) security is not a top priority for an organization. Moreover, this raises generic concerns about the way IoT devices are being developed.
Our study is similar in scope to that of Bonguet and Bellaiche [11]. However, instead of focusing on cloud computing DoS and DDoS, we focused specifically on consumer-based IoT devices. Moreover, we expanded on the semantic-based DoS attack category, which the aforementioned study classifies as “design flaws” and “software bugs” vulnerabilities, with vulnerability classes we identified firsthand. Analyzing the successful attacks, we observe the prevalence of HTTP GET DoS attacks where the application layer protocol HTTP is exploited. Interestingly, the HTTP GET DoS attacks did not have to be used repeatedly, for example by running the attack in a loop, as is required, for instance, in an HTTP flood attack [27], and yet had the same consequences. This signals the dangers of these attacks and the challenges involved in detecting them. While HTTP flooding can trigger an alert about a possible intrusion since multiple HTTP requests are sent to a target device, the chance of detecting semantic DoS is relatively slim as only one request could be needed to achieve the same effect.
Many IoT devices share generic components from a relatively small set of manufacturers. This means that a vulnerability in one class of IoT hardware is likely to be repeated across a vast range of products. For instance, one of the vulnerabilities we discovered with the gaming console was targeting the open source Mongoose web server. Mongoose is identified as GitHub’s most popular embedded web server and multi-protocol networking library. With this, it is a likely threat that other IoT platforms are prone to the same security risk. This also makes us reflect on the state of the other IoT devices available in the smart home market, and in general, about security practices being adopted by companies, especially since most companies develop their software by reusing existing software libraries. This is indicative that besides the functionality aspects, vulnerabilities are automatically inherited, putting the customers at risk but also the vendor’s reputation at stake. A case in point: at the DefCon’22 conference [35], a popular cloud-based Wi-Fi camera was revealed as using a vulnerable version of the OpenSSL library – a widely used software library for applications to secure communications – with the Heartbleed vulnerability. Exploiting this could allow for possible eavesdropping on seemingly encrypted communications, theft of private data, and impersonation of services and users.
In this study, we have investigated how DoS attacks are conducted, and how exploit code takes advantage of violations of security practices such as lack of input validation. We believe that it is relatively easy to exploit those weaknesses and potentially launch large-scale attacks without the knowledge of the owner. This is also amplified with the availability of automatic scanning tools with publicly shared results, such as Shodan, that simplify the process of discovering and exploiting Internet-connected devices. Furthermore, this is aggravated considering that some vendors offer services, oftentimes referred to as “stresser” or “booter” services, which can be used to perform, at a cost, unauthorized remote DoS attacks on Internet hosts.
6.3 Mitigating DoS Attacks
Protection against DoS and their distributed counterpart (DDoS) is a challenging task, especially for IoT architectures considering their constraints, e.g., in terms of battery, memory, and bandwidth. Limited research related solutions, e.g., [23], have been proposed for the protection of IoT against DoS attacks. However, such approaches do not focus on the application layer but are mainly dealing with network layer protection. This also concurs with reports from leading industry vendors which underscore the difficulty of defending against application attacks and simultaneously the rise of attacks in this category [32]. Hereunder, we present some approaches that can be adopted by smart living developers and end-users to prevent, detect, and react to semantic DoS attacks.
Data Controller Mitigations. These are safeguards that can be adopted by IoT device manufacturers, IoT developers, and service providers.
- Authentication mechanisms. Authentication plays a critical role in the security of any IoT device and service. It is useful for detecting and blocking unauthorized devices and services [43]. Strong authentication can potentially be applied at the home gateway, as this device often acts as the gatekeeper mediating requests between connected devices, services, and users.
- Input validation. As a secure coding principle, input validation helps prevent semantic DoS attacks. If it is performed properly, including on the HTTP headers, it can also help prevent SQL injection, script injection, and command execution attacks.
- Secure architecture. IoT devices need to sustain their availability at desired levels. Possibly, a robust architecture should leverage a defense-in-depth strategy, e.g., having multiple layers of controls at the device level, cloud level, and service level, thus reducing the risk of the entire system or stack becoming unavailable.
- Secure configuration. IoT devices should be configured not to disclose information about the internal network, server software, and plug-ins/modules installed (e.g., banner information). This is important primarily because such information may otherwise be indexed and picked up by online scanners and then used to conduct attacks.
- Security testing. Code should be inspected for vulnerabilities before it is released to consumers. Here, software auditing and penetration testing could be used, e.g., to detect test interfaces and weak configurations that could lead to compromise. Furthermore, a company may offer incentives, e.g., through bug bounty programs, especially to help discover zero-day vulnerabilities. At the same time, it is also key for vendors to release updates, possibly on a cyclical basis, to improve the security of their product.
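The input validation safeguard above, made concrete as an added example (not code from the paper or from any tested device): a C check that an embedded HTTP server could run on each request head before any handler sees it, covering the exceptional conditions named in the titles of the referenced OpenVAS tests (unfinished line, format string in the method name, Content-Length). The function name, status codes, and size limits are assumptions chosen for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>
#include <strings.h>
/* Assumed limits for illustration; tune them per device. */
enum { MAX_HEAD = 2048, MAX_TARGET = 256, MAX_BODY = 65536 };
enum req_status { REQ_OK, REQ_INCOMPLETE, REQ_TOO_LARGE,
                  REQ_BAD_METHOD, REQ_BAD_TARGET, REQ_BAD_LENGTH };

/* Check a request head of len bytes (not NUL-terminated); sets *body_len. */
enum req_status validate_head(const char *buf, size_t len, long *body_len)
{
    static const char *const methods[] = { "GET ", "HEAD ", "POST ", "PUT " };
    size_t end = 0, i, m, p = 0, seen = 0;
    unsigned char c;

    /* Unfinished head: report it so the caller can enforce a read deadline. */
    for (i = 0; i + 4 <= len && i + 4 <= MAX_HEAD && !end; i++)
        if (memcmp(buf + i, "\r\n\r\n", 4) == 0) end = i + 2;
    if (!end) return len >= MAX_HEAD ? REQ_TOO_LARGE : REQ_INCOMPLETE;

    /* Method: exact allowlist match; never passed on as a format string. */
    for (m = 0; m < 4 && !p; m++) {
        size_t n = strlen(methods[m]);
        if (end >= n && memcmp(buf, methods[m], n) == 0) p = n;
    }
    if (!p) return REQ_BAD_METHOD;

    /* Target: starts with '/', bounded length, printable ASCII only. */
    if (buf[p] != '/') return REQ_BAD_TARGET;
    for (i = p; (c = (unsigned char)buf[i]) != ' '; i++)
        if (i - p >= MAX_TARGET || c < 0x21 || c > 0x7e) return REQ_BAD_TARGET;

    /* Content-Length: at most one, digits only, bounded (no sign/overflow). */
    *body_len = 0;
    for (i = 0; i + 16 < end; i++) {
        if (buf[i] != '\n' || strncasecmp(buf + i + 1, "Content-Length:", 15))
            continue;
        long v = 0;
        size_t j = i + 16;
        while (buf[j] == ' ') j++;
        if (seen++ || !isdigit((unsigned char)buf[j])) return REQ_BAD_LENGTH;
        for (; isdigit((unsigned char)buf[j]); j++)
            if ((v = v * 10 + (buf[j] - '0')) > MAX_BODY) return REQ_BAD_LENGTH;
        if (buf[j] != '\r') return REQ_BAD_LENGTH;
        *body_len = v;
    }
    return REQ_OK;
}
```

A caller that receives `REQ_INCOMPLETE` should keep reading only until a deadline expires and then close the connection; every other non-OK status should produce an error response without touching handler state.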
Consumer Mitigations. These are controls that can be adopted by end-users, in particular by the IoT device users.
- Filtering. Filtering techniques, e.g., ingress/egress filtering or history-based filtering, prevent unauthorized network traffic from entering a protected network [27]. Filtering can be applied to residential routers and can also be used as a strategy to respond to DoS attacks.
- Intrusion prevention/detection system. Intrusion prevention/detection mechanisms, such as signature-based detection and anomaly-based detection, can be used to proactively block malicious traffic and threats from reaching IoT devices. This system could be a separate physical device connected to the residential Internet router.
- Secure configurations. Operating system and server vendor-specific security configurations should be implemented where appropriate, including the disabling or removal of unnecessary users, groups, and default accounts.
- Secure network services. To prevent unauthorized users from connecting to IoT devices and implanting an attack, remote access options (e.g., Telnet or SSH) on the router and other network devices that may have them enabled for remote administration should be disabled or otherwise securely configured.
- Secure overlay. This method involves the creation of an overlay network, typically through a firewall, on top of the IP network. This overlay network then acts as the entry point for the outside network, ensuring that only trusted traffic can enter the protected network.
- Security patches. IoT devices should be kept up to date with the latest security patches, as regularly issued by the vendor, to ensure that the system is not affected by malware. When updates are not available, some possible alternatives are: putting another control, e.g., a perimeter firewall or intrusion prevention/detection system, in front of the vulnerable device; changing the IP address of the affected device; disabling the compromised feature; or replacing the hardware with a newer release.
Beyond the data controller and consumer-based mitigations, we also see the need for three other requirements that must be met to ensure the overall security and resiliency of IoT devices. First, more stringent regulations and potentially certification programs are needed for IoT device manufacturers. Second, security must be integrated early, from the design stage, and a risk management strategy enforced, potentially as a joint effort of legislators, security experts, and manufacturers. Third, recognizing that classical security solutions are challenging to port to the IoT domain, it is crucial to increase security awareness among consumers. This could, for instance, be done through government initiatives, but manufacturers can also educate consumers about security.
7 Conclusion and Future Work
The growth and heterogeneity of connected devices being deployed in smart living spaces, in particular inside homes, raise the importance of assessing their security.
In this paper, we conducted a vulnerability assessment focusing on the availability of Internet-connected devices. The experiment was carried out using OpenVAS and it featured five commercial-off-the-shelf IoT devices: a gaming console, media player, lighting system, connected TV, and IP camera. The attained results indicate that the majority of the tested devices are prone to severe forms of semantic DoS attacks. Exploiting these attacks may lead to a complete compromise of the security of the entire smart living system. This indicates the gravity of the current situation, serving as a catalyst to raise awareness and stimulate further discussion of DoS-related issues within the IoT community. Furthermore, to understand the root causes for successful attacks, we analyzed the payload code, profiled the attacks, and proposed some mitigations that can be adopted by smart living developers and consumers.
As part of future work, we intend to generalize this study in three areas. First, we plan to include a broader selection of devices, including routers. Routers tend to be one of the most vulnerable components that a successful attack can leverage to potentially disable legitimate access to the entire smart connected home. Second, we aim to consider an attack model where the malicious threat agent is located remotely behind a cloud or service provider infrastructure. Finally, we plan to research methods that can proactively allow for the detection of DoS attacks. Possibly, this will involve the use of machine learning to learn a baseline security profile for each device.
Notes
1. https://www.openvas.org/ [accessed December 21, 2019].
2. https://www.virtualbox.org/ [accessed December 21, 2019].
3. https://www.kali.org/ [accessed December 21, 2019].
4. https://www.securityfocus.com/ [accessed December 21, 2019].
5. https://www.cvedetails.com/ [accessed December 21, 2019].
6. https://vulners.com/ [accessed December 21, 2019].
7. http://www.cve.mitre.org/ [accessed December 21, 2019].
8. https://www.mitre.org/ [accessed December 21, 2019].
9. https://cesanta.com/ [accessed December 21, 2019].
10. https://www.shodan.io/ [accessed December 21, 2019].
References
Alanazi, S., Al-Muhtadi, J., Derhab, A., Saleem, K., AlRomi, A.N., Alholaibah, H.S., Rodrigues, J.J.: On resilience of wireless mesh routing protocol against DoS attacks in IoT-based ambient assisted living applications. In: 17th International Conference on E-health Networking, Application & Services (HealthCom), pp. 205–210. IEEE (2015)
Alhazmi, O.H., Woo, S.-W., Malaiya, Y.K.: Security vulnerability categories in major software systems. Commun. Netw. Inf. Secur. 2006, 138–143 (2006)
Andersson, S., Josefsson, O.: On the assessment of denial of service vulnerabilities affecting smart home systems (2019)
Arboi, M.: Format string on http method name. https://vulners.com/openvas/OPENVAS:11801
Arboi, M.: Http unfinished line denial. https://vulners.com/openvas/OPENVAS:136141256231011171
Arboi, M.: Http windows 98 MS/DOS device names DOS. https://vulners.com/openvas/OPENVAS:136141256231010930
Arboi, M.: Jigsaw webserver MS/DOS device DOS. https://vulners.com/openvas/OPENVAS:11047
Arboi, M.: Linksys WRT54G DOS. https://vulners.com/openvas/OPENVAS:136141256231011941
Arboi, M.: LiteServe URL decoding DOS. https://vulners.com/openvas/OPENVAS:11155
Barnard-Wills, D., Marinos, L., Portesi, S.: Threat landscape and good practice guide for smart home and converged media. In: European Union Agency for Network and Information Security (ENISA) (2014)
Bonguet, A., Bellaiche, M.: A survey of denial-of-service and distributed denial of service attacks and defenses in cloud computing. Future Internet 9(3), 43 (2017)
Bugeja, J., Davidsson, P., Jacobsson, A.: Functional classification and quantitative analysis of smart connected home devices. In: Global Internet of Things Summit (GIoTS), pp. 1–6. IEEE (2018)
Carl, G., Kesidis, G., Brooks, R.R., Rai, R.: Denial-of-service attack-detection techniques. IEEE Internet Comput. 10(1), 82–89 (2006)
Douligeris, C., Mitrokotsa, A.: DDoS attacks and defense mechanisms: classification and state-of-the-art. Comput. Netw. 44(5), 643–666 (2004)
FIRST: Cvss v3.1 specification document. https://www.first.org/cvss/specification-document
Geneiatakis, D., Kounelis, I., Neisse, R., Nai-Fovino, I., Steri, G., Baldini, G.: Security and privacy issues for an IoT based smart home. In: 40th International Convention on Information and Communication Technology, Electronics and Microelectronics (MIPRO)
GmbH, G.N.: Mereo ‘get’ request remote buffer overflow vulnerability. https://vulners.com/openvas/OPENVAS:100776
Gordin, I., Graur, A., Potorac, A., Balan, D.: Security assessment of OpenStack cloud using outside and inside software tools. In: International Conference on Development and Application Systems (DAS), pp. 170–174. IEEE (2018)
Greenbone.net: 16. performance—greenbone security manager (gsm) 4 documentation. https://docs.greenbone.net/GSM-Manual/gos-4/en/performance.html#about-ports
Herzberg, B., Bekerman, D., Zeifman, I.: Breaking down mirai: An IoT DDoS botnet analysis. Incapsula Blog, Bots and DDoS, Security (2016)
Hussain, A., Heidemann, J., Heidemann, J., Papadopoulos, C.: A framework for classifying denial of service attacks. In: Proceedings of the 2003 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications, pp. 99–110. ACM (2003)
Karig, D., Lee, R.: Remote denial of service attacks and countermeasures. Princeton University Department of Electrical Engineering, Technical report CE-L2001-002, 17 (2001)
Kasinathan, P., Pastrone, C., Spirito, M.A., Vinkovits, M.: Denial-of-service detection in 6LoWPAN based internet of things. In: IEEE 9th International Conference on Wireless and Mobile Computing, Networking and Communications (WiMob), pp. 600–607. IEEE (2013)
Kolias, C., Kambourakis, G., Stavrou, A., Voas, J.: DDoS in the IoT: Mirai and other botnets. Computer 50(7), 80–84 (2017)
Kupreev, A.G.O., Badovskaya, E.: Ddos attacks in q1 2019—securelist. https://securelist.com/ddos-report-q1-2019/90792/
Liang, L., Zheng, K., Sheng, Q., Huang, X.: A denial of service attack method for an IoT system. In: 8th International Conference on Information Technology in Medicine and Education (ITME), pp. 360–364. IEEE (2016)
Mahjabin, T., Xiao, Y., Sun, G., Jiang, W.: A survey of distributed denial-of-service attack, prevention, and mitigation techniques. Int. J. Distrib. Sens. Netw. 13(12), 1550147717741463 (2017)
Mansfield-Devine, S.: DDoS goes mainstream: how headline-grabbing attacks could make this threat an organisation’s biggest nightmare. Netw. Secur. 2016(11), 7–13 (2016)
Mirkovic, J., Reiher, P.: A taxonomy of DDoS attack and DDoS defense mechanisms. ACM SIGCOMM Comput. Commun. Rev. 34(2), 39–53 (2004)
Moore, D., Shannon, C., Brown, D.J., Voelker, G.M., Savage, S.: Inferring internet denial-of-service activity. ACM Trans. Comput. Syst. (TOCS) 24(2), 115–139 (2006)
Mosenia, A., Jha, N.K.: A comprehensive study of security of internet-of-things. IEEE Trans. Emerg. Top. Comput. 5(4), 586–602 (2016)
Muncaster, P.: DDoS attacks jump 18% YoY in Q2—infosecurity magazine. https://www.infosecurity-magazine.com/news/ddos-attacks-jump-18-yoy-in-q2/
OWASP: OWASP testing guide. https://www.owasp.org/images/5/56/OWASP_Testing_Guide_v3.pdf
Pascu, L.: The IoT threat landscape and top smart home vulnerabilities in 2018. https://www.bitdefender.com/files/News/CaseStudies/study/229/Bitdefender-Whitepaper-The-IoT-Threat-Landscape-and-Top-Smart-Home-Vulnerabilities-in-2018.pdf
Patrick Wardle, C.M.: Optical surgery; implanting a dropcam. https://www.defcon.org/images/defcon-22/dc-22-presentations/Moore-Wardle/DEFCON-22-Colby-Moore-Patrick-Wardle-Synack-DropCam-Updated.pdf
Pătru, I.-I., Carabaş, M., Bărbulescu, M., Gheorghe, L.: Smart home IoT system. In: 15th RoEduNet Conference: Networking in Education and Research, pp. 1–6. IEEE (2016)
SecPod: Mongoose webserver content-length denial of service vulnerability. https://vulners.com/openvas/OPENVAS:1361412562310900268
Security, O.: Openvas 8.0 vulnerability scanning—kali linux. https://www.kali.org/penetration-testing/openvas-vulnerability-scanning
SecurityFocus: Apache mod_access_referer null pointer dereference denial of service vulnerability. https://www.securityfocus.com/bid/7375/exploit
SecurityFocus: IBM Tivoli policy director WebSeal denial of service vulnerability. https://www.securityfocus.com/bid/3685/exploit
SecurityFocus: Polycom ViaVideo denial of service vulnerability. https://www.securityfocus.com/bid/5962/exploit
Tundis, A., Mazurczyk, W., Mühlhäuser, M.: A review of network vulnerabilities scanning tools: types, capabilities and functioning. In: Proceedings of the 13th International Conference on Availability, Reliability and Security, p. 65. ACM (2018)
Yoon, S., Park, H., Yoo, H.S.: Security issues on smarthome in IoT environment. In: Park, J., Stojmenovic, I., Jeong, H., Yi, G. (eds.) Computer Science and Its Applications, pp. 691–696. Springer, Heidelberg (2015)
Acknowledgments
This work has been carried out within the research profile “Internet of Things and People,” funded by the Knowledge Foundation and Malmö University in collaboration with 10 industrial partners.
Copyright information
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Bugeja, J., Jacobsson, A., Spalazzese, R. (2020). On the Analysis of Semantic Denial-of-Service Attacks Affecting Smart Living Devices. In: Arai, K., Kapoor, S., Bhatia, R. (eds) Intelligent Computing. SAI 2020. Advances in Intelligent Systems and Computing, vol 1229. Springer, Cham. https://doi.org/10.1007/978-3-030-52246-9_32
DOI: https://doi.org/10.1007/978-3-030-52246-9_32
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-52245-2
Online ISBN: 978-3-030-52246-9
eBook Packages: Intelligent Technologies and Robotics (R0)