Taxonomy of IoT Attacks
IoT can bring significant economic and social benefits to society. However, privacy and security remain the major open issues in IoT applications. In many applications security and privacy are neglected, or come to the manufacturer's mind only as an afterthought, because of market competition and cost cutting during development. Attackers take this as an opportunity to gain unauthorized access to the devices, the data, or the whole system. Security requirements are usually classified with the CIA triad: confidentiality ensures that information is accessible only to authorized users; integrity ensures that data is not altered between source and destination and that the service between them is reliable; availability ensures that authorized users can reach services and data when they need them. IoT devices are more exposed than conventional IT systems because they are deployed in open, physically accessible environments. IoT attacks can be grouped into four broad categories; in this chapter they are organized by the layer they target, as shown in Figure 7.1.
Figure 7.1: Attack Classification of IoT
Physical Layer Attacks (PLA)
The main objective of this layer is to collect information from the physical environment and transmit it after converting it into digital signals. This layer is the most exposed because the IoT devices, such as sensors, actuators, RFID tags and readers, and their micro-operating systems, are readily accessible. The information provided by the sensors can concern location, motion, temperature, light, and so on, and it is shared over a local network such as Zigbee or a Bluetooth-based network. Several attacks can be mounted at this layer; some of them are:
Physical Node Tampering
In a node tampering attack, a compromised device can misbehave or even bring down the whole system, which is a major challenge for applications. The attack is possible because the physical devices are available and accessible: an attacker can manipulate the circuit, glitch the clock, modify the data on a tag, or physically destroy the sensors. For example, if a fire-tracking setup is placed in a forest to detect fires, an attacker with physical access to the sensors can manipulate the functionality of the system or its circuit board.
Malicious Node Injection
In this attack, an attacker injects one or more malicious nodes into the existing system so that they can forward, or manipulate, the data exchanged with the authorized nodes. The objective is to gain unauthorized access to the network or to control the other devices. A malicious node can prevent successful delivery of the original message and send a false message into the network. When the injected node sits between two legitimate nodes and relays their traffic, this amounts to a man-in-the-middle attack. To detect an injected node, the MOVE (Monitoring Verification) technique can be used to observe the behavior of nodes and decide whether a node is malicious.
RFID Tag Cloning
In this attack, an attacker creates a duplicate of an existing tag's identity so that a false user is treated as an authorized one and can access all data or manipulate information. Examples of tag cloning include cloned bank cards, cloned identity cards used to enter restricted areas, and access to confidential information. Each RFID tag carries a unique EPC (Electronic Product Code) that is assigned when the tag is issued under the EPCglobal network. A successful tag cloning can lead to further attacks, financial losses, or serious problems for commercial applications. Cryptographic tag authentication can prevent cloning, but many low-cost tags do not support it, so anti-cloning mechanisms that detect cloned tags are also required.
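One way to detect a cloned tag without any cryptography on the tag itself is to exploit the fact that a genuine tag cannot be in two places at once: if the same EPC is read at two readers closer in time than the tagged item could have travelled, at least one read came from a clone. The following is an added example written for this section, not code from the original text; the reader positions, the maximum plausible speed, and the read events are all constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Reader positions in metres: a constructed assumption for this example. In a
# deployment these come from the site plan.
READER_POSITIONS = {
    "dock-A": (0.0, 0.0),
    "dock-B": (40.0, 0.0),
    "warehouse-2": (3000.0, 500.0),
}

# Fastest plausible movement of a tagged item between readers (m/s); a
# hypothetical tuning parameter that is set per deployment.
MAX_TAG_SPEED_MPS = 2.0


@dataclass(frozen=True)
class TagRead:
    epc: str      # EPC reported by the reader, as a hex string
    reader: str   # reader identifier
    t: float      # read time in seconds since an arbitrary epoch


def reader_distance(a: str, b: str) -> float:
    (x1, y1), (x2, y2) = READER_POSITIONS[a], READER_POSITIONS[b]
    return ((x1 - x2) ** 2 + (y1 - y2) ** 2) ** 0.5


def find_clone_suspects(reads: List[TagRead]) -> List[Tuple[str, str, str, float]]:
    """Flag EPCs observed at two readers closer in time than the tag could have travelled.

    Returns (epc, previous_reader, current_reader, seconds_between) for each
    physically impossible pair of consecutive reads of the same EPC.
    """
    last_seen: Dict[str, TagRead] = {}
    suspects = []
    for read in sorted(reads, key=lambda r: r.t):
        prev = last_seen.get(read.epc)
        if prev is not None and prev.reader != read.reader:
            elapsed = read.t - prev.t
            needed = reader_distance(prev.reader, read.reader)
            # elapsed may be 0 (simultaneous reads); any distance is then impossible.
            if needed > MAX_TAG_SPEED_MPS * elapsed:
                suspects.append((read.epc, prev.reader, read.reader, elapsed))
        last_seen[read.epc] = read
    return suspects


# Constructed read events: the first EPC moves 40 m in 60 s (plausible); the
# second is read 3 km away 20 s after its previous read (a clone).
SAMPLE_READS = [
    TagRead("3034257BF7194E4000001A85", "dock-A", 0.0),
    TagRead("3034257BF7194E4000001A85", "dock-B", 60.0),
    TagRead("3034257BF7194E4000001A86", "dock-A", 5.0),
    TagRead("3034257BF7194E4000001A86", "warehouse-2", 25.0),
]

if __name__ == "__main__":
    for epc, r1, r2, dt in find_clone_suspects(SAMPLE_READS):
        print(f"possible clone of {epc}: seen at {r1} then {r2} only {dt:.0f}s apart")
```

The check only says that a clone exists, not which of the two reads is the clone, so the response is to quarantine the EPC and inspect both items; it also relies on reader clocks being synchronized, which is a deployment requirement rather than a property of the code.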
Wireless Sensor Network Layer Attacks (NLA)
The flow of information between the devices of the first layer and the third layer is carried by the wireless sensor network layer. Wireless devices communicate over networks such as IEEE 802.15.4, Wi-Fi, BLE, LoRaWAN, and LTE. Several attacks can occur at this layer; some of them are:
Jamming Attack
At the perception layer, radio signals can be jammed with a radio-frequency transmitter. Jamming attacks fall into three categories: i) constant jamming: the attacker continuously transmits random bits so that receivers are denied service; ii) deceptive jamming: the attacker sends a continuous stream of well-formed packets so that receivers stay busy and the system operates abnormally; iii) random jamming: the attacker alternates between jamming and sleeping at random intervals, which conserves the jammer's energy. All of these jamming attacks can be mitigated with regulated transmission power and direct-sequence spread spectrum (DSSS).
Side Channel Attack
In this type of attack, an attacker intercepts sensitive information by measuring the physical emissions of a device with suitable tools rather than by breaking its logic. For instance, Nia et al. describe side-channel attacks based on the electromagnetic (EM) radiation emitted by an object, which can carry sensitive information. EM radiation falls into two categories: i) unintentional emissions from electronic components, which can leak side-channel information; ii) intentional emissions, such as those of medical devices that use EM waves to transmit data wirelessly. Such emanations can be captured with a spectrum analyzer. Demodulating them requires a carrier of stable amplitude, which unintentionally generated signals often lack, so those signals are harder to demodulate.
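The attack works because the quantity the attacker measures depends on the secret. The EM channel the text describes is hard to show in software, so the added example below uses a timing-style leak instead: an early-exit comparison whose amount of work grows with the length of the correct prefix, an instrumented operation count standing in for the elapsed time, power or EM trace an attacker would capture, a byte-by-byte recovery that needs only that count, and the constant-time comparison that closes the channel. This is example code written for this section, not code from the original text; the secret is constructed.

```python
from typing import Callable, Tuple

Oracle = Callable[[bytes], Tuple[bool, int]]


def leaky_compare(secret: bytes, guess: bytes) -> Tuple[bool, int]:
    """Early-exit comparison, as found in naive token or password checks.

    Returns (match, work). `work` counts loop iterations and stands in for the
    physical quantity a side-channel attacker measures; here it grows with the
    length of the matching prefix.
    """
    work = 0
    if len(secret) != len(guess):
        return False, work
    for a, b in zip(secret, guess):
        work += 1
        if a != b:          # the early exit is the leak
            return False, work
    return True, work


def constant_time_compare(secret: bytes, guess: bytes) -> Tuple[bool, int]:
    """Compare every byte regardless of where the first mismatch is.

    The work depends only on the length, never on the secret's value. In
    production use hmac.compare_digest; this spelled-out version shows why it is safe.
    """
    if len(secret) != len(guess):
        return False, 0
    diff = 0
    work = 0
    for a, b in zip(secret, guess):
        work += 1
        diff |= a ^ b       # accumulate, never branch on the secret
    return diff == 0, work


def recover_secret(oracle: Oracle, length: int) -> bytes:
    """Recover a secret byte by byte using only the side-channel reading.

    For each position, try all 256 byte values and keep the one that makes the
    oracle do the most work: against leaky_compare that is the correct byte.
    Against constant_time_compare every candidate costs the same, so the
    attacker learns nothing and the result is wrong.
    """
    known = bytearray()
    for pos in range(length):
        best_byte, best_work = 0, -1
        for candidate in range(256):
            guess = bytes(known) + bytes([candidate]) + b"\x00" * (length - pos - 1)
            matched, work = oracle(guess)
            if matched:
                return guess
            if work > best_work:
                best_byte, best_work = candidate, work
        known.append(best_byte)
    return bytes(known)


# Constructed secret; the attacker is assumed to know only its length.
SECRET = b"s3cr3t-t0k3n"

if __name__ == "__main__":
    leaky = recover_secret(lambda g: leaky_compare(SECRET, g), len(SECRET))
    safe = recover_secret(lambda g: constant_time_compare(SECRET, g), len(SECRET))
    print("against leaky_compare:        ", leaky, leaky == SECRET)
    print("against constant_time_compare:", safe, safe == SECRET)
```

Recovery costs at most 256 oracle queries per byte instead of 256 to the power of the length, which is the whole point of a side channel: it turns an infeasible search into a linear one. With a real physical channel the attacker averages many noisy traces per candidate instead of reading one exact count, but the decision rule is the same.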
MAC Address Spoofing
Whenever a personal area network is formed, an attacker can spoof a MAC address during the generation of the encryption key. Spoofed MAC addresses can be used to disconnect legitimate users or to modify information in transit. There is no policy that prevents this attack entirely; however, long pairing keys that mix letters, special characters, and digits make the pairing of devices harder to hijack.
Data Sensing and Acquisition Layer Attacks (DSAL)
This layer provides a cloud-like (fog) environment at the network edge that filters data before it moves on to the Internet. It handles the data explosion that would otherwise reach the Internet, and it saves channel bandwidth by removing ambiguous and duplicate data. Although this layer is less exposed, some attacks can target its functionality.
Malicious Code Injection
Input is often not sufficiently validated during data acquisition. In that case, an attacker inserts malicious code, or injects it into the service provider, and the service then performs the attacker's instructions.
Malicious Hardware
A hardware component may be attached at the lower (data sensing and acquisition) layer to insert malicious code that either tries to access user data or executes instructions that bypass the validation process. Testing components before deployment is a mechanism that helps to handle this kind of attack.
Monitoring with a False Node
The information collected from sensors and hardware components can be monitored by an attacker using a false identity or a false node. Sensed data often contains recurring patterns or sequences of similar events; these can be aggregated and analyzed probabilistically to infer the underlying information.
Unauthenticated Access Attempts
To detect hacking attempts by unauthenticated users, logging records events such as unsuccessful login attempts and application errors. If there are too many unsuccessful attempts within a time frame, the service can be suspended for that source. Encrypting the log files prevents the detail they contain from being read by an attacker.
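The counting rule above is simple to get wrong (a fixed-interval counter resets at interval boundaries, so an attacker who paces attempts across the boundary is never locked out). The added example below, written for this section and not taken from the original text, runs a sliding-window failure count over constructed gateway log lines, locks out a source that crosses the threshold, and separately reports a successful login from a source that was already locked out, since that is the event an incident responder most wants to see. The log format is a constructed assumption.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

# Line format is a constructed assumption for this example; adapt LINE_RE to
# the real gateway's log format.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) device=(?P<device>\S+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line: str) -> Optional[dict]:
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect_bruteforce(lines, threshold: int = 5,
                      window: timedelta = timedelta(seconds=60)) -> List[Tuple[str, str, datetime]]:
    """Sliding-window failure counter per source address.

    Emits ("lockout", src, ts) the first time a source accumulates `threshold`
    failures within `window`, and ("success-after-lockout", src, ts) when a
    locked-out source later logs in successfully, which suggests the guessing
    worked and the account should be treated as compromised.
    """
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    locked: Dict[str, datetime] = {}
    alerts: List[Tuple[str, str, datetime]] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue   # unparseable lines deserve their own alert in production
        src, ts = ev["src"], ev["ts"]
        if ev["result"] == "OK":
            if src in locked:
                alerts.append(("success-after-lockout", src, ts))
            continue
        q = failures[src]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and src not in locked:
            locked[src] = ts
            alerts.append(("lockout", src, ts))
    return alerts


# Constructed log lines: one source makes five failed attempts in 19 s and then
# succeeds; another fails once and succeeds three minutes later.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z device=gw-01 user=admin src=203.0.113.7 result=FAIL
2024-05-01T10:00:05Z device=gw-01 user=admin src=203.0.113.7 result=FAIL
2024-05-01T10:00:09Z device=gw-01 user=root src=203.0.113.7 result=FAIL
2024-05-01T10:00:12Z device=gw-01 user=admin src=198.51.100.4 result=FAIL
gw-01: watchdog reset (not an auth event, skipped by the parser)
2024-05-01T10:00:14Z device=gw-01 user=admin src=203.0.113.7 result=FAIL
2024-05-01T10:00:20Z device=gw-01 user=admin src=203.0.113.7 result=FAIL
2024-05-01T10:00:25Z device=gw-01 user=admin src=203.0.113.7 result=OK
2024-05-01T10:03:00Z device=gw-01 user=admin src=198.51.100.4 result=OK
""".splitlines()

if __name__ == "__main__":
    for kind, src, ts in detect_bruteforce(SAMPLE_LOG):
        print(f"{ts.isoformat()} {kind:22s} src={src}")
```

Keying on the source address alone misses distributed guessing from many addresses against one account; a second counter keyed on the user name, with the same window logic, covers that case.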
Internet Layer Attacks (ILA)
The Internet (network) layer is responsible for connectivity among all devices and for communication between the hardware and the cloud server or end-user. It aggregates data from different devices and routes it to a specific device or user through a gateway. This layer is exposed because of the global scope of the data, so several attacks are possible here.
Network Layer Jamming
Jammers at this layer are more energy-efficient than physical-layer jammers because they target specific data packets and ACK messages rather than the whole channel. Which packets can be jammed depends on the MAC protocol used between the nodes; the attacker corrupts some bits of a packet by interfering with its transmission. It is one of the most damaging attacks, since generating false packets fills the channel with noise and blocks it. IoT devices have limited energy, so jamming also drains their power. Regulated transmission power and frequency-hopping spread spectrum (FHSS) are the countermeasures for jamming attacks.
False Routing Information
An attacker generates or forwards false routing information to the nodes in the network. False routes can cause packets to be lost or leak the information sent over the false link. Four scenarios can produce a false route: i) false route error message: when a protocol has no route to the destination it sends a route error message to the source and the link is marked broken, so a forged error message cuts communication between nodes each time it is sent; ii) route cache poisoning: when packet headers carry route information that updates the route cache, a malicious node can send spoofed packets with manipulated route information to mislead later packets; iii) routing table overflow: a malicious node advertises routes to non-existent nodes until the routing table overflows; iv) rushing attack: described here as similar to a sinkhole attack, it absorbs all packets of the network with false route information and takes control of the network by modifying them.
Alteration and Spoofing
In a rank-based routing protocol such as RPL, each node has a rank that increases from the root towards the leaves. An attacker can modify the advertised rank of a node to attract child nodes and draw network traffic towards itself on its way to the root. As a result, routes may be suboptimal or a routing loop may be created. Such attacks can be detected with VeRA (Version Number and Rank Authentication) and TRAIL (Trust Anchor Interconnection Loop).
Service Layer Attacks (SLA)
The service layer is critical because it interfaces between the network data and the application. Application interfaces, web services, cloud storage, and data centers are its major components. These services are usually provided by third-party vendors, which makes them among the most exposed parts of IoT applications. Even when the service layer comes from a reliable provider, it has security flaws and is subject to attacks. Some possible attacks are as follows:
Account Hijacking
Account hijacking is one of the biggest challenges in cloud services. Several attack techniques are used to obtain user credentials, such as phishing for passwords, exploiting software vulnerabilities, or cloning identities. With valid credentials an attacker can damage or manipulate data, or eavesdrop on sensitive information. Weak passwords, insufficient authorization, and poor input validation are the main enablers of this attack. In June 2014, an Amazon AWS administrative interface was reported to have been left without adequate authentication. Dynamic credentials and access-management guidance are two countermeasures against account hijacking.
VM Escape
Virtual machine monitors can analyze the run-time behavior of guest data dynamically, so detecting a modern attack requires access to VM memory and to the VM monitor. In a VM escape, the attacker reaches memory that lies beyond the tenant VM's own allocation, breaking VM isolation and gaining the ability to manipulate other VMs. The attack is made possible by the configuration flexibility and code complexity of the virtualization layer. Confidentiality, data integrity, and privacy are the major concerns. Trusted cloud computing and virtual data centers are countermeasures for VM escape.
Malicious VM Creation
An attacker can create a legitimate VM account and inject malicious code into an otherwise normal program, for instance self-replicating code. In this attack, the attacker can destroy system files and user data, or damage the whole system by replicating viruses and worms. MirageOS, a unikernel cloud computing platform that deploys each cloud service as a specialised single-purpose kernel, is one approach to building a secure and high-performance deployment.
Data Abstraction Layer Attacks (DALA)
In IoT applications, data collected from many devices is forwarded onward, which can lead to a data explosion. Normalization, consolidation, and indexing are the main techniques for improving data quality and network performance ahead of analysis of the stored data. A fast response from the cloud or data servers is needed for good application performance, and the data abstraction layer is the key layer that provides it. AWS IoT, AWS Greengrass, Dell Statistica, and Azure are examples of analytics tools that extract data in real time. Although this layer is less exposed, some attacks are possible here.
Malicious Code Injection
This is one of the most common attacks at this layer: the attacker inserts malicious code, in the form of a string, that is sent to the SQL server to make the application malfunction. A system without sufficient input checks invites attackers to inject code that misuses or disrupts the application. Cross-site scripting (XSS) can likewise be used to inject code and hijack a user's account. Firewalls and input validation checks are the countermeasures for malicious code injection.
SQL Injection
In this attack, the attacker wants to gather as much information as possible about the structure of the tables and their fields. By deliberately triggering error messages, the attacker can learn enough to act on behalf of a legitimate user and gain full access to the data: the error messages returned by the database guide the attacker, and with that guidance the attacker can damage or misuse the system. Prepared statements, such as PREPARE supported by many databases, separate the query template from its parameters so that user input can never change the structure of the query.
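The two paragraphs above (string-based code injection against the SQL server, and error- and structure-discovery-driven SQL injection) are best seen side by side. The added example below, written for this section and not taken from the original text, builds a constructed in-memory SQLite database, shows a query assembled by string concatenation being turned into a database error, a table enumeration, and a credential dump, and shows the same inputs against the parameterized form, which treats them as plain values. Table names, columns, and payloads are all constructed.

```python
import sqlite3
from typing import List, Optional


def setup_db() -> sqlite3.Connection:
    """In-memory database with constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE sensors (id INTEGER PRIMARY KEY, owner TEXT, reading REAL);
        CREATE TABLE api_keys (id INTEGER PRIMARY KEY, owner TEXT, key TEXT);
        INSERT INTO sensors VALUES (1, 'alice', 21.5), (2, 'bob', 19.0);
        INSERT INTO api_keys VALUES (1, 'alice', 'AK-alice-0001'), (2, 'bob', 'AK-bob-0002');
        """
    )
    return conn


def readings_vulnerable(conn: sqlite3.Connection, owner: str) -> List[object]:
    # The user-supplied value is spliced into the SQL text, so quotes, UNION and
    # comment markers inside it become part of the query's grammar.
    sql = "SELECT reading FROM sensors WHERE owner = '" + owner + "'"
    return [row[0] for row in conn.execute(sql)]


def readings_parameterized(conn: sqlite3.Connection, owner: str) -> List[object]:
    # Prepared statement: the driver sends the template and the value separately,
    # so the value is only ever compared against owner, never parsed as SQL.
    rows = conn.execute("SELECT reading FROM sensors WHERE owner = ?", (owner,))
    return [row[0] for row in rows]


def error_leak(conn: sqlite3.Connection, owner: str) -> Optional[str]:
    """Return the raw database error the vulnerable query produces, or None.

    An application that echoes this message to the client hands the attacker
    the guidance the text describes: which token broke the parse, and hence
    how the query is assembled.
    """
    try:
        readings_vulnerable(conn, owner)
        return None
    except sqlite3.OperationalError as exc:
        return str(exc)


# Constructed payloads. The trailing "--" comments out the closing quote the
# application appends.
ENUMERATE_TABLES = "x' UNION SELECT name FROM sqlite_master WHERE type='table' --"
STEAL_KEYS = "x' UNION SELECT key FROM api_keys --"

if __name__ == "__main__":
    db = setup_db()
    print("legitimate:               ", readings_vulnerable(db, "alice"))
    print("error leak for a lone quote:", error_leak(db, "'"))
    print("tables via UNION:         ", readings_vulnerable(db, ENUMERATE_TABLES))
    print("api keys via UNION:       ", readings_vulnerable(db, STEAL_KEYS))
    print("same input, parameterized:", readings_parameterized(db, STEAL_KEYS))
```

The parameterized version does not sanitize the input; it simply never lets the input reach the SQL parser, which is why it needs no knowledge of the attacker's payloads. Catching the database error and returning a generic message to the client removes the second leak without changing the query.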
A Layered Internet of Things (IoT) Security Framework
Table 7.1: Attack Taxonomy
Malicious Insider
A malicious insider is a current or former employee who has authorized access to the data and intentionally misuses it or shares it with a third party for personal benefit. This affects the confidentiality and integrity of the system's data. Malicious insiders are difficult to detect because their access is legitimate and broad. Keeping the cloud service provider's key management separate from the encrypted data storage limits what any single party can read. Auditable processes, effective logging, and segregation of duties between departments are countermeasures against this attack.
Interface Layer Attacks (ILA)
Software or application programs are combined with cloud servers or APIs to provide an interface to end-users. There is no common standard for this layer because applications are heterogeneous, so the security issues vary by application. The two major issues of this layer are data theft and privacy. In addition, some attacks are:
Reverse Engineering
In IoT applications, an attacker can analyze the software to extract sensitive information or user credentials. Through reverse engineering, the attacker can find programming errors and use them to leak data or to exploit the software or the IoT objects. Tamper-resistant software makes reverse engineering harder.
Reprogramming Attack
If an attacker reprograms an IoT object remotely through its network programming (over-the-air update) facility, the object departs from its normal functionality. If the programming process is insufficiently protected, the attacker can modify all of the device's functionality and control parts of the application. This is the most dangerous attack at this layer because it compromises privacy, integrity, confidentiality, and more, so a secure programming process must be applied to prevent reprogramming attacks.
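The minimum a "secure programming process" has to do is authenticate the image before flashing it and refuse downgrades to older, possibly vulnerable, versions. The added example below, written for this section and not taken from the original text, contrasts the insecure apply-whatever-arrives path with one that verifies an HMAC-SHA256 over header and payload, checks the header only after authentication, and enforces a monotonic version number. The image layout, the device key, and the payloads are constructed assumptions.

```python
import hashlib
import hmac
import struct
from typing import Tuple

# Hypothetical device-specific key provisioned at manufacture; in a real product
# it lives in protected storage, never in source.
DEVICE_KEY = bytes.fromhex("8f3a6b2c9d1e4f70a1b2c3d4e5f60718293a4b5c6d7e8f900112233445566778")
MAGIC = b"FWIM"
HEADER = struct.Struct(">4sII")   # magic, version, payload length (big-endian)
TAG_LEN = 32                       # HMAC-SHA256 output size


def build_image(version: int, payload: bytes, key: bytes) -> bytes:
    """Assemble header || payload || HMAC(key, header || payload)."""
    header = HEADER.pack(MAGIC, version, len(payload))
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def apply_update_insecure(image: bytes) -> bytes:
    """The reprogramming hole: trust whatever arrives and flash it."""
    return image[HEADER.size:-TAG_LEN]


def verify_image(image: bytes, key: bytes, current_version: int) -> Tuple[bool, str]:
    """Authenticate first, parse second, and reject downgrades."""
    if len(image) < HEADER.size + TAG_LEN:
        return False, "truncated"
    header = image[:HEADER.size]
    payload = image[HEADER.size:-TAG_LEN]
    tag = image[-TAG_LEN:]
    expected = hmac.new(key, header + payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):      # constant-time comparison
        return False, "bad MAC"
    # Only now is the header trustworthy enough to interpret.
    magic, version, length = HEADER.unpack(header)
    if magic != MAGIC:
        return False, "bad magic"
    if length != len(payload):
        return False, "length mismatch"
    if version <= current_version:                  # anti-rollback
        return False, "rollback"
    return True, "ok"


def apply_update_secure(image: bytes, key: bytes, current_version: int) -> Tuple[bool, str, bytes]:
    """Return (accepted, reason, payload_to_flash); payload is empty when rejected."""
    ok, reason = verify_image(image, key, current_version)
    return ok, reason, (image[HEADER.size:-TAG_LEN] if ok else b"")


if __name__ == "__main__":
    good = build_image(2, b"firmware-v2-blob", DEVICE_KEY)
    tampered = good[:HEADER.size] + b"X" + good[HEADER.size + 1:]
    old = build_image(1, b"firmware-v1-blob", DEVICE_KEY)
    forged = build_image(3, b"attacker-blob", b"guessed-key")
    for name, img in [("genuine", good), ("tampered", tampered), ("replayed v1", old), ("forged", forged)]:
        print(f"{name:12s} insecure flashes {apply_update_insecure(img)!r:22} secure says {verify_image(img, DEVICE_KEY, 1)}")
```

The symmetric MAC keeps the example within the standard library, but it means every device that shares the key can forge images for all the others; a fielded design signs images with an asymmetric key so that devices hold only a public verification key, and the rollback check additionally needs the stored current version to be write-protected against the attacker.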
Distributed Denial of Service (DDoS)
In a distributed denial-of-service attack, an attacker takes control of a large number of Internet-enabled devices, forming an IoT botnet, and directs them to send a continuous stream of requests or packets to a server, which overwhelms the server and stops it from functioning properly. A DDoS attack can exhaust the channel bandwidth or saturate the server that the IoT objects depend on. DDoS attacks are classified in two categories: i) reflection, in which the attacker sends requests with a spoofed source address so that the replies are delivered to the victim; ii) amplification, in which small requests trigger much larger responses, so that a large volume of packets overwhelms the victim. An Internet firewall that continuously monitors for suspicious traffic helps to prevent DDoS attacks.
The attack taxonomy in Table 7.1 lists, for each attack, its behavior, its target device, and the countermeasure techniques that can be applied against it.