Assessing IoT Risk and Attack Detection

Organizations should employ a good risk assessment process from the development/design phase and apply the principle of least privilege coupled with firewalls, detection tools, and other security technologies to identify any anomalous behavior that results from their compromise and proactively fix the problem.

Figure 1: Basic IoT Communication Architecture

IoT devices and appliances on IP networks are in increasingly high demand, both in everyday life and in organizations. Most of the time these devices do not include any out-of-the-box security features, and sometimes they are not even patched, hardened, or baselined.

This introduces a great number of new vulnerabilities into any organization’s infrastructure and creates a large attack surface that adversaries can use to obtain unauthorized access and compromise these devices. On the other hand, IoT devices are purpose-built with a narrow set of functions, which allows organizations to gather and monitor flow data and baseline normal traffic patterns.

Common Threats and Vulnerabilities

There are well-documented sources available all over the internet that identify common threats and vulnerabilities. One of the more assessed and trusted sources is the Open Web Application Security Project (OWASP). The OWASP Internet of Things Project currently maintains a list of what it considers the top IoT vulnerabilities (Figure 2).

This provides awareness of some of the vulnerabilities and security issues the industry is facing. Organizations can expand this ‘top vulnerabilities’ list into a fuller list of vulnerabilities and threats simply by mapping the attack surface and identifying recent attacks. The ‘Device Network Services’ and ‘Network Traffic’ categories of the OWASP IoT Attack Surface Areas list bring to light other types of attacks, specifically on IoT networking, that include routing attacks, Denial of Service (DoS) attacks, and Sybil attacks, among others.

Figure 2: OWASP IoT Vulnerabilities Project

Figure 3: STRIDE Threat Model

Threat Modeling

Threat modeling is an important process for identifying threats from a more strategic standpoint. It typically includes several steps to systematically understand the system being modeled, from which potential threats are then identified.

Preferably, an IoT application or solution is broken down by function and categorized as a device, a field gateway, a cloud gateway, or a service. Each is separated by its own trust boundary and has separate requirements around authentication (AuthN), authorization (AuthZ), the data it handles, etc., all of which affect the threat modeling process. Once the system has been modeled, each component can be assessed for threats using the STRIDE model. STRIDE stands for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege.

Attack trees can also be used to enumerate potential threats. Once the threats have been identified, an intrusion analyst can better understand what controls to implement and where.
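The decomposition above (device, field gateway, cloud gateway, service, each in its own trust zone) and the STRIDE categories can be turned into a small, repeatable enumeration. The following is an added example written for this article, not code from the article or from OWASP or Microsoft. It assumes the STRIDE-per-element heuristic (processes get all six categories, data stores T/R/I/D, data flows T/I/D, external entities S/R), applies it to every data flow that crosses a trust boundary, and then evaluates a constructed attack tree with AND/OR nodes so the analyst can see which single mitigation raises the attacker's cheapest path the most. Component names, costs and the tree itself are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# STRIDE categories as named in the article.
STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information Disclosure", "D": "Denial of Service",
          "E": "Elevation of Privilege"}

# Assumed STRIDE-per-element heuristic (not from the article): which categories
# are worth asking about for each kind of element in the data-flow diagram.
APPLICABLE = {"process": "STRIDE", "data_store": "TRID",
              "external": "SR", "data_flow": "TID"}

@dataclass
class Component:
    name: str
    kind: str   # "process", "data_store" or "external"
    zone: str   # trust zone: device, field_gateway, cloud_gateway or service

@dataclass
class Flow:
    src: str
    dst: str
    data: str

def threats_for_crossings(components: List[Component], flows: List[Flow]) -> List[Tuple[str, str]]:
    """List (element, threat) pairs for every flow that crosses a trust boundary.
    Flows inside a single trust zone are skipped: STRIDE is applied where zones meet."""
    by_name = {c.name: c for c in components}
    findings = []
    for f in flows:
        a, b = by_name[f.src], by_name[f.dst]
        if a.zone == b.zone:
            continue
        for letter in APPLICABLE["data_flow"]:
            findings.append((f"{f.src}->{f.dst} ({f.data})", STRIDE[letter]))
        for endpoint in (a, b):
            for letter in APPLICABLE[endpoint.kind]:
                findings.append((endpoint.name, STRIDE[letter]))
    return list(dict.fromkeys(findings))   # de-duplicate, keep order

@dataclass
class AttackNode:
    goal: str
    op: str = "LEAF"            # "OR", "AND" or "LEAF"
    cost: float = 0.0           # LEAF only: estimated attacker effort (relative units, constructed)
    mitigated: bool = False     # LEAF only: a control blocks this step
    children: List["AttackNode"] = field(default_factory=list)

def cheapest_path(node: AttackNode) -> Optional[float]:
    """Minimum attacker effort to reach node.goal, or None if every route is mitigated."""
    if node.op == "LEAF":
        return None if node.mitigated else node.cost
    costs = [cheapest_path(c) for c in node.children]
    if node.op == "OR":
        live = [c for c in costs if c is not None]
        return min(live) if live else None
    # AND: every child step must succeed, so costs add up
    return None if any(c is None for c in costs) else sum(costs)

def example_model():
    """Constructed decomposition following the article: device, field gateway, cloud gateway, service."""
    components = [
        Component("sensor", "process", "device"),
        Component("field_gw", "process", "field_gateway"),
        Component("cloud_gw", "process", "cloud_gateway"),
        Component("telemetry_db", "data_store", "service"),
        Component("analytics", "process", "service"),
    ]
    flows = [
        Flow("sensor", "field_gw", "telemetry"),
        Flow("field_gw", "cloud_gw", "telemetry"),
        Flow("cloud_gw", "telemetry_db", "telemetry"),
        Flow("telemetry_db", "analytics", "telemetry"),   # same zone: not a crossing
    ]
    return components, flows

def example_tree(rate_limited: bool = False) -> AttackNode:
    """Constructed attack tree for the HTTP admin-interface scenario discussed in the article."""
    return AttackNode("gain admin access to device", "OR", children=[
        AttackNode("brute-force web login", cost=2, mitigated=rate_limited),
        AttackNode("capture credentials on the gateway link", "AND", children=[
            AttackNode("join the local network segment", cost=3),
            AttackNode("read credentials sent without TLS", cost=1),
        ]),
    ])

if __name__ == "__main__":
    for element, threat in threats_for_crossings(*example_model()):
        print(f"{element:45} {threat}")
    print("cheapest attack, no mitigation:", cheapest_path(example_tree()))
    print("cheapest attack, login rate-limited:", cheapest_path(example_tree(True)))
```

Running it lists the 31 STRIDE questions raised by the three boundary crossings (the in-zone flow from the database to the analytics process contributes none), and shows that rate-limiting the login raises the cheapest route from 2 to 4, which is the kind of comparison an analyst uses to decide what to implement first.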

Introducing Detection Solution Tools for IoT

IoT introduces additional complexity for security. Organizations are advised to monitor the data traffic to and from IoT devices in their network. Perimeter-based solutions are not adequate in today’s environment because users and apps can no longer be contained inside a company’s network, behind a clearly defined protective wall.

Intrusion detection tools can be one of the first layers of defense. One of the most significant security problems for embedded devices today is not knowing when a system is being attacked, or even when it has already been compromised. Most devices lack the logging and reporting capabilities used by enterprise security solutions (IDS, HIPS, AV, etc.) to detect when an adversary is probing or performing reconnaissance, or has penetrated a network or device.

Figure 4: 6LoWPAN Communication with Internet

To see how a detection solution can help protect IoT devices, look at any typical embedded device that exposes an administrative interface over Hypertext Transfer Protocol (HTTP) and uses a username and password for access control. An adversary discovering this device could use a script to perform a brute force attack, trying thousands of login attempts per hour until the script finds a username and password that are accepted. Most embedded devices would simply process each password attempt as it is received. Each time password validation fails, the device simply drops the request and continues its normal processing. It is not aware that it is under attack and, consequently, cannot report the attack to a management system.

Most IoT devices will operate in a relatively static environment. The operations they perform, the amount of data they transmit and receive, and the other devices they communicate with, change infrequently. Significant changes in these basic behaviors are anomalies and may denote a cyber-attack.

An embedded IDS provides detection and reporting of a few critical conditions, along with summary information on device operation. This may include the number of login attempts (successful and unsuccessful), notification of communication with new IP addresses, bandwidth usage reports, and detection of port probing attempts.

These capabilities can be added to an IoT device using an embedded firewall with IDS features. An embedded firewall that supports configurable rules provides event reporting for the IDS, filters incoming traffic, and provides virtual network segmentation, thereby limiting the adversary's ability to launch a cyber-attack against the device.
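The four conditions just listed (failed-login bursts such as the brute force scenario above, contact from new IP addresses, bandwidth deviating from the device's baseline, and port probing) are small enough to implement as a single stateful monitor. The following is an added example written for this article, not code from any embedded firewall product; it runs over a constructed event stream (not real device logs) of the form (time in seconds, kind, peer IP, port, bytes) and assumes that the device already knows its normal peers and its normal bytes-per-minute baseline, which the article says can be learned because IoT traffic patterns change infrequently. Thresholds are constructed and would be tuned per device.

```python
from collections import defaultdict, deque

# Constructed sample event stream (not real device logs). Each record is
# (time_s, kind, peer_ip, port, n_bytes); kind is one of
# "login_ok", "login_fail", "conn" (new inbound connection) or "traffic".
SAMPLE_EVENTS = [
    (0,   "conn",       "10.0.0.5",     8883, 0),     # known peer, normal
    (1,   "traffic",    "10.0.0.5",     8883, 1200),
    (2,   "login_ok",   "10.0.0.5",     80,   0),
    (10,  "conn",       "203.0.113.9",  80,   0),     # unknown peer appears
    (11,  "login_fail", "203.0.113.9",  80,   0),     # then a burst of bad passwords
    (12,  "login_fail", "203.0.113.9",  80,   0),
    (13,  "login_fail", "203.0.113.9",  80,   0),
    (14,  "login_fail", "203.0.113.9",  80,   0),
    (15,  "login_fail", "203.0.113.9",  80,   0),
    (30,  "conn",       "198.51.100.7", 21,   0),     # one source touching many ports
    (31,  "conn",       "198.51.100.7", 22,   0),
    (32,  "conn",       "198.51.100.7", 23,   0),
    (33,  "conn",       "198.51.100.7", 80,   0),
    (34,  "conn",       "198.51.100.7", 443,  0),
    (61,  "traffic",    "10.0.0.5",     8883, 1100),  # normal minute
    (120, "traffic",    "10.0.0.5",     8883, 9000),  # minute 2 blows past baseline
    (125, "traffic",    "10.0.0.5",     8883, 9000),
]

class EmbeddedIDS:
    """Tracks the conditions the article lists for an embedded IDS: failed-login
    bursts, contact from new peers, port probing and bandwidth anomalies."""

    def __init__(self, known_peers, baseline_bytes_per_min, max_fail=5, fail_window=60,
                 probe_ports=5, probe_window=10, bw_factor=3):
        self.known = set(known_peers)
        self.baseline = baseline_bytes_per_min
        self.max_fail, self.fail_window = max_fail, fail_window
        self.probe_ports, self.probe_window = probe_ports, probe_window
        self.bw_factor = bw_factor
        self.fails = defaultdict(deque)        # ip -> timestamps of failed logins
        self.ports = defaultdict(deque)        # ip -> (t, port) of recent connections
        self.bytes_per_min = defaultdict(int)  # minute bucket -> bytes seen
        self.bw_alerted = set()                # buckets already reported
        self.logins = {"ok": 0, "fail": 0}     # summary counters for the management system

    def observe(self, t, kind, ip, port, n_bytes):
        """Feed one event; return the list of (alert_type, detail) it triggered."""
        alerts = []
        if kind == "conn":
            if ip not in self.known:
                self.known.add(ip)             # report each new peer once
                alerts.append(("new_peer", ip))
            q = self.ports[ip]
            q.append((t, port))
            while q and q[0][0] < t - self.probe_window:   # slide the window
                q.popleft()
            if len({p for _, p in q}) == self.probe_ports:  # fire once at the threshold
                alerts.append(("port_probe", ip))
        elif kind == "login_fail":
            self.logins["fail"] += 1
            q = self.fails[ip]
            q.append(t)
            while q and q[0] < t - self.fail_window:
                q.popleft()
            if len(q) == self.max_fail:
                alerts.append(("brute_force", ip))
        elif kind == "login_ok":
            self.logins["ok"] += 1
        elif kind == "traffic":
            bucket = t // 60
            self.bytes_per_min[bucket] += n_bytes
            if (self.bytes_per_min[bucket] > self.bw_factor * self.baseline
                    and bucket not in self.bw_alerted):
                self.bw_alerted.add(bucket)
                alerts.append(("bandwidth", f"minute {bucket}"))
        return alerts

def run(events, known_peers=("10.0.0.5",), baseline=5000):
    """Replay an event list; return (alerts, login summary)."""
    ids = EmbeddedIDS(known_peers, baseline)
    alerts = []
    for ev in events:
        alerts.extend(ids.observe(*ev))
    return alerts, ids.logins

if __name__ == "__main__":
    found, summary = run(SAMPLE_EVENTS)
    for kind, detail in found:
        print(f"ALERT {kind:12} {detail}")
    print("login summary:", summary)
```

On the sample stream the monitor raises five alerts in order: a new peer, a brute-force burst from that peer, a second new peer, a port probe from it, and a bandwidth anomaly in minute 2. Each alert fires exactly once when its threshold is reached rather than on every subsequent event, which matters on a device with limited reporting bandwidth; the brute-force case is precisely the situation the HTTP admin-interface scenario above says most devices cannot see.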

Intrusion detection in IoT environments generally falls into one of two categories: traditional IP networks and Low-power Wireless Personal Area Networks (LoWPANs). As with all network intrusion detection, both rely on a few things to be effective: an understanding of the IoT communication stack and where its weaknesses lie, the capacity to capture traffic, and the capacity to detect attacks in progress.

There are several network intrusion detection solutions available for the IoT environment, depending on the scenario. Some common tools include Snort, Bastille, and BeeKeeper, as well as other LoWPAN-based detection tools, both open-source and commercial.

Organizations must stop deploying IoT devices and appliances as trusted end systems. Instead, they should employ a good risk assessment process from the development/design phase and apply the principle of least privilege, coupled with firewalls, detection tools, and other security technologies, to identify any anomalous behavior that results from their compromise and proactively fix the problem. During the operational phase, the collection and analysis of flow data is the most efficient and effective mechanism to reduce the security risks associated with deploying IoT devices.