Internet of Threats and Context Aware Security: Part Two
by Junaid Chaudhry, Security Research Institute, Edith Cowan University, Perth, Australia; Ahmed Ibrahim, Security Research Institute, Edith Cowan University; Ali Kashif Bashir
IEEE Internet Initiative eNewsletter, May 2017
In part one of this two-part article, we discussed fundamental issues with the Internet of Things (IoT). In this article, we present some of the technical issues with the IoT that could prove as the downfall of the IoT.
It is said the attack on Dyn was the cyber-attack that almost broke the internet into numerous islands on 21 October 2016, and is the largest one observed yet . Dyn is an organization that has both capacity and capability to process high volumes of data; it was an asynchronous yet persistent attack that flooded the Domain Name Servers at Dyn Inc.
There is a wide consensus on the fact that the volume of attack is going to grow in the future. To date, the large scale distributed denial of service (DDoS) attacks have been unilateral requests. These attacks rather gave up their sources, mostly reflectors or rogue edge routers, rather easily and were contained by the security engineers through isolation techniques, i.e., sinkholes  etc. Had they been multilateral requests, they would have been impossible to contain. Keeping the root servers down for a couple of hours to shed the load can be enough to change the border-less, free, and ubiquitous internet forever.
On one hand, the overwhelming popularity and high market penetration rates of the devices that are internet enabled break open new frontiers for the IT industry. It happens so because the internet enabled device manufacturers have software implementations confined to lower OSI layers stacks, which bring the cost down. The lack of standards in manufacturing quality, software quality, and quality assurance also play a major role in low device quality. On the other hand, since the IoT initiative is relatively new, there is a lack of protocols on how to amalgamate 50 billion more thin clients in IoT enabled devices into the already existing size of the internet .
In our research the ownership, functional restrictions, physical security, IoT-facilitated cyber-crimes, infrastructure, addressing, and usage are among the most troubled areas in IoT roll-outs and need immediate consideration. We classify these issues in the order of OSI layers in the following passages:
- The fundamental principle of the IoT initiative is to enable devices from different manufacturers to be able to communicate with each other without a gateway for protocol translation. A digital device is not made to last forever. It needs to be retired, i.e., replaced, discarded, recycled, etc., after its life span is over. Throughout this life span of a digital device, it must be maintained too. The maintenance plan cannot be developed in the absence of a deployment and manufacturing plan. The manufacturing and deployment plans must follow standards so that different vendors may find harmony in cross deployments. Since the IoT devices are typically not deployed within the four walls of an organization, an attacker can easily eavesdrop on the IoT traffic. The IoT devices generally have resource constraints. Therefore, manufacturers cannot take data encryption on board because the resource demands of an encryption scheme can be detrimental to their profit margins. We propose  that the information flowing from the IoT devices be so atomic in nature that to make a substantial use out of eavesdropping, the attackers need to eavesdrop on the considerably large population of the IoT devices of various kinds. An example of this argument can be temperature sensors. An attacker may eavesdrop on the temperature reading of one point, but unless he eavesdrops on all the temperature sensors of the power plant, he might not know where the boiler room might be. One can argue about the radio interference among IoT devices and advocate the use of adaptive radios; in our opinion, with the ubiquitous deployment considerations, restrictions on the scope of IoT devices and their coverage range can complicate things beyond repair in no time.
- One of the biggest shortcomings in IoT device deployment is poor implementation of auto configuration of the devices. Since IoT inherits a bulk of its security problems from the Transmission Control Protocol/Internet Protocol suit, the issues like Address Resolution Protocol spoofing, Contents Address Table-based attacks, Dynamic Host Configuration Protocol starvation, Hidden Node Attacks, Watering hole attacks, De-auth attacks, and the list goes on, are among common threats to the IoT. Because the attack space is so wide, it is very tempting to beef up and customize the Intrusion Detection systems. Customization, in principle, is discouraged in a pervasive deployment. We propose, as discussed in the previous section, that the IoT clusters should be atomic and small. The larger the cluster size, the more vulnerable it would be to attacks. The real value of IoT applications is in services that run devoid of underlying networking details. Hence, the value should be given to the quality of data. We are further researching a solution to overcome the data link layer security issues in the IoT. We also believe that there is a serious lack in competition in management protocols at lower layers, specifically at the data link layer in IoT. The classic protocols for flow control, error control, timeout protocols, etc. were designed for deterministic traffic flows. However, IoT devices broadcast in opportunistic fashion. In conclusion, these are exciting times for the IoT industry, but if by adopting TCP/IP as a lone ranger for the link layer problems, we can already see that it is not working out well for the IoT industry.
- We take the position of semantic quality in the Internet Protocol (IP) related issues in IoT enabled devices. An IP is an identity given to a device through which it can use some services provided by the internet. Our stance is how can a device with full OSI stack, in full compliance to standardization and security controls, be at the same service level as an IoT device with less than desired implementation and design? The process of IP recycling and converting all their product line in an “IP enabled product” by the manufacturers further complicates the issues. So, it is not about the new IoT devices. The problem has escalated to the older IP addresses too. The IEEE Standards Association (IEEE SA) has IEEE P2413, and many alike are working on developing specifications for a shared Machine-to-Machine (M2M) network layer to connect IoT devices globally. Maybe this is the solution we have all been waiting for. As proposed in , the IoT enabled devices must be deployed in domains. However, we propose that these domains should be soft domains and must be created on the fly and on a lease. This loosely coupled environment ensures cross domain functionality in a truly ubiquitous environment .
- The transport layer inherits the shortcomings of the TCP and User Datagram Protocol. At this stage, the industry is looking toward academia for more alternatives to the TCP and the UDP. The machine-to-machine layer that sits on top of the transport layer in IoT devices is still at its developmental stage. However, the smart applications layer running on top of it all has had a good run. A few experimental setups were built, but due to lack of business models and to some extent non-availability of mature technologies, the market trust in starting a new technology was minimal .
The situation has changed. New applications are being built , and we all are very excited about the IoT and the traction it brings for the IT market. There are still issues like IoT device ownership, refined business model, revenue sharing, device life cycle management, trust and security of personal data, privacy and reliable information delivery that we are working on and soon we shall overcome them all . In this article, we enumerated some burning issues with the IoT technology that needs addressing immediately. Until we address the issues mentioned above, the IoT will continue to be the Internet of Threats.
 Cyber Attacks on Dyn, http://dyn.com/blog/dyn-analysis-summary-of-friday-october-21-attack/, Last accessed 24 February 2017.
 Internet of Things IoT: How the Next Evolution of the Internet Is Changing Everything by Cisco, http://www.cisco.com/c/dam/en_us/about/ac79/docs/innov/IoT_IBSG_0411FINAL.pdf, Last Accessed 24 February 2017.
 Tommaso Pecorella, Luca Brilli * and Lorenzo Mucchi, The Role of Physical Layer Security in IoT: A Novel Perspective, Information 2016, 7(3), 49.
 Thomas Zachariah, Noah Klugman, Bradford Campbell, Joshua Adkins, Neal Jackson, and Prabal Dutta, The Internet of ThingsIoT Has a Gateway Problem, HotMobile’15, February 12–13, 2015.
 Chaudhry J. A., (2011) Autonomic service composition through context orientation approach. Journal of Theoretical and Applied Information Technology, 34 (1). pp. 50-56. ISSN 1992-8645.
 Junaid Chaudhry, Uvais Qidwai, Mehdi Miraz, Healthcare Data Security among ISO/IEEE 11073 Personal Health Devices through Statistical Fingerprinting, 9th IEEE-GCC Conference and Exhibition 2017.
 Chaudhry, Junaid; Park, Seungkyu; On Seamless Service Delivery, The 2nd International Conference on Natural Computation (ICNC'06) and the 3rd International Conference on Fuzzy Systems and Knowledge Discovery (FSKD'06), 253-261, 2006.
 Junaid Ahsenali Chaudhry, Seung-Kyu Park, Some enabling technologies for ubiquitous systems, Journal of computer Science, 2 (8), 627-633, 2006.
 Junaid Chaudhry, Uvais A Qidwai, Robert G Rittenhouse, Malrey Lee, Vulnerabilities and verification of cryptographic protocols and their future in wireless body area networks, Emerging Technologies (ICET), 2012 International Conference on, 1-5, 2012.
 Junaid Ahsenali Chaudhry, Usman Tariq, Mohammed Arif Amin, Robert G Rittenhouse, Sinkhole vulnerabilities in wireless sensor networks, International Journal of Security and Its Applications, 8 (1), 401-410, 2014.
Dr. Junaid Chaudhry
Dr. Junaid Chaudhry is an information security and computer networks enthusiast. Currently, Junaid is a key member of the Security Research Institute at Edith Cowan University where along with his team, is working on cutting edge cyber security solutions. He is also leading a startup of perfectionistic bunch of security researchers, digital forensics and information retrieval experts, penetration testers and bug hunters, interdisciplinary research aficionados, software coders, social scientists, medical science researchers that are passionate about making the world a better and more secure place. He has spent more than 5 years in designing, delivering, and researching in institutes at tertiary level, 6 years at research centres, and for the last 5 years he has been working in the information security industry. He worked at University of Amsterdam, Qatar University, Universiti Teknologi Malaysia, Univeristy of Hail, Univeristy of Trento, and University of South Pacific. He has also worked with Al-Jazeera, State of Qatar, Qatar Foundation, FBK, etc as consultant. Dr. Chaudhry has obtained training at teaching excellence from Harvard Business School, Univeristy of Amsterdam, Universiti Teknologi Malaysia, and maintains a certified professional status with Australian Computing Society. Junaid’s research interests are cross disciplinary research, malware analysis, anomalies detection, cyber hunting, and digital forensics. He has published more than 50 papers and have authored 3 international books.
Dr. Ahmed Ibrahim
Dr. Ahmed Ibrahim received his BSc. (Hons) in Computing from Staffordshire University in 2005, Master of Computer Security from Edith Cowan University in 2008, and Ph.D. from Edith Cowan University in 2016. Presently, he is a Post-Doctoral Research Fellow at the Edith Cowan University Security Research Institute. Ahmed’s Ph.D. research was focused on detecting covertly hidden content in digital images. His areas of research include Steganography, Steganalysis, Digital Forensics, Network Security, Image Processing, Language Technologies, Machine Learning, Protocol Classification, and Internet of Things. Ahmed has previously worked as a Security Consultant, Lecturer, and Tutor in Australia; and over 17 years of experience working in the industry, government, and academia in the Maldives.
Dr. Ali Kashif Bashir
Dr. Ali Kashif Bashir received his Ph.D. in Computer Science and Engineering from Korea University, South Korea. He is currently working for Graduate School of Information Science and Technology, Osaka University. Dr. Ali is a senior member of IEEE and an active member of ACM and IEICE. He has given several invited and keynote talks and is a reviewer of top journals and conferences. His research interests include: cloud computing (NFV/SDN), network virtualization, IoT, network security, wireless networks, etc. He is also serving as the IEEE Internet Technology Policy eNewsletters as editor-in-chief.
Dr. Rasheed Hussain received his B.S. in Computer Software Engineering from N-W.F.P University of Engineering and Technology, Peshawar, Pakistan in 2007, MS and PhD degrees in Computer Engineering from Hanyang University, South Korea in 2010 and February 2015, respectively. He also worked as a Postdoctoral Research Fellow in Hanyang University South Korea from March 2015 till August 2015. Furthermore, he worked as a Guest researcher in University of Amsterdam (UvA), Netherlands and consultant for Innopolis University, Russia from September 2015 till June 2016. Dr. Hussain is currently working as Assistant Professor at Innopolis University, Russia and establishing a new Masters program (Secure System and Network Engineering). He has authored and co-authored more than 45 papers in renowned national and international journals and conferences. He serves as reviewer for many journals from IEEE, Springer, Elsevier, and IET that include IEEE Sensors Journal, IEEE TVT, IEEE T-ITS, IEEE TIE, IEEE Comm. Magazine, Elsevier ADHOC, Elsevier JPDC, Elsevier VehCom, Springer WIRE, Springer JNSM, and many more. He also served as reviewer and/or TPC for renowned international conferences of repute including IEEE INFOCOM, IEEE GLOBECOM, IEEE VTC, IEEE VNC, IEEE ICC, IEEE PCCC, IEEE NoF, and many more.
Article Contributions Welcomed
IEEE Internet Policy Newsletter Editorial Board
Dr. Ali Kashif Bashir, Interim Editor-in- Chief
Dr. Syed Hassan Ahmed
Dr. Mudassar Ahmad
Dr. Onur Alparslan
Dr. Muhammad Bilal
Dr. Syed Ahmad Chan Bukhari
Dr. Ankur Chattopadhyay
Dr. Junaid Chaudhry
Dr. Waleed Ejaz
Dr. Yasir Faheem
Dr. Prasun Ghosal
Dr. Tahir Hameed
Dr. Y. Sinan Hanay
Dr. Shagufta Henna
Dr. Fatima Hussain
Dr. Rasheed Hussain
Dr. Saman Iftikhar
Dr. Stephan Jones
Dr. Mohammad Saud Khan
Dr. Jay Ramesh Merja
Dr. Mubashir Husain Rehmani
Dr. Hafiz Maher Ali Zeeshan
About: This newsletter features technical, policy, social, governmental, but not political commentary related to the internet. Its contents reflect the viewpoints of the authors and do not necessarily reflect the positions and views of IEEE. It is published by the IEEE Internet Initiative to enhance knowledge and promote discussion of the issues addressed.