IoT Hardware and Cybersecurity

A typical IoT architecture consists of the physical layer, which consists of IoT sensors and actuators, which may be connected in the form of a star, linear, mesh, or tree network topology. The IoT devices can process the data collected by the IoT sensors at the physical layer or can be sent to the fog/cloud computing layers for analysis through IoT access and Internet core networks. The Fog/cloud computing nodes perform lightweight or advanced analytics on the data, and the result may be sent to users for decision-making or to IoT actuators to perform a specific task or control a given system or process. This implies that in an IoT infrastructure, we may have IoT devices, wireless access points, gateways, fog computing nodes, internet routers and switches, telecommunication transmission equipment, cellular base stations, servers, databases, cloud computing nodes, mobile applications, and web applications. All these hardware devices and applications constitute attack surfaces that cybercriminals can target to compromise IoT devices.

In implementing IoT security, it is important to consider the kind of hardware found in IoT systems, from the IoT device level through the IoT networks, fog computing nodes, and Internet core networks to the cloud. Security of traditional Internet and cloud-based infrastructure is very complex but less challenging due to the massive amount of computing and communication resources that are deployed to handle cybersecurity algorithms and applications that are used to eliminate vulnerabilities, detect and prevent cyberattacks to ensure the confidentiality, integrity, and availability of data and information systems. In the case of IoT devices, the computing and communication resources are very limited due to the limited energy required to power the IoT device. Hence, energy-hungry and computationally expensive cybersecurity algorithms and applications can not be used to secure IoT nodes. This hardware limitation makes IoT devices vulnerable to cyberattacks and easy to compromise.

IoT devices are vulnerable to certain types of security attacks due to the nature of IoT hardware. Some of these vulnerabilities or weaknesses resulting from IoT hardware limitations include:

• The confidentiality and integrity of sensitive data collected by sensor devices can easily be compromised due to a lack of appropriate cryptographic algorithms or weak cryptographic algorithms. It is difficult to implement strong cryptographic algorithms that are difficult to be compromised by cybercriminals due to limited computing resources in IoT devices. IoT devices use microcontrollers for computing, which are not able to handle strong but computationally expensive cryptographic algorithms. This makes IoT devices vulnerable to man-in-the-middle attacks where the wireless IoT traffic can be captured by cybercriminals and analysed to have access to it if it is not encrypted or if the encryption scheme used is weak.
• Device manufacturers introduce some of the vulnerabilities of IoT devices. They are often focused on minimising the cost of the devices and the time to market, paying little or no attention to the security requirements or needs of the customers sometimes because customers are often concerned about the prices of the devices, their ease of use and functionalities. In this way, they sometimes ship devices with default passwords, no encryption algorithms implemented, and sometimes without any mechanisms for authentication. This makes the devices vulnerable to attacks.
• In some IoT deployments, the IoT devices share the same communication channels, making them vulnerable to packet collision attacks, where compromised IoT devices are used to create packet collisions on the channels, forcing the device to deplete its stored energy rapidly and may eventually shut down the device.
• Since the communication between the IoT devices and between the IoT devices and the access point or gateway is through wireless radio communication channels, the IoT devices are vulnerable to jamming attacks that are designed to force the IoT devices to deplete their stored energy rapidly.
• IoT devices are also vulnerable to flooding attacks that are designed to flood IoT devices with benign or useless packets so that they will spend more energy in processing these useless packets, rapidly depleting their stored energy and eventually shutting down the device.
• Since IoT devices are relatively easy to infect with malware, they are vulnerable to a kind of malware attack in which the attacker infects the device with malware that forces the device to perform more computations, rapidly depleting the energy stored in the device and eventually shutting it down.
• Another type of IoT hardware vulnerability is rout poisoning, in which the attacker creates routing loops, turns some devices into sinkholes, or increases routing paths with the aim of forcing the devices to spend more energy and eventually depleting their energy, reducing the lifetimes of some of the devices in the network.
• IoT devices can easily be infected and turned into botnets, which can then be used to conduct sophisticated large-scale attacks such as distributed denial of service attacks that can paralyse IT assets (servers and gateways) on a large scale.
• Another IoT hardware vulnerability is the lack of visibility. Many IoT devices are deployed without appropriate identification numbers (IP addresses), creating blind spots because the devices are not visible to security monitoring tools and can be exploited. Also, the fact that various devices may have different protocols makes it difficult to monitor all the devices within the network, making them weak points for the network.
• An inefficient firmware verification mechanism makes it possible to tamper with the firmware or reverse engineer it, making the device vulnerable to attacks. Attackers may illegally update the firmware of the device or tamper with it in such a way that they can easily capture the device and use it for further attacks.
• As a result of poor device management strategies, some organisations or individuals sometimes fail to attend to some devices to ensure that they are well-secured (failing to install necessary updates and patch security holes to gaps), leaving them vulnerable to attacks from cybercriminals.
• some hardware security vulnerabilities are hard to eliminate, such as side-channel attacks, reverse engineering of the hardware, malware infection, and data extraction, which could be exploited, resulting in a data breach.
• IoT devices are vulnerable to physical attacks where a criminal can destroy the device or vandalise the device and even access it manually.

IoT hardware attacks are the various ways that security weaknesses resulting from limitations in IoT hardware can be exploited to compromise the security of IoT data and systems. An attacker may install malware on IoT devices, manipulate their functionality, or exploit their weaknesses to gain access to steal or damage data, degrade the quality of services, or disrupt the services. An attack could conduct an IoT on devices with the aim of using them for a more sophisticated large-scale attack on ICT infrastructures and critical systems. There is an increase in the scale and frequency of IoT attacks due to the increase in IoT attack surfaces, the ease with which IoT devices can be compromised, and the integration of IoT devices into existing systems and critical infrastructure. Some of the common IoT hardware attacks include:

• Unauthorised access
• Emulation of fake IoT devices
• Identity Theft
• Injection of fake information
• Firmware-base attacks
• Eavesdropping and man-in-the-middle attacks
• Energy depletion attacks
• Brut-force attacks
• DoD/DDoD attacks
• Ransomware attacks
• Packet collision attacks
• Physical attack on the device

It is very difficult to eliminate IoT hardware vulnerabilities due to the hardware resource constraint of IoT devices. Some of the measures for securing IoT devices and mitigating the risk posed by IoT security vulnerabilities have been discussed in ^[1] and include the following:

• Implementing lightweight encryption schemes on IoT devices: The data stored in the IoT devices (e.g., device authentication data and other sensitive data) should be encrypted to ensure that its confidentiality and integrity are not compromised. The IoT data should be encrypted before being transmitted through any transmission medium. Since traditional cryptographic algorithms are computationally expensive and require strong and energy-hungry computing systems, it is preferable to implement lightweight cryptographic algorithms that require relatively less energy.
• Implementing robust authentication mechanisms on IoT devices: Rubost authentication mechanisms should be implemented to restrict access to IoT devices and to ensure that all IoT devices that connect to access points and servers are authenticated. This ensures that access to critical resources like access points, gateways, and servers can be controlled to ensure the authenticity of the communication. It is also important to avoid purchasing devices with hardcoded passwords, change default passwords, and create strong passwords for devices.
• Configuring firewalls to protect devices from traffic-based attacks: The perimeter of the network can be protected by implementing firewalls that reject malicious traffic at the edge of the network. That is, it allows only traffic from legitimate sources and blocks traffic from sources that are deemed to be malicious. It can also be used to segment the network so that the IoT network can be isolated from other networks and attacks on IoT networks can not be spread to other networks. Software firewalls can be configured on individual devices to restrict traffic from unauthorised sources from reaching the devices.
• Ensure that the software and hardware components are not compromised: The software and hardware components used in IoT devices should be well-tested to ensure that there are no security vulnerabilities in them that malicious attackers may exploit to compromise the security of the data and the devices. Security measures should be included at every stage of the device lifecycle to ensure that well-known vulnerabilities are resolved and that there are security strategies to ensure that the device and data security is not compromised.
• Implement dedicated security hardware to improve the security of the devices: Dedicated hardware components that are designed specifically to perform security-related functions (e.g., secure communications, energy-efficient cryptographic functions and key management) to ensure real-time security of the devices. Some dedicated hardware components can facilitate the implementation of secure boot process and authentication operations. Another advantage of using dedicated IoT security hardware is that some of them are designed with the goal of striking a balance between the IoT hardware constraint, energy consumption, and security.
• Always verify the validity and trustworthiness of the software and firmware of the IoT devices: Reliable mechanisms should be implemented to verify the validity and trustworthiness of the software and firmware of IoT devices. In this way, we can check if the software or the operating system of the device has been tampered with or manipulated in such a way that the device is vulnerable to attacks.
• Regular security checks and updates: Mechanisms should be implemented to check if the device has been tampered with. Also, the firmware and software of the device should be updated and regulated to patch any security holes.
• Regular security audits should be performed: The IoT network should be regularly audited using vulnerability scanning and security auditing tools to ensure that IoT vulnerabilities (including hardware vulnerabilities) and threats can be detected and resolved before criminals can exploit them.
• Enforcement of security policies: Sound security policies should be designed and enforced to ensure that the IoT device and data are not easily compromised. For example, the principle of security by design was implemented when designing and implementing IoT hardware and software. Also, all IoT devices must be identified, monitored continuously, and regularly audited to ensure that known vulnerabilities can be resolved on time. Also, attacks against IoT devices should be detected and blocked on time.