Methodology

From Wiki-IoT

Explanation

Why do we need to classify IoT devices?

IoT attacks started as early as 2016. They were carried out through IoT botnets, in which malware herded thousands of IoT devices to mount denial-of-service attacks.

How can we classify an IoT device?

To classify an IoT device, we create the IoT Device Dangerousness Rating System (IDRS) Index, based on the North American academic grading system (A, B, C, D, F). From a calculated score, the GRAding Score (GRAS), we assess the device's dangerousness by assigning it a grade. To evaluate the dangerousness, we use criteria grouped into different categories.

  • Each criterion has a CRIterion Score (CRIS) ranging from 1 to 3, where a lower value means less harmful.
  • Each category has a CATegory Score (CATS) equal to the average of its CRIS values. If the CATS is not a whole number, we round it up to the ceiling (1.667 -> 2).
  • The GRAS is the sum of all CATS.

Let C be the number of categories and V the number of possible values for a CRIS. We can also use variations of a grade (+, neutral, -) if necessary. The GRAS then lies in the interval I = [C; C * V] and can take N = C * (V - 1) + 1 distinct values.

In our case, we have

  • C = 3 categories
  • V = 3 possible values
  • I = [C; C * V] = [3; 9]
  • N = C * (V - 1) + 1 = 3 * (3 - 1) + 1 = 7 possible values

Since the North American academic grading system has only 5 values, we need to add 2. For our 7 values, we use A+, A, A-, B, C, D and F.

Grade | + | neutral | -
A     | 3 | 4       | 5
B     |   | 6       |
C     |   | 7       |
D     |   | 8       |
F     |   | 9       |

Example

Let's work through an example.

Category 1  | 1      | 2    | 3
Criterion 1 | Absent | Rare | Very common
Criterion 2 | Absent | Rare | Very common
Criterion 3 | Absent | Rare | Very common

Rating the three criteria at 1, 2 and 3 gives a CATS for Category 1 of (1 + 2 + 3)/3 = 2.

We repeat the same operation for the remaining categories and then calculate the GRAS as the sum of all CATS.

Category   | CATS
Category 1 | 1
Category 2 | 2
Category 3 | 3

The GRAS is then 1 + 2 + 3 = 6, which the grade table maps to a grade of B.

Categories

Device

Criterion                | 1           | 2    | 3
Known hardware tampering | None        | Rare | Very common
Known vulnerabilities    | None        | Rare | Very common
Prior attacks            | None        | Rare | Very common
Updatability             | Very common | Rare | None

Known hardware tampering

Known hardware tampering rates the device's resistance to physical modification of its hardware (ports, parts, power) that would alter its behaviour. It covers anything from connecting to exposed ports to interrupting the device's power, stealing the device, removing parts, etc. (Elizalde, s.d.)

Known vulnerabilities

Known vulnerabilities rates whether vulnerabilities are publicly known for the device type. Their existence is a major risk, as they can give an attacker remote access to the device.

Prior attacks

Prior attacks rates how often the device type has been used in previous IoT attacks. Once a device has been enrolled in a botnet, compromising it again becomes easy: the malware source code used on it may have been released on the Internet, where it can be accessed, reused or modified for future attacks, as happened with the Mirai malware and all of its variants. (Infosec, 2018)

Updatability

Updatability rates how frequently an IoT device receives software updates. The software can contain bugs and vulnerabilities that affect its integrity, which is a lasting risk if the device cannot be updated. (Internet Society, 2019)

System

Criterion                         | 1                                    | 2                                  | 3
Authentication with other systems | Full authentication                  | Partial authentication             | No authentication
Communications                    | Encrypted with up-to-date encryption | Encrypted with obsolete encryption | Not encrypted
Storage                           | Encrypted with up-to-date encryption | Encrypted with obsolete encryption | Not encrypted

Authentication with other systems

Authentication with other systems rates whether the device refuses to communicate with another system without prior authentication. Mutual authentication with other systems

Communications

Communications rates the level of encryption of the device's communications. Unencrypted communication can be intercepted with a packet analyzer, and plain-text HTTP data can be intercepted by a MitM (man-in-the-middle) attack. This can be avoided by using HTTPS with SSL or TLS, yet 90% of data transactions by IoT devices are unencrypted: 41% no TLS, 41% TLS on some connections, 18% TLS on all traffic. (Constantin, 2019)(Desai, 2019)

Storage

Storage rates the level of encryption of the data stored in the device's flash memory. Encrypting stored data prevents unauthorized access to the contents of the flash.

User Authentication

Criterion              | 1                                                       | 2                          | 3
Account management     | Full                                                    | Basic                      | Absent
Authentication         | Secure                                                  | Basic                      | Absent
Brute-force protection | Exist                                                   | Basic                      | Absent
Event logging          | Access event logged                                     | Partial logging            | Absent
Passwords              | Require change after setup with complexity requirements | Require change after setup | Default, common, easy to guess

Account management

Account management rates the ability to create accounts with reduced privileges, delete accounts and change passwords.

Authentication

Authentication rates how strongly the device authenticates its users. It is weakened by the presence of hard-coded usernames and passwords left in by engineers for remote testing purposes (Sammonds, 2019), and by the absence of security checks in the recovery procedure, which then allows uploading and installing unsigned firmware images or resetting user accounts to factory settings without authentication.

Brute-force protection

Brute-force protection rates the protection against password-guessing and dictionary attacks: whether the system can limit the number of failed authentication attempts to reduce unauthorized access.

Event logging

Event logging rates whether the system can log events, such as access events.

Passwords

Passwords rates how the system handles pre-installed passwords at first setup. Default or common passwords are easy to guess and are one of the main reasons botnets can access and infect so many IoT devices. (Grau, s.d.)(Harner, 2018) They are susceptible to brute force, as they appear in password dictionaries. Pre-installed passwords that cannot be changed represent a risk. Systems can require users to change the password, with complexity requirements, after setup, or ship with a unique pre-installed password.
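A calculator for the scoring procedure described in the Explanation section (a CRIS per criterion, the CATS as the rounded-up category mean, the GRAS as the sum, the grade from the table), driven by the criterion tables of the Categories section. This is an added example written for this page, not the Wiki-IoT Grade Calculator: the grade table and the label-to-score mappings are transcribed from the page, while the sample device ratings are constructed for illustration and describe no real product.

```python
"""IDRS grade calculator (added example; not the Wiki-IoT page's own tool).

Each criterion gets a CRIS of 1..3, each category's CATS is the ceiling of the
mean CRIS, the GRAS is the sum of all CATS, and the GRAS is mapped to a grade
with the page's table. Criterion tables are transcribed from the page; the
sample device is constructed.
"""

# Grade table from the page: GRAS 3..9 -> A+, A, A-, B, C, D, F
GRADE_TABLE = {3: "A+", 4: "A", 5: "A-", 6: "B", 7: "C", 8: "D", 9: "F"}

# Criterion tables from the page: label -> CRIS (1 = least harmful, 3 = most).
# Updatability is reversed on the page: frequent updates score 1.
ENCRYPTION = {"Encrypted with up-to-date encryption": 1,
              "Encrypted with obsolete encryption": 2,
              "Not encrypted": 3}
CRITERIA = {
    "Device": {
        "Known hardware tampering": {"None": 1, "Rare": 2, "Very common": 3},
        "Known vulnerabilities": {"None": 1, "Rare": 2, "Very common": 3},
        "Prior attacks": {"None": 1, "Rare": 2, "Very common": 3},
        "Updatability": {"Very common": 1, "Rare": 2, "None": 3},
    },
    "System": {
        "Authentication with other systems": {"Full authentication": 1,
                                              "Partial authentication": 2,
                                              "No authentication": 3},
        "Communications": ENCRYPTION,
        "Storage": ENCRYPTION,
    },
    "User Authentication": {
        "Account management": {"Full": 1, "Basic": 2, "Absent": 3},
        "Authentication": {"Secure": 1, "Basic": 2, "Absent": 3},
        "Brute-force protection": {"Exist": 1, "Basic": 2, "Absent": 3},
        "Event logging": {"Access event logged": 1, "Partial logging": 2, "Absent": 3},
        "Passwords": {"Require change after setup with complexity requirements": 1,
                      "Require change after setup": 2,
                      "Default, common, easy to guess": 3},
    },
}


def category_score(cris_values):
    """CATS: mean of the category's CRIS values, rounded up (1.667 -> 2)."""
    if not cris_values:
        raise ValueError("a category needs at least one criterion")
    if any(v not in (1, 2, 3) for v in cris_values):
        raise ValueError("every CRIS must be 1, 2 or 3")
    # Integer ceiling division avoids floating-point rounding surprises.
    return -(-sum(cris_values) // len(cris_values))


def gras_range(c, v):
    """Interval I = [C, C*V] and the count N = C*(V-1)+1 of distinct GRAS values."""
    return (c, c * v), c * (v - 1) + 1


def rate_device(ratings, criteria=CRITERIA, grade_table=GRADE_TABLE):
    """Map per-criterion labels to a CATS per category, the GRAS and the grade.

    ratings: {category: {criterion: label}}; every criterion must be rated.
    Returns (cats, gras, grade).
    """
    cats = {}
    for category, table in criteria.items():
        scores = []
        for criterion, labels in table.items():
            label = ratings.get(category, {}).get(criterion)
            if label not in labels:
                raise ValueError(f"{criterion!r}: unknown or missing label {label!r}")
            scores.append(labels[label])
        cats[category] = category_score(scores)
    gras = sum(cats.values())
    return cats, gras, grade_table[gras]


# Constructed sample ratings (illustrative values, not a real product).
SAMPLE_DEVICE = {
    "Device": {"Known hardware tampering": "None", "Known vulnerabilities": "Rare",
               "Prior attacks": "None", "Updatability": "Rare"},
    "System": {"Authentication with other systems": "Partial authentication",
               "Communications": "Encrypted with up-to-date encryption",
               "Storage": "Not encrypted"},
    "User Authentication": {"Account management": "Absent", "Authentication": "Basic",
                            "Brute-force protection": "Absent",
                            "Event logging": "Absent",
                            "Passwords": "Default, common, easy to guess"},
}

if __name__ == "__main__":
    cats, gras, letter = rate_device(SAMPLE_DEVICE)
    print("CATS:", cats, "GRAS:", gras, "Grade:", letter)
```

For the constructed sample the Device category averages 1.5 and rounds up to 2, System averages exactly 2, and User Authentication averages 2.8 and rounds up to 3, so the GRAS is 7 and the grade C. The ceiling rule means a single weak criterion in an otherwise strong category is enough to pull the whole category up a point, which is the intended conservative bias of the index.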