Bill Brown, Thoughts and Reference Material On-line (http://billbrown.info/)
Internet of Things Risks: Smart Home Device Security Threats
Published Tue, 31 Jan 2017. https://billbrown.info/2017/01/31/research/internet-of-things-risks-smart-home-device-security-threats.html

Abstract

Estimates put the number of Internet of Things (IoT) devices connected to the Internet in 2015 at five billion. That number is expected to grow to twenty-five billion within the next five years, in what O'Brien (2015) describes as the third wave of the Internet boom. This paper focuses on the security risks associated with smart home devices. Most consumers are not able to maintain smart home IoT devices, and the vulnerabilities in these devices are a safety hazard; that hazard motivated this paper. Weak authentication and authorization methods are a security risk to IoT devices, and denial of service (DoS) attacks affect IoT device security and availability. The research comprises building a home network and sampling ten smart home IoT products. Vulnerability tests were conducted with network analysis software to determine whether passwords are sent encrypted or in clear text, and whether a denial of service attack stops the IoT device from providing its service. In the reported data (which the Results tables flag as placeholder values, since the author ran out of time), passwords were sent in clear text in 60% of web-client logins to an IoT device, and 70% of the devices were unusable during the DoS test. The proposed remedies are an IoT device certification standard adopted by the industry's manufacturers and a requirement that manufacturers deliver software updates through automated patching. Consumers' smart home IoT security risk grows as the number of online devices explodes, and IoT manufacturers must be held responsible for protecting consumers' security and privacy.


Table of Contents

  1. Author Note
  2. Abstract
  3. Introduction
     Problem
     Purpose
     Research Questions
     Significance of the Study
     Definition of Terms
     Limitations and Delimitations
     Assumptions
  4. Literature Review
     Architecture of Internet of Things
     Internet of Things Operating Systems
     Network Protocols
     Network Vulnerabilities
     Privacy Concerns
     Automated Software Updates
  5. Hypothesis
     Introduction
     Research Questions
     Hypothesis
     Null Hypothesis
  6. Research Design
     Introduction
     IoT Sampling Size
     Research Method
     Software Used in Test
     Data Collection Method
     Summary and Analysis
     Limitations of Study
  7. Results
     Introduction
     Sample
     Collected Data
     Statistics and Data Analysis
  8. Discussion and Conclusion
  9. References
  10. Appendix


Internet of Things Risks:  Smart Home Device Security Threats

Introduction

The computer revolution started decades ago. Back then a computer was as large as two refrigerators and a disk drive was the size of one. They were cabled together with what were called bus and tag cables; the connectors on the ends of those cables were as large as a 5.25-inch hard drive, and the cables were thicker than a garden hose. Years have passed, and computers have continued to get smaller and faster. A new term has arrived: the Internet of Things (IoT).

Farooq, Waseem, Mazhar, Khairi, and Kamal (2015) trace the evolution of the IoT. The concept dates to 1982, when the first IoT project, a modified Coke machine, was network-enabled and connected to the Internet; it could report remotely how many drinks it contained and whether they were cold. By 1991, Mark Weiser, a visionary at Xerox PARC, had articulated a contemporary vision of the IoT, then called ubiquitous computing: embedding microprocessors in everyday objects so they can communicate information. Kevin Ashton proposed the term "Internet of Things" in 1999 to describe a system of interconnected devices. The idea of the IoT is to allow the exchange of information between the different real-world devices around us, with the computing invisibly embedded in them.

Problem

Barcena and Wueest (2015) cite a Gartner Group study predicting more than 2.9 billion connected IoT devices in smart home environments in 2015. These Internet-connected devices present a large attack surface for attackers targeting network-enabled smart homes.

Barcena and Wueest (2015) also find that weak, reused passwords are a common IoT security issue. Many IoT devices have no keyboard, so configuration is typically done remotely, and many vendors do not force the user to change the device's default password on installation. Some devices even impose restrictions that make creating a long, complex password impossible.

Denial of service attacks can affect the operation of an IoT device. Kolias, Stavrou, Voas, Bojanova, and Kuhn (2016) discuss that wireless attacks such as jamming, eavesdropping, and message injection are common and can go unnoticed. In most cases it is possible to manipulate media access control (MAC) layer message exchanges by forging the wireless protocol's transmissions. The 802.11 Wi-Fi protocol is known to be susceptible to denial-of-service (DoS) and man-in-the-middle (MiM) attacks, and its secret key is also known to be cracked quickly.

As Asplund and Nadjm-Tehrani (2016) point out, a quiet revolution is under way across several sectors, from transport, home automation, and energy to industrial control and health services, as new networked devices are added to deliver enhanced services. The aim of this paper is to identify information security risks that are common across several smart home IoT devices.

Purpose

The goal of this study is to examine Internet of Things (IoT) device security threats using mixed method research. Smart home IoT devices are examined, and experiments are conducted to measure quantitatively the impact of authentication and authorization methods and of denial of service attacks on IoT device security and quality of service. Analysis and interpretation of the data collected will yield recommendations for implementing security in IoT devices.

Research Questions

This paper addresses two questions regarding smart home IoT security risks. First, how does the implementation of weak authentication and authorization methods change the security risk to IoT devices? Second, do denial of service attacks affect IoT device security and availability?

Significance of the Study

O'Brien (2015) describes the Internet of Things (IoT) as transforming how we do business, go about daily activity, and interact with others, driven by the rapid development of new software and hardware. The IoT is the third wave of the Internet boom. Estimates put the number of devices connected to the Internet at five billion or more; within the next five years there will be twenty-five billion devices actively connected, and sales from the IoT are expected to exceed three hundred billion dollars.

O'Brien (2015) explains that the explosion of IoT device applications is triggering concern about the security of the devices and the motives behind the collection and use of people's personal data. That data collection raises the risk that individuals or groups with an ulterior motive will intercept private information. Might vulnerabilities in IoT devices and products trigger attacks against innocent consumers? The answer is most likely yes: Hewlett-Packard reported in 2014 that it found seventy percent of IoT devices at risk of attack, with vulnerabilities in password security, encryption, and a general lack of granular user access control.

O'Brien (2015) conveys Federal Trade Commission (FTC) findings that inexpensive IoT devices can be risky for buyers, because IoT device manufacturers lack a monetary incentive to provide software updates and support for vulnerabilities in their products. Examples of vulnerabilities the FTC identified to consumers are:

  • Transmissions of a user's personal information by a smart television could be intercepted or compromised
  • Compromised IoT devices could be used to attack other networks and systems in denial-of-service attacks
  • Risks to personal and physical safety: an insulin pump was hacked remotely and its settings changed to stop delivering medicine
  • Onboard automobile computer systems could be hacked remotely from another location

The significance of the study is to understand the security risks occurring in smart home IoT devices and then to present a policy for device manufacturers to follow to make those devices secure. The study will also increase consumers' awareness of the security risks of smart home devices when they choose whether to install IoT devices on their home network.

Definition of Terms

Denial-of-service (DoS) – An attack intended to prevent legitimate users from accessing or having full use of a computer system, rather than to destroy, steal, or modify information (Plant & Murrell, 2007).

Man-in-the-middle (MiM) – An account hijacking threat in which the attacker can intercept or alter messages in the communications between two parties (Farooq, Waseem, Mazhar, Khairi, & Kamal, 2015).

Media access control (MAC) – On an Ethernet LAN, each computer has a unique address (known as its MAC or hardware address), and all transmissions are strictly formatted to include source and destination addresses plus error-detection codes, so that all collisions are detected (Plant & Murrell, 2007).

Limitations and Delimitations

A restriction, or assumption, of this research is that a network breach has already occurred: a person or group has breached the home network and is now working to gain access to the smart home IoT devices.

Assumptions

Weak authentication and authorization methods on IoT devices increase the threat of device penetration, because breaking into a device whose login uses a weak method (a clear text HTTP POST) is easier and faster than breaking into an IoT device whose login is protected by strong encryption (HTTPS over SSL/TLS).

An increase in denial of service attacks on an IoT device will decrease its availability, because flooding the device's communication ports prevents it from functioning.

 Literature Review

Many different industries use the Internet of Things (IoT). Lin and Bergmann (2016) point out several verticals that it is disrupting: smart home, industrial and manufacturing, automobile and transportation, healthcare, retail and merchandising, and wellness and living. IoT devices are, in most cases, low-powered devices with slow CPUs that collect data and transmit it to a central location where it is turned into actionable information.

Architecture of Internet of Things

Architecture and standards produced by the Internet Engineering Task Force (IETF) played a key role in standardizing the IoT industry, as discussed by Lin and Bergmann (2016) and Kumar and Patel (2014). The layers adopted were the application layer (CoAP), transport layer (UDP), network layer (IPv6, RPL), adaptation layer (6LoWPAN), MAC layer (802.15.4), and physical layer (802.15.4). Since these standards were adopted, most IoT devices run lightweight communication protocols because their environments are constrained.

Lin and Bergmann (2016) identify three architectures for data collection in the IoT: middleware, cloud storage, and gateway. Middleware is a software layer that sits between the low-level device layer and the high-level application layer and usually provides a standard data exchange structure. Data collection in the cloud gives IoT devices an easy place to monitor, collect, store, and process data; data analyzed in the cloud can trigger actions defined by the manufacturer or the user for IoT control. The IoT gateway is the third model: a device on the same network as the sensors that collects their data centrally and then pushes it to another location for analysis and processing.

Lin and Bergmann (2016) also observe that the most common risks and attacks fall under three themes: confidentiality, authentication, and access. Confidentiality means that only authorized users, both humans and machines, can read data; cryptography is key to achieving it. Authentication is verifying that data has not been tampered with and that it can be verified as coming from the claimed sender. Access refers to allowing authorized users to use data, communications infrastructure, and computing resources.

Internet of Things Operating Systems

Asim and Iqbal (2016) and Hahm, Baccelli, Petersen, and Tsiftes (2016) identify Mbed, RIOT, Contiki, and FreeRTOS as common operating systems (OS) for the IoT environment. Integration of the IoT with physical objects is made possible by software together with wireless sensor network (WSN) and RFID technologies, and interaction with those objects or devices is enabled through the OS. An IoT OS occupies a few kilobytes of memory and has low power consumption, and it has some security features specific to avoiding compromise of its usability and stability. It differs from a regular operating system (Windows or Linux) because its goal is to use a low amount of resources efficiently when exchanging information between devices. Even so, an IoT OS remains prone to third-party attacks; encryption, intrusion detection, and data hiding techniques are used to protect IoT infrastructure.

Network Protocols

Lin & Bergmann (2016) discuss the creation of low power Internet-enabled network protocols by the Internet Engineering Task Force (IETF) working groups.  The following are the most used:

  1. IPv6 over Low-Power Wireless Personal Area Networks (6LoWPAN)
  2. IPv6 Routing Protocol for Low power and Lossy Networks (RPL)

These standards have played a significant role in the creation of light-weight communication protocols for constrained environments over the existing IP network.

Network Vulnerabilities

Asim and Iqbal (2016) identify Smurf, black hole, Sybil, clone ID, and hello flooding attacks occurring on RPL networks, and fragmentation, confidentiality, and authentication vulnerabilities in 6LoWPAN networks. Lin and Bergmann (2016) consider the biggest vulnerability in smart home IoT devices to be that homeowners cannot afford to hire security professionals to manage a complex smart home network.

Privacy Concerns

O'Brien (2015) discusses the liability questions that will arise more frequently as IoT devices get breached. Take an autonomous car driving down the road: if it hits a pedestrian, who is liable for the pedestrian's injuries, the manufacturer that built the vehicle and its driving software or the person who purchased the car? These questions will evolve with IoT devices in the years to come.

Automated Software Updates

One project discussed by Lin and Bergmann (2016), Generic Extension for Internet-of-Things Architectures (GITAR), is meant to provide a regular software patching or update system, similar to the way Windows Update installs patches on the Windows operating system. IoT manufacturers would integrate GITAR into their IoT operating systems and close security vulnerabilities through automated software updates before a breach occurs. As the IoT industry grows over the next few years, automatic update and patching of devices and sensors will make it easier for manufacturers across industries to upgrade software on a regular basis and lower the security risk for all IoT devices.

Many research papers share common themes. They are either experiments on devices that discuss vulnerabilities, or overviews of the IoT business covering IoT architecture and standards, operating systems used for the IoT, methods of data collection and centralization, security vulnerabilities in the current IoT environment, and ideas for lowering security risks in the IoT device marketplace.


Hypothesis

Introduction

This research design is an information security assessment of smart home IoT devices; the evaluation conducted is defined in the research design and hypothesis sections of this document. Scarfone, Souppaya, Cody, and Orebaugh (2008) describe an information security assessment as the process of determining how effectively the entity being assessed, in this case an IoT device, meets specific security objectives. They identify three evaluation methods for accomplishing an assessment: testing, examination, and interviewing. Testing is the process of exercising objects under specified conditions to compare actual and expected behaviors. Examination is the process of checking, inspecting, reviewing, observing, studying, or analyzing one or more objects to facilitate understanding, achieve clarification, or obtain evidence. Interviewing is conducting discussions with individuals or groups within an organization to facilitate understanding, achieve clarification, or identify the location of evidence. This research design uses the testing and examination methods.

Research Questions

This research design addresses two questions regarding smart home IoT security risks. First, how does the implementation of weak authentication and authorization methods change the security risk to IoT devices? Second, how does a denial of service attack affect IoT device safety, security, and availability?

Hypothesis

Weak authentication and authorization methods on IoT devices increase the threat of device penetration, because breaking into a device whose login uses a weak method (a clear text HTTP POST) is easier and faster than breaking into an IoT device whose login is protected by strong encryption (HTTPS over SSL/TLS).

An increase in denial of service attacks on an IoT device will decrease its availability, because flooding the device's communication ports prevents it from functioning.

Null Hypothesis

Weak authentication and authorization methods on IoT devices do not increase the threat of device penetration: breaking into a device whose login uses a weak method (a clear text HTTP POST) is no easier or faster than breaking into an IoT device whose login is protected by strong encryption (HTTPS over SSL/TLS).

An increase in denial of service attacks on an IoT device will not decrease its availability: flooding the device's communication ports does not prevent it from functioning.

Research Design

Introduction

The purpose of this research design is to conduct vulnerability tests on smart home Internet of Things (IoT) devices and identify their security threats using mixed method research. Goel and Mehtre (2015) describe a vulnerability as a flaw in an application that allows an attacker to harm the user of the application or to gain elevated privileges.

A sample of smart home IoT devices is selected, and vulnerability tests are carried out quantitatively on the authentication and authorization methods and on the effect of denial of service attacks on IoT device security and quality of service. Analysis and interpretation of the data collected yields the results of the tests.


IoT Sampling Size

Sampling, as defined by Kumar (2014), is the process of picking a few items (a sample) from a larger group (the sampling population) as the basis for estimating or predicting the prevalence of an unknown piece of information, situation, or outcome in the larger group. The subgroup of the population that is studied is known as the sample.

This research design selects a sample of ten smart home IoT devices using the following selection criteria:

  • Home users install the device, not professionals
  • Continuous IoT connection to the Internet
  • Device is accessible via web page to configure
  • The device uses a wireless connection

Research Method

The research instrument for testing the hypotheses of this paper is software installed on a simulated home computer network. The literature review uncovered many discussions of smart home IoT device vulnerabilities, but none of the literature stated the method of collecting the raw data for the vulnerability discussed; Asim and Iqbal (2016), for example, discuss IoT operating systems and security challenges without mentioning the process or steps taken to identify a vulnerability. This section describes the method planned for each hypothesis.

The research method is a simple process. It covers the software used as the instrument for data collection, the home installation and configuration of the network router, the installation of the IoT devices on the network, the data collection itself, and finally the format in which the data from each vulnerability test is recorded. One test is then performed per hypothesis per smart home IoT device.

Network and Computer Environment Set-up.

For each smart home IoT device, the following are needed:

  1. Network router set up as defined in its installation instructions
  2. The IoT device installed per the manufacturer's installation instructions
  3. A computer to run diagnostic software and software for data collection
  4. Wireshark network sniffing software
  5. Denial of service emulation software
  6. An Excel spreadsheet to record results

Software Used in Test

Software used during the data collection:

Wireshark.

Wireshark, a network analyzer known to some as a network sniffer, is one piece of software used. Banerjee, Vashishtha, and Saxena (2010) describe it as logging data packets; each packet holds information such as the protocol used, the destination hardware address, and much more, and suspicious packets are detected by studying their contents. In this study design, the captures are searched for the user id and password sent from the web browser to the IoT device.

Opnet Modeler Suite.

The Opnet Modeler suite is a product that can simulate a denial of service attack. Bahl, Sharma, and Verma (2012) describe a denial of service (DoS) attack as a series of packets flooding the network that leaves a device unable to send and receive packets; the device is then no longer able to perform the service it was designed for (a webcam or a thermostat, for example).

Microsoft Excel.

Tracking, collection and graphing of data documented with Microsoft Excel.

Network Configuration.

A Comcast connection simulates a consumer's network. The ARRIS SURFboard SBG6782-AC is set up following the Comcast installation instructions in ARRIS Enterprises (2015), which describes it as four products in one:

  • DOCSIS 3.0 cable modem
  • Dual-band concurrent 802.11ac Wi-Fi access point
  • 4-port Gigabit Ethernet router
  • MoCA technology

IoT Device Installation.

The sample of smart home IoT devices is assembled from devices purchased or on loan from the manufacturer. Each device is installed on the Comcast network according to the manufacturer's instructions in the supplied installation guide.

Data Collection Method

Two software vulnerability tests are performed against each IoT device to collect data. The data will help answer the research questions and test the hypotheses.

Network Analysis For User Id and Password.

Network traffic is captured with Wireshark while the computer workstation connects to the smart home IoT device and passes the user id and password over the network to log in. The high-level process includes the following steps:

  1. Start Wireshark network sniffing
  2. Record the default username and password used to log in to the IoT device
  3. Log in with the username and password
  4. Stop Wireshark sniffing
  5. Save the capture file for data analysis

Denial of Service Attack.

Network traffic is again captured with Wireshark while the workstation logs in to the smart home IoT device with the user id and password. A simulated DoS attack is then started with the Opnet Modeler Suite, and with the attack in progress the login is repeated to confirm or deny that it still succeeds.

The high-level process includes the following steps:

  1. Install the IoT device
  2. Record the default username and password used to log in to the IoT device
  3. Start Wireshark network sniffing
  4. Log in to the site via the URL supplied in the documentation
  5. Log out of the site provided by the IoT device
  6. Save the capture file for data analysis
  7. Start a DoS simulation targeted at the IoT device
  8. Repeat steps 3 through 5
  9. Save the capture file for data analysis
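The following script is added here as an example and is not part of the paper's own tooling. It shows how the captures from the two procedures above can be classified once Wireshark has saved them: it takes the raw client-to-device payload (what Wireshark's "Follow TCP Stream" shows) and reports how the secret crossed the wire, and it separates a login the device rejected from one that never received a reply, which is the failure mode a flood produces. The caveat it encodes, which matters for the "clear text HTTP POST versus HTTPS" distinction in the hypothesis: HTTP Basic authentication is base64-encoded, not encrypted, so it counts as clear text for a sniffer, while HTTP Digest sends only a hash, which is unreadable in the capture but crackable offline. All payloads, device names, credentials and addresses below are constructed for the example and come from no real device.

```python
"""Classify captured smart home web logins: how the secret crossed the wire and whether
the login was answered.  Added example; captures below are constructed, not real traffic."""
import base64
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlsplit

PASSWORD_FIELDS = ("password", "pass", "passwd", "pwd")
USER_FIELDS = ("username", "user", "login")

@dataclass
class Exchange:
    device: str
    request: bytes             # client -> device TCP payload
    response: Optional[bytes]  # device -> client payload; None if nothing arrived before the timeout
    during_dos: bool

def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body.decode("latin-1")

def credential_exposure(raw: bytes) -> dict:
    """cleartext: readable as-is (form body or query string); encoded: HTTP Basic,
    base64 is reversible so it is still clear text to a sniffer; hashed: HTTP Digest,
    only a hash is sent (unreadable but offline-crackable); tls: opaque record."""
    if len(raw) >= 2 and raw[0] == 0x16 and raw[1] == 0x03:  # TLS record: type 22, version 3.x
        return {"exposure": "tls", "user": None, "password": None}
    method, path, headers, body = parse_http_request(raw)
    scheme, _, param = headers.get("authorization", "").partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        user, _, password = base64.b64decode(param).decode("latin-1").partition(":")
        return {"exposure": "encoded", "user": user, "password": password}
    if scheme == "digest":
        match = re.search(r'username="([^"]*)"', param)
        return {"exposure": "hashed", "user": match.group(1) if match else None, "password": None}
    # A form POST body and a GET query string are equally readable on the wire.
    form = parse_qs(body) if method == "POST" else parse_qs(urlsplit(path).query)
    password = next((form[f][0] for f in PASSWORD_FIELDS if f in form), None)
    if password is None:
        return {"exposure": "none", "user": None, "password": None}
    user = next((form[f][0] for f in USER_FIELDS if f in form), None)
    return {"exposure": "cleartext", "user": user, "password": password}

def login_result(response: Optional[bytes]) -> str:
    """success / rejected / no_response / opaque (a TLS reply is judged in the browser)."""
    if response is None:
        return "no_response"
    if not response.startswith(b"HTTP/"):
        return "opaque"
    status = int(response.split(b" ", 2)[1])
    return "success" if 200 <= status < 400 else "rejected"

def summarize(exchanges) -> dict:
    """Share of devices whose secret is recoverable from the baseline capture, and
    share whose login went unanswered during the flood."""
    baseline = [e for e in exchanges if not e.during_dos]
    flooded = [e for e in exchanges if e.during_dos]
    recoverable = sum(credential_exposure(e.request)["exposure"] in ("cleartext", "encoded")
                      for e in baseline)
    unanswered = sum(login_result(e.response) == "no_response" for e in flooded)
    return {"devices": len(baseline), "cleartext_rate": recoverable / len(baseline),
            "dos_failure_rate": unanswered / len(flooded)}

# Constructed payloads, not from any real device.  The Basic header is base64("root:changeme").
CAM_A = (b"POST /login.cgi HTTP/1.1\r\nHost: 192.168.0.20\r\n"
         b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 30\r\n\r\n"
         b"username=admin&password=123456")
DVR_B = (b"GET /cgi-bin/main HTTP/1.1\r\nHost: 192.168.0.21\r\n"
         b"Authorization: Basic cm9vdDpjaGFuZ2VtZQ==\r\n\r\n")
CAM_C = (b"GET /cgi-bin/main HTTP/1.1\r\nHost: 192.168.0.22\r\n"
         b'Authorization: Digest username="admin", realm="cam", nonce="8f2c", '
         b'uri="/cgi-bin/main", response="5d41402abc4b2a76b9719d911017c592"\r\n\r\n')
THERMO_D = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"  # start of a TLS ClientHello record
OK = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"
TLS_REPLY = b"\x16\x03\x03\x00\x05\x02\x00\x00\x01\x00"

SAMPLE = [  # one baseline and one during-flood exchange per device
    Exchange("cam_a", CAM_A, OK, False), Exchange("cam_a", CAM_A, None, True),
    Exchange("dvr_b", DVR_B, OK, False), Exchange("dvr_b", DVR_B, None, True),
    Exchange("cam_c", CAM_C, OK, False), Exchange("cam_c", CAM_C, OK, True),
    Exchange("thermo_d", THERMO_D, TLS_REPLY, False), Exchange("thermo_d", THERMO_D, None, True),
]

if __name__ == "__main__":
    for e in SAMPLE[::2]:
        print(e.device, credential_exposure(e.request))
    print(summarize(SAMPLE))  # cleartext_rate 0.5, dos_failure_rate 0.75
```

Run it as a script to see the per-device classification and the two rates. On the constructed sample, two of four devices (the form POST and the Basic-auth login) expose the password to a sniffer, and three of four never answer the login while the flood is running. Counting Basic as recoverable is the design choice worth noting: a "Password Encrypted: Yes" column that treated base64 as encryption would understate the clear text rate.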

Summary and Analysis

The data collected is analyzed: the Wireshark network logs, the DoS data gathered by the Opnet Modeler Suite, and the raw data recorded in the Excel spreadsheet. From it a report is produced discussing the findings for each IoT device. The objective of the report is to describe, for each IoT device tested:

  1. Whether the password was clear text or encrypted on login from the client to the IoT device URL
  2. Whether the IoT device could be logged into from the web client while a DoS attack was in progress

The results are also summarized as percentages for the two tests described above.

Limitations of Study

A restriction, or assumption, of this research is that a network breach has already occurred: the attackers have breached the user's home network and are now working to gain access to the smart home IoT devices.

Another limitation of the study could be the cost of buying the hardware if manufacturers cannot lend hardware for a security test.

Results

Introduction

The results of the research will cover the sample devices selection, the results and the analysis performed on the data.

 

Sample

A sample of ten smart home IoT devices was collected. The selection criteria were that the device is installed by the home user, that the user must log in to the device via a URL to configure it, and that the device is always on, available, and communicating over the Internet wirelessly. Table 1 shows the sample devices used in data collection.

Table 1

NOTE: This is not valid data. Ran out of time with the research paper.

Smart Home IoT Device Sample

Device Name                        Type
ACTi IP Camera                     Web camera
Dahua DVR                          DVR
Dahua IP Camera                    Web camera
Honeywell Wi-Fi Smart Thermostat   Thermostat
IPX-DDK DVR                        DVR
Mobotix Network Camera             Web camera
Nest Camera                        Web camera
Samsung Thermostat                 Thermostat
Swann 8-Channel 1080p DVR          DVR
Vivotek IP Camera                  Web camera

 

A summary of the device types selected in the sample are:

  • 5 Home web cameras
  • 3 Digital Video Recorders (DVR)
  • 2 Thermostats

 

Collected Data

NOTE: This is not valid data. Ran out of time with the research paper.

With data collection for the IoT devices complete, the data must be coded and prepared for analysis. The first data set, in Table 2, includes the default user id and password obtained from each IoT device's installation manual, and the result of scanning the raw network logs for that user id and password while the client logged in to the IoT device. The data recorded are the device name, user id, password, and a Yes or No variable called Password Encrypted: Yes indicates the password was encrypted, and No indicates it was found in clear text in the log analysis.

The second data set, for the DoS attack on each IoT device, uses Wireshark to sniff the network traffic and save two log files: one with no DoS attack simulated, and one saved after logging in from the client to the IoT device during a DoS attack simulated with the Opnet Modeler Suite. The two values, login before a DoS attack and login during a DoS attack, are also in Table 2, recorded as Yes if the login succeeded and No if it failed.

Table 2

Data Collection Results For Password Authentication and DoS Login

NOTE: This is not valid data. Ran out of time with the research paper.

Device Name                        User id      Password      Password Encrypted   DoS Login Before   DoS Login During
ACTi IP Camera                     admin        123456        No                   Yes                No
Dahua DVR                          root         8888888       Yes                  Yes                No
Dahua IP Camera                    root         7ujMk0admin   No                   Yes                Yes
Honeywell Wi-Fi Smart Thermostat   admin        hwadmin       Yes                  Yes                No
IPX-DDK DVR                        supervisor   supervisor    No                   Yes                No
Mobotix Network Camera             admin        meinsm        No                   Yes                No
Nest Camera                        nestadmin    54321         Yes                  Yes                Yes
Samsung Thermostat                 sadmin       temp123       No                   Yes                No
Swann 8-Channel 1080p DVR          admin        VideoIQ       Yes                  Yes                No
Vivotek IP Camera                  root         zipper        No                   Yes                Yes

 

Statistics and Data Analysis

NOTE: This is not valid data. Ran out of time with the research paper.

All ten devices were attached to the network and tested. On the data as recorded, clear text authentication and authorization occurred on 60% of the IoT devices, and the other 40% applied encryption to the password, which would confirm the first hypothesis.

While a simulated DoS attack was in progress, the login to the IoT device from a web browser client failed 70% of the time, which would confirm the hypothesis that the DoS flooded the devices' communication ports and stopped them from providing any service.

Discussion and Conclusion

Resolving the security issues of IoT devices is achievable.  Many IoT devices are installed with default passwords and have no requirement to change the password on the first login to the device. This paper examined IoT security threats.  It questioned if the implementation of weak authentication & authorization methods changes security risks to IoT devices.  The paper also examined another research problem, which was to find out if denial of service attacks affect IoT device security and availability.

The purpose of the paper was to identify if IoT devices use clear text or encrypted passwords when authenticating the login into the IoT device and discover if a DoS on IoT devices affect its service.

The research method sample included ten smart home IoT devices vulnerability tested with specific a data collection method on a network installed with a default configuration.  For each device, two vulnerability tests were conducted to identify security risks in the smart home IoT products.

The research results supported both hypotheses.  A majority or 70% of IoT devices services are dysfunctional with a simulated DoS attack in progress.  More than half of the devices or 60% of them use clear text when a login in occurs from a web client to the IoT device.  From a consumer’s perspective, this is a high risk for devices that take on crucial functions in a home such as heating and cooling or monitoring security.

The results of the literature review found much of the existing research outlined know vulnerabilities that can occur.  None of the research papers reviewed conducted vulnerability test that collected data on devices and outlined results.  Further research should be carried out in the future on the most popular smart home IoT products. Once done consumers need an awareness of the security risks, they may encounter before purchasing smart home IoT merchandise off the shelf.

IoT device security certification testing and standards adoption is paramount and must be put in place by the IoT manufacturers or by a governing body for IoT manufacturers. As more and more consumer smart home IoT devices come online, the security risk is growing; IoT manufacturers must be held accountable for protecting consumers' security and privacy, and held legally liable for breaches that should have been prevented by automated product patching.  This paper is one step towards exposing consumers to the manufacturers' security vulnerabilities, in the hope that future research continues to conduct simple vulnerability tests which increase the legal liabilities and force changes to the way device manufacturers produce products.

Google Zeitgeist 2010 Reveals The Top Internet Searches For The Year (Thu, 09 Dec 2010)

Always interesting what people are searching for on the Internet.   Google Zeitgeist lists the most searched words for 2010 (All Zeitgeist; New Zealand's Zeitgeist).  iPad's popular for sure worldwide, and the Christchurch earthquake seems to be up there in NZ.

Fastest Rising Worldwide

  1. chatroulette
  2. ipad
  3. justin bieber
  4. nick minaj
  5. friv
  6. myxer
  7. katy perry
  8. twitter
  9. gamezer
  10. facebook

Fastest Rising in New Zealand

  1. grabone
  2. chatroulette
  3. christchurch earthquake
  4. justin bieber
  5. geonet
  6. fifa
  7. facebook login
  8. youtube music
  9. lotto results
  10. avata
NZiDev This weekend (Sun, 05 Dec 2010)

Attended NZiDev this weekend.   A barcamp.   First one.  Really liked the format of barcamp, where folks at the conference drive the topics and then experts and newbies arrive in the room to interact.   Amazing bunch of folks. Inspires me to get moving onto something new.

Removing Oracle RAC from Windows X64 (Sat, 17 May 2008)

I had to remove Oracle 11g and reinstall Oracle 10gRel2 for a client recently.

Steps 1a, 1b and 1d are required if you are using RAW devices for your OCR and voting disk. If you are using OCFS for these files, skip to step 1c followed by 1e.

1. Remove the partitions that have been initialized for ocrcfg and votedsk.

b. Stop the Windows services on each cluster node and set them to manual, so that if a node reboots while you are tidying up, the services will not attempt to start by themselves:

OracleCSService
OracleCRService
OracleEVMService

c. Delete the partition that was created.

d. It is advisable at this time to remove and recreate your logical drives on top of extended partitions from Windows Disk Management.

2. Execute the Oracle Universal Installer to remove all software from the CRS home

3. Run the Oracle Universal Installer to remove the empty CRS home and clean up the inventory file

4. Remove Oracle binaries using Windows explorer (right mouse click delete), both the CRS home and the files located in

c:\program files\oracle

5. Check the registry on each cluster node to be sure all Oracle services have been removed from Windows Server:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\Services
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
and any others

Example Oracle Services that should not exist anymore

OracleCSService
OracleEVMService
OracleCRService
OracleObjectService
OracleClusterVolumeService
OraFenceService

6. Using Windows Explorer, be sure %systemroot%\windows\system32\drivers\ocfs.sys, %systemroot%\windows\system32\drivers\orafencedrv.sys and %systemroot%\windows\system32\drivers\orafenceservice.sys have been removed.

7. Reboot all servers in your RAC configuration

Once the reboot has completed, start the Oracle Clusterware re-installation.

Settling In (Sat, 17 May 2008)

Have been in Christchurch, New Zealand since 27th Apr 2008. Getting bearings on which way is the sea and which way are the Alps. Surfers looked pretty cold off the pier in Christchurch but seemed to be enjoying the surf in the cold fall water and wind. We have lived in 2 different houses in the short time we have been here but are enjoying the change in culture. Goodbye Boulder, Colorado... Hello Christchurch, New Zealand.

Coldfusion Nested Cfloop or Cfloop within a Cfloop (Mon, 28 Jan 2008)

ColdFusion cfloop within a cfloop gives interesting results. I couldn't believe it was a bug, but it looks to be true once tested. Thanks to the blog of Jehiah Czebotar, who bailed me out of this issue after I had looked at it for some time with eyes crossed and debugging.

Here is the summary from Jehiah's blog post. Thanks again, Jehiah!

There is a bug in the processing of nested cfloop tags in Macromedia ColdFusion MX, as the example below shows. I have developed a workaround for this, which is also below.

Example of Problem


<cfloop query="outerqueryset">
    <cfloop query="innerqueryset">
        <cfoutput>#outerqueryset.column1# #innerqueryset.column1#<br></cfoutput>
    </cfloop>
</cfloop>

‘outerqueryset.column1‘ results in the first record’s data being displayed regardless of current iteration in the outer loop.

Workaround

The workaround is to force the display of the current row, by accessing it via array.

<cfloop query="outerqueryset">
    <cfloop query="innerqueryset">
        <cfoutput>#outerqueryset.column1[outerqueryset.currentrow]# #innerqueryset.column1#</cfoutput>
    </cfloop>
</cfloop>

oracle rac running on vmware esx using lefthand networks san (Sun, 06 May 2007)

I am interested to find out from VMware and Oracle why Oracle RAC running on Red Hat under VMware ESX is not supported by either company yet. I have spoken to both companies and there seems to be an indication that they will be certifying it soon. But no official response as to when.

If anybody is running this in a production environment, I would like to hear from you about experiences or issues. Thanks.

Colorado Anti-Junk Mail Legislation Halted – Consumers can still stop junk mail privately (Mon, 19 Mar 2007)

BOULDER, COLO. – Mar. 19, 2007 – Legislative efforts to allow consumers to eliminate junk mail from their mailboxes have been halted in Colorado. But Coloradoans still have options, such as StopTheJunkMail.com, to remove themselves from mass mailing lists. Stopthejunkmail.com wants consumers everywhere to know that even though similar efforts throughout the country are being stifled, they can still opt-out of getting direct mail using the company’s private service.

The bill, sponsored by state Rep. Sara Gagliardi, a freshman Democrat from Arvada, faced opposition from businesses, unions and postal workers whose livelihoods depend on the multibillion-dollar direct mail industry. Gagliardi said she introduced the bill to address environmental concerns and the threat of identity theft that accompanies direct mail. The proposal would have allowed Coloradoans to sign up on a “do not mail” list, similar to the “no call” list that stops telephone solicitations.

Having the option to stop receiving unsolicited mail, while easing the conscience of the “green-minded” population, would have resulted in Postal Service layoffs. Approximately half of the 12.5 million pieces of mail delivered in the state are classified as direct mail, and account for one-third of their operating budget.

Similar legislation is pending in Arkansas, Connecticut, Hawaii, Maryland, Michigan, Missouri, Montana, New York, Texas, Washington and Vermont. While Coloradoans no longer have a state-sponsored option for reducing unsolicited mail, they can still say no to junk in the mailbox by using stopthejunkmail.com’s service, as can any consumer – nationwide – who is tired of sifting through piles of unwanted mail.

Stopthejunkmail.com, a Boulder, Colo. based company, was founded in 2001 as a convenient, cost-effective way for subscribers to opt out of receiving unsolicited mail.

For a nominal fee, stopthejunkmail.com will remove subscriber information from select mailing lists and through a partnership with American Forests Organization will plant a tree in an effort to repopulate forests being depleted by junk mail production.

For more information about stopthejunkmail.com, and how it’s filling the void left by the recently terminated legislation, please contact Margot Brown at 866.769.5885 or media@stopthejunkmail.com.

Survey Shows Consumer Opinions on Junk Mail (Tue, 13 Mar 2007)

BOULDER, COLO. – Mar. 7, 2007 – Consumers think they are getting too much junk mail according to StopTheJunkMail.com’s 2006 fourth quarter survey. Results show that the majority of survey participants receive at least 6-10 catalogs per week, almost all of which are discarded immediately, leaving many to question the impact of direct mail on their homes and businesses, as well as the environment.

StopTheJunkMail.com releases their consumer opinion survey quarterly in an effort to determine how best to control or eliminate the nuisance and environmental impact of junk mail. The survey is given anonymously to a nationwide sampling of consumers to accurately show attitudes toward unwanted mail.

The survey also asks consumers what they believe are direct mail’s “worst offenders” with banks at the top of the list, followed by catalogs and coupons. The top three cancelled catalogs during the last quarter were Lands’ End, Wine Country Gift Baskets and Herrington. Direct mail lists that consumers most asked to be removed from included the Direct Marketing Association, Experian and Equifax.

While the overall findings show that most people don’t appreciate and immediately throw away unwanted mail, they wouldn’t mind the occasional catalog or direct mail offer if they could control the frequency. One-third of survey participants wouldn’t mind getting catalogs once every three months, while the majority still says they would rather get a catalog once or twice a year with e-updates, or shop online exclusively.

Almost half of all survey participants claim to be concerned about the environmental impact of junk mail – not a surprising statistic in light of the “green awareness” sprouting up in more and more businesses everyday. StopTheJunkMail.com’s environmentally friendly opt-out service is a hassle-free way for individuals to make a positive impact on the environment, while lightening their mail load.

To view a copy of the survey results or get more information on StopTheJunkMail.com, please contact Margot Brown at 866.769.5885 or media@stopthejunkmail.com.

———————————————————————————-

StopTheJunkMail.com, a Boulder, Colo. based company, was founded in 2001 as a convenient, cost-effective way for subscribers to opt out of receiving unsolicited mail. For a nominal fee, StopTheJunkMail.com will remove subscriber information from select mailing lists and plant a tree in an effort to repopulate forests being depleted by junk mail production.

Turn Off Disable Oracle Recycle Bin (Thu, 04 Jan 2007)

In a comment today about the Empty Oracle Recycle Bin post, a person wanted to know how one turns off or disables the Oracle Recycle Bin. In Oracle 10g Release 1 there is a knob to turn to disable the recycle bin behaviour: the "_recyclebin" parameter, which defaults to TRUE. We can disable it by setting it to FALSE.

Command to disable that would be:

ALTER SYSTEM SET "_recyclebin" = FALSE SCOPE=BOTH;

In Oracle 10g Release 2 the syntax to turn the recycle bin off is:

ALTER SESSION SET recyclebin = OFF;

ALTER SYSTEM SET recyclebin = OFF;

The dropped objects that were in the recycle bin will remain there even after the recyclebin parameter is set to OFF.

Keep your oracle database clean and green!
