
Security Risks of IoT Devices: From Device Characteristics to Future Risk Score Predictions

Bibliographic Details
Main author: Oser, Pascal
Language: eng
Published: 2023
Subjects:
Online access: http://cds.cern.ch/record/2862178
Description
Summary: In the last few years, a technological turnaround has taken place with the so-called Internet of Things (IoT). This has drastically changed the classic view of IT, which until the IoT era had largely consisted of fully-fledged and powerful desktop computers. Compared to classical computers, IoT devices are designed for a specific use. As a result, the hardware and form factor of these devices can be reduced, the price becomes more affordable and, hence, the number of applications increases. Thus, kitchen appliances, thermometers and oscilloscopes become “smarter” and are permanently networked with the Internet. This is taking on greater proportions due to the wide range of possible applications for IoT devices, such as the bring-your-own-device (BYOD) philosophy of many companies, the ever-increasing networking through home automation, the development of smart cities with sensors, and even the communication of autonomous vehicles with their environment (V2X). IoT devices, however, consist of computer systems on a reduced scale, which - analogous to classical computer systems - are equally vulnerable to computer attacks. Yet there is no trivial way to secure IoT devices by installing antivirus programs or anomaly detection. This is aggravated by the fact that IoT manufacturers often focus on implementing profitable functionalities instead of strengthening the security of the devices. In combination with the lack of standards, this leads to an unmanageable diversity of device models, which, for example in large heterogeneous networks, can neither be identified nor critically evaluated in sufficient time without the help of automation. The focus of this dissertation is to create security risk assessments for IoT devices in large heterogeneous networks to estimate their current and future device security risk.
For this purpose, we deal with the following research questions: (i) How can device identification be improved to automatically identify different IoT device models in large-scale heterogeneous networks?, (ii) How can the gathering of firmware and vulnerability information be automated for known vulnerabilities, including patch detection, to improve risk assessment results?, (iii) How can knowledge of software vulnerabilities serve to establish risk metrics, including a future risk prediction?, and (iv) Do the solutions to research questions 1–3 scale to large heterogeneous networks? We investigate two exemplary approaches to automating device identification through different information sources. In the following, we show how a data fusion process can be used to increase the device identification rate for a potentially large number of device identification mechanisms. For each identified device, the three device models most likely to be the device under test are further processed by downloading and analyzing their firmware images. This includes detecting vulnerabilities in the contained software and determining whether and when manufacturers have fixed them. From the obtained information, the current and future device security risk indicator is calculated per device. In various visualizations, we show the resulting security risk indicators and the evidence for their calculation, adapted to the user’s IT-security experience. The final result is a highly automated process - for technical and non-technical users - which allows a fast, detailed and traceable security assessment for IoT devices. In this work, we develop SAFER, a framework for conducting security risk assessments of IoT devices. We evaluate SAFER in the large and heterogeneous network infrastructure of the European Organization for Nuclear Research (CERN), in which about 312,000 network devices are registered.
We use SAFER to identify IoT devices in this network and evaluate them in a security-critical manner. To enable SAFER to provide a comprehensive risk assessment for its users, our framework needs only the hostname of a device to start. In order to evaluate whether users can interpret SAFER’s risk assessments in a comprehensible manner, we conducted a study with 10 technical and 10 non-technical CERN employees. The contributions of our work include: (i) the application of a data fusion methodology to device identification mechanisms in order to improve the detection rate, (ii) the automation of the process from firmware acquisition to the automated detection of whether and when identified software vulnerabilities have been fixed by the device vendor, (iii) the automated calculation of current risk indicators as well as the prediction of future risk indicators for IoT devices, and (iv) the evaluation of our SAFER system in its applicability to large heterogeneous networks.