The Internet of Things (IoT) is the interconnection of uniquely identifiable embedded computing devices within the existing Internet infrastructure. For example, in some households there are already several Internet-connected devices such as gaming consoles, Network Attached Storage (NAS) boxes, Smart TVs, tablets, smartphones, and laptops. All of these devices may connect to the Internet through the same home router, which acts as a Wi-Fi access point. In the future, more and more home and office devices will be connected to the Internet. Devices such as toasters and refrigerators may contain Wi-Fi chips and computing power.
In addition to IoT devices in the home, there are IoT devices outside the home network. Some home IoT devices, such as mobile phones or wearable devices, can roam between public networks (e.g. a 3G or 4G network) and the home Wi-Fi. Some IoT devices (such as Internet connected automobiles) are likely to only have the capability of connecting to public networks.
From a security perspective, IoT devices are a challenge. Many such devices are based on old versions of free operating systems, such as Linux. These may lack automatic update capability and, due to the limitations posed by the lack of a proper user interface, they do not have robust systems for authentication and authorization. This means that a vulnerability found in an open source library (serious and widespread examples from 2014 include “goto fail” CVE-2014-1266, “heartbleed” CVE-2014-0160, and “shellshock” CVE-2014-6271) is unlikely to be patched on IoT devices, and unauthenticated attack vectors are likely to exist.
Since IoT devices in the home network contain computing and communications resources and are vulnerable to known exploits, it is highly likely that malicious attackers will start to target various devices at home. Compromised IoT devices can be infected by malware and harnessed for money-making schemes such as DDoS, Bitcoin mining, click fraud, sending spam, and so on.
Most home routers use Network Address Translation (NAT) between the IoT device and the Internet. This means that IoT devices at home are not readily accessible from the Internet. Furthermore, as most IoT devices are not used for surfing the Internet or reading email, attacks such as drive-by downloads are not able to compromise these devices. One of the driving forces behind the development of NAT was the limited number of IP addresses available. With the introduction of IPv6 the address space is no longer scarce, so that motivation for NAT disappears. However, NAT and similar technologies that prevent outside-in connections are likely to remain in use in order to protect the home network.
For a malicious attacker to be able to compromise IoT devices such as Smart TVs, NAS devices and so on, they are likely to first compromise a laptop, smartphone or other device that may be used for web browsing or reading emails. Examples of such attacks include drive-by downloads or social engineering schemes. Once the laptop has been compromised, the attacker can then attack other IoT devices served by the same home router. It is also possible that IoT devices in the local area network (LAN) can be compromised without actually installing any malware on the bridgehead device (typically a laptop, tablet, or smartphone). This can be accomplished by a technique sometimes referred to as browser port scanning, in which a web browser on a device is used as a stepping stone to scan and attack vulnerable devices in the local network.
Since at least 2006, it has been a widely known problem that websites on the Internet can scan and access intranet servers of companies if their employees visit those web sites (see, for example, Grossman, J., “JavaScript malware, port scanning, and beyond”, posting to the websecurity mailing list (July 2006), and Grossman, J., “Browser port scanning without JavaScript” (November 2006; Aug. 1, 2007)). This can be accomplished with JavaScript and to an extent also with plain HTML. The same attack has applications in attacks against home users now that homes have multiple devices.
In this kind of attack, a user browses to a web page controlled by the attacker. The web page contains JavaScript code that accesses hosts in private address ranges (172.16.x.x, 192.168.x.x and 10.x.x.x for IPv4 and fc00::/7 for IPv6). The attacker doesn't have to scan the whole address space because home routers tend to default to just a few subnets such as 10.0.1.0/24 and 192.168.1.0/24, and hosts at home today are likely to be found at the lower ranges (2-10) within those subnets. If hosts are found, they are fingerprinted. This may be achieved by pattern matching the HTTP index page they provide. If any hosts are vulnerable to known HTTP exploits (such as the Shellshock Bash vulnerability, CVE-2014-6271), the JavaScript can launch an exploit and open a remote connection from the vulnerable host to the attacker, thus defeating the outside-in blocking provided by NAT or a firewall.
Browser port scanning can be prevented by preventing devices in the LAN from communicating with each other. If all IoT devices in the LAN are prevented from connecting to port 80 on other devices, most of these attacks could be prevented. If the restriction is limited to connections that carry a browser user-agent, valid remote-control apps continue to work.
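The following is an added illustration, not code from the original text: a router-side policy in Python that implements the mitigation just described (block LAN-to-LAN HTTP connections only when the client identifies itself as a web browser) and the private-address test for the ranges listed above. The user-agent markers, the `Connection` record and the sample traffic are constructed assumptions; a real router would need an HTTP-aware filter to see the user-agent at all.

```python
import ipaddress
from dataclasses import dataclass

# Private address ranges named in the text: RFC 1918 IPv4 blocks and IPv6 fc00::/7.
PRIVATE_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("fc00::/7"),
]

# Assumption: substrings that mark a user-agent as a web browser (heuristic).
BROWSER_UA_MARKERS = ("Mozilla/", "Chrome/", "Safari/", "Firefox/", "Edge/")

# The text restricts port 80; other HTTP ports could be added here.
BLOCKED_PORTS = {80}


@dataclass
class Connection:
    """One HTTP request as seen by an HTTP-aware filter on the router (constructed record)."""
    src: str
    dst: str
    dst_port: int
    user_agent: str


def is_private(addr: str) -> bool:
    """True if addr falls in one of the private/ULA ranges; v4/v6 mismatch is simply False."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def looks_like_browser(user_agent: str) -> bool:
    """Heuristic browser detection on the User-Agent header."""
    return any(marker in user_agent for marker in BROWSER_UA_MARKERS)


def should_block(conn: Connection) -> bool:
    """Block LAN-to-LAN requests to a blocked port that come from a browser.

    Outside-in traffic is left to NAT, and dedicated remote-control apps
    (non-browser user-agents) keep working, as the text requires.
    """
    if not (is_private(conn.src) and is_private(conn.dst)):
        return False
    if conn.dst_port not in BLOCKED_PORTS:
        return False
    return looks_like_browser(conn.user_agent)


def apply_policy(conns):
    """Return (connection, blocked?) pairs for a batch of requests."""
    return [(c, should_block(c)) for c in conns]


if __name__ == "__main__":
    # Constructed sample traffic: a laptop on the LAN, a TV at .2, and a public host.
    sample = [
        Connection("192.168.1.5", "192.168.1.2", 80,
                   "Mozilla/5.0 (X11; Linux x86_64) Chrome/40.0 Safari/537.36"),
        Connection("192.168.1.5", "192.168.1.2", 80, "HomeRemote/1.2"),
        Connection("192.168.1.5", "192.168.1.2", 22, "Mozilla/5.0"),
        Connection("192.168.1.5", "93.184.216.34", 80, "Mozilla/5.0"),
        Connection("fd12:3456::5", "fd12:3456::2", 80, "Mozilla/5.0 Safari/537.36"),
    ]
    for conn, blocked in apply_policy(sample):
        print(f"{conn.src} -> {conn.dst}:{conn.dst_port} [{conn.user_agent}] "
              f"{'BLOCK' if blocked else 'allow'}")
```

The policy is intentionally narrow: only browser-originated requests between two private addresses on port 80 are dropped, so the user's phone app talking to the TV, SSH to a NAS, and ordinary web browsing to the Internet all pass. Because the user-agent is a client-supplied header, this is a usability compromise rather than a strong boundary; a client that omits or forges the header is not caught by it.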
However, typically the same device that is likely to be used as the bridgehead launching the JavaScript scans is also the device (e.g. a laptop or smartphone) that the legitimate user uses when accessing the admin (web) interfaces of the various devices at home. If connecting from devices such as laptops and smartphones is prevented or made more difficult, then users are unlikely to use the device or are likely to disable the security features that prevent or limit connection