TY - JOUR
T1 - Consumer, Commercial and Industrial IoT (In)Security: Attack Taxonomy and Case Studies
AU - Xenofontos, Christos
AU - Zografopoulos, Ioannis
AU - Konstantinou, Charalambos
AU - Jolfaei, Alireza
AU - Khan, Muhammad Khurram
AU - Choo, Kim-Kwang Raymond
N1 - KAUST Repository Item: Exported on 2021-06-10
PY - 2021
Y1 - 2021
N2 - Internet of Things (IoT) devices are becoming ubiquitous in our lives, with applications spanning from the consumer domain to commercial and industrial systems. The steep growth and vast adoption of IoT devices reinforce the importance of sound and robust cybersecurity practices during the device development life-cycles. IoT-related vulnerabilities, if successfully exploited can affect, not only the device itself, but also the application field in which the IoT device operates. Evidently, identifying and addressing every single vulnerability is an arduous, if not impossible, task. Attack taxonomies can assist in classifying attacks and their corresponding vulnerabilities. Security countermeasures and best practices can then be leveraged to mitigate threats and vulnerabilities before they emerge into catastrophic attacks and ensure overall secure IoT operation. Therefore, in this paper, we provide an attack taxonomy which takes into consideration the different layers of IoT stack, i.e., device, infrastructure, communication, and service, and each layer’s designated characteristics which can be exploited by adversaries. Furthermore, using nine real-world cybersecurity incidents, that had targeted IoT devices deployed in the consumer, commercial, and industrial sectors, we describe the IoT-related vulnerabilities, exploitation procedures, attacks, impacts, and potential mitigation mechanisms and protection strategies. These (and many other) incidents highlight the underlying security concerns of IoT systems and demonstrate the potential attack impacts of such connected ecosystems, while the proposed taxonomy provides a systematic procedure to categorize attacks based on the affected layer and corresponding impact.
AB - Internet of Things (IoT) devices are becoming ubiquitous in our lives, with applications spanning from the consumer domain to commercial and industrial systems. The steep growth and vast adoption of IoT devices reinforce the importance of sound and robust cybersecurity practices during the device development life-cycles. IoT-related vulnerabilities, if successfully exploited can affect, not only the device itself, but also the application field in which the IoT device operates. Evidently, identifying and addressing every single vulnerability is an arduous, if not impossible, task. Attack taxonomies can assist in classifying attacks and their corresponding vulnerabilities. Security countermeasures and best practices can then be leveraged to mitigate threats and vulnerabilities before they emerge into catastrophic attacks and ensure overall secure IoT operation. Therefore, in this paper, we provide an attack taxonomy which takes into consideration the different layers of IoT stack, i.e., device, infrastructure, communication, and service, and each layer’s designated characteristics which can be exploited by adversaries. Furthermore, using nine real-world cybersecurity incidents, that had targeted IoT devices deployed in the consumer, commercial, and industrial sectors, we describe the IoT-related vulnerabilities, exploitation procedures, attacks, impacts, and potential mitigation mechanisms and protection strategies. These (and many other) incidents highlight the underlying security concerns of IoT systems and demonstrate the potential attack impacts of such connected ecosystems, while the proposed taxonomy provides a systematic procedure to categorize attacks based on the affected layer and corresponding impact.
UR - http://hdl.handle.net/10754/669494
UR - https://ieeexplore.ieee.org/document/9430606/
UR - http://www.scopus.com/inward/record.url?scp=85105879222&partnerID=8YFLogxK
U2 - 10.1109/JIOT.2021.3079916
DO - 10.1109/JIOT.2021.3079916
M3 - Article
SN - 2372-2541
SP - 1
EP - 1
JO - IEEE Internet of Things Journal
JF - IEEE Internet of Things Journal
ER -