
Protocol Vulnerabilities in IoT

2.4 IoT

2.4.2 Protocol Vulnerabilities in IoT

IoT relies on a variety of network communication technologies to serve heterogeneous applications. Wi-Fi, Bluetooth, Z-Wave, IEEE 802.15.4 and LTE are examples of IoT protocols, and there are also basic communication technologies such as Ultra-Wideband (UWB), Near Field Communication (NFC) and RFID. Before these protocols are adopted, their potential threats should be understood. The basic IoT protocols are shown in figure 12 and their vulnerabilities are explained below.

Figure 12: IoT Protocol Stack

1. CoAP (Constrained Application Protocol)

CoAP is a lightweight application-layer protocol defined by the IETF for constrained devices. In the client-server architecture it maps onto HTTP's GET, POST, PUT and DELETE methods. CoAP runs over UDP with low overhead, and multicast communication is also supported. Its main message types are Confirmable (CON) and Non-Confirmable (NON); acknowledgement (ACK) and reset (RST) messages complete the set. Messages have a total length of up to 1400 bytes and a fixed header of 32 bits (4 bytes) [47].

CoAP relies on Datagram Transport Layer Security (DTLS) to protect its messages. Although DTLS adds a layer of protection for the application layer, its suitability for constrained devices is still debated. Known problems with DTLS over CoAP include a handshake and record overhead that does not fit into the IEEE 802.15.4 frame size (MTU), an expensive handshake, a conflict with CoAP's proxy (intermediary) mode, and computationally costly cryptography.

The experiment in [48] shows that DoS attacks can be launched repeatedly by sending CoAP requests to the border router of a smart home. When malicious requests were sent every 500 ms, 75% of the legitimate packets were lost, and legitimate packets were effectively destroyed by CoAP flooding. Enabling the secure mode of the transceivers made no observable difference to communication under the DoS attack.
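To make the message format and the flooding problem concrete, the following Python is an added example, not code from the page or from [47] or [48]. It serializes and parses CoAP messages (4-byte fixed header, token, delta-encoded Uri-Path options, 0xFF payload marker) with the format checks a server must apply, and pairs the parser with a per-source sliding-window limiter. The source addresses, the 10 requests per second threshold and the simulated traffic mix are assumptions of the example.

```python
"""CoAP message encoder/parser plus a per-source request limiter (added example)."""
import struct
from collections import defaultdict, deque

COAP_VERSION = 1
TYPE_CODES = {"CON": 0, "NON": 1, "ACK": 2, "RST": 3}
TYPE_NAMES = {v: k for k, v in TYPE_CODES.items()}
METHOD_CODES = {"GET": 1, "POST": 2, "PUT": 3, "DELETE": 4}
OPT_URI_PATH = 11
PAYLOAD_MARKER = 0xFF


def _nibble(value):
    """Option delta/length nibble plus its extended bytes (RFC 7252 section 3.1)."""
    if value < 13:
        return value, b""
    if value < 269:
        return 13, bytes([value - 13])
    return 14, struct.pack("!H", value - 269)


def build_coap(msg_type, method, msg_id, token=b"", uri_path=(), payload=b""):
    """Serialize a request: fixed header, token, Uri-Path options, optional 0xFF + payload."""
    if len(token) > 8:
        raise ValueError("TKL 9..15 are reserved")
    header = struct.pack("!BBH", (COAP_VERSION << 6) | (TYPE_CODES[msg_type] << 4) | len(token),
                         METHOD_CODES[method], msg_id)
    options, previous = b"", 0
    for segment in uri_path:
        raw = segment.encode()
        d_nib, d_ext = _nibble(OPT_URI_PATH - previous)  # delta against the previous option number
        l_nib, l_ext = _nibble(len(raw))
        options += bytes([(d_nib << 4) | l_nib]) + d_ext + l_ext + raw
        previous = OPT_URI_PATH
    body = bytes([PAYLOAD_MARKER]) + payload if payload else b""
    return header + token + options + body


def _extended(nibble, data, pos):
    """Resolve a delta/length nibble to its value; return (value, new position)."""
    if nibble < 13:
        return nibble, pos
    if nibble == 13:
        if pos >= len(data):
            raise ValueError("truncated option")
        return data[pos] + 13, pos + 1
    if nibble == 14:
        if pos + 2 > len(data):
            raise ValueError("truncated option")
        return struct.unpack("!H", data[pos:pos + 2])[0] + 269, pos + 2
    raise ValueError("nibble 15 is reserved")  # a whole 0xFF byte is the payload marker, handled by the caller


def parse_coap(data):
    """Parse a CoAP message; raise ValueError on format errors a server must reject."""
    if len(data) < 4:
        raise ValueError("shorter than the fixed header")
    b0, code, msg_id = struct.unpack("!BBH", data[:4])
    version, msg_type, tkl = b0 >> 6, (b0 >> 4) & 0x3, b0 & 0xF
    if version != COAP_VERSION or tkl > 8 or len(data) < 4 + tkl:
        raise ValueError("message format error")
    pos = 4 + tkl
    token = data[4:pos]
    options, number = [], 0
    while pos < len(data) and data[pos] != PAYLOAD_MARKER:
        b = data[pos]
        delta, pos = _extended(b >> 4, data, pos + 1)
        length, pos = _extended(b & 0xF, data, pos)
        number += delta
        if pos + length > len(data):
            raise ValueError("truncated option value")
        options.append((number, data[pos:pos + length]))
        pos += length
    payload = data[pos + 1:] if pos < len(data) else b""
    if pos < len(data) and not payload:
        raise ValueError("payload marker with empty payload")
    return {"type": TYPE_NAMES[msg_type], "code": code, "msg_id": msg_id,
            "token": token, "options": options, "payload": payload}


class FloodGuard:
    """Sliding-window limiter: at most max_requests per window_ms from each source address."""

    def __init__(self, max_requests, window_ms):
        self.max_requests, self.window_ms = max_requests, window_ms
        self.history = defaultdict(deque)

    def allow(self, src, now_ms):
        recent = self.history[src]
        while recent and now_ms - recent[0] >= self.window_ms:
            recent.popleft()
        if len(recent) >= self.max_requests:
            return False
        recent.append(now_ms)
        return True


def simulate_flood(guard):
    """Constructed traffic: a legitimate client at 1 request/s and an attacker at 100 requests/s for 2 s."""
    accepted = {"legit": 0, "attacker": 0}
    request = build_coap("CON", "GET", 1, uri_path=("sensors", "temp"))
    for step in range(200):
        now_ms = step * 10
        parse_coap(request)  # every datagram still costs a parse; the limiter bounds what reaches the application
        if guard.allow("fe80::dead", now_ms):
            accepted["attacker"] += 1
        if step % 100 == 0 and guard.allow("fe80::1", now_ms):
            accepted["legit"] += 1
    return accepted
```

With a limit of 10 requests per second the attacker gets 20 of its 200 requests through while the legitimate client is untouched; the limiter cannot reduce the radio-level cost of the flood, which is why, as the experiment above found, link-layer security alone does not help.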

2. MQTT (Message Queuing Telemetry Transport)

MQTT is a messaging protocol that connects devices to middleware and applications through a broker-based publish-subscribe model. Messages are transmitted from a publisher to subscribers according to a topic. MQTT runs over TCP and delivers messages at one of three QoS levels (at most once, at least once, exactly once). The publisher, the subscriber and the broker are its three elements. With its small footprint, low memory use and low bandwidth requirements, MQTT is a suitable messaging protocol for IoT and M2M (Machine to Machine) communication [49].

Figure 13: MQTT in IoT [50]

In the MQTT setting, Ahmad et al. [51] categorized IoT threat agents into four groups:

Malicious internal user: a client with legitimate access to the device who uses it for malicious purposes. A malicious user who gains access to the MQTT broker can also enable attacks.

Curious user: a client or analyst in the IoT environment who wants to find holes and vulnerabilities.

Bad manufacturer: a maker who leaves a backdoor open that lets attackers obtain information about devices or users, or gain remote access to the device. To launch an attack or collect sensitive information, the adversary then injects malicious code into the MQTT client or broker.

External attacker: an expert programmer who performs malicious activity against any part of the MQTT-based framework.

Attackers in an MQTT-based IoT environment can mount denial of service, spoof identities, disclose information, elevate privileges and tamper with data. Disrupting the broker causes DoS within the MQTT system, since the broker's main task is to deliver messages from publishers to subscribers. Attackers can also exhaust the MQTT client and broker by sending messages at MQTT's maximum payload size of 256 MB. In addition, because MQTT runs over TCP, TCP-level DoS attacks such as bandwidth consumption and SYN flooding apply to it. An unsecured MQTT broker can give rise to a variety of IoT vulnerabilities: for example, all information, including confidential information, may be exposed to the public, data stored in the broker may be modified, or a DoS may be launched, giving the attacker an opportunity to exploit a compromised broker [52]. Although MQTT relies on SSL/TLS as its security mechanism, enforcing it on constrained devices is costly [53].

4. AMQP (Advanced Message Queueing Protocol)

AMQP is a lightweight M2M communication protocol that supports both publish-subscribe and request-response architectures. The AMQP model provides an "exchange" through which publishers and subscribers find each other: the subscriber creates a "queue" and attaches it to the exchange with a "binding", and messages matching the binding are routed to that queue. AMQP, like MQTT, runs over TCP and uses SSL/TLS and SASL for security. It is connection-oriented and is known as a robust and reliable protocol [54]. Although AMQP uses SSL/TLS encryption over TCP, there are still vulnerabilities that an attacker can use to intercept IoT communication. Because TCP/IP is the underlying protocol for AMQP, attackers have already exploited TCP vulnerabilities in many ways, and AMQP-based IoT frameworks are exposed to the same issues [55].

5. XMPP (Extensible Messaging and Presence Protocol)

XMPP is based on XML (Extensible Markup Language) and provides real-time communication. It follows a client-server model and runs on the TCP/IP stack. Because it is based on XML, it can be used in a range of customized applications such as time reporting, notification, and communication between devices, objects, sensors and actuators. XMPP uses SASL and TLS [56] for secure authentication and encryption.

In [53], the authors state that XMPP has failed to provide end-to-end secured communication for IoT deployments.

XMPP deployed without these protections is defenseless against attacks such as password sniffing, unauthorized access to servers, message injection, deletion and replay, and more.

6. ZigBee

ZigBee is a set of communication protocols for low-data-rate, short-range wireless networks. The ZigBee standard was developed by the ZigBee Alliance [57], a group of hundreds of companies. ZigBee adopts the IEEE 802.15.4 physical and medium access control (MAC) layer protocols.

ZigBee devices mostly operate in the 868 MHz, 915 MHz and 2.4 GHz bands, with a maximum data rate of 250 kbit/s.

ZigBee devices are mainly battery powered, with low power consumption, low data rate and low cost, but the key requirement is battery life. The time ZigBee applications spend transmitting is very limited; most of the time the devices are in power-saving (sleep) mode. Thanks to this, ZigBee devices can retain battery life for several years [58].

Figure 14: Some Applications in ZigBee [59]

An example ZigBee application is a home-based patient monitoring system. The patient's heart rate and blood pressure are monitored with wearable devices that connect to different sensors via ZigBee. All patient data are transmitted to a local server, i.e. a personal computer in the patient's home, where they are first analyzed. For the final decision, the data are forwarded to the patient's physician for further analysis [58].

In a wireless network the transmission can be received by any device in range, whether Bluetooth-enabled or otherwise. If an intruder's device is in the network, it can listen to all the sensitive information carried in the transmitted messages. This confidentiality problem is solved by applying an encryption algorithm to the messages: IEEE 802.15.4 encrypts the messages with the Advanced Encryption Standard (AES) [58].

7. 6loWPAN

6LoWPAN (IPv6 over Low-Power Wireless Personal Area Networks) is defined by the IETF as an adaptation layer that carries IPv6 over the IEEE 802.15.4 physical and MAC layers in low-power and lossy networks. 6LoWPAN devices are characterized by low bit rates, short range, low computational power and small, low-cost memory. The authors of [60] investigated the discovery of vulnerabilities in 6LoWPAN by fuzzing with Scapy. Fuzzing is a highly automated method widely used to find unexpected errors and flaws in network protocols that an attacker could exploit.

The authors of [61] show that an attacker can abuse the 6LoWPAN routing and fragmentation mechanisms to prevent the correct processing of genuine packets. Devices with tens of kilobytes of RAM, a few MHz of computational power and low-power wireless communication over 6LoWPAN were found defenseless against the following attacks. In the fragment duplication attack on the 6LoWPAN layer, the receiver cannot distinguish a legitimate fragment from a spoofed one and has to process every fragment it receives that carries the same IPv6 source, the same 6LoWPAN datagram tag and the receiver's MAC address. For example, during a DTLS handshake the attacker injects spoofed FRAGN fragments into a legitimate 6LoWPAN packet: the spoofed fragment carries a random payload and is merged into the original packet. By injecting such fragments the attacker can block any packet.

Another type of 6LoWPAN attack is the buffer reservation attack, which targets the memory of IoT devices. Unlike the previous attack, it does not need to discriminate between genuine and attacking nodes. The attacker sends a single FRAG1 with a small payload to the target node. If the target's reassembly buffer is free, it accepts the FRAG1 and reserves the buffer to reassemble the attacker's fragmented packet. The attacker then either sends no further FRAGN fragments or keeps the buffer occupied by intermittently sending FRAGNs up to the target's timeout. As a result no other packet can be processed. The attacker identifies the target node through the datagram tag field of the 6LoWPAN fragmentation header [61] in both the buffer reservation and the fragment duplication attack.
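Both attacks from [61] turn on how a receiver manages reassembly state. The following Python is an added example, not code from the page or from [61]: it parses the FRAG1 and FRAGN headers (5-bit dispatch, 11-bit datagram_size, 16-bit datagram_tag, plus an 8-bit offset in 8-byte units for FRAGN) and implements a reassembler with the defences a constrained node can afford, then replays both attacks against it. The MAC addresses, tags, buffer caps and 60 s timeout are assumptions of the example.

```python
"""6LoWPAN fragment parsing and a hardened reassembler (added example, not from [61])."""
import struct

DISPATCH_FRAG1 = 0b11000  # first fragment: dispatch(5) | datagram_size(11) | datagram_tag(16)
DISPATCH_FRAGN = 0b11100  # later fragment: as FRAG1 plus datagram_offset(8), in 8-byte units


def build_frag1(dgram_size, tag, data):
    return struct.pack("!HH", (DISPATCH_FRAG1 << 11) | (dgram_size & 0x7FF), tag) + data


def build_fragn(dgram_size, tag, offset, data):
    return struct.pack("!HHB", (DISPATCH_FRAGN << 11) | (dgram_size & 0x7FF), tag, offset // 8) + data


def parse_fragment(frame):
    """Return (kind, datagram_size, datagram_tag, byte_offset, data)."""
    if len(frame) < 4:
        raise ValueError("truncated fragment header")
    first, tag = struct.unpack("!HH", frame[:4])
    dispatch, size = first >> 11, first & 0x7FF
    if dispatch == DISPATCH_FRAG1:
        return "FRAG1", size, tag, 0, frame[4:]
    if dispatch == DISPATCH_FRAGN:
        if len(frame) < 5:
            raise ValueError("truncated FRAGN header")
        return "FRAGN", size, tag, frame[4] * 8, frame[5:]
    raise ValueError("not a fragmentation dispatch")


class Reassembler:
    """Reassembly buffers keyed by (source MAC address, datagram_tag).

    Defences (assumptions of this example): a global buffer cap; a per-source cap so one node
    cannot reserve every buffer; a deadline counted from the first fragment, so trickling FRAGNs
    does not extend a reservation; and discarding the datagram when two fragments for the same
    offset carry different bytes, because the receiver cannot tell which one is spoofed.
    """

    def __init__(self, max_buffers=4, per_source_max=2, timeout=60):
        self.max_buffers, self.per_source_max, self.timeout = max_buffers, per_source_max, timeout
        self.buffers = {}

    def active(self, now):
        self._expire(now)
        return len(self.buffers)

    def _expire(self, now):
        for key in [k for k, v in self.buffers.items() if now - v["t0"] >= self.timeout]:
            del self.buffers[key]

    def receive(self, src, frame, now):
        kind, size, tag, offset, data = parse_fragment(frame)
        self._expire(now)
        key = (src, tag)
        buf = self.buffers.get(key)
        if buf is None:
            if len(self.buffers) >= self.max_buffers:
                return "drop-no-buffer", None
            if sum(1 for s, _ in self.buffers if s == src) >= self.per_source_max:
                return "drop-source-cap", None
            buf = self.buffers[key] = {"size": size, "t0": now, "chunks": {}}
        if offset + len(data) > buf["size"]:
            return "drop-out-of-range", None
        if offset in buf["chunks"] and buf["chunks"][offset] != data:
            del self.buffers[key]
            return "conflict-discarded", None
        buf["chunks"][offset] = data
        if sum(len(c) for c in buf["chunks"].values()) == buf["size"]:
            del self.buffers[key]
            return "complete", b"".join(buf["chunks"][o] for o in sorted(buf["chunks"]))
        return "buffered", None


def simulate():
    """Constructed traffic: the addresses, tags and timings are made up for the example."""
    r = Reassembler(max_buffers=4, per_source_max=2, timeout=60)
    node_a = bytes.fromhex("00124b0000000001")
    node_b = bytes.fromhex("00124b00deadbeef")   # the attacker
    node_c = bytes.fromhex("00124b0000000003")
    out = {}
    # A legitimate 24-byte datagram from A in three fragments reassembles.
    pl = bytes(range(24))
    r.receive(node_a, build_frag1(24, 1, pl[:8]), 0)
    r.receive(node_a, build_fragn(24, 1, 8, pl[8:16]), 1)
    out["legit"] = r.receive(node_a, build_fragn(24, 1, 16, pl[16:]), 2)
    # Buffer reservation: B opens five datagrams with one FRAG1 each and never completes them.
    out["reservation"] = [r.receive(node_b, build_frag1(1000, tag, b"\x00" * 8), 10)[0] for tag in range(5)]
    # C can still start a datagram because B was capped at two buffers.
    out["c_start"] = r.receive(node_c, build_frag1(16, 7, b"c" * 8), 11)[0]
    # Fragment duplication: a spoofed FRAGN for A's tag 2 lands before the genuine one.
    r.receive(node_a, build_frag1(24, 2, b"\x01" * 8), 20)
    out["spoof"] = r.receive(node_a, build_fragn(24, 2, 8, b"\xff" * 8), 21)[0]
    out["genuine"] = r.receive(node_a, build_fragn(24, 2, 8, b"\x02" * 8), 22)[0]
    # B trickles a FRAGN at t=50; the deadline still runs from t=10, so its buffers are gone by t=75.
    out["trickle"] = r.receive(node_b, build_fragn(1000, 0, 8, b"\x00" * 8), 50)[0]
    out["active_at_75"] = r.active(75)
    return out
```

The simulation shows the limits of what the receiver can do alone: the caps and the fixed deadline blunt buffer reservation, but against fragment duplication the node can only detect the conflict and drop the whole datagram, which is the denial of service [61] describes; distinguishing the genuine fragment needs authentication of the fragments themselves.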

Another recent study [62] classifies the security risks of 6LoWPAN into end-to-end and hop-to-hop attacks. Hop-to-hop attacks on 6LoWPAN systems are launched by compromised internal nodes; they target radio hops, the physical link and the route discovery process. Tampering, battery exhaustion, wormhole, jamming, spoofing and selective forwarding attacks are enabled by unprotected equipment and the attacker's ability to control the 6LoWPAN layer. End-to-end attacks on IPv6-based WSN systems are caused by unauthorized external hardware, and attacking the end-to-end link harms the whole network. End-to-end security is necessary because the hardware performs packet fragmentation and reassembly for IPv6, which must be protected against packet modification. Attacks in this group take place between the IPv6 end host and the 6LoWPAN border router, for example overwhelming the edge router by generating large amounts of traffic, or impeding communication by injecting incorrect messages through the border router.

8. 802.15.4 Standard

The IEEE 802.15.4 physical-layer standard is also becoming popular for IoT development because of its low power use. However, reliable data communication can be a major challenge in a low-power protocol. Various approaches have been proposed to provide reliable communication at the different layers of the protocol stack. They fall into two classes: cryptographic security, in the form of physical-layer and upper-layer encryption, and information-theoretic security, achieved through physical-layer security techniques. Physical-layer encryption strategies rely on the modulation of the information.

Security schemes shared across protocols provide upper-layer security such as end-to-end encryption, but they do not prevent threats and attacks such as flooding, DoS and traffic inspection [63]. The 802.15.4 MAC layer offers security services such as confidentiality and integrity. However, these services come at the cost of power consumption, which is not easy for 802.15.4 devices. For secure data transmission a steganography method has been proposed [64]; its major drawback is the low data rate of the covert channel.
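The MAC-layer confidentiality and integrity services mentioned here, and the AES encryption of frames in the ZigBee section above, both depend on the auxiliary security header that 802.15.4 attaches to a secured frame. The following Python is an added example, not code from the page or from [58], [63] or [64]: it builds and parses that header (security control byte with the security level and key identifier mode, 4-byte little-endian frame counter, key identifier) and implements the receiver-side freshness check. AES-CCM* itself is not reimplemented; the point shown is that the nonce is derived from the source address, the frame counter and the level, so the receiver must reject any counter that does not strictly increase. The accepted-level policy and the source address are assumptions of the example.

```python
"""IEEE 802.15.4 auxiliary security header and receiver-side freshness check (added example)."""
import struct

SECURITY_LEVELS = {0: "none", 1: "MIC-32", 2: "MIC-64", 3: "MIC-128",
                   4: "ENC", 5: "ENC-MIC-32", 6: "ENC-MIC-64", 7: "ENC-MIC-128"}
KEY_ID_LENGTH = {0: 0, 1: 1, 2: 5, 3: 9}   # key identifier size for each key identifier mode
FRAME_COUNTER_MAX = 0xFFFFFFFF             # a counter at this value means the key is exhausted


def build_aux_header(level, frame_counter, key_id_mode=1, key_identifier=b"\x01"):
    """Security control (level in bits 0-2, key id mode in bits 3-4), LE frame counter, key identifier."""
    if level not in SECURITY_LEVELS or key_id_mode not in KEY_ID_LENGTH:
        raise ValueError("bad security control")
    if len(key_identifier) != KEY_ID_LENGTH[key_id_mode]:
        raise ValueError("key identifier length does not match key id mode")
    return bytes([(key_id_mode << 3) | level]) + struct.pack("<I", frame_counter) + key_identifier


def parse_aux_header(data):
    if len(data) < 5:
        raise ValueError("truncated auxiliary security header")
    control = data[0]
    level, key_id_mode = control & 0x07, (control >> 3) & 0x03
    frame_counter = struct.unpack("<I", data[1:5])[0]
    n = KEY_ID_LENGTH[key_id_mode]
    if len(data) < 5 + n:
        raise ValueError("truncated key identifier")
    return {"level": level, "key_id_mode": key_id_mode, "frame_counter": frame_counter,
            "key_identifier": data[5:5 + n], "header_length": 5 + n}


class IncomingFrameSecurity:
    """Freshness state a receiver keeps per (source extended address, key identifier).

    The CCM* nonce combines the source address, the frame counter and the security level, so a
    counter value repeated under the same key reuses a nonce. The receiver therefore accepts only
    strictly increasing counters and refuses a key whose counter has reached its maximum. Which
    levels are acceptable is policy; requiring encryption plus a MIC is this example's assumption.
    """

    def __init__(self, accepted_levels=(5, 6, 7)):
        self.accepted_levels = set(accepted_levels)
        self.last_counter = {}

    def check(self, src_ext_addr, aux_header):
        hdr = parse_aux_header(aux_header)
        if hdr["level"] not in self.accepted_levels:
            return "reject: security level %s not permitted" % SECURITY_LEVELS[hdr["level"]]
        if hdr["frame_counter"] == FRAME_COUNTER_MAX:
            return "reject: frame counter exhausted, key must be replaced"
        key = (src_ext_addr, hdr["key_identifier"])
        last = self.last_counter.get(key)
        if last is not None and hdr["frame_counter"] <= last:
            return "reject: frame counter %d not above %d (replay or nonce reuse)" % (hdr["frame_counter"], last)
        self.last_counter[key] = hdr["frame_counter"]
        return "accept"


def demo():
    """Constructed sequence of headers from one made-up source address."""
    guard = IncomingFrameSecurity()
    src = bytes.fromhex("00124b0001020304")
    return [guard.check(src, build_aux_header(level, counter))
            for level, counter in ((5, 10), (5, 11), (5, 11), (5, 9), (4, 12), (5, 12), (5, FRAME_COUNTER_MAX))]
```

The check must run before the expensive AES-CCM* verification, so a replayed or downgraded frame costs the node a few byte comparisons rather than a block-cipher pass; that ordering is part of what keeps the power cost of MAC-layer security tolerable.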