Security Flaws in IoT Devices: Investigation and Defense Mechanisms

The proliferation of Internet of Things (IoT) devices has led to massive generation of sensor data and increase in attack vectors. Traffic generated by these devices require more exploratory studies in order to determine the effective ways to secure transmitted data and avert exploitation by hackers. IoT devices susceptibility to direct or remote manipulation, secure channel used for message transmission and resilience of the underlying middleware (broker) to exploitation are very important issues that worth consideration. With more data ever being collected than before, the security of user’s information and devices identities are becoming a great concern. In this research work, we evaluate the vulnerabilities inherent in an IoT ecosystem design that was developed using Raspberry Pi, sensors and MQTT protocol. We also developed a real-time anomaly detection in sensor reading to avert dangerous situation and evaluate the effectiveness of our work.

networks. The authors discussed authentication methods and hardware security support for IoT. A broad overview of the security risks in IoT and possible counteractions was also discussed in a recent survey (Meneghello et al 2019). Specific security mechanisms adopted by most popular IoT communication protocols was presented and the authors analyzed some of the attacks against IoT devices. Safety necessities like secrecy, unity and substantiation for IoT was presented in another research work (Gurunath et al 2018). IoT threat analysis involving twelve kind of different attacks, use of botnet, security issues in IoT networks and power consumption issues were also discussed. An IoT security model that can be used by organization to plan a strategy and discourse about IoT security from end-to-end perspective was presented in a recent conference on pervasive computing and communications (Bugeja et al 2019). The authors proposed a conceptual framework that can be used to analyze, describe and measure overall security level of an IoT ecosystem. Concepts like security-by-design processes and standards, continuous and automated risk assessment, data and application threat modeling, security testing, continuous monitoring, and auditing were discussed in relation to an organization's security practices. A methodology for the development of a consumer security index (CSI) to aid consumer decision making and encourage greater security provision in the manufacture of IoT devices was suggested in a research work (Blythe et al 2018). The authors employed an online survey to identify consumer preferences and identified security features that consumer IoT devices should provide. They also developed a matrix of different classes of IoT devices and explored the use of natural language processing to extract data from device user manuals to identify security features provided by manufacturers. In one of our earlier works (Olumide & Tosun 2019), we explored the data being transmitted by six representative IoT devices and analyzed the data using a proxy server to capture both Hypertext Transfer Protocol (HTTP) and Hypertext Transfer Protocol Secure (HTTPS) traffic. Sensitive information like user's information and IP addresses were identified in our data analysis. We suggested that IoT devices should not allow proxy connections and developed a machine learning algorithm to detect proxies using network connection information.
The need for a systematic and automated methodology that enables scalable testing approaches for security aspects in IoT ecosystem was discussed in a research paper on a project work that aimed to give scientists the ability to assess and compare different IoT security technologies (García et al 2018). The authors proposed a testbased risk assessment and security certification for IoT. A middleware architecture which provides an end-to-end security solution for contributors who upload sensing data was suggested in another recent work (Garg & Dave 2019). The proposed approach allows an end to end encryption of data to secure information in transit. The authors utilize a Representational State Transfer (REST) application programming interface (API) to communicate and exchange data. This provided an interface for user to register their IoT devices and securely access data collected by the device. During the process of collecting IoT information, the type and timing of the shared information so as to ensure confidentiality of the shared information and establish the rating of information sharing has also been addressed (Choi et al 2018). The authors discussed a functional requirement in the IoT information security sharing system and established functions to be performed between individuals in the reference model of the IoT information security sharing system. Security concerns like device cloning, sensitive data exposure, data tampering, denial of service, unauthorized device access and control were also discussed in (Naik & Maral 2017). However, the authors only focused on ways to mitigate IoT security challenges pertaining to device cloning and sensitive data exposure.

IoT System Design
In this work, we first developed an IoT system that monitors weather attributes so that users can decide if any extra time is needed for their commute. The system uses real-time processing of a combination of imagery and sensor data to fully describe the weather condition to the users. The users can then access all of this data via a MQTT app on their smartphone.
The weather sensor client Pi's purpose is to collect real-time weather data and transmit via MQTT to the broker Pi for further processing. The five different sensors on this Pi are a digital temperature sensor, digital humidity sensor, analog smoke detector, analog combustible gas detector, and analog CO detector. The digital sensors connect directly to the General-Purpose Input/Output (GPIO) pins of the Raspberry Pi while the analog sensors connect to an Analog to Digital (A2D) converter which then connects to the Raspberry Pi. The A2D converter is required since all of the GPIO pins on the Raspberry Pi are digital pins. The Pi will read the sensors and determine if the thresholds for the analog sensors has been exceeded. The Pi will then configure this information into a predetermined JavaScript Object Notation (JSON) format and transmit this JSON over MQTT to the broker Pi with the topic "iot/sensor_data" for further processing. This whole process will happen every 10 seconds.  figure 1 serves the purpose of image capturing and its analysis. It is used for visual confirmation of the atmospheric disposition of the area where the sensors are utilized for monitoring purposes. Using our python script, we automate image capturing via the Pi camera every 10 seconds and use the Google cloud platform for the image analysis. The cloud assisted method via the Google cloud platform helps in object identification in captured images using machine learning techniques. This helps in our evaluation of the current disposition of the atmospheric condition visually.

Fig 2: Phone MQTT message
The broker Pi's purpose is to collect the data that is being published from the weather sensor Pi with the topic "iot/sensor_data" and the camera sensor Pi with the topic "iot/camera_data" and make it where the user can gain access to this data via MQTT. When the user sends the word "data" to the topic "iot/get_command" the broker Pi will then send the data back to the phone via MQTT with the topic "iot/phone_message." as shown in figure 2.

Cyber Flaws Identification and Exploitation
Here, the purpose is to discover and then exploit vulnerabilities that will allow an adversary to alter any data that the system collects and sends. Also, a machine learning technique will be utilized to identify if any of the sensor data has been tampered with or modified.

Eavesdropping on the Broker Pi
Once an adversary has access to the network, they could use Wireshark to start collecting information about any devices on the network, especially the IoT devices. Here, Wireshark was installed directly on the broker IoT device itself so the client sensor data, client camera data, and user interaction with the client could be monitored.  figure  3. The MQTT messages that were observed include the broker Pi ping request to the online MQTT server, the data being sent from the camera client to the gateway Pi, the sensor data being sent from the sensor client Pi to the gateway Pi, and the user request from the MQTT client to the gateway Pi. There is so much useful information that an adversary can collect from just this one MQTT message. The available information that will be exposed include IP address of client Pi, IP address of broker Pi, port number MQTT message is sent through, MQTT topic and client Pi data.
The figure 4 shows the data gathered about the user's request acquired through eavesdropping. The advantage of using an online broker instead of installing the broker on the Raspberry Pi itself is that the user's IP address is not given in the transaction, thus protecting the privacy of the user. All of the information collected will later be used to find other vulnerabilities and launch attacks. Once the data has been received, a Nessus vulnerability scan was implemented to see what kind of exploits can be used on the system. Specifically, the vulnerability that was searched for entails using the default username and password to access the system when the Secure Shell (SSH) port is open. Using a tool named Metasploit on the Kali Linux operating system, Nmap scan was executed on both the client and gateway Pi to search for vulnerabilities. Using the command: nmap -sV .241 on the  figure 5. The first vulnerability that was discovered in the system was a default username and password that is used for the SSH login from a computer to a Raspberry Pi was still active. To exploit this vulnerability, the adversary has to be in the same internal network as the system that was intended to be exploited. If the adversary was on an external network, the remote SSH login could not be achieved. The issue with this vulnerability is that once the hackers connects with the SSH login, they have full access to the system and have the potential to alter any data, software, or setting of the IoT devices. In our experiment, using the default username: pi and default password: raspberry, we gained access to the system.

Vulnerability 2: Unencrypted MQTT Messages
Another vulnerability of the system that was discovered is the transmission of unencrypted MQTT messages between the IoT devices. An adversary can easily interpret the MQTT message payload. One attack that was done was to create a compromised IOT sensor client to send incorrect data to the gateway. This would be easy for the adversary to create since they could view the data structure that the sensory information is send and recreate it with incorrect information. To exploit this vulnerability, MQTT messages were sent using another Raspberry Pi with incorrect temperature values, such as the temperature being 5 degrees instead of 74 degrees, in the required JSON format to the gateway Pi with the topic "iot/sensor_data" will give the user inaccurate data. This type of attack represented an adversary gaining access to the network and creating adding a compromised client into the system with the purpose to give the user incorrect data.
In addition to the false data being sent, a DOS attack could be launched to not allow the correct data to be introduced to the system making it where only the incorrect data will be viewed. To replicate this type of attack, the additional Raspberry Pi was programmed to send the incorrect data in the required JSON format continuously to the gateway Pi with the topic "iot/sensor_data". This accomplished the task where the actual sensor data was never received by the gateway Pi. Even if it was received, it would be replaced by the incorrect data instantaneously.

Vulnerability 3: Physical Attack
Assuming that the adversary has access to the system they could launch a physical attack on the system. As shown in figure 6, all of the electrical components on the breadboard are connected to a 3.3 Volt Power source.

Fig 6: Vulnerable Physical System
One method a physical attack could be implemented is that the analog sensors could be disconnected from Journal of Information Engineering and Applications www.iiste.org ISSN 2224-5782 (print) ISSN 2225-0506 (online) Vol.10, No.1, 2020 the 3.3 Volt source and connect them to the 5 Volt source on the Raspberry Pi while still leaving the A2D converter connected to the 3.3 Volt source. The output data from the sensors as shown in figure 7, will give higher reading than the average, making the sensor reading inaccurate. Another way a physical attack could be implemented involves wiring the analog input of the A2D converter directly to the 3.3 Volt power supply. This will result in a situation where the sensor would always give a false detection of CO2 gas. Arguably, the most dangerous method a physical attack could be implemented entails connecting the analog input of the A2D converter directly to ground. This will make it unable to detect CO2 gas which could possibly harm user. All of these physical attacks would affect the reliability of the system.

System Protection Measures
As earlier identified, there are multiple vulnerabilities and attacks that can be implemented on the system. However, majority of these attacks can be prevented by adding protection measures and security mechanisms. Default Password This is actually the simplest solution to fix one of the vulnerabilities. This involves creating a new user and a unique password for that user. If the adversary wanted to gain access to the system, they will have to find the password through brute force or other password cracking techniques. Once this is done, an adversary cannot use the default username and password to access the system.

SSH Login
Another option to eliminate vulnerability is to turn off SSH login on the Pi or close the port all together. The SSH login ability was turned off once our experiments was completed so the adversary could not remote login to the system.

Hardware Interference
The hardware interference vulnerability can be solved by fabricating the circuit on a circuit board and enclosing the circuit in a case. This will increase the difficulty of creating hardware interference instead of just rewiring the circuit on the breadboard. A software prevention method would be to add a sensor which monitor the quality of transmitted data. The system will send an alert when the sensor data output is below a certain threshold, such as when the output of the sensor is grounded. The same will happen when the sensor data output is above the average by a certain threshold for a certain amount of time. For example, when the output of the sensor was wired high or 5 volts is applied to the sensor instead of 3.3 Volt thus inflating the values.

MQTT Interference
One prominent way to secure MQTT messages that are transmitted in plain text is to utilize encryption. Once the data was converted into JSON block format on the sensor client Pi, the messages would be encrypted and then sent over MQTT to the gateway Pi. The gateway Pi will then decrypt the messages and store the sensor data. A simple and least computationally expensive encryption algorithm involves converting the ASCII text in the string to hexadecimal (hex). A keyword string is used to encrypt the messages. The number of characters is counted in that keyword string and this number is subtracted from every hex character in MQTT message, thus creating an encrypted message. When a message is received by the broker Pi, the characters are counted in the keyword string and the number is added to every hex character in the MQTT message thus decrypting the message. This approach accomplished the goal of making it difficult for adversary to view data in plain text and easily craft an attack.

Real-time Anomaly Detection
Towards an intelligent security mechanism, an intrusion detection method using neural network to determine whether the sensor's state or data has been tampered with or altered was implemented. The features in the sensor data are Temperature, Humidity, Smoke detection, Combustible gas detection, CO detection, and Picture. Only Journal of Information Engineering and Applications www.iiste.org ISSN 2224-5782 (print) ISSN 2225-0506 (online) Vol.10, No.1, 2020 Temperature and Humidity, out of the six features have numerical values. Hence, the need to encode the nonnumeric values for the other four features into numeric values for machine learning computation. Since the values return by Smoke detection, Combustible gas detection and CO detection can either be "True" or "False", we encode 1 for "True" and -1 for "False". Concerning Picture, it can either return "Clear" or "Smoky". We encode -1 for "Clear" and 1 for "Smoky". A typical vector representation of the sensor reading looks like [ 76, 56, -1, -1, -1, -1] which are [Temperature, Humidity, Smoke detection, Combustible gas detection, CO detection, and Picture]. Concerning the huge numeric values for Temperature and Humidity which may outwit the other encoded values, we need to scale down the values so as to be in a range close to the encoded values. We performed feature scaling to reduce the huge numbers to values within the range 0 and 1, using the formula x = (x -xmin) / (xmax -xmin). The output based on the sensor's data can either be "Good" encoded with 0 or "Danger" encoded with 1. Using various possible combination, we formulate the training data. For example, a sample of the training data will look like [0.72, 0.58, -1, -1, -1, -1, 0], where the first six values will be for the xtrain data and last value i.e. 0 will be for the ytrain. We utilized the Multilayer Perceptron neural network (MLP) classifier for our machine learning work. In the machine learning classifier module, we subscribe to the MQTT topics that the sensor's reading was published to by the broker. Every new reading generated by the sensors serves as an instance of xtest that we use the MLP classifier for the detection of abnormality at any point in time.
However, it was noticed that the MLP classifier often misclassified largely due to overfitting and insufficient training data. We only had five sensors and we formulate our training data using different possible combination of sensor data reading scenario. Thus, we changed to decision tree which is a supervised learning method used for classification and regression. We used it to create a model that can classify any real-time sensor input data by learning simple decision rules inferred from our training data. Schematically, the decision tree can be illustrated showing all the decision rule that was implemented in the model. As shown in figure 8, we use a subset of the features to evaluate the safety condition in a smart home environment. During the Decision tree output results training phase, we trained the model using a dataset containing different possible values for the sensors. For every MQTT message that was published, we classify it in real-time to detect if there is a problem or if it is in good condition. As shown in figure 9, the classification outputs show the effectiveness of our approach.

Conclusion
Security is a major concern in IoT that needs to be addressed by all IoT device manufacturers and users. This study explored and investigated flaws inherent in an IoT system that was developed using Raspberry Pi, sensors and MQTT protocol for communication. Vulnerabilities were found in the system and active as well as passive attacks were executed to comprise the security of the IoT system. After discovering multiple vulnerabilities within the system and exploiting these vulnerabilities, protection measures were implemented to ensure data privacy and security of the system. Additionally, a real-time anomaly detection in streaming environmental sensor data was also developed to alert user of dangerous conditions so that appropriate measures can be taken for safety of lives and properties.