Social Engineering in The Internet of Everything: Cutter IT Journal July 2016
It is well known that social engineering attacks are designed to target the user-computer interface, rather than exploiting a system’s technical vulnerability, to enable attackers to deceive a user into performing an action that will breach a system’s information security. They are a pervasive and existential threat to computer systems, because in any system, the user-computer interface is always vulnerable to abuse by authorized users, with or without their knowledge.

Historically, social engineering exploitations in computer systems were limited to traditional Internet communications such as email and website platforms. However, in the Internet of Things (IoT), the threat landscape includes vehicles, industrial control systems, and even smart home appliances. Add to this mix naive users and default passwords that are extremely weak and easily guessed, and the threat becomes greater. As a result, the effects of a deception-based attack will now no longer be limited to cyberspace (stealing information, compromising a system, crashing a Web service, etc.), but can also result in physical impacts, including:

- Damage to manufacturing plants
- Disruption of train and tram signaling, causing death and injury
- Discharge of sewage from water treatment plants
- Damage to nuclear power plants (e.g., Stuxnet)

In December 2014, a German steel mill furnace sustained damage when hackers used targeted phishing emails to capture user credentials, thereby gaining access to the back office and ultimately the production network, with devastating consequences. Another example occurred when households in Ukraine suffered a blackout on 23 December 2015 caused by an attack that brought down the power grid. Again, the attackers used phishing emails to trick users at the electric company into clicking on an attachment in an email, ostensibly from the prime minister of Ukraine. This is thought to be the first cyberattack that brought down an entire power grid, leaving 80,000 homes without electricity.

The more effective such cyber-physical attacks prove,1 the more the deception attack surface continues to grow. For example, in the near future, fake tire pressure alerts shown on a car’s dashboard or gas leakage warnings on a smart heating system’s GUI may be used to achieve deception in a manner not too dissimilar to current scareware pop-up alerts experienced by today’s mobile and desktop users. In the extreme, attackers may even begin to target medical devices (such as pacemakers or mechanical insulin-delivering syringes) via near field communications or wireless sensor networks, in an approach analogous to ransomware. This has already occurred through the IoT using conventional hacking techniques (SSH vulnerabilities and unpatched systems with default hardwired passwords) and is commonly known as a MEDIJACK attack. The major problem with these devices is that they remain unpatched throughout their lifetime, and at the moment this is also the situation within the IoT. Figure 1 provides a snapshot of the potential IoT social engineering threat space.

Would Your Fridge Lie to You?

Prior to the advent of the IoT, an email or instant message purporting to originate from your fridge would seem ludicrous. Nowadays, however, the concept does not seem so absurd. In fact, it is exactly this change in our expectations about the way we use technology and the increasing capabilities of system-to-system communication that poses the most risk. Today’s users expect greater visibility and control over their environment, leading to a proliferation of distributed interfaces attached to what were traditionally isolated systems, sharing new types of data across a cyber-physical boundary. The result is an ever-richer user experience, but also an augmented attack surface at the disposal of willing cybercriminals. And as cybercriminals tend to go in search of low-hanging fruit in order to exploit a system, the user is now more than ever a soft target. Since attackers may not always have physical access to IoT devices to exploit them directly, they can instead target the distributed functionality and associated behavior integrated into new and existing systems. For example, it would not be unreasonable to imagine an attacker crafting a spoofed instant message from a user’s refrigerator (see Figure 2), reporting that it is running low on milk and asking whether the user would like to place an order with an Amazon-style “one-click” ordering button — which conveniently leads to a drive-by download. But how did the attacker know the user’s milk was low? Well, in the IoT they simply sniffed seemingly unimportant, unencrypted sensor node data sent from the fridge to the home automation controller, which connects to the user over the Internet via their home broadband router. Here, the attacker has exploited platform functionality that interfaces with the IoT device (in this case, a fridge) by manipulating the perceived behavior of the system as opposed to the device itself. In practice, such an attack can lead to a conventional exploitation such as system compromise or theft of banking credentials. It is not a great leap to envision that your fridge could be held to ransom by ransomware. Pay up, or your fridge won’t turn on.

Unlike phishing emails claiming to originate from financial institutions and banks (which have existed for nearly 30 years), users are not sensitive to malicious behavior originating from home/city automation systems, smart devices, or social media platforms that provide access to e-health, emergency, or public services. To a large extent, this is because the physical appearance of such systems does not require significant change to become compatible with the Internet of Things; normally it is only the data these platforms generate that is shared. Specifically, the IoT is enhancing data accessibility, which is further augmenting the attack landscape for cybercriminals seeking to develop convincing social engineering attacks.
Figure 2 — Attacking a SMART fridge through intercepting and injecting spoofed application messages. (Diagram labels: INTERNET; Router; “Sniff data and inject spoofed message.”)
Get The Cutter Edge free: www.cutter.com Vol. 29, No. 7 CUTTER IT JOURNAL 21
Data Leakage: No Data Is Too Big or Small

Just as the IoT expands the different types of user interfaces that attackers can target, the different types of data (previously hidden from attackers) that can be acquired are also increased. It is well known that attackers are adept at gathering user data and utilizing this information as a mechanism to target a user and better design an attack specific to the user’s system or improve the credibility of the deception techniques used. Nowadays, hackers use social networks to obtain personal data about a user, such as their children’s names, pet’s name, date of birth, where they graduated, and so on. By detecting and exploiting systems that are of high value and using their target’s “pattern of life” data, cybercriminals can develop effective deception mechanisms by manipulating information the user has shared and is therefore very familiar with and unlikely to repudiate.

Data leakage is exacerbated when geolocation is turned on in IoT devices (see Figure 3). This enables anyone to determine the exact location where a smartphone picture was taken, for example, which can be a problem if this identifies the user’s home and they have just tweeted that they are going away on holiday. Burglars use Twitter as well!

Recent research by the C-SAFE team at the University of Greenwich has demonstrated the ease with which an individual can be profiled through their leaked personal data using only social networks (Facebook, Twitter, LinkedIn, Instagram, etc.).2 Researchers undertook a series of experiments to determine how much information they could extract about three subjects using only social networking sites. By utilizing three freely available tools (Twitonomy, Streamd.in, Creepy) that harvest information from Twitter, the data revealed where the three subjects lived and worked, the route they took to work each day, where one subject’s parents lived, and even where and when another subject went to the gym. It was also possible to follow each of them through cyberspace to other sites such as Facebook, LinkedIn, Foursquare, and Instagram, where information missing from their “profile” was quickly filled in. The experiment demonstrated how easy it is for cybercriminals to gather personal data to construct social engineering attacks that an individual would find credible.

“Smart”er Attacks

Social engineering attacks against IoT devices are by no means hypothetical, and exploitations abusing functionality in smart devices have already been observed in the wild. For example, from December 2013 to January 2014, security provider Proofpoint detected a cyberattack that was originating from the IoT, where three times a day, in bursts of 100,000, malicious emails targeting businesses and individuals were sent out. In total, the global attack consisted of more than 750,000 malicious emails originating from over 100,000 everyday consumer gadgets, 25% of which originated from smart TVs, home
Figure 3 — Example of a cyberstalking experiment monitoring and geolocating Tweets from a Twitter user: Twitter feed (top left, middle), Creep.py (bottom left, right), Streamd.In (top right).
Figure 4 — Example of a smart meter phishing attack via compromised update and content services in the cloud. (Diagram labels: cloud-based services provided to IoT meter; INTERNET.)
Figure 5 — Example of an attacker exploiting Internet of Social Things contagion to deliver a social engineering attack. (Diagram labels: user’s Twitter account; follower’s Twitter account; numbered steps 1, 2, 3.)
Figure 7 — Key concepts in the S-SDLC lifecycle for developing resistance to deception-based attacks in the IoT. (Panels: Interfaces, SoI, WSoI; Detect / Classify / Patch; User Scenarios; Programmatic Determinism, illustrated by the pseudocode IF (X=0) { click=FALSE; X++ } ELSE { warning() }.)
Requirements

Identify the attack surface for an IoT platform by clearly defining the intended functionality and its expected limitations. Document the system-to-system and system-to-user interfaces forming the overall system of interest (SoI) and determine how these communicate and affect interfaces within the wider SoI (WSoI; e.g., the deployment environment).

Design

Develop threat models that run through different features of the platform’s design and WSoI interactions. Pinpoint weak spots in the user interface that can be abused or vulnerabilities in data transfer and network communications that may allow attackers to inject malicious data or code or gather information about the user.

Coding

Employ static code analysis to determine whether the platform’s programmatic features are deterministic to ensure spoofed or injected data does not force the platform to exhibit a deceptive behavior toward the user. Similarly, evaluate user interface controls (whether graphical or physical; e.g., a button) to ascertain whether these can be (ab)used through intended functionality.

Testing

Design and implement scenarios where different user behavior is arbitrarily executed (e.g., fuzzing) in order to identify anomalous situations when the user interface or functionality can become part of a deception-based attack. In testing, developers should generate and execute random input parameters, physical and logical, against the IoT platform in an attempt to elicit unhandled or anomalous behavior that may lead to exploitable vulnerabilities.

Release/Maintain

Establish monitoring or reporting functionality within the platform deployment environment to help detect attacks. This will facilitate continuous patching and security hardening of the specific platform and/or external platforms that have lower-security features.

Attack Classification and Defense

By applying each taxonomy criterion against each of the two IoT attack cases, we can use classification to employ S-SDLC principles that help suggest a single approach to defense that would prevent both attacks.
Case B

TD. Promiscuously targets any user who owns an IoT picture frame with social media app functionality.

MA. Functions as a manual operation by searching for tweets, then creates a custom Twitter account and tweets once a target is found.

MD. Distributed to execute the deception via remote software on the Twitter platform.

DV. Deception is behaviorally convincing, as product suppliers often communicate with customers via social media so as to gain customer data analytics. It is unlikely the Twitter account is visually credible (e.g., there are few or no followers, and as the account is not official, tweets are not authenticated — no blue tick!).

IM. Here the attacks simply (ab)use the user interface functionality of the Twitter platform.

ES. The deception completes in multiple steps, as the user must click on the URL and then add the malicious Twitter app permissions to their account.

AP. The message’s particular deception is one-off, as it is unlikely the attacker will reissue the same phishing message and thus compromise the attack’s integrity.

Each of the IoT devices, their interface contracts with other IoT platforms/devices, and the functionality they extend should be clearly defined and then evaluated against different user deployment scenarios. In this way, developers can pinpoint specific functionality supplied by the system that is vulnerable to manipulation. Here, the manipulation of features supplied by the IoT devices in each attack case could easily be highlighted by reviewing each interface contract, then conducting a robust test of its functionality in different user deployment scenarios. Since both attacks’ deceptions are one-off, they may be hard to identify and prevent; therefore it is even more important to rationalize system interface requirements before providing the users with functionality that the developers are not able (or willing) to protect. Where each attack requires multiple user steps to complete, integration of further authentication mechanisms for more significant functionality requests between interfaces should be enforced and reviewed through testing. This approach can help to determine whether extra security procedures should be enforced before a user commits a potentially compromising action (e.g., forcing a user to review a warning or confirm their identity through multi-factor authentication).
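The attack in Figure 2 succeeds because the controller accepts whatever the fridge appears to send and the app turns it into a clickable prompt. As an added example (not code from the article or its authors) of the Coding and Testing phases above and of the interface-contract review just described: the fridge authenticates each telemetry message with HMAC-SHA256 under a pre-shared pairing key and a monotonic counter, the controller rejects forged, tampered and replayed messages, the notification layer decides deterministically which action (if any) to offer and never takes a link from the payload, and a small fuzz harness checks those invariants with random and hostile inputs. The key, the field names, the `open_order_screen` action and the fuzz harness are assumptions made for this example.

```python
import hashlib
import hmac
import json
import random

# Pre-shared key provisioned to fridge and controller at pairing time (constructed
# value for this example; a real deployment provisions a unique key per device).
DEVICE_KEY = b"example-fridge-pairing-key"

def canonical(body: dict) -> bytes:
    """Stable serialisation so both sides compute the MAC over identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def sign_message(key: bytes, device_id: str, counter: int, payload: dict) -> dict:
    """Fridge side: telemetry carrying a monotonic counter and an HMAC-SHA256 tag."""
    body = {"device": device_id, "ctr": counter, "payload": payload}
    body["mac"] = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return body

class HomeController:
    """Controller side: a message is trusted only after the MAC and counter checks."""
    ALLOWED_ACTIONS = {None, "open_order_screen"}  # the only UI actions that exist

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = {}  # device_id -> highest counter accepted so far

    def verify(self, msg) -> bool:
        if not isinstance(msg, dict) or not isinstance(msg.get("mac"), str):
            return False
        body = {k: v for k, v in msg.items() if k != "mac"}
        expected = hmac.new(self.key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(msg["mac"], expected):
            return False  # forged or tampered: the sniff-and-inject case of Figure 2
        ctr, device = body.get("ctr"), body.get("device")
        if not isinstance(ctr, int) or ctr <= self.last_counter.get(device, -1):
            return False  # replay of a previously captured genuine message
        self.last_counter[device] = ctr
        return True

    def render_notification(self, msg) -> dict:
        """Deterministic UI rule: an action is offered only for a verified message and
        is chosen here, never read from the payload, so an injected link cannot reach the UI."""
        if not self.verify(msg):
            return {"text": "Unverified device message discarded.", "action": None}
        payload = msg["payload"] if isinstance(msg.get("payload"), dict) else {}
        level = payload.get("milk_level_pct")
        if isinstance(level, (int, float)) and level < 20:
            return {"text": f"{msg.get('device')}: milk is low.", "action": "open_order_screen"}
        return {"text": f"{msg.get('device')}: status ok.", "action": None}

def fuzz_interface(ctrl: HomeController, rounds: int = 500, seed: int = 1) -> int:
    """Testing phase: feed random and hostile messages to the interface and return how
    many violate the invariants (unknown action, or any action for an unsigned message)."""
    rng = random.Random(seed)
    junk = [None, 0, -1, 2 ** 40, 1.5, "", "ftp://example.invalid/x", [], {}]
    violations = 0
    for i in range(rounds):
        payload = {rng.choice(["milk_level_pct", "order_url", "text"]): rng.choice(junk)
                   for _ in range(rng.randint(0, 3))}
        signed = rng.random() < 0.5
        if signed:  # genuine but odd telemetry
            msg = sign_message(ctrl.key, "fridge-1", 10_000 + i, payload)
        else:       # attacker-injected message built without the key
            msg = {"device": "fridge-1", "ctr": 10_000 + i, "payload": payload,
                   "mac": rng.choice(junk)}
        out = ctrl.render_notification(msg)
        if out["action"] not in ctrl.ALLOWED_ACTIONS or (out["action"] and not signed):
            violations += 1
    return violations
```

A captured genuine message replayed later is refused by the counter check, and a message with an edited milk level fails the MAC check before its payload is ever looked at.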
User Susceptibility Profiling

In order to provide a robust defense against social engineering attacks, responsibility cannot be laid solely upon the shoulders of system developers or the organizations that provide access to a computer system, whether that is an IoT platform connected to the Internet, a local area network, or a near field communications medium. The users of the system are just as important, if not relied upon even more, to act and use the computer securely to ensure that their actions do not inadvertently result in information security compromise. Remember, there is no silver bullet for protecting against human error.

Identifying a key set of measurable user attributes can help to provide a basis for modeling which type(s) of user profiles are more or less likely to be susceptible to a deception-based attack. Such attributes could be used to define features for predicting and estimating user susceptibility when using a specific platform or range of platforms. Crucially, access to a user susceptibility profile provides the basis for applying a threshold at which the probability of user susceptibility triggers security-enforcing actions aimed at minimizing and/or mitigating exploitation.

Human as a Sensor (HaaS)

The concept of the human as a sensor has been employed extensively and successfully for the detection of threats and adverse conditions in physical space; for example, to report road traffic anomalies, detect unfolding emergencies, and improve the situational awareness of first responders through social media.5 In a similar manner, human sensing can be applied to detect and report threats in cyberspace as well. In fact, as the IoT crosses the cyber-physical boundary, the ability of users to report suspected attacks, both cyber and physical, may help to detect attacks initiated in one space that result in an effect on the other. In this respect, it then becomes particularly important to be able to tell to what extent users can correctly detect deception-based security threats, leveraging the intelligence provided by users to augment IoT cyber situational awareness.

Within a smart city, users are likely to be exposed to many different IoT interfaces, such as advertising, multimedia, and wireless multicast feeds in the local geographic area (e.g., local car park capacity, what’s on at the cinema, popular restaurants). Should any of these interfaces be targeted by an attacker using social engineering, users can play an important role in identifying deception attempts. In this example, the user can open their HaaS tool within their smartphone to report any suspected attacks, which can then be directly fed to the smart city security-monitoring system. Free car parking might even be an incentive for correctly reported attacks!

Conclusion

The IoT promises to synergize technology in new and innovative ways, and in doing so it presents major social, business, and economic benefits for modern society. Equally, for cybercriminals, the IoT promises significant rewards if they can execute a social engineering attack successfully, because hacking the user can provide access to all the “things” that they control. The more successful social engineering attacks against the IoT are, the more user confidence in its security is undermined, ultimately delaying adoption of the IoT and the realization of its potential benefits.

Fundamentally, protecting the integrity of the IoT is a two-way street. System developers should ensure that they employ best practice frameworks for producing secure IoT platforms. Security should be treated as an enabler of system functionality and not be a cost-based bolt-on or ignored completely. For their part, users are a crucial firewall in detecting social engineering threats in the IoT, and it is important that they be empowered to report potential threats, especially as they will be familiar with their own environment and more sensitive to its anomalous behavior. At the same time, it is helpful to be able to measure whether users will likely be deceived by social engineering attacks in an IoT ecosystem; therefore, as part of security awareness, it is crucial that the IoT be factored into training material. Finally, as shown in Figure 8, each of these approaches provides complementary tools that help provide a through-life defense architecture against social engineering attacks in the IoT.

To improve IoT security, system developers must empower user threat detection with a mechanism to report suspected attacks and review/analyze user reports to determine their credibility. If they decide an attack report is credible, they can then apply a generic classification to determine the key aspects of the attack and finally integrate these attack vectors as patch parameters within the platform “release/maintain” phase of the S-SDLC.

Figure 8 — A four-phase approach to through-life management of user interfaces in an Internet-capable platform. (Diagram labels: Platform; S-SDLC; Reports; Developer; User.)

As Bruce Schneier once said, “People don’t understand computers. Computers are magical boxes that do things. People believe what computers tell them.” Trust lies at the heart of securing the IoT against deception-based attacks, and thus in order to instill trust, it is device integrity that must be protected to prevent user compromise.

Endnotes

1 Loukas, George. Cyber-Physical Attacks: A Growing Invisible Threat. Butterworth-Heinemann (Elsevier), 2015.

2 Gan, Diane, and Lily R. Jenkins. “Social Networking Privacy — Who’s Stalking You?” Future Internet, Vol. 7, No. 1, March 2015 (www.mdpi.com/1999-5903/7/1/67).

3 “Proofpoint Uncovers Internet of Things (IoT) Cyberattack.” Press release, Proofpoint, 16 January 2014 (http://investors.proofpoint.com/releasedetail.cfm?releaseid=819799).

4 Heartfield, Ryan, and George Loukas. “A Taxonomy of Attacks and a Survey of Defence Mechanisms for Semantic Social Engineering Attacks.” ACM Computing Surveys, Vol. 48, No. 3, February 2016 (http://dl.acm.org/citation.cfm?id=2835375).

5 Dave, Rakesh, et al. “Augmenting Situational Awareness for First Responders Using Social Media as a Sensor.” IFAC Proceedings Volumes, Vol. 46, No. 15, 2013 (www.sciencedirect.com/science/article/pii/S1474667016330567).

Ryan Heartfield received his BSc degree from the University of Greenwich in 2011 in computer systems and networking. He currently works as a Network Architect for the UK Government, and since 2014 he has been working toward a PhD in the CSAFE group in the Department of Computing and Information Systems of the University of Greenwich. Mr. Heartfield’s research interests include social engineering, computer networks, cloud computing, and network security. He can be reached at R.J.Heartfield@greenwich.ac.uk.

Diane Gan is a Principal Lecturer in the Department of Computing and Information Systems at the University of Greenwich. She has a PhD in the field of computer networks, is a chartered engineer with the Institution of Engineering and Technology (IET), and a Senior Fellow of the Higher Education Academy (HEA). Dr. Gan’s current engagements include research and teaching within the areas of cybersecurity and digital forensics. She can be reached at D.Gan@greenwich.ac.uk.