Social Engineering Attacks on the Internet of Things

 

Internet of Things (IoT) devices are accepted and trusted parts of everyday life for many people today. IoT devices and networks are known to be more vulnerable to traditional cyber-attacks than traditional desktop/server platforms for many reasons including their limited computational power, use of ad hoc networking protocols, and limited battery lifetimes. A security risk associated with IoT which is often overlooked is the increased vulnerability to social engineering attacks which are psychological attacks directly on humans using devices, rather than the devices themselves.

All manner of system defenses can often be circumvented if a user reveals a password or some other critical information. Social engineering is a modern form of the confidence scam which grifters have always performed. Phishing emails, which fraudulently request private information, are a common version of the attack, but social engineering comes in many forms designed to exploit psychological weaknesses of the target.

Social engineering attacks involve communication between the attacker and the victim in order to either elicit some information, or persuade the victim to perform a critical action. Information gathered might include explicitly secure information such as a credit card number, or seemingly innocuous information which can support a larger attack, such as the name of a coworker. An attacker might also convince the victim to perform tasks which would support an attack, such as going to a website. Numerous experimental studies over the years have demonstrated the susceptibility of people to social engineering attacks. The effectiveness of social engineering has encouraged attackers to use it more frequently, relying on social engineering as a component of larger attacks.

The use of modern IoT devices has greatly increased the reach of an attacker, and the effectiveness of social engineering attacks. The high degree of integration provides people with the benefit of much greater access to the internet and the devices and services connected to it. However, this access can be bi-directional, allowing remote devices to interact directly with people using IoT devices. IoT devices often hold the trust of users as they belong to a family of devices which they have been able to safely use for years, such as cars, phones, and television sets. The trust relationship between users and IoT devices makes them an effective avenue for social engineering attacks because users are more likely to accept information received from them without question.

Characterization of Attacks

Social engineering attacks can be divided into the class of generic attacks, such as phishing, which are created for a broad audience, and the class of targeted attacks which are refined for a smaller target group, or even an individual. Basic phishing attacks are created in a generic way so that they can be automatically deployed to attack many people very easily. However, since they are generically constructed, they are not particularly effective against any individuals, so the success of a phishing attack is based on the number of people to whom it is deployed. Compared to a phishing attack, a targeted attack is created to focus on a smaller subset of people, and is often more effective than regular phishing attacks. Spear phishing is the term used to describe phishing attacks which are targeted in this way. An example of the type of targeting used in a spear phishing attack can be seen in the following excerpt from a real spear phishing email deployed against email users at the University of Buffalo.

"This mail is from the UBmail and it is to inform all our UBmail users ..."

The email continues to request various credentials including username and password. This spear phishing email contains a reference to "UBmail" which is the name of the email system at the University of Buffalo. By modifying the email to include local information, the attack is likely to be more effective because it tends to engender more trust in the target.

Combating Social Engineering

Existing defenses against social engineering attacks are divided into two categories, training-based defenses which train the user to defend himself, and automatic defenses which attempt to analyze communication and detect attacks automatically. Training regimens have been proposed which educate users on the techniques used in previous attacks, and the importance of various pieces of information. Training techniques depend on the user's awareness of his/her mental state and thought processes, referred to as metacognition. A user may be expected to consciously consider security questions in the middle of a conversation, while providing data to an external agent. Such training-based approaches are important but they cannot be relied upon in general because a user's response to an attack is highly dependent on his mental state at the time of the attack, and this is not predictable. A person who is upset due to an event in his personal life will be more susceptible to an attack than a person with a secure mental state. A person's reaction to an attack is also highly dependent on aspects of their personality which are not controllable. Some people may be more insecure and feel a need to please someone who they are communicating with by answering their questions. Mental state and personality issues are not strongly impacted by training.

A number of automatic approaches exist to detect phishing emails and phishing websites masquerading as trusted websites. Phishing website identification approaches observe the features of the website and apply a set of rules which distinguish anomalous website properties. Identifying features used include the existence of misleading URLs, the existence of specific images, client-side search history, and password requests. Detection rules consider values of individual features and correlations between feature values, such as the inclusion of a company logo at a website whose URL is not related to the company. Several techniques have been proposed to detect phishing emails by extracting features of the email header and body. Commonly used features include the use of IP-based URLs, URLs linked to new domains, HREF values which do not match the displayed link, and HTML emails which allows URL names to be masked.

Conclusions

Social engineering attacks are not likely to disappear anytime soon, but IoT designers need to appreciate the significance of these attacks and start to build detection approaches into products. Training of users is useful for an employer to require for all employees, but automatic detection approaches directly integrated into IoT devices has a much greater potential for reliability in the long term. Automatic detection approaches need to scan user communication for suspicious activity while maintaining user privacy. This is a hard problem but it must be addressed if people are to be expected to continue accepting IoT technology to the degree that they have in the past.

 

---

 

Ian G. Harris is an Associate Professor and currently Vice Chair of Undergraduate Education in the Computer Science Department at the University of California Irvine. He received his BS degree in Computer Science from Massachusetts Institute of Technology in 1990. He received his MS and PhD degrees in Computer Science from the University of California San Diego in 1992 and 1997 respectively. He was a member of the faculty in the Electrical and Computer Engineering Department at the University of Massachusetts Amherst from 1997 until June 2003. Research projects in Professor Harris' group are related to security and verification of Internet of Things systems. Professor Harris teaches an IoT specialization entitled "An Introduction to Programming the Internet of Things" which can be found on Coursera at https://www.coursera.org/specializations/iot.