Abstract

Internet of Things (IoT) is a new paradigm that integrates the internet and smart objects. It is an intelligent network that connects all things to the Internet for the purpose of exchanging information and communicating through the information sensing devices in accordance with agreed protocols. Aside the various benefits IoT provides, it also presents challenges related to security and privacy. Current research works are geared towards ensuring security and privacy in the IoT field; developing cryptography algorithms and protocols with much focus on the application and network layer of the IoT architecture. This paper presents the current state of WiFi routers as a gateway through which WiFi-connected IoT devices can communicate. It discusses security and privacy issues related to these WiFi gateways. It goes further to suggest mitigation techniques that address the security and privacy issues found in these WiFi gateways.

1. Introduction

The next wave in the era of computing will be outside the realm of the traditional desktop. In the Internet of Things (IoT) paradigm, many of the objects that surround us will be on the network in one form or another. Radio Frequency IDentification (RFID) and sensor network technologies will rise to meet this new challenge, in which information and communication systems are invisibly embedded in the environment around us. This results in the generation of enormous amounts of data which have to be stored, processed and presented in a seamless, efficient, and easily interpretable form. This model will consist of services that are commodities and delivered in a manner similar to traditional commodities. Cloud computing can provide the virtual infrastructure for such utility computing which integrates monitoring devices, storage devices, analytics tools, visualization platforms and client delivery. The cost based model that Cloud computing offers will enable end-to-end service provisioning for businesses and users to access applications on demand from anywhere. website.

Smart connectivity with existing networks and context-aware computation using network resources is an indispensable part of IoT. With the growing presence of WiFi and 4G-LTE wireless Internet access, the evolution toward ubiquitous information and communication networks is already evident. However, for the Internet of Things vision to successfully emerge, the computing paradigm will need to go beyond traditional mobile computing scenarios that use smart phones and portables, and evolve into connecting everyday existing objects and embedding intelligence into our environment ¹. Figure 1 presents a variety of common IoT applications, including smart home, smart city, smart grids, medical and healthcare equipment, connected vehicles, etc ². The growth of IoT devices is predicted to reach 41 billion in 2020 with an $8.9 trillion market ³.

The various services provided by IoT applications is of much benefit for human's lift, but accompanying that is a huge privacy and security concern. Security and privacy remain huge issues for IoT devices.

A number of researchers have published papers presenting techniques that address some of the security issues and challenges such as physical, network, software and encryption attacks. ⁴ proposed and designed a pervasive authentication protocol and a key establishment scheme for the resource constrained wireless sensor networks (WSNs) in distributed IoT applications. ⁵ proposed a new approach for authentication process using the device's unique fingerprint. ⁶ discussed technologies in developing an IoT middleware that embraces the heterogeneity of IoT devices and also supports the essential ingredients of composition, adaptability, and security aspects of an IoT system.

Most of the research works focus on software and encryption attacks with less focus on the physical and network attacks. Considering the IoT architecture, the core part for data dissemination is the IoT gateway.

Most IoT devices use technologies such as WiFi, NFC (Near Field Communication), Z-Wave and Bluetooth Low Energy (BLE) as the medium for data dissemination ⁸. IoT devices that use the above-mentioned technologies are prone to much security threats. In 2017, the Owlet wi-fi baby heart monitor was demonstrated to have possibly the worst IoT security. The Owlet base station encrypts data sent to and received from the manufacturer's servers, which contact parents' phones if needed. But the ad-hoc Wi-Fi network linking the base station to the sensor device is completely unencrypted and doesn't require any authentication to access. If an attacker is within connectivity range, he can snoop on the base station's wireless network, and meddle with it. The base station creates its own unlocked Wi-Fi network that the sensor (and anyone else) can join. A single unauthenticated command over HTTP can make the Owlet base station leave its current Wi-Fi network and join a malicious one. Hence an attacker can take control of the system and monitor a stranger's baby and prevent alerts from being sent out ¹⁰. This emphasizes the need for good security measures to be put in place to secure end users.

This paper discusses the security and privacy issues of WiFi routers that act as gateway for WiFi-connected IoT devices. These network routers are prone to a number of security threats. Firmwares of these network devices are not automatically updated to fix vulnerabilities that these devices are prone to. Besides, most network router firmwares do not take the privacy of client nodes into consideration. They end up exposing sensitive information of client nodes which can then be leveraged by an attacker to compromise such nodes. The paper goes ahead to suggest mitigation techniques to address the security and privacy issues. The rest of the paper is organized as follows: Section 2 describes the approach used in the security review. Section 3 describes the model used. Section 4 discusses the vulnerability assessment. Section 5 presents mitigation techniques against the discovered vulnerabilities and Section 6 is the conclusion and recommendation.

2. Approach to Security Review

This study evaluates three main router firmwares: OpenWrt, PfSense and Mikrotik Router Operating System (OS).

A virtualized network consisting of two client nodes connected to a router as shown in Figure 3.

The virtualized router consisted of two network interfaces, the Wide Area Network(WAN) interface and the local network interface. The WAN interface was configured as a Domain Host Configuration Protocol (DHCP) Client. The router's local network interface was configured as a DHCP Server. Client node 1 acted as a legitimate user and client node 2 acted as a malicious user.

3. Security Review Model

In this paper, the focus of the security review was as follows:

1) To find out how secure the authentication mechanism used in these router firmwares is.

2) To find out how these router firmwares handle the privacy of the client nodes.

3) To find out exploitable bugs in the source code of these firmwares.

The methodology involved information gathering, configuration management testing, authentication testing and exploitation ¹¹.

4. Vulnerability Assessment

The following router firmwares were used in the vulnerability assessment: OpenWrt, PfSense and Mikrotik.

The OpenWrt Project is a Linux operating system targeting embedded devices. It provides a fully writable filesystem with package management ¹². The version used was Chaos Chalmer 15.05.1.

Device fingerprinting was done using Nmap, which is a free security scanner, port scanner and network exploration tool. In the information gathering stage, Figure 4 shows the services running on the OpenWrt firmware router.

From the information gathered, it was found out that the firmware had services such as Secure Shell (ssh) service, Telnet service, Domain Name System service and an HTTP service running. An initial setup of the firmware required the use of the telnet service. This allowed the default password to be set. The Telnet service disables automatically after the user password is set.

The administrative page for OpenWrt was not encrypted. It used the standard Hypertext Transport Protocol (HTTP). The user management user interface is shown in Figure 5.

By default, the username was root which is the superuser in a Linux system.

The entire network was sniffed for packet data using Wireshark. It was realized that when a user logs in through the management interface, the login credentials can be sniffed since the HTTP service is unencrypted. This is shown in Figure 6.

When the user is successfully authenticated, the system generates a token together with a cookie which is stored in the user's browser. This was sniffed and captured as shown in Figure 7.

The authentication was bypassed using the cookie and token generated. This was done by creating a script that sets a cookie with an attribute called sysauth and with its value the same as the one captured (shown in Figure 8).

Once the script was executed, the token url was pasted in a browser and the management interface loaded without any authentication. This is shown in Figure 9.

The OpenWrt firmware exposes the identity of client nodes; hostname, Internet Protocol (IP) address and Media Access Control (MAC) address. This can be seen in Figure 10 which shows a JavaScript Object Notation (JSON) format of the clients information.

The firmware also exposes network traffic and communication protocol of each client node as shown in Figure 11.

PfSense is an open source firewall/router computer software distribution based on FreeBSD. It is installed on a physical computer or a virtual machine to make a dedicated firewall/router for a network ¹³. The version used in the experimental setup was 2.4.3-RELEASE-p1 (shown in Figure 12).

Figure 13 shows the various services running on the pfSense router.

The management system was running on port 80 and 443. Also a DNS system was running on port 53.

The default management interface for PfSense (shown in Figure 14) uses HTTP Secure (HTTPS) hence all the transport layer data frames were encrypted.

In order to verify how secure the authentication mechanism was, a man-in-the-middle attack was generated between the client node 1 and the router. Data exchange between the client node 1 and the router were routed through the client node 2. This allowed the client node 2 to strip the HTTPS header from the browser request. Hence all requests and responses received by client node 1 were purely HTTP.

Sniffing network traffic on the local network exposed the credentials used by the network administrator to log in into the management interface. Since the entire traffic was now HTTP, the credentials were harvested as plain text (shown in Figure 15).

Also, the firmware stored cookies after the log in credentials had been validated (shown in Figure 16). Hijacking this cookie can enable an attacker send requests to the router and retrieve certain details such as system uptime etc (shown in Figure 17).

With the hijacked session, connected nodes can be identified through a get request without performing an entire scan of the network. This is shown in Figure 18.

In reviewing the source code of PfSense, it was discovered that the management interface credentials was stored in an eXtensible Markup Language (XML) file. Also the password hashing function used was bcrypt. This is not an efficient way of storing user credentials since it can be bruteforced using rainbow tables (shown in Figure 19).

Also the default credentials is stored on the device in plain text format (shown in Figure 20).

RouterOS is a routing operating system which provides features such as routing, firewall, bandwidth management, wireless access point, backhaul link, hotspot gateway and Virtual Private Network (VPN) server. The version used in the experiment was v6.40.8 as shown in Figure 21.

The following services(shown in Figure 22) were found to be running on the RouterOS,

1) File Transfer Protocol(FTP) service.

2) Secure Shell(SSH) service.

3) Telnet service.

4) HTTP service.

Two other services were running on port 2000 and 8291. These were service ports used by the WinBox application client to communicate to the RouterOS.

The default protocol for the management interface is HTTP. The system routes its connection through a JavaScript (JS) proxy which tends to obfuscate the data being transmitted (shown in Figure 23).

It makes session hijacking impossible. It was found out that the system sets a cookie in the browser once a user is authenticated (shown in Figure 24).

The system could not be bypassed using the hijacked cookie due to the JavaScript proxy implemented in the web service. Due to this, different attack measures were considered.

The system was exploited for vulnerability in the FTP service and the Telnet service. It was possible to sniff the username and password through the FTP service since it was unencrypted (shown in Figure 25).

User credentials was sniffed through the Telnet service (shown in Figure 26).

5. Mitigation Techniques

With the above vulnerability assessment, certain mitigation techniques can be deployed to address the vulnerabilities found.

To begin with, the default web service protocol for the management interface should be HTTPS. ¹⁴ provides a free HTTPS certificate that can be used on these firmwares. These certificates can be revoked and replaced with new ones if they expire or are compromised. The web service should embed HTTP Strict Transport Security (HSTS) in its header. Also, SSL/TLS can be validated through JavaScript so that if an HTTPS connection is not detected, the client is redirected to HTTPS.

Telnet service should be disabled since such protocol is unencrypted and can expose the login credentials and all network activities. Unencrypted FTP service should not be used. The best approach is to use Secure Shell FTP (SFTP) which is FTP over SSH. Communication over SFTP is encrypted hence no attacker can snoop on any data being transmitted.

Lastly, login credentials should not be included in the source code or stored in configuration files. It can be stored in an encrypted database file.

6. Conclusion and Recommendation

This paper presents the security and privacy issues of WiFi routers which acts as the gateway for most IoT devices. This affirms the need for good security measures to be put in place so as to protect WiFi-connected IoT devices which connect to these network routers in the mode of disseminating their data.

In enhancing security and privacy in WiFi routers, there is the need to develop lightweight intrusion detection algorithms that can be implemented on these routers. These algorithms can also be implemented on IoT devices to further enhance their security and privacy. Also, an orchestration framework based on Software-Defined Network (SDN) can be designed to help provide real-time patch of vulnerable WiFi routers in instances when vulnerabilities are detected. This will aid manufacturers of WiFi routers to isolate systems which have been compromised and apply the necessary patches.

References