IoT is something of a double-edged sword. While it makes life so much simpler to have a smart home with a smart lock, and a Wi-Fi kettle that boils the water for your morning tea automatically, it comes at a price that may cost you significantly more than what’s on the price tag. In IoT security, there are security trade-offs and, unfortunately, these can do more harm than good, and almost make you miss the days when there was nothing “smart” about your TV!
Let’s take a look at some examples to drive home the importance of security before we welcome this technology into our homes, our industries, and our everyday lives.
IoT Security: How Your Connected Devices Leave You Vulnerable
Hackers can gain a foothold into your network from the most innocuous devices on your network. Nicole Eagan, CEO of Darktrace, a cybersecurity firm, recounts an incident at an unnamed casino in North America where attackers were able to access the high-roller database of gamblers. They did so by exploiting a low-risk vulnerability in a smart thermometer that was used to monitor the temperature of an aquarium.
But this is just one example. Let’s take a look at a few more examples of IoT security breaches before moving on to pointers on IoT device security.
Consumer Smart Devices at Home
If you’ve read the reports on how security bugs in Alexa and Google Home smart assistants have been exploited to phish and eavesdrop on users, let’s just say that you’re right to be worried. Amazon and Google roll out countermeasures every time, yet those countermeasures continue to be thwarted using newer techniques.
Apart from this, there’s Samsung’s smart refrigerator, whose display is designed to be integrated with its user’s Gmail calendar so they can see what their day looks like before heading out of the house. Except that, however great that sounds, it is not quite as neat. Even though SSL was deployed to secure the Gmail integration, the fridge itself failed to validate the SSL/TLS certificate, leaving the door open for hackers to get on the same network and steal the login credentials.
To their credit, Samsung fixed the bug in a software update, but it’s quite troubling when credible brands get breached. It sheds light on an almost inescapable fact that, more often than not, functionality takes priority over security, even in companies that should know better. What’s more, in 2015 Samsung also warned us about how they intended to collect and use our data in their smart TV policy:
“Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of Voice Recognition.”
Thank God for Apple, though, right? Let’s hold onto that thought a moment. In February 2019, a severe bug was discovered in Apple’s FaceTime app that allowed attackers access to someone’s iPhone camera and microphone before they accepted or rejected an incoming call.
With attackers finding ingenious ways to evade security controls to steal data, cause damage, or merely be disruptive, it is reasonable to err on the side of safety. Nevertheless, if you still fancy a smart home, umm… good luck?
IoT Devices Are Used in Large Botnets Like Mirai
Mirai is an IoT-centric malware that infects devices with weak credentials, turning them into a network of remotely controlled zombies or bots. Although the original creators of Mirai have been caught, they previously released the malware’s source code (possibly to confuse and distract authorities), and now it has several mutations.
Botnets have been used to launch several DDoS attacks, including the attack on Rutgers University and the one on Dyn (the company that provides domain name services to the likes of Netflix, Twitter, etc.).
Implantable Medical Devices
In technology, nothing is sacred or spared from the clutches of cybercriminals. This includes medical devices.
At a Black Hat conference in 2018, Billy Rios of WhiteScope and Jonathan Butts of QED Secure Solutions demonstrated how medical implants, which are intended to save patients’ lives, can be controlled remotely by hackers and manipulated to cause unwarranted harm. The two security researchers demonstrated how they could disable an insulin pump and take control of the system of pacemaker devices manufactured by Medtronic. In response, Medtronic initially brushed off the reported vulnerabilities as “low risk” bugs, failing to acknowledge the seriousness of the situation. They refused to resolve the issue even 570 days after the researchers first submitted their findings!
We can spend hours speculating over how a network of remotely controlled IoT devices can be used to bring down power grids (or SCADA systems used in water distribution stations, to control gas pipelines, etc.) or squirm uncomfortably at the idea of baby monitors being hacked. But what remains certain is that IoT is here to stay. As such, manufacturers need to be more mindful of the security risks (advanced persistent threats [APTs] being most dangerous) involved if we are to avoid an unbridled crisis.
What Are the Biggest IoT Security Risks?
While we may not have much say in the matter, we can, to some extent, limit its control on our lives by taking some safety measures to secure our devices. The Open Web Application Security Project (OWASP) Foundation is a global non-profit group that creates awareness regarding security risks in domains like web application security, mobile security, etc. so that individuals and organizations can make informed decisions.
| Rank | 2014 IoT Top Ten | 2018 IoT Top Ten |
|------|------------------|------------------|
| 1 | Insecure Web Interface | Weak, Guessable, or Hardcoded Passwords |
| 2 | Insufficient Authentication/Authorization | Insecure Network Services |
| 3 | Insecure Network Services | Insecure Ecosystem Interfaces |
| 4 | Lack of Transport Encryption/Integrity Verification | Lack of Secure Update Mechanism |
| 5 | Privacy Concerns | Use of Insecure or Outdated Components (NEW) |
| 6 | Insecure Cloud Interface | Insufficient Privacy Protection |
| 7 | Insecure Mobile Interface | Insecure Data Transfer and Storage |
| 8 | Insufficient Security Configurability | Lack of Device Management |
| 9 | Insecure Software/Firmware | Insecure Default Settings (NEW) |
| 10 | Poor Physical Security | Lack of Physical Hardening |
Table 1: OWASP IoT Top 10 — 2014 vs 2018
Top 10 Tips for IoT Security for Your Organization
If your smart device comes equipped with unchangeable credentials, or with any other type of authentication/authorization mechanism that can’t be changed, do yourself a huge favor and don’t buy it! As you can see from the OWASP Top 10 Internet of Things 2018 list of vulnerabilities, several concerns such as insecure ecosystems (web interface, cloud interface, etc.), data security, and physical security have retained their top 10 positions from the previous 2014 list. This gives us an inkling of the direction and speed at which IoT device security is moving. It also raises pertinent questions on the efficacy and adoption rate of IoT security solutions.
However, because IoT is becoming such an integral part of our everyday lives, we must do our best to safeguard our connected devices, our data, and our networks. Here are a few of the ways you can do that:
1. Know Your Network and The Connected Devices on It
When your devices connect to the internet, these connections leave your entire network vulnerable and open to attackers if the devices aren’t adequately secured. With more and more devices being equipped with web interfaces, it’s easy to lose track of which of your devices are accessible over the wire. To stay secure, it’s essential to know your network — the devices on it and the type of information they’re susceptible to disclosing (especially if their corresponding apps come with social sharing features).
Cybercriminals use information such as your location, your personal details, etc. to keep tabs on you — which can translate into real-world dangers.
2. Assess the IoT Devices on Your Network
Once you know which devices are connected to your network, audit your devices to understand their security posture. Internet of things security can be implemented by installing security patches and updates from manufacturers’ websites in a timely manner, checking for newer models with stronger security features, etc. Additionally, before making a purchase, read up to understand how much of a priority security is for that brand. Ask yourself:
- Do any of its products have reported security bugs that have resulted in breaches?
- Does the company address cybersecurity needs while pitching products to potential customers?
- How are security controls implemented in their smart solutions?
3. Implement Strong Passwords to Protect All of Your Devices and Accounts
Use strong, unique passwords that can’t be easily guessed to secure all your accounts and devices. Get rid of default passwords or common passwords like “admin” or “password123.” Make use of a password manager, if needed, to keep track of all your passwords. Ensure that you and your employees don’t use the same passwords across multiple accounts and be sure to change them periodically.
These steps help to prevent all of your accounts from getting compromised even when one of them exposes any sensitive account information. Apart from password expiration dates, be sure to also set a limit on the number of wrong password attempts and implement an account lockout policy.
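A limit on wrong attempts plus a timed lockout can be sketched in a few lines. This is an added example, not code from any product mentioned here; the class name, thresholds, and the `password_ok` flag (which stands in for the real credential check) are assumptions made for illustration.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class LockoutPolicy:
    max_failures: int = 5                       # wrong attempts tolerated per window
    window_s: float = 900.0                     # failures older than this are forgotten
    lockout_s: float = 900.0                    # how long the account stays locked
    clock: Callable[[], float] = time.monotonic
    _failures: Dict[str, List[float]] = field(default_factory=dict)
    _locked_until: Dict[str, float] = field(default_factory=dict)

    def is_locked(self, account: str) -> bool:
        return self.clock() < self._locked_until.get(account, float("-inf"))

    def record_failure(self, account: str) -> bool:
        """Count a wrong password; return True if this attempt triggers a lockout."""
        now = self.clock()
        recent = [t for t in self._failures.get(account, []) if now - t < self.window_s]
        recent.append(now)
        self._failures[account] = recent
        if len(recent) >= self.max_failures:
            self._locked_until[account] = now + self.lockout_s
            self._failures[account] = []
            return True
        return False

    def record_success(self, account: str) -> None:
        self._failures.pop(account, None)       # a good login resets the counter


def attempt_login(policy: LockoutPolicy, account: str, password_ok: bool) -> str:
    """password_ok stands in for the device's real credential check."""
    if policy.is_locked(account):
        return "locked"                         # refuse even a correct password
    if password_ok:
        policy.record_success(account)
        return "ok"
    return "locked" if policy.record_failure(account) else "denied"
```

While an account is locked, a correct password is refused as well, so a guessing run cannot learn that it has hit the right value.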
4. Use a Separate Network for Your Smart Devices
Using a network for your smart devices that is separate from your home or business network is perhaps one of the most strategic approaches to IoT security. With network segmentation, even if attackers find a way into your smart devices, they can’t access your business data or sniff that bank transfer you made from your personal laptop.
5. Reconfigure Your Default Device Settings
More often than not, a lot of our smart devices are shipped with insecure default settings. To make matters worse, sometimes, you can’t modify these device configurations! Weak default credentials, intrusive features and permissions, open ports, etc. need to be assessed and reconfigured based on your requirements.
6. Install Firewalls and Other Reputable IoT Security Solutions to Identify Vulnerabilities
Install firewalls to block unauthorized traffic over the wire and run intrusion detection systems/intrusion prevention systems (IDS/IPS) to monitor and analyze network traffic. You can also use automated vulnerability scanners to uncover security weaknesses within your network infrastructure. Use a port scanner to identify open ports and review the network services that are running. Establish whether these ports are absolutely needed and examine the services running on them for known vulnerabilities.
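Deciding whether each open port is "absolutely needed" gets easier when scan results are compared against an explicit allow-list. The added example below (not from any tool's documentation) assumes the scan was saved in nmap's grepable `-oG` output format; the hosts, ports, and allow-list are constructed sample data.

```python
import re

# Constructed sample in nmap's grepable (-oG) format; hosts and ports are made up.
SAMPLE_SCAN = (
    "# Nmap scan (constructed sample)\n"
    "Host: 192.168.20.11 (camera)\tPorts: 23/open/tcp//telnet///, "
    "80/open/tcp//http///, 554/open/tcp//rtsp///\n"
    "Host: 192.168.20.12 (thermostat)\tPorts: 443/open/tcp//https///, "
    "8080/closed/tcp//http-proxy///\n"
)

# Hypothetical policy: the TCP ports each device actually needs to expose.
ALLOWED = {"192.168.20.11": {554}, "192.168.20.12": {443}}
# Services that carry logins or admin traffic without encryption.
CLEARTEXT = {21: "ftp", 23: "telnet", 80: "http"}


def parse_grepable(text: str) -> dict:
    """Map each host to the set of TCP ports reported as open."""
    hosts = {}
    for line in text.splitlines():
        m = re.match(r"Host: (\S+) .*?\tPorts: ([^\t]*)", line)
        if not m:
            continue  # comment lines and status-only lines carry no port list
        open_ports = set()
        for entry in m.group(2).split(","):
            fields = entry.strip().split("/")
            if len(fields) >= 3 and fields[1] == "open" and fields[2] == "tcp":
                open_ports.add(int(fields[0]))
        hosts[m.group(1)] = open_ports
    return hosts


def audit_open_ports(hosts: dict, allowed: dict) -> list:
    """List (host, port, reason) for every open port the policy does not permit."""
    findings = []
    for ip, ports in sorted(hosts.items()):
        for port in sorted(ports - allowed.get(ip, set())):
            reason = (f"cleartext {CLEARTEXT[port]}" if port in CLEARTEXT
                      else "not on allow-list")
            findings.append((ip, port, reason))
    return findings
```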
7. Use Strong Encryption and Avoid Connecting Over Insecure Networks
If you decide to check up on your smart devices remotely, never do so using public Wi-Fi networks or ones that don’t implement reliable encryption protocols. Ensure your own network setup does not run on outdated standards like WEP or WPA — instead, use WPA2. Insecure internet connections can leave your data and devices exposed to attackers. Though WPA2 itself has been found to be vulnerable to key reinstallation attacks, or KRACK, and WPA3 is susceptible to Dragonblood attacks, installing updates and patches is the only way forward, accepting a minimum level of risk.
8. Disconnect Devices and Features When They’re Not in Use
9. Turn off Universal Plug and Play (UPnP)
While universal plug and play is designed to network devices seamlessly without the hassles of configuration, it also makes these very same devices discoverable to hackers from outside your local network more easily due to vulnerabilities in the UPnP protocol. UPnP comes enabled by default on several routers, so check your settings and ensure it’s disabled unless you’re willing to compromise your security for the sake of convenience.
10. Keep Your Devices Safe by Implementing Physical Security
Try not to lose your phone, especially if it’s loaded with apps that control your IoT devices! In case you do, in addition to having PIN/password/biometric protection on your device, make sure you have the ability to wipe your phone remotely. Set up automatic backups or selectively back up any device data you might need.
Furthermore, limit your smart devices’ accessibility. For instance, does your refrigerator require a USB port? Give access to a minimum number of ports and consider having no web access (only local access) where feasible.
IoT Security Analysis Tools
Apart from the IoT security solutions discussed earlier, there are a few other tools that can be used to have better visibility and control over your network. Wireshark and tcpdump (a command-line utility) are two open-source tools you can use to monitor and analyze the network traffic. Wireshark is more user-friendly since it comes with a GUI and has various sorting and filtering options.
Shodan, Censys, Thingful, and ZoomEye are tools you can use (like search engines) for IoT devices. ZoomEye is perhaps the easiest one to figure out for new users since the search query is automatically generated when you click on filters.
ByteSweep, a free security analysis platform for device manufacturers, is another tool that testers can use to run checks before any product is shipped.
IoT Security in Summary
Regardless of the risks, it’s a no-brainer that IoT technologies have tremendous potential. The connectivity of IoT has demonstrated usefulness for solving problems in all kinds of settings and tasks such as assisted living, environment monitoring, health monitoring, etc. The problem arises when companies rush to adopt the most “in thing” and, in a hurry to come out on top, they either fail to consider potential security risks altogether or don’t take them seriously enough.
More consistent and sincere efforts towards developing safe and secure products, increasing awareness among customers, and conducting rigorous testing before releasing devices can, to a large extent, address many of the concerns that currently are more a result of neglect than a lack of skill.