IoT Security, Threats and Challenges
Introduction of IoT and Its Associated Challenges
“The Internet of Things (IoT) is the network of physical objects or "things" embedded with electronics, software, sensors, and network connectivity, which enables these objects to collect and exchange data. It is a complete integration of physical objects with computer logical operations. Things, in the IoT, include vast collections of devices such as heart monitoring implants, biochip transponders on farm animals, automobiles with built-in sensors, or field operation devices that assist fire-fighters in search and rescue,” reads the definition provided by Wikipedia.
IoT Security is all about protecting or safeguarding. Nowadays, almost every object contains a small chip, which we usually ignore. Attackers try to compromise those chips by gaining logical access to devices remotely. All security and technical experts face the challenge of protecting that chip from attackers, because devices such as cars, industrial machines, and home appliances all have the same chip, which works with a specific program and is easy to target.
Companies who Operate IoT
There are three categories of companies who operate IoT:
Traditional Big Companies – Google, Microsoft, and Amazon are the big companies that are well versed in the latest security measures and threats associated with IoT, and they have experts who can protect it from attacks. The image below, which I would like to share, shows how Amazon is using IoT. Source: Geekwire.com
Big Companies – Companies like Honeywell and Ford, which are not as exposed in terms of threats associated with IoT.
Kickstartup – Newcomers who did research and developed a prototype; later on, big companies, like IFTTT (If This Then That) by Linden Tibbets and MuleSoft by Greg Schott, purchased these packages and used them.
Currently, the industry is facing a shortage of IoT security experts and still struggles with countermeasures for IoT, according to the report "ISACA Survey: UK Security Experts Sceptical of IoT Device Security; 3/4 Say Manufacturers are Not Implementing Sufficient Security Measures".
Common Threats Associated with IoT
Cyber terrorists are always looking for sensitive information by hacking into IoT networks. For example, one group can infect thousands of network devices or SOHO devices, smart TVs and other smart devices worldwide to run a cyber-attack against a target for extortion purposes. Hacktivists are also trying to compromise smart devices as a protest against some private companies and for political reasons.
The following threats are drawn from reports that companies in the industry, like Symantec, have developed on threats associated with IoT:
Vulnerable IoT Perimeters: When IoT networks are designed, there is a lack of planning for good security implementation, which can allow an intruder to easily gain access to the network. Let's take the example of a smart meter. If a cyber criminal compromises this device, he is able to access the domestic network and can also monitor the connections between objects in the IoT. “Smart meters could be hacked to under-report consumption and this should act as a warning to the British programme,” said Alejandro Rivas-Vásquez, principal adviser in KPMG’s Cyber Security department. “If the technology could be hacked for fraud, hackers with more nefarious intent may use these flaws for other purposes.” In Spain, researchers have already managed to hack smart meters and send false information to energy providers.
Increase in Data Breaches: Data breaches are one of the biggest threats in IoT devices. Cyber attackers can try to spy on the communications between devices in an IoT network. Devices accessed through the Internet of Things may be used for cyber espionage purposes by an intelligence agency or by some companies for commercial purposes. Last spring, Norse and SANS released a study showing how some 375 U.S. healthcare organizations were actively compromised in a period from September 2012 to October 2014. The FBI's chief information security officer warned that the impact of IoT data breaches could be much worse for end users than previous enterprise data breaches. During her keynote address at the 2015 IoT Security Conference in Boston on Tuesday, FBI CISO Arlette Hart discussed how the growth rate of the Internet of Things (IoT) is outpacing IoT security efforts and implored enterprises to take action before disaster strikes. With technology, "cool trumps safe," she said. "The capabilities, themselves, are almost always developed without security in mind. We need to change that [for IoT]."
Malware and Botnet Attacks: Malicious users design code to attack IoT networks. Cyber criminals can exploit vulnerabilities in the firmware running on the devices and run their arbitrary code, turning IoT components to unplanned use. Malware used in IoT includes the Linux worm Linux.Darlloz. Graphics processing unit-based malware and ransomware attacks are growing rapidly, due to the increase in data, bigger networks, and the Internet of Things (IoT), according to Intel Security's five-year retrospective threat report. The analysis found that ransomware continued to grow rapidly, with the number of new ransomware samples rising 58 percent in Q2. According to Intel Security, the total number of ransomware samples also grew by 127 percent year-on-year, with the company attributing the increase to fast-growing new families, such as CTB-Locker and CryptoWall. The release of the report marks the five-year anniversary since Intel Security purchased McAfee for $7.7 billion. The malware dubbed "Linux/Moose" by Olivier Bilodeau and Thomas Dupuy of the security firm ESET Canada Research exploits routers open to connections from the Internet via Telnet by performing brute-force login attempts using default or common administrative credentials. Once connected, the worm installs itself on the targeted device.
OWASP Introduces Vulnerabilities in IoT
The Open Web Application Security Project (OWASP) comes with best practices to improve the security of IoT. It is natural that the project also analyzed the top 10 security issues related to the popular paradigm:
Insecure Web Interface
Insecure Web Interface is a common vulnerability found in IoT. Most devices, like cameras, can be accessed through an interface on a web portal. Most organizations' cameras are open without a password, and it is easy to gain access to any private area. Tools such as OWASP ZAP and Shodan are available, and with them we can access these devices. The most famous example of this to date is the case of the web application on TrendNet cameras that exposed a full video feed to anyone who accessed it.
Most IoT devices are protected with a weak password that is easily exploited through a brute force attack. The attack could come from external or internal users. Some IoT devices are configured with a base64 password encoding mechanism, and the encoded password is sent between devices in plain text, so an attacker can use an online website to convert the base64 code to simple text. Many IoT devices are secured with “Spaceballs quality” passwords like “1234”, put their password checks in client-side Java code, send credentials without using HTTPS or other encrypted transports, or require no passwords at all. An example of this that was revealed before my eyes at DEFCON 2014 was the simple password (slide 67) on Zoll X series defibrillators, but there are many, many others.
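The base64 point above, seen from the defender's side: this added example (not code from the original article) audits captured HTTP requests for Basic credentials that are readable in transit or trivially weak. The capture, the host names and the weak-password list are constructed assumptions.

```python
import base64
import binascii

WEAK_PASSWORDS = {"", "1234", "12345", "admin", "password", "default"}  # illustrative list

def basic_header(user, password):
    """Build the header a device client sends for HTTP Basic authentication."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Authorization: Basic {token}"

CAPTURE = [  # constructed sample, not real traffic: (scheme, raw request) pairs
    ("http", "GET /video HTTP/1.1\r\nHost: cam-01.example\r\n"
             + basic_header("admin", "1234") + "\r\n\r\n"),
    ("https", "GET /api HTTP/1.1\r\nHost: hub.example\r\n"
              + basic_header("svc", "t7#Vq9!mLx2p") + "\r\n\r\n"),
    ("http", "GET /index.html HTTP/1.1\r\nHost: meter.example\r\n\r\n"),
]

def parse_headers(raw):
    """Return the request headers as a dict with lower-cased names."""
    headers = {}
    for line in raw.split("\r\n")[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def audit_request(scheme, raw):
    """Return a finding for a request carrying Basic credentials, else None."""
    headers = parse_headers(raw)
    kind, _, token = headers.get("authorization", "").partition(" ")
    if kind.lower() != "basic":
        return None
    finding = {"host": headers.get("host"), "user": None, "issues": []}
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        finding["issues"].append("malformed-basic-token")
        return finding
    finding["user"], _, password = decoded.partition(":")
    if scheme != "https":  # Base64 is reversible: anyone on the path reads it
        finding["issues"].append("credentials-readable-in-transit")
    if password.lower() in WEAK_PASSWORDS or len(password) < 8:
        finding["issues"].append("weak-or-default-password")
    return finding  # the password itself is deliberately not reported

def audit(capture):
    return [f for f in (audit_request(s, r) for s, r in capture) if f]
```

Calling `audit(CAPTURE)` flags the camera on both counts and reports no issues for the HTTPS request with a long password.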
Insecure Network Services
Insecure network services may be vulnerable to buffer overflow attacks. Other attacks are also possible, like DoS and DDoS attacks, which leave systems inaccessible to clients or users. In order to find insecure network services, we use several tools, like Nmap and other fuzzers. Examples of these types of services abound in IoT documentation and are regularly lit up by security researchers. In August 2014, a sweep of more than 32,000 devices found “at least 2000 devices with hard-coded Telnet logins.” A slightly more sophisticated example can be found in the October 2014 research that demonstrated more than a million deployed routers were vulnerable to misconfigured NAT-PMP services.
Lack of Transport Encryption
IoT devices lack transport encryption, which is exploited by an attacker who is trying to intercept the information exchanged between IoT devices. This attack can come from internal and external users.
An attacker uses different paths, like lack of authentication, lack of strong transport encryption or other ports and network services, to gain access to personal data. One of the biggest vulnerabilities, as per the OWASP standard, is that home users may not understand computer security, but they do understand physical security (“is my door locked?”) and privacy (“is that camera watching me?”). Furthermore, their fears are widespread. For example, a Fortinet “Connected Home Survey” in June 2014 suggested that “69% of respondents were concerned that a connected appliance could result in data breach of sensitive information.”
Insecure Cloud Interface
We can identify an insecure cloud interface vulnerability by reviewing the connections to the cloud interface and analyzing whether SSL is secure. We also attempt a password reset on the portal to find a live user, which can lead to user enumeration. Since most security professionals already know how to evaluate systems for these types of vulnerabilities, we won’t spend much time on it in this article, except to remind you that you should get the permission of any remote cloud service before you attempt to perform any type of penetration test against it. (Fortunately, some leading cloud services, such as Amazon, now provide well-documented procedures that let you perform your job.)
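The password-reset enumeration issue mentioned above, shown as an added example (not code from the original article) with an enumerable handler beside a hardened one and a check that compares their answers. The account list, class and function names are hypothetical.

```python
import secrets

ACCOUNTS = {"alice@example.com", "bob@example.com"}  # constructed portal users

def reset_vulnerable(email):
    """The answer depends on whether the account exists, so users can be enumerated."""
    if email.lower() not in ACCOUNTS:
        return 404, "No account with that e-mail address"
    return 200, "Reset link sent"

class ResetService:
    """Hardened form: identical answer for every address, plus a request cap."""
    GENERIC = (202, "If the address is registered, a reset link has been sent")

    def __init__(self, max_per_client=5):
        self.max_per_client = max_per_client
        self.seen = {}    # client id -> number of reset requests so far
        self.outbox = []  # (email, token) pairs queued for delivery by mail

    def request_reset(self, client, email):
        self.seen[client] = self.seen.get(client, 0) + 1
        if self.seen[client] > self.max_per_client:
            return 429, "Too many requests"
        if email.lower() in ACCOUNTS:
            # The token goes only to the mailbox owner, never into the response
            self.outbox.append((email.lower(), secrets.token_urlsafe(32)))
        return self.GENERIC

def is_enumerable(handler, known, unknown):
    """True when the responses for a real and a made-up address differ."""
    return handler(known) != handler(unknown)
```

Response time should match between the two cases as well; a handler that answers measurably slower for real accounts is still enumerable.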
Insecure Mobile Interface
Insufficient Security Configurability
Poor Physical Security
Items 7 to 10 are common vulnerabilities that are interrelated with vulnerabilities 1 to 6 above.
This article is all about raising awareness and integration of cyber security with IoT, how different levels of companies struggle to maintain IoT Security and what challenges they are facing while managing it. This article also addresses past data breaches, how they occur and the impact they had on the market.
V.P. Prabhakaran is a highly experienced security professional, having more than 9 years of experience as Senior Information Security Consultant at Koenig Solutions.