Generally speaking, an IoT device is an object connected to the Internet. These things are ubiquitous nowadays. Wi-Fi routers, smart TVs, smart locks, and online-accessible fridges are all examples of IoT devices that are literally all around us.
IoT security challenges
The Internet of Things started getting out of hand in 2016. The notorious Mirai botnet was used to launch one of the most powerful DDoS attacks. This cyber onslaught produced a bandwidth of 1 terabyte per second and fired it at Dyn, a large DNS and email provider, as well as popular services like Airbnb and Reddit. This incident stood out from the crowd because it was the first one to leverage IoT devices for malicious purposes. Specifically, about 150,000 hacked smart devices served as bots and zeroed in on a predefined set of targets.
The intrinsic hallmarks of the consumer electronics industry are simplicity and focus on user experience. Manufacturers’ commitment to these principles is easy to understand. They are unwilling to discourage potential customers via complex controls and maintenance of their products.
This strategy has got a flip side, though. Security experts from VPNBrains note that vendors may fail to build a robust security architecture, thus making their devices a low-hanging fruit for threat actors. That is the controversial tradeoff between ease of use and security.
Internet of Things security loopholes
Weak login credentials
In pursuit of the ultimate simplicity of user interfaces, manufacturers may keep the “Change password” option out of customers’ sight. This explains why so many users stick with default usernames and passwords. The above-mentioned Mirai incident probably would not have occurred if every IoT device had a strong, hard-to-guess password.
Poor firmware updates
Some Internet of Things authors do not even roll out updates or security patches for their devices’ firmware. So, if there is a security flaw and the vendor does not patch it, there is hardly anything you can do to prevent a hacker attack.
Lack of crypto
There are lots of IoT devices that do not use encryption to safeguard the data they exchange with the C2 servers. This may lead to the theft of the user’s personally identifiable information. Sometimes authentication details are sent from the device to the control server in plaintext. In this case, a man-in-the-middle attack will have adverse consequences.
Some IoT devices request more privileges than they actually need. For instance, allowing these smart things to purchase goods on their own can drain your credit card balance. What springs to mind in this context is the story where Amazon Echo, a popular voice-controlled personal assistant, automatically ordered dollhouses in response to a TV anchor’s phase. All in all, the more permissions an IoT device has, the more vulnerabilities it gets.
Internet of Things devices store a great deal of information about users. If perpetrators compromise one of your smart gadgets, they get access to the personal data that it stores. Before purchasing an Internet-connected device, be sure to check what kind of information it keeps on you. Refrain from using things like smart kettles that store your location details.
IoT attack vectors
There are vulnerabilities in any software, and even international companies with huge resources at their disposal do not produce flawless code. Cybercriminals can exploit software vulnerabilities to deploy attacks against IoT devices. The most common methods include:
- Code injection. This one is self-explanatory: an attacker takes advantage of a security flaw in firmware to inject perpetrating code and take control of the device.
- Buffer overflow. When a smart device tries to store superfluous data in its temporary storage, this redundant data may inflate other segments of memory space and overwrite them. In case this data includes a virus, it can affect the entire firmware.
- Cross-site scripting. This technique is applicable when a device communicates with a web-based interface. If a malicious code is embedded in that web page, it will quite likely contaminate the connected device.
Attacks against IoT objects are not restricted to compromising login information, although these are by far the most widespread predicaments. A growing trend with cyber crooks is to plague smart devices with malicious programs like ransomware.
A lot of these devices run Android; therefore, commonplace Android malware will work on them too. This simplifies the objective for threat actors. The Internet of Things segment most heavily targeted with this type of malware is Smart TVs because users often accidentally click on malicious links or download booby-trapped applications.
Perpetrators can try to camouflage their own device as another device used by a would-be victim. If the latter can access the wireless network, the rogue one will try to dupe the router into granting it that scope of access too. If this trick works out, the impostor device can be leveraged to infect the network with a virus.
This vector can be broken down into brute force and dictionary attacks. The idea of both is to try and guess a target device’s login credentials by automatically entering numerous username and password combinations. Unfortunately, few people use strong passwords, so these incursions are quite effective.
Ideally, firmware should restrict the number of failed login attempts. It is too bad not all manufacturers equip their devices with this critical feature. Also, be sure to never keep the default username and password for accessing IoT devices.
It is hard to think of a better potential bot than the average Internet of Things device. Cybercriminals know these objects are usually easy to compromise, and users do not really have any means to discover that they got hacked. If your smart device ends up in a botnet, it can be exploited for DDoS attacks, Bitcoin mining, spam campaigns, and click fraud.
It might seem that nothing awful will happen if someone accesses one of your IoT devices remotely. Well, it will simply act funny and will not harm you. However, things get much more threatening if your smart car gets under an attacker’s control as you are driving it on a highway. Also, imagine the smart lock to your house getting compromised. In this case, burglars can easily open the door and get in. In fact, security researchers have demonstrated proofs-of-concept for both of the above scenarios. Some black hats are tech-savvy enough to do the same.
Personal data leakage
Internet of Things devices store and process quite a bit of the users’ sensitive data. For instance, by analyzing information generated by smart speakers, perpetrators can find out if you are at home or not. Another case has to do with Internet-connected “spying” dolls that harvested too much data and therefore got banned in Germany. It all gets scarier when threat actors compromise IoT devices used in the healthcare industry. Malfunctioning pacemakers or insulin pumps pose a direct risk to people’s lives.
Ten ways to enhance your IoT security
- Never use default login credentials
Make sure you change the default username and password for an IoT device once you set it up. Make passwords as strong as possible by using capitalized letters, numbers, and special characters. Do not reuse passwords for different devices.
- Apply firmware updates
Run software updates for your Internet of Things devices as soon as they are released. This way, you ensure that new security vulnerabilities are patched. Unfortunately, some vendors do not release updates often enough or do not release them at all. So, when choosing an IoT product check for the manufacturer’s update policy. Refrain from purchasing devices whose makers do not take this issue seriously.
- Use two-factor authentication
If your Internet-connected device goes with a two-factor authentication feature, do not fail to enable it. This will add an extra layer of security to the login process and stop hacker attacks in their tracks.
- Restrict physical interference
Just like personal computers, some smart devices can be infected with malicious code via things like USB memory sticks. Therefore, consider putting such gadgets in places where these types of manipulations are problematic.
- Use encryption
The average IoT device exchanges data with a C2 server or smartphone. Most of the time, though, this information bounces back and forth in unencrypted form. If your device supports encrypted communication, be sure to leverage this option at all times.
- Isolate your network of smart devices
If possible, restrict the communication of your IoT devices so that they interact with each other within a separate network that is not connected to the Internet. Doing so will reduce the probability of malign code infiltration down to a minimum.
- Follow safe Wi-Fi practices
Your wireless router is one of the most wanted targets for attackers, so the rule of thumb is to secure it properly. Use a strong, randomized password consisting of at least ten characters. Modify the default username. Configure your firewall to safeguard wireless connection. And finally, toggle the guest network access feature off.
- Disconnect devices from the Internet when not in use
Some of your IoT devices do not need to be online at all times. By temporarily disconnecting them from the worldwide web when you are not using them, you make hacker intrusion attempts futile.
- Peruse the technicalities
Not only do user manuals provide device setup and maintenance instructions, but they may also include security enhancement tips. So, scrutinize the manual for security-related information and consider applying ad hoc recommendations.
- Use antimalware apps
If your connected device can run third-party software, as is the case with Smart TV, download and install a security application onto it.
Working as a cyber security solutions architect, Alisa focuses on application and network security. Before joining us she held a cyber security researcher positions within a variety of cyber security start-ups. She also experience in different industry domains like finance, healthcare and consumer products.