Published 06. Oct. 2020
Internet of Things: Imperfectly Smart Devices
Internet of Things (IoT) devices and services are rapidly becoming ubiquitous. This success has not gone unnoticed, as the number of threats and attacks against IoT devices and services are also on the rise. In this article, Management Events sounds the horn about the various threats, classification, and attacks on IoT infrastructure.
Smart technology or IoT continues to shape both consumer and industrial domains. Achievable through the convergence of multiple technologies, which include machine learning, real-time analytics, commodity sensors, and embedded systems. Companies who miss an opportunity and or fail to innovate alongside IoT face the genuine possibility of being overtaken and fail over time.
IoT’s most significant trend in recent years is the explosive increase in connected devices, controllable over the internet. According to Fortune Business Insights, the global IoT market size stood at $250.72 billion in 2019. Projections indicate this number will reach $1.46319 trillion by 2027, exhibiting a Compound Annual Growth Rate (CAGR) of 24.9% during this forecast period. 2020 saw a rise in the following components of the IoT model; Networks and Communication, Sensors, Data Analytics (Cloud), and Applications, with different degrees of impact.
IoT brings a lot of benefits and new opportunities to businesses all over the world. Environmental sensors, machine learning capabilities, and artificial intelligence platforms provide various operational services for organizations across different industries. Although there are fundamental characteristics shared by most devices, the wide range of applications for IoT technology also means that the particulars can be entirely dissimilar from one device to the next.
Due to the large amount and variety of connected devices, IoT continues to implant itself deeper in our lives and society, making it another prime target for cyber-attacks. According to the IBM X-Force Threat Intelligence Index 2020, Financial services remain the topmost attacked industry, closely followed by the Retail sector. Ransomware and Magecart attacks were the most prominent attacks observed against retail and impacted at least 80 reported e-commerce websites in the summer of 2019 alone. Operational Technology (OT) targeting also increased by 2000% from 2018, with more attacks on Industrial Control Systems (ICS) and OT infrastructure than in the past three years.
Cyber-attacks are not new to IoT; the most common breaches are spyware, malware, and human errors. The latter is critical due to the increase in phishing tactics through email. Attackers have been impersonating consumer tech brands with tempting links to trick users into clicking malicious links. Consumer Technology giants such as Google & YouTube (60%), Apple (15%), and Amazon (12%), made up the bulk of targeted spoofed domains, where attackers hit due to the monetizable data they hold.
An innocuous IoT device should not be run unsecured. Therefore, both users and manufacturers need to accentuate and take cyber defense seriously. Thus, resulting in the real need to systematically understand the threats and attacks on IoT infrastructure to secure IoT devices against attackers. This article attempts to identify threat types, analyze, and describe intruders and attacks facing IoT devices and services.
Brute-forcing and Poor Passwords
IoT devices often require passwords for users to access and or control the device. According to Cybernews, the most common passwords worldwide are “123456”, “123456789”, “qwerty”, and the word “password” itself. Weak passwords place your most sensitive information at risk and are similar to not using any password in the first place.
Manufacturers typically provide IoT devices with preset login credentials, making setup easier and consumer-friendly. These preset credentials are often openly available from a single web search and easily broken during brute-force attacks. Thus, IT administrators must replace the preset login credentials with significantly stronger credentials. The recommended way to go about this is to create quality passwords unique to the organization or the device and utilizing password managers.
An additional step would be to enable or implement two-factor authentication (2FA). Doing this instantly increases the security level by creating an additional lock that an attacker is less likely to access.
Improper Data Transfer and Management
IoT devices make automated decisions and carry out actions without requiring human-to-human or human-to-computer interaction. Thus, it is vital to the integrity of IoT applications that the source(s), data being fed, and produced are protected and verifiable at both ends. To achieve this, data must be encrypted from creation to consumption. However, this typically requires a higher level of encryption, cryptology, and intelligence than is easily achievable by the conventional one-way Transport Layer Security (TLS) encryption.
Furthermore, dynamic keys should be employed that ensure each data payload is encrypted with single-use keys that are not stored on the device itself or shared over the network, particularly over an insecure network.
IoT devices require an active network connection to allow endpoints to communicate with each other over the internet. As a result, one of the initial and simplest attack methods a malicious attacker can deploy is to seek out weaknesses in running network services and the network communication model of connected devices.
Attackers attempt to manipulate several vulnerabilities to obtain login credentials, communication tokens, and other identifiers that the Service Ecosystem uses to identify various endpoints. It is crucial to secure endpoints with industry best practices to protect data integrity, privacy, and Man-In-The-Middle attacks (MITM). One method involves encrypting device authentication data at the data-level paired to the public key. Consequently, any captured data should remain unreadable without the equivalent private key.
Unsecure Update Process
Firmware and other software patches are often required to be pushed out to IoT devices to prevent them from being compromised or left in a vulnerable state. Organizations have to upload these updates securely to each endpoint as soon as they are made available. Failure to secure access to the update, verify the sources, and integrity can have physical consequences, resulting in data loss and corrode brand reputation, introducing legal liability.
Even if vulnerabilities and loopholes are identified, not all IoT devices can be updated securely, and this may be due to the following reasons.
- Wrongful or no firmware validation.
- Updates are delivered in plain text or without encryption.
- No anti-rollback measures
- Users are not notified of available updates. This is a fairly common occurrence.
Implementing anti-rollback update mechanisms can prevent attackers from downgrading a device to an older software version with a known security vulnerability that the attacker can exploit.
Inadequate Privacy Protection
IoT devices, by design, collect and store a significant amount of users’ personal information. Unfortunately, not all manufacturers implement strong privacy or data management and protection policies. Those that do tend to begin by encrypting and implementing various layers of distinct checks and balances, providing data security between endpoints. When these security and privacy protection models are absent, improperly installed, or set up, glaring issues crop up.
One such example of improperly set privacy controls by the manufacturer was the TRENDnet Webcam Hack. TRENDnet marketed their SecurView cameras for various uses ranging from home security to baby monitoring and claimed they were secure, the FTC said.
However, they had faulty software that let anyone who obtained a camera’s IP address look through it — and sometimes listen as well. Thus for at least two years (2010 – 2012), the SecurView webcams allowed the transmission of user login credentials in clear, readable text over the internet! It did not just end there. Even their proprietary mobile app for the cameras stored users’ login credentials in clear, readable text, right on their mobile devices allowing anyone who obtained a camera’s IP address to look and sometimes listen through it as well.
Insecure Ecosystem Interfaces
The IoT ecosystem comprises all the components that allow consumers, governments, and businesses to network between their IoT devices. Some of these include networks, data storage, remotes, security, dashboards, and data analytics. Interfaces like a backend API that devices use to connect to a larger network ecosystem can also be compromised. A significant security concern to network operators and manufacturers is 5G network technology, which is expected to shoulder the connectivity load of IoT devices.
IoT devices, when integrated with centralized management platforms and legacy systems, are at high risk of being compromised by users who unknowingly introduce security vulnerabilities at the application layer. When such interfaces are compromised, it is often due to the previously mentioned reasons and improper traffic filtering.
Should an IoT vendor build its device or devices with insecure software libraries or other elements that are from an insecure source, then the device(s) will logically be insecure. Other means include using third-party software and hardware from a compromised supply chain or the insecure customization of Operating System (OS) platforms.
Manufacturers must comprehend that as more IoT ecosystems are being built, it is equally imperative to build security in, right from the very start. From sourcing components to firmware writing, initial installs, and throughout a device’s lifecycle. Thus, as more and more IoT connected devices come online, these and other yet undiscovered vulnerabilities need to take center stage.
Alongside poor management practices, targeted malware, and weak IoT architecture, IoT devices and technology can also be exploited through hard to detect zero-day vulnerabilities. Attackers continue to modify their malicious code to obfuscate better and spread within networks faster. Some of the better practices that should be applied to IoT technology include not over connecting your systems, not trusting a compromised device, particularly if it was compromised locally, and for vendors, frequently subjecting your code and hardware to third-party penetration testing (Black & White Box variants).
In the future, a significant feature of IoT devices will be the ability to rapidly modify device configurations through remote tools and deliver innovative applications and capabilities. Additionally, all control updates, and packages, will include increased security and encryption to block attacks while driving more automated deployments.
The goal remains to enable a user at a local site with little to no background or understanding of IoT and IoT edge devices to connect a power cord, network cable(s), and walk away. Allowing the device to carry out self-provisioning and authentication automatically. Likewise, should a need to move the device occur, it can self-provision itself to its new location’s conditions and obligations.