The Internet of Things is a two-edged sword. While having a smart home with a smart lock and a Wi-Fi kettle that automatically heats water for your morning tea makes life so much easier, it comes at a price that could be slightly higher than the price tag. IoT devices come with security trade-offs, and they can, sadly, do more harm than good, almost making you miss the days when your TV wasn’t “smart” at all!
Let’s look at some examples to emphasise the value of protection before we embrace this technology in our homes, businesses, and daily lives.
IoT Security: How Your Connected Devices Leave You Vulnerable
Hackers can gain access to your network through even the most harmless-looking devices. Nicole Eagan, CEO of cybersecurity company Darktrace, describes an incident in which attackers obtained access to a high-roller database of gamblers at an undisclosed casino in North America. They were able to do so by taking advantage of a low-risk flaw in a smart thermometer that was being used to track the temperature of an aquarium.
However, this is just one example. Before moving on to pointers on IoT system protection, let’s look at a few more examples of IoT security breaches.
At-Home Smart Devices for Consumers
Let’s just say you’re right to be concerned if you’ve read stories about how security flaws in Alexa and Google Home smart assistants have been used to phish and eavesdrop on users. Despite Amazon’s and Google’s countermeasures, newer techniques appear to get around them.
Apart from that, there’s Samsung’s smart refrigerator, which has a display that syncs with the user’s Gmail calendar so they can see what their day holds before leaving the home. As good as that sounds, it’s not quite as tidy. Although SSL was used to protect the Gmail integration, the fridge failed to validate the SSL/TLS certificate, allowing attackers with access to the same network to steal login credentials.
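The difference between "uses SSL" and "validates the certificate" is a couple of client settings. The sketch below is an added example, not code from Samsung or from the original article: it puts the weak client configuration next to the corrected one and refuses to connect with a context that skips validation. The function names and the placeholder host `device-cloud.example` are assumptions made for illustration.

```python
import socket
import ssl

def unverified_context():
    """Weak pattern: traffic is encrypted, but any certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # has to be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE   # the certificate chain is never validated
    return ctx

def verified_context(cafile=None):
    """Corrected pattern: validate the chain and the hostname."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def audit_context(ctx):
    """List the validation steps a client context skips."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    return findings

def check_endpoint(host, port=443, ctx=None, timeout=5.0):
    """Connect with validation on and report whether the certificate is accepted."""
    ctx = ctx or verified_context()
    problems = audit_context(ctx)
    if problems:
        raise ValueError("refusing to connect: " + "; ".join(problems))
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"ok": True, "tls": tls.version(), "error": None}
    except ssl.SSLCertVerificationError as exc:
        # A forged or self-signed certificate ends up here instead of being trusted
        return {"ok": False, "tls": None, "error": exc.verify_message}

if __name__ == "__main__":
    print(audit_context(unverified_context()))
    print(audit_context(verified_context()))
    # check_endpoint("device-cloud.example")  # placeholder host, needs network access
```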
Samsung, to their credit, patched the bug with a software update, but it’s still concerning when trusted brands are hacked. It highlights an almost inevitable fact: even in companies that should know better, functionality sometimes takes precedence over security. Furthermore, in 2015, Samsung included a warning in their smart TV policy about how they planned to capture and use our data:
“Please be mindful that if you use Voice Recognition and your spoken words contain personal or other confidential information, that information will be among the data collected and transmitted to a third party.”
But, hey, thank God for Apple, right? Let’s think about that for a moment. In February 2019, a serious flaw in Apple’s FaceTime app was found, allowing attackers to gain access to an iPhone’s camera and microphone before the user accepted or declined an incoming call.
It’s fair to err on the side of caution, given how attackers evade security controls in order to steal data, cause harm, or simply be disruptive. Nonetheless, good luck if you still want a smart house.
IoT Devices Are Used in Large Botnets Like Mirai
Mirai is an IoT-focused malware that infects devices with weak credentials and turns them into a network of zombies or bots that can be controlled remotely. Although Mirai’s original developers have been apprehended, the malware’s source code was released beforehand (possibly to confuse and distract authorities), and it now has many variants.
Botnets have been used to launch many DDoS attacks, including the one on Rutgers University and the one on Dyn (the company that provides domain name services to the likes of Netflix, Twitter, etc.).
Implantable Medical Devices
Nothing is sacred or safe from cybercriminals in the world of technology. Medical devices are included in this.
At the Black Hat conference in 2018, Billy Rios of WhiteScope and Jonathan Butts of QED Safe Solutions showed how medical implants, which are designed to save patients’ lives, can be operated remotely by hackers and exploited to inflict unintended harm. The two security researchers showed how they were able to disable an insulin pump and take control of a Medtronic pacemaker. Medtronic’s initial response was to dismiss the reported vulnerabilities as “low risk” bugs, failing to understand the gravity of the situation. They had still failed to address the problem 570 days after the researchers submitted their results!
We may speculate for hours about how a network of remotely operated IoT devices might be used to bring down power grids (or SCADA systems used in water delivery stations, to control gas pipelines, and so on) or squirm uncomfortably at the thought of baby monitors being hacked. But one thing is certain: the Internet of Things is here to stay. As a consequence, if we want to prevent an unregulated crisis, manufacturers must be more aware of the security risks (the most dangerous of which are advanced persistent threats [APTs]).
What Are the Biggest IoT Security Risks?
Though we may not have much say in the matter, we can restrict its effect on our lives to some degree by taking some precautions to protect our devices. The Open Web Application Security Project (OWASP) Foundation is a non-profit organisation that raises awareness of security vulnerabilities in areas such as web application security, mobile security, and other areas so that individuals and organisations can make informed decisions.
The OWASP Top 10 IoT vulnerabilities found in smart devices in 2014 and 2018 are listed in the table below:
| Rank | 2014 IoT Top Ten | 2018 IoT Top Ten |
|---|---|---|
| 1 | Insecure Web Interface | Weak, Guessable, or Hardcoded Passwords |
| 2 | Insufficient Authentication/Authorization | Insecure Network Services |
| 3 | Insecure Network Services | Insecure Ecosystem Interfaces |
| 4 | Lack of Transport Encryption/Integrity Verification | Lack of Secure Update Mechanism |
| 5 | Privacy Concerns | Use of Insecure or Outdated Components (NEW) |
| 6 | Insecure Cloud Interface | Insufficient Privacy Protection |
| 7 | Insecure Mobile Interface | Insecure Data Transfer and Storage |
| 8 | Insufficient Security Configurability | Lack of Device Management |
| 9 | Insecure Software/Firmware | Insecure Default Settings (NEW) |
| 10 | Poor Physical Security | Lack of Physical Hardening |
Top 10 Tips for IoT Security for Your Organization
Do yourself a big favour and don’t buy a smart device that has unchangeable passwords or lacks some kind of authentication/authorization process! As you can see from the OWASP Top 10 Internet of Things 2018 list of vulnerabilities, some issues like vulnerable ecosystems (web interfaces, cloud interfaces, etc.), data protection, and physical security have maintained their top 10 positions from the previous 2014 list. This provides an indication of the direction and speed at which IoT security is evolving. It also raises important concerns about the effectiveness and pace of adoption of IoT security solutions.
However, since the Internet of Things is becoming such an important part of our daily lives, we must do whatever we can to protect our connected devices, data, and networks. Here are a few examples of how you can do so:
1. Know Your Network and The Connected Devices on It
If your devices aren’t properly protected, they leave your entire network vulnerable and open to attackers when they connect to the internet. As more and more devices are equipped with web interfaces, it’s easy to lose track of which of your devices are accessible over the internet. To remain secure, it’s important to understand your network: the devices on it and the types of information they could expose (especially if their corresponding apps come with social sharing features).
Cybercriminals monitor your location, personal information, and other data to keep tabs on you, which can lead to real-world dangers.
2. Assess the IoT Devices on Your Network
Once you know which devices are connected to your network, audit them to understand their security status. Installing security patches and updates from manufacturers’ websites on a regular basis, checking for newer models with better security features, and so on are all ways to improve Internet of Things security. Additionally, before making a purchase, research the brand to see how important security is to them. Consider the following questions:
- Is it aware of any security flaws in its products that have resulted in data breaches?
- When pitching products to potential clients, does the organisation discuss cybersecurity concerns?
- How do they enforce security controls in their smart solutions?
3. Implement Strong Passwords to Protect All of Your Devices and Accounts
To secure all of your accounts and devices, use strong, unique passwords that are difficult to guess. Remove any default or commonly used passwords, such as “admin” or “password123.” If necessary, use a password manager to keep track of all your passwords. Make sure you and your staff don’t reuse passwords across accounts, and that you change them on a regular basis.
These measures will help to keep all of your accounts secure, even if one of them does reveal sensitive account details. Set a cap on the number of unsuccessful password attempts and introduce an account lockout policy in addition to password expiration dates.
4. Use a Separate Network for Your Smart Devices
One of the most strategic approaches to IoT security is to put your smart devices on a network that is separate from your home or business network. Thanks to network segmentation, even if attackers gain access to your smart devices, they won’t be able to access your company data or sniff the bank transfer you made from your personal laptop.
5. Reconfigure Your Default Device Settings
Many of our smart devices come with default security settings that are often vulnerable. To make matters worse, these device configurations aren’t always modifiable! Weak default passwords, intrusive features and permissions, open ports, and other issues must be evaluated and reconfigured according to your needs.
6. Install Firewalls and Other Reputable IoT Security Solutions to Identify Vulnerabilities
Install firewalls to prevent unauthorised traffic from crossing the wire, and track and evaluate network traffic with intrusion detection and prevention systems (IDS/IPS). Automated vulnerability scanners can also be used to detect security vulnerabilities in your network infrastructure. To find open ports and see what network services are running, use a port scanner. Determine whether these ports are absolutely required, and search for known vulnerabilities in the services that use them.
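One way to turn the "are these ports absolutely required?" question into a repeatable check on devices you own is to compare what each device exposes with what you expect it to expose. This is an added example, not part of the original article; the watch list of ports and the inventory addresses (from the 192.0.2.0/24 documentation range) are assumptions to replace with your own.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

# TCP ports often exposed by consumer IoT devices (assumed watch list; extend as needed)
WATCHED_PORTS = {21: "ftp", 22: "ssh", 23: "telnet", 80: "http", 443: "https",
                 554: "rtsp", 1883: "mqtt", 8080: "http-alt"}

def is_open(host, port, timeout=1.0):
    """Return True if a TCP connection to host:port is accepted."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        return sock.connect_ex((host, port)) == 0

def audit_device(host, expected, ports=WATCHED_PORTS, timeout=1.0):
    """Compare the ports a device actually exposes with the ones you expect."""
    ports = sorted(ports)
    with ThreadPoolExecutor(max_workers=16) as pool:
        states = list(pool.map(lambda p: is_open(host, p, timeout), ports))
    open_ports = [p for p, up in zip(ports, states) if up]
    return {
        "host": host,
        "open": open_ports,
        # Open but not on your list: decide whether the service is really needed
        "unexpected": [p for p in open_ports if p not in expected],
        # On your list but closed: the inventory is out of date
        "missing": sorted(p for p in expected if p in ports and p not in open_ports),
    }

# Constructed inventory: documentation-range addresses, not real devices
INVENTORY = {"192.0.2.10": {443}, "192.0.2.11": {554}}

if __name__ == "__main__":
    for host, expected in INVENTORY.items():
        report = audit_device(host, expected)
        for port in report["unexpected"]:
            name = WATCHED_PORTS.get(port, "?")
            print(f"{host}: port {port} ({name}) is open but not expected")
```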
7. Use Strong Encryption and Avoid Connecting Over Insecure Networks
If you want to keep an eye on your smart devices from afar, avoid using public Wi-Fi networks or networks that don’t use secure encryption protocols. Make sure your network isn’t using obsolete protocols like WEP or WPA; instead, use WPA2. Your data and devices can be vulnerable to hackers if you use an insecure internet connection. Although WPA2 is vulnerable to key reinstallation attacks, or KRACK, and WPA3 is vulnerable to Dragonblood attacks, the only way to move forward is to install updates and patches and accept a certain level of risk.
8. Disconnect Devices and Features When They’re Not in Use
Examine the software permissions and read the privacy policies to see how these applications expect to use the details you provide. To enforce more stringent Internet of Things security, disable features like remote access, voice control, and so on unless you need them. If and when the need arises, you can always enable them. Try disconnecting your devices from the network when you’re not using them.
9. Turn off Universal Plug and Play (UPnP)
While universal plug and play is designed to connect devices without the need for configuration, flaws in the UPnP protocol also make these same devices more easily discoverable by hackers from outside your local network. On some routers, UPnP is enabled by default, so check your settings and make sure it’s turned off unless you’re willing to risk your security for the sake of convenience.
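To check what on your own network still answers UPnP after you change the setting, you can send the standard SSDP discovery request and read the replies. This is an added example, not part of the original article: the function names are assumptions, and the script flags any reply that advertises the UPnP Internet Gateway Device type, which is the profile routers use to offer automatic port mapping.

```python
import socket

SSDP_GROUP = ("239.255.255.250", 1900)  # standard SSDP multicast address and port
IGD_MARKER = "InternetGatewayDevice"    # UPnP device type that offers port mapping

def build_msearch(search_target="ssdp:all", mx=2):
    """Build the SSDP discovery request that UPnP devices answer."""
    lines = ["M-SEARCH * HTTP/1.1",
             f"HOST: {SSDP_GROUP[0]}:{SSDP_GROUP[1]}",
             'MAN: "ssdp:discover"',
             f"MX: {mx}", f"ST: {search_target}", "", ""]
    return "\r\n".join(lines).encode("ascii")

def parse_response(data):
    """Parse one SSDP reply into upper-cased headers; None if it is not a 200 reply."""
    text = data.decode("utf-8", errors="replace")
    status, _, rest = text.partition("\r\n")
    parts = status.split()
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or parts[1] != "200":
        return None
    headers = {}
    for line in rest.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return headers

def offers_port_mapping(headers):
    """True if the reply advertises the Internet Gateway Device type."""
    return IGD_MARKER in headers.get("ST", "") or IGD_MARKER in headers.get("USN", "")

def discover(timeout=3.0):
    """Send one M-SEARCH on the local network and collect (sender_ip, headers)."""
    found = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_msearch(), SSDP_GROUP)
        try:
            while True:
                data, (ip, _port) = sock.recvfrom(65507)
                headers = parse_response(data)
                if headers is not None:
                    found.append((ip, headers))
        except socket.timeout:
            pass  # no more replies within the timeout
    return found

if __name__ == "__main__":
    for ip, h in discover():
        print(ip, h.get("SERVER", "?"), h.get("ST", "?"), offers_port_mapping(h))
```

If a router still shows up with the gateway flag set after UPnP has been switched off in its settings, the change did not take effect.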
10. Keep Your Devices Safe by Implementing Physical Security
Keep your phones safe, particularly if they’re loaded with apps that control your IoT devices! If you do lose one, make sure you can wipe your phone remotely, in addition to having PIN/password/biometric protection on your mobile. Set up automatic backups or back up any device data you may need on a case-by-case basis.
Additionally, restrict access to your smart devices. Is a USB port, for example, needed by your refrigerator? Enable access to a limited number of ports and, if necessary, avoid providing network access (only local access).
IoT Security Analysis Tools
Apart from the IoT security solutions listed previously, there are a few other resources that can be used to enhance network visibility and control. Wireshark and tcpdump (a command-line utility) are two open-source network traffic monitoring and analysis tools. Wireshark is more user-friendly since it has a graphical user interface and a variety of sorting and filtering options.
Shodan, Censys, Thingful, and ZoomEye are IoT device search engines that you can use. Since the search query is automatically created when you click on filters, ZoomEye is probably the easiest for new users to figure out.
Another tool that testers can use to run tests before a product is shipped is ByteSweep, a free security review platform for device manufacturers.
IoT Security in Summary
Regardless of the risks, there’s no denying that IoT technologies have enormous potential. IoT connectivity has proved useful in a number of settings and activities, including assisted living, environmental monitoring, health monitoring, and so on. The issue occurs when businesses rush to introduce the latest “in trend,” and in their haste to be first, they either overlook or undervalue potential security risks.
More consistent and genuine efforts toward creating safe and stable goods, raising consumer awareness, and undertaking robust testing before launching devices will resolve many of the issues that are currently more a function of negligence than a lack of ability.