Internet of Things Security: All You Need to Know and Apply

Dave was out in space, and about to enter his spaceship.

“Open the pod bay doors, HAL.”

HAL was the onboard artificial intelligence, tasked with safeguarding the astronauts, and making sure they completed their mission.

“I’m afraid I can’t do that, Dave,” was HAL’s response to Dave’s command.

HAL had gone rogue, and was now in the process of killing the men it was assigned to protect.

This famous scene from “2001: A Space Odyssey” asked the question: “What do we do when the technology around us malfunctions?”

It’s not just PCs and smartphones we should worry about anymore, but a wide range of Internet-connected devices such as thermostats, smart meters, self-driving cars and even voice assistant devices such as Amazon’s Alexa.

These are all part of the Internet of Things innovation wave, which overall promises to greatly improve our lives, if we can deal with the cybersecurity threats they can pose.

What is IoT / Internet of Things

Industry experts usually define an IoT device as any object connected to the Internet (or to a local area network, in some cases).

Examples include:

  • Smart TVs
  • Internet-connected cars
  • Wi-Fi routers
  • Smart cameras
  • Smart locks (including ones with Bluetooth)
  • Some medical devices
  • Voice assistants, like Amazon Echo
  • Smart lights
  • Fitness bands

Basically, if your fridge or TV has an Internet connection, then it becomes an IoT device.

Both manufacturers and consumers prefer these devices. Consumers like them for the added functionality (it’s easier to watch Netflix if the TV already has Internet).

Manufacturers, however, like IoT devices because they allow them to silently collect information about how consumers use their products. As a result, they can then tailor future products around these usage patterns.

Here are some statistics that really bring home just how many Internet-connected devices we now have:

 

Why is IoT / Internet of Things security important?

In 2016, the Mirai botnet launched one of the biggest DDoS attacks ever recorded. More than 1 terabyte per second flooded the network of Dyn, a major DNS provider, and brought down sites such as Reddit and Airbnb.

But what made this attack so special was that it was the first to be carried out with IoT devices. Nearly 150,000 compromised smart cameras, routers and other devices all enslaved into a single botnet, focused on a single target.

Below is a heat map that recorded the intensity of the attack and how many websites were taken down.

 

The Mirai botnet, however, is much bigger! By some estimates, it contains millions of enslaved devices. And it wasn’t even that hard to create in the first place.

Manufacturers use a handful of default passwords and usernames to protect an IoT device. So you had a few hundred or a few thousand password combinations protecting tens of millions of smart devices.

All it took were a few simple lines of code, designed to test each of those default passwords. A device could be hacked and enslaved within a few seconds, so long as the user didn’t change the standard login information.

But IoT botnets aren’t the only type of threat. Researchers have proven more than once that it’s possible to physically take control of a car by breaking into apps that control onboard software. For now, this has only been done in experimental situations, but as Internet-connected cars gain ground, it’s only a matter of time until it happens to someone, somewhere.

Unsecure car apps can allow malicious hackers to control your car

Researchers from the Russian cybersecurity firm Kaspersky, for instance, managed to open up car locks simply by hacking into an app.

Internet of Things security vulnerabilities

Simplicity and ease of use are crucial principles in the IT and electronics industry. Every piece of software and every device out there is designed to be as easy to use as possible, so as not to confuse consumers and discourage them from using the product.

Unfortunately, this often means that some products cut corners, and don’t implement security features consumers might find “too clunky”.

Insecure default login credentials

In practice, manufacturers might hide the “Change password/Username” options deep in the UI, out of sight for most users. No wonder so many people kept their default usernames and passwords.

If each Internet of Things device had a randomized username and password, Mirai might not have happened in the first place. But that is too expensive a process in competitive industries with razor-thin profit margins.
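What per-device randomized credentials could look like at provisioning time, as an added example that is not code from the article or from any manufacturer. The function names, the label alphabet, the PBKDF2 parameters and the sample default pairs are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample of shared factory defaults of the kind the article describes.
KNOWN_DEFAULTS = {("admin", "admin"), ("root", "12345"), ("admin", "password")}

# Alphabet for a printed label, without look-alike characters (0/O, 1/l/I).
ALPHABET = "abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789"
ITERATIONS = 100_000  # assumed PBKDF2 work factor for this example


def provision_device(serial: str, length: int = 16) -> tuple[dict, str]:
    """Return (record stored on the device, password printed on its label)."""
    user = "u" + secrets.token_hex(6)  # random username, unique per device
    password = "".join(secrets.choice(ALPHABET) for _ in range(length))
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    # Only the salted hash is stored; the clear password exists on the label only.
    record = {"serial": serial, "user": user, "salt": salt,
              "hash": digest, "must_change": True}
    return record, password


def verify(record: dict, user: str, password: str) -> bool:
    """Check a login against the stored salted hash using constant-time compares."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 record["salt"], ITERATIONS)
    user_ok = hmac.compare_digest(user.encode(), record["user"].encode())
    return user_ok and hmac.compare_digest(digest, record["hash"])


def accepts_any_default(record: dict) -> bool:
    """True if the device would let in any of the shared default pairs."""
    return any(verify(record, u, p) for u, p in KNOWN_DEFAULTS)


if __name__ == "__main__":
    rec, label_password = provision_device("SN0001")
    print(rec["user"], label_password, accepts_any_default(rec))
```
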

Poor software updates

What’s more, many Internet of Things creators don’t even patch or update the software that came on their devices. If your device has a software vulnerability (nearly 100% chance that it does), there’s little you can do to prevent an attacker from exploiting it without help from the manufacturer.

The communication isn’t encrypted

Other IoT devices lack basic encryption to hide the data sent between the device and the central server. This can expose the user’s personal information to a malicious hacker who snoops on the connection.

Some Internet of Things devices also ask for more permissions than they need.

One time, numerous Amazon Echo users were surprised to see their device ordering dollhouses after a TV anchor said the phrase “Alexa ordered me a dollhouse”.

In that case, the device had permission to make a purchase all by itself. Each extra permission in an IoT device adds another vulnerability layer which can be exploited. The fewer permissions, the more secure your device is.

Insecure user interface

A device’s user interface is usually the first thing a malicious hacker will look into for any vulnerabilities. For instance, he might try to manipulate the “I forgot my password” feature in order to reset the password, or at least find out your username or email.

A properly designed device should also lock out a user who attempts to log in too many times. This stops dictionary and brute-force attacks that target passwords, and greatly secures your device credentials.
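One way a device login handler could implement such a lockout, as an added example that is not taken from the article or from any product. The class name, the thresholds and the doubling lock time are assumptions; the lock is temporary so that an attacker cannot shut the owner out for good.

```python
import time


class LoginThrottle:
    """Per-account lockout whose duration doubles with each repeated lockout."""

    def __init__(self, max_failures=5, base_lock=30.0, max_lock=3600.0,
                 clock=time.monotonic):
        self.max_failures = max_failures  # failed tries allowed before a lock
        self.base_lock = base_lock        # seconds for the first lock
        self.max_lock = max_lock          # upper bound on any single lock
        self.clock = clock                # injectable so tests need not sleep
        self._state = {}  # account -> (failures, locked_until, lockouts so far)

    def locked_for(self, account):
        """Seconds left on the lock, or 0.0 if the account may try again."""
        _, until, _ = self._state.get(account, (0, 0.0, 0))
        return max(0.0, until - self.clock())

    def attempt(self, account, password, check):
        """Return 'locked', 'ok' or 'denied'; check(account, password) -> bool."""
        if self.locked_for(account) > 0:
            return "locked"  # the password is not even evaluated while locked
        failures, until, lockouts = self._state.get(account, (0, 0.0, 0))
        if check(account, password):
            self._state.pop(account, None)  # success clears the history
            return "ok"
        failures += 1
        if failures >= self.max_failures:
            lock = min(self.base_lock * 2 ** lockouts, self.max_lock)
            self._state[account] = (0, self.clock() + lock, lockouts + 1)
        else:
            self._state[account] = (failures, until, lockouts)
        return "denied"


if __name__ == "__main__":
    throttle = LoginThrottle(max_failures=3)
    # Constructed credential check standing in for the device's real one.
    check = lambda account, password: password == "label-password"
    for guess in ["admin", "12345", "password", "label-password"]:
        print(guess, throttle.attempt("camera-1", guess, check))
```
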

In other cases, the password might be sent from the device to the central server in plain text, meaning it isn’t encrypted. Pretty bad if someone is listening in on the device and reading all of your data.