The security of Internet of Things devices is among the major challenges that inevitably arise with the rapid growth of the industry. The information gathered by the smart devices and their direct functionality can become a target for hackers.
The combined efforts of many companies and IT enterprises are dedicated to finding solutions that will minimize the threats preventing full penetration of the IoT apps in people’s lives.
In this article, we are going to address some of the security issues that can occur and how to overcome them. To observe the topic more extensively, we will talk about examples of how IoT systems hacked, possible solutions to security problems, and state regulations of IoT apps.
Read more about IoT: Internet of Things Stocks: why, where, and how to invest?
What are IoT Vulnerabilities?
According to Palo Alto Networks, 57% of smart devices are vulnerable to medium- to high-risk attacks. Meanwhile, about 20 percent of organizations have experienced at least one attack on IoT tech in the past three years, says Gartner.
Progress has two sides, and IoT vulnerabilities are not a reason to throw technology out the window. You need to know what security issues should be considered to get the desired functionality with minimal risks.
Secure Network Connections
Unsecured network connections with Internet access compromise data privacy. Through them, third parties can gain remote control over the device. In Palo Alto Networks’ 2020 “Unit 42 IoT Threat Report,” 98% of IoT device traffic is unencrypted and transmitted in the open over the Internet.
For example, Cacagoo IP Camera and Hikvision Wi-Fi IP Camera were vulnerable to this. Unauthorized users could change settings and even disable the camera. And through Toy Furby and Toy My Friend Cayla smart children’s toys, an attacker could spy on their owners.
The user himself can use secure communication channels to transfer data. But encryption of stored passwords, biometric and other important data should be the concern of the device provider.
To make using devices easier, firms set one password for all occasions. And to reduce power consumption, they do away with encryption and other protections. For example, it does not support password validation, there is no possibility to create accounts with different rights – administrator or user, there is no setting of encryption parameters, etc.
The ease of IoT platforms use leads users to perceive these devices as ordinary household appliances and don’t delve into the instructions or think about changing the default settings. And not all IoT device providers provide users with full control over the operating system and running applications. Also check the integrity and legitimacy of downloaded software or install operating system update patches. As a result, devices are left with factory passwords that attackers can guess in seconds.
Interesting fact, by the way: Researchers at the University of Michigan and Federal University of Pernambuco analyzed 37 of the most popular apps for Internet of Things devices and found that
- 31% of apps have no encryption
- 19% of apps had encryption keys encoded and the user couldn’t change them
- 50% of all apps are potentially vulnerable to exploits
- many apps control devices via LAN or broadcast messages, such as UDP
Oddly enough, the physical security of devices is underestimated. Nevertheless, it can affect data privacy more than one might assume. For example, an intruder can use a soldering iron to turn an Amazon Echo speaker into a listening device or to load the processor into the Smart Nest Thermostat via a peripheral device via USB or UART. And you won’t even suspect that anything is wrong. The problem can only be solved by making physical access to the devices more difficult.
Unsafe Network Services
Unnecessary or insecure network services running on the device and open to the outside network threaten the confidentiality, authenticity, availability of information, or their unauthorized remote management. Open network ports can be scanned for vulnerabilities and insecure services to connect. Plus network services can be subject to DDoS attacks, for example.
One of the most popular attacks and infection vectors for IoT devices so far is brute-forcing passwords on Telnet and SSH services that are not disabled. After gaining access to these services, attackers can download malware to the device or gain access to valuable information.
What IoT Security Issues Can Arise?
There are billions of connected devices in use around the world. Our homes and offices are connected to the Internet of Things. The IoT industry is rushing to provide consumers with a wide range of devices. Many of them are trying to get a foothold in the market as quickly as possible by producing cheap and easy to use devices.
However, this rush to market often comes at a cost to users. Manufacturers are eager to be the first to offer connected devices to give little thought to cybersecurity.
Overall, there is three major Internet of Things security concerns:
- ‘Better Sorry Than Safe’ Approach in The Industry
- Excessive Cost of Technical Errors
- Micro Attacks in IoT Hacking, which are Too Small to be Traceable
‘Better Sorry Than Safe’ Approach in The Industry
Manufacturers want to release their devices as soon as possible. It leads to two distinct problems.
First, devices are poorly tested for security before launch. The first firmware is full of bugs and insecurities that users find and remain dissatisfied with it.
Second, manufacturers are too quick to stop updates to older devices and turn their attention to newer ones. In that scenario, older devices are not getting enough updates and become insecure and eventually susceptible to hacker attacks. Installing security patches on IoT devices is challenging.
Not only is updating running hardware risky, but many manufacturers don’t release software updates at all. Only 17% of smart devices run on supported operating systems. The remaining 83% use old versions of Linux, Unix, Embedded, Windows 7 and even Windows XP.
If the device does not receive regular software updates, the vulnerabilities are not patched, so security issues slowly accumulate IoT platforms become easy for attackers to exploit.
Insecure IoT devices can bring more harm than good. This problem will be eventually solved when manufacturers will be willing to spend more resources to support older devices.
Excessive Cost of Technical Errors
People are incorporating more and more IoT devices into their smart homes and offices. Entire residential and commercial buildings with embedded IoT and Smart Home systems increasingly appear.
These systems store a lot of sensitive private information, so even a single technical error or vulnerability can cause actual damage to reputation, property and health. Just a disclosure of an IP address can reveal residential addresses and other sensitive data that attackers can easily exploit.
For example, attackers can connect to a smart home camera and find out when you’re not home and use that information for burglary. The same goes for a car. A hacker can gain remote access to your car. They can gain control of your vehicle, leading to theft or an accident.
There are several steps a user can take to reduce the likelihood of such an outcome:
- Check the privacy settings and passwords for all installed IoT devices. Replace default passwords with unique ones and use two-factor authentication.
- Curb the use of always-on devices. Limit the location of your cameras, voice assistant speakers and other devices, waiting for motion or voice to activate. Make sure that not the entire area of your home is under constant surveillance.
- Separate your connections. Create a dedicated IoT-only wireless network so that hackers cannot use a compromised device to access the whole network.
Micro Attacks in IoT Hacking: Too Small to be Traceable
IoT devices are susceptible to minor attacks that can evade detection because of their size, making them especially dangerous.
Criminals can slowly and gradually leak sensitive information. There is a high probability that the user will not pay enough attention to each individual micro-attack. Because of this, the user might lose a lot of data and not notice it right away.
This issue can be dealt with in the same way as with privacy and property threats. On the other hand, this problem will be solved when IoT devices get more updates.
What Types of IoT Cyberattacks Exist?
By hacking IoT and IIoT devices, attackers pursue very specific objectives related to the commercial use of captured resources. The most popular methods are anonymous spamming, DDoS attacks, malware distribution, and industrial espionage.
Domain name server (DNS) spoofing is a cyber-attack used by an attacker to direct victim traffic to a malicious site (instead of a legitimate IP address). Attackers use DNS cache “poisoning” to intercept Internet traffic and steal credentials or sensitive information.
In 2016, mass use of routers for DNS Hijacking, a DNS spoofing attack, was detected. DNSChanger and Switcher programs replaced DNS server addresses in router settings with malicious addresses to show ads and distribute malware on devices connected to routers.
The client computer treatment in such cases does not help, because the source of the problem is in the router.
Spam is a mass mailing of messages to users, which is done to advertise certain software products, spread information, steal personal data, etc. Simply put, it is obtrusive advertising of something. Most IoT devices run Linux, the rich functionality of which allows you to install additional components.
Installing a SOCKS proxy server allows you to use the device as an anonymizer, to stay in the shadows and organize mass spamming and hacking of corporate networks.
The most common use of cracked IoT devices is to organize botnets to conduct distributed denial of service (DDoS) attacks. A DDoS attack is a way to block the site operation by sending a large number of requests that exceed the network bandwidth. The attacker sends such requests from multiple cracked systems. In this way, he tries to fully occupy the internet channel and “deplete” the victim company’s RAM resources. The ultimate goal is to disable such a company’s systems and interrupt its business processes.
A DoS attack can be a way for an attacker to extort money or even to benefit competitors or the government politically. A disruption in any company’s corporate network can be a serious windfall for many people.
Examples of Hacking IoT Devices
Let’s move on to some real-life IoT cyberattack examples.
Nest Smart Home Prank
In 2018, the Westmoreland family installed a Nest camera, doorbell and thermostat. They did not have any problems until their camera’s speakers in the kitchen suddenly started to play a piece of ‘vulgar music’.
One day, the family came home and found that the thermostat was up to 32 degrees Celsius. They thought it was a glitch and switched back to room temperature. But then the thermostat kept going up, and an odd song started to play through the speakers in the kitchen.
To secure the system, the family contacted their Internet service provider and changed the network ID. They believed that someone had attacked their Nest through hacking into their shared Wi-Fi network.
To prevent such hacks in your home, use unique complex passwords and two-factor authentication.
Camera Privacy Breaches
In 2019, a Reddit user reported a glitch occurring between Xiaomi Camera and Google Nest Hub. When the user streams content from his camera to his hub, he sees still images from other people’s homes because of a bug. Essentially, the privacy of several people has been breached due to a mistake of software developers.
It is not the first time cameras have created such a problem. Security researchers at Bitdefender discovered and reported a bug in Amazon’s Ring Video Doorbell Pro camera, which allows hackers to access users’ connected devices via unsecured Wi-Fi networks.
By gaining access to the Wi-Fi network, attackers can steal sensitive data such as your credit card data. To minimize the impact of these bugs, companies are striving to release their patches as rapidly as possible to eliminate the detected vulnerabilities.
Phone Line Vulnerabilities
Yaniv Balmas and Eyal Itkin, security researchers at Check Point, discovered that faxes have severe security vulnerabilities too. Such breaches could enable hackers to steal data from a company’s network using only a phone line and fax number.
The researchers claimed attackers could send specially created images encoded with malware to target networks via fax. Vulnerabilities in the device allow the malware to decode the files and download them, which leads to leaking sensitive information or disruption of connected networks.
Such an incident would cause enormous financial losses for every business. The solution for companies is to pay more attention to cybersecurity and hire specialists who can detect such unobvious attacks and neutralise them.
Eliminating of IoT Devices Security Risks
There are many ways to protect your IoT network devices and minimize risks. They provide different levels of security, so some of them might be more difficult than others.
Complex and Frequently Updated Passwords
The smallest thing you can do is establish complicated passwords and update them regularly. If you have a sophisticated network with different devices, use a password manager. By doing so, you will utilize longer passwords and avoid forgetting them.
Two-factor authentication is an additional safety measure that will defend your privacy even if your passwords are leaked or brute-forced.
The most common type of multiple level authentication comprises two steps. However, in systems containing sensitive information, there may be a multi-factor authentication model.
To shield your IoT system as much as possible, employ the maximum number of authentication steps available on your devices.
Software updates patch the majority of discovered bugs and address security vulnerabilities. If users cannot maintain IoT devices’ software up to date, their IoT systems will be vulnerable to attacks, especially if their devices are constantly connected to the Internet.
Secure Internet Connection
Let’s start with the router, which is the gateway between your IoT devices and the wireless network. If you leave the network unprotected, it becomes an easy target for hacker attacks.
As a first step, change the default network name, administrator’s login, and password with secure alternatives and change them from time to time.
As a second step, set the highest level of encryption that your hardware supports. If it only supports weak levels, consider upgrading to a more advanced router that supports WPA2 encryption.
If you intend to preserve the privacy of smartphones or work laptops, you can apply advanced security measures and build a separate wireless network only for your IoT devices.
Segmentation or partial isolation is the process of dividing the network into several independent subnets. Although the segments may sometimes interact, they are autonomous and disconnected from each other.
If a cyber-attack occurs on a segmented network, the hacker gains access to only a fragment of sensitive data. Thus, segmentation limits the scope of the attack and minimizes the potential damage.
Read more about Internet: How to protect data on the Internet
Government Regulation of IoT Industry
The consumer community has the power to take reasonable actions, however, the government attempts to regulate the IoT industry in certain countries as well.
Regulatory attempts to govern the Internet of Things are now being undertaken in the U.S. The Internet of Things Cybersecurity Improvement Act of 2020 was signed, leading to the first federal regulation of the Internet of Things.
The bill deals with devices procured by the federal government and includes requirements such as:
- Devices must be patchable, rely on industry-standard protocols, and be built without hard-coded passwords and known security vulnerabilities
- Alternative network-level security requirements for devices with limited data processing and software functionality
- Cybersecurity coordinated vulnerability disclosure policies will be required of all contractors that provide connected devices to the U.S. Government
Australia also has similar legislation. Lawmakers have proposed certifying IoT devices with requirements such as:
- Changeable, unguessable, non-default passwords
- Secured network ports
- Regular software updates
It is not yet known if this is effective, as not enough time has passed to figure it out. Nevertheless, the problem is so far unaddressed in the majority of countries.
Read More about IoT: Internet of Things Case – Zeaeye
Drawing conclusions from the above
IoT systems are vulnerable to hacking attacks, as evidenced by numerous examples in the media and on forums. Some breaches become feasible because of user carelessness. Other insecurities are caused by infrequent software updates and vulnerabilities in the hardware itself.
Therefore, some vulnerability problems can be solved by implementing measures such as multi-factor authentication, network segmentation and regular updates. Some problems will be solved over time if companies increase their focus on the security of their products. We as users can already observe some movements in this direction. State regulations on the IoT industry will likely be helpful as well.
We can help you with the development of secure IoT applications. Write to us about your ideas and we’ll create the best solution.