The Internet of Things (IoT) is a networking concept that describes how electronic physical objects interact with each other and with their environment. In general, any physical device that is connected to the Internet can be considered IoT equipment. Your smartphone, laptop, coffee maker – those can all serve as IoT nodes.
There are a number of other concepts built on top of IoT: smart home systems, tracking systems, life support systems, etc. Ensuring the continuous operation of some of these is critically important, and the safety of the transmitted data is of paramount importance. Thus, it is imperative to ensure an appropriate level of IoT security in these systems. The following are the main security issues associated with IoT.
Why is it important to provide security for IoT?
Creating a botnet by capturing and “zombifying” the nodes is one of the most common methods of data theft through Internet of Things devices. By breaching the protection of network nodes, hackers create entire networks that are then used for mass spam mailings, DDoS attacks on commercial and state sites, electronic currency mining, share price fraud, identity theft, etc. The collective computing power of some known botnets, such as ZeroAccess (2 million nodes) and Storm (up to 50 million nodes), can rival that of supercomputers.
Obviously, privacy in the Internet of Things is vital. A vivid example of the damaging effect of a botnet is the 2016 case of the Mirai botnet. According to official figures, Mirai, at its peak, controlled more than 150,000 Linux-based IoT devices (and according to unofficial figures, this number is up to several million). Mirai was used for hundreds of attacks that overloaded servers of such world-famous sites as Airbnb and Reddit. This was the first officially acknowledged case where IoT equipment was used for botnet nodes.
What kind of data are hackers looking for?
- Authentication credentials. Practice shows that most attacks of this nature are aimed at intercepting network credentials. For example, by controlling a router without your knowledge, a hacker can intercept your traffic and, upon capturing the needed data, log in as a system administrator.
- Personal details of users. Having connected to the user’s PC through the network, criminals automatically gain access to all personal data stored on its drives. In many cases, this allows not only for the theft of personal files, but also for the encryption of critical data and documents, which the criminals then offer to unlock for a certain price.
- Measuring and recording device information. Some data collected from sensors and recording devices, being unique information, carries monetary value. Thus, by hijacking traffic, a hacker gets illegal access to data of commercial importance or security camera feeds.
- Transmitted messages. Messages, whether business or personal, in many cases carry a private character and must not be made public. The perpetrator can take advantage of this information for blackmail, for instance.
Knowing all of this, you likely don’t doubt the need to protect your Internet of Things equipment. Let us consider the weakest security links in the IoT concept, which are most often subject to hacker attacks.
The most frequent security challenges with Internet of Things
- User accounts. Many IoT device owners do not bother changing their default user credentials. As practice shows, neglecting this security measure is a direct way to hand your IoT device over to a botnet.
- Software. Software updates bring not only improved responsiveness to user actions or new functionality, but also improved methods for privacy protection, new security protocols, and vulnerability patches. Therefore, cyber security experts strongly recommend that you update your software in a timely manner so that attackers do not have time to take advantage of the outdated software’s vulnerabilities.
- Lack of encryption. When connecting an IoT device to a network in a public place, it is advisable to use a VPN (it is enough to simply install the VPN client on your personal device and then use it when setting up an internet connection on untrusted networks). Responsible manufacturers build VPN clients into the firmware of devices that do not allow modification. The VPN connection employs secure encrypted channels, which renders "Man-in-the-Middle" (MITM) attacks impossible. With this attack method, an offender intercepts messages between two nodes. As a result, they not only receive the transferred data but can also replace it with fraudulent information or disrupt the communication completely. Nevertheless, most device owners neglect or decline data encryption as it noticeably slows down the connection. For example, user-entered login credentials can be sent as plain text, which makes them available to any attacker that intercepts the traffic.
- Lack of permission requests. Unfortunately, to date, not every IoT device has an interface thought out well enough to protect users from unintentional dangerous actions. This is evidenced by a rather well-known and widely discussed case involving Alexa, the AI-based personal assistant. After the device owner pronounced a random phrase about dollhouses, Alexa automatically searched for them on Amazon and made a costly purchase. A multistage system of granting permissions to perform certain actions would have allowed this situation to be avoided.
- Ill-conceived user interface. The majority of IoT devices were designed to gain mass appeal. This is facilitated by simple and intuitive UIs, which do not require special training to operate. On the one hand, even beginners can master their functionality swiftly. On the other hand, such interfaces, thanks to their simplicity, are a real tidbit for illegal activities. In particular, a hacker can try to get your registration information or e-mail address using the "Forgot your password?" button. Another area of the UI open to attack is services that do not block IP or MAC addresses after several unsuccessful authorization attempts. They are exposed to automated attacks that cycle through logins and passwords (so-called brute-forcing) or to manual entry of the most frequently used character combinations (for example, "bad" passwords include "qwerty", "password", "12345", etc.). To protect the device completely, strict rules for secure password selection must be enforced. Note that even those devices that were originally designed for a high level of user data safety (ATMs, bank terminals and other equipment that processes bank card data) are not immune to fraudulent activity. As the saying goes, something that one human built can be broken by another. Nowadays, there are already special ultra-thin pads, almost impossible to notice, that are placed inside ATM card slots over the connectors to intercept the transferred data.
- Unreliable personal data store. The more personal data your user profile contains, the more damaging a hack would be. This factor especially concerns electronic wallets and online stores, where money transfers are made online using bank account details. Security experts recommend selecting only tested services. This factor also applies to all information stored on personal devices. In the case of a security breach, the attacker will have access to all the collected data.
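The missing control described under "Ill-conceived user interface", blocking a source after several unsuccessful authorization attempts, can be sketched as follows. This is an added example, not code from the original article; the class name, the thresholds and the sample events are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

MAX_FAILURES = 5        # assumed threshold; the article only says "several"
WINDOW_SECONDS = 300    # assumed: failures are counted over 5 minutes
LOCKOUT_SECONDS = 900   # assumed: a blocked source stays blocked for 15 minutes


class LoginThrottle:
    """Counts failed logins per source (IP or MAC) and blocks repeat offenders."""

    def __init__(self):
        self._failures = defaultdict(deque)  # source -> recent failure times
        self._blocked_until = {}             # source -> time the block ends

    def is_blocked(self, source, now):
        return now < self._blocked_until.get(source, 0)

    def record(self, source, success, now):
        """Return 'blocked', 'ok' or 'failed' for one login attempt."""
        if self.is_blocked(source, now):
            return "blocked"                 # reject before checking credentials
        if success:
            self._failures.pop(source, None)
            return "ok"
        recent = self._failures[source]
        recent.append(now)
        while now - recent[0] > WINDOW_SECONDS:
            recent.popleft()                 # forget failures outside the window
        if len(recent) >= MAX_FAILURES:
            self._blocked_until[source] = now + LOCKOUT_SECONDS
            recent.clear()
        return "failed"


def replay(events):
    """Run (time, source, success) events through a fresh throttle."""
    throttle = LoginThrottle()
    return [throttle.record(src, ok, t) for t, src, ok in events]

# Constructed sample: one address guessing quickly, another mistyping once.
SAMPLE_EVENTS = (
    [(t, "203.0.113.7", False) for t in range(0, 60, 10)]  # six rapid failures
    + [(70, "203.0.113.7", True),    # correct guess arrives while blocked
       (80, "192.0.2.10", False), (90, "192.0.2.10", True),
       (1000, "203.0.113.7", True)]  # block expired after 15 minutes
)

if __name__ == "__main__":
    print(replay(SAMPLE_EVENTS))
```

Because a blocked source is rejected before its credentials are checked, even a correct guess made during the lockout does not get through, while the user who mistypes once is unaffected.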
The most common types of attacks on IoT
- Sniffing. This type of attack can be carried out if the network card of the IoT device operates in monitor mode or any other "promiscuous" mode. The result of sniffing is the hacker obtaining private information from data transfers.
- Spoofing. Some scammers pass their IoT devices off as ones that have legitimate network access rights (for example, by using valid credentials or the correct IP address), thus gaining the ability to distribute malicious software from within.
- MITM. As mentioned above, many intruders capture the communication channels between IoT devices, thereby acquiring the ability to intercept or modify transmitted information.
- Malicious software. Either to disrupt the operation of IoT devices, or to steal important data that is stored in them, perpetrators use all kinds of worms, trojans, viruses and rootkits.
- Software vulnerabilities exploitation. Exploiting vulnerabilities in software is the simplest attack method and is widely used by hackers. Using unhandled exceptions, they block the work of applications or operating environments and, therefore, the operation of the IoT device, by means of special scripts, SQL, PHP or XPath injections, or the buffer overflow method.
- Denial of service. This type of attack involves disrupting a server's operation. There are two types of attacks:
  - Denial of Service (DoS). This attack is executed by a single attacking tool – a PC, smartphone or IoT device. The activity of the hacker is aimed at bringing the work of the site or web application to a halt, thanks to the handling of an extreme number of exceptions and subsequent execution of the malicious code.
  - Distributed Denial of Service (DDoS). This attack is executed through a botnet, when multitudes of "enslaved" devices simultaneously send requests to the selected web resource, thereby overloading it.
Rules for using IoT devices: security essentials
To date, there are many advanced technologies designed to provide Internet of Things security. These include authentication (which involves digital certificates and biometrics), encryption, PKI and IoT Security Analytics. Each of these solutions is part of the products of world-renowned vendors, such as Cisco, HPE, Lynx Software Technologies, and Symantec. For all their benefits, they carry considerable price tags and, as a rule, are intended for use within a large business, health, science or security organization.
We at applikeysolutions.com are a tight team of marketers, managers, developers and security analysts with years of experience in mobile, VR/AR and IoT application development under our belt. If you simply want to provide a basic level of Internet of Things security for your device, we suggest that you follow these recommendations, which apply in most cases:
- Use strong passwords. Securing an Internet of Things device starts with setting good passwords. That is, never leave a default password unchanged and never use one that can theoretically be matched with a dictionary (these include birth dates, names, words, and various combinations of numbers). The best choice is an arbitrary set of characters at least ten characters long that uses both lowercase and uppercase letters, as well as numbers and special characters.
- Update your software regularly. The older the software or platform of your IoT device is, the more vulnerabilities can be discovered in it. That is why it is very important to push software updates to all your IoT devices in a timely manner, in order to protect their data from unauthorized access.
- Ensure the systematic backup of critical information. Regular backups of your IoT device will allow for the quick recovery of its operation, in the event of security breaches, malware infection or hardware damage.
- Implement multi-level authentication. Many internet resources today provide multi-stage authentication. Google Mail services, for instance, offer two-step authorization, requesting the standard login credentials at the first stage, and verifying them with a secret code that is automatically sent via SMS to a personal mobile number or generated by a dedicated application.
- Employ an antivirus routine. Running a potent antivirus in high-security mode will help protect your IoT equipment from known malicious software. Such programs can also block suspicious sites, thereby protecting firmware from “enslavement”, as well as from the theft or loss of critical data.
- Employ a firewall routine. Firewalls are divided into two types: those that block incoming traffic according to predefined rules, and those that block traffic with invalid data packet types. The latter type of firewall works more precisely because even the most experienced security analyst cannot foresee what form the next malicious attack will take.
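The password rules from the first recommendation (at least ten characters, all four character classes, no defaults, no dictionary words or dates) can be enforced at the point where a device password is set. The checker below is an added example, not code from the original article; the small word list, the extra default passwords and the character-substitution table are constructed stand-ins for real lists.

```python
import re
import string

MIN_LENGTH = 10  # the article's minimum
# "Bad" passwords quoted in the article, plus constructed factory defaults.
KNOWN_BAD = {"qwerty", "password", "12345", "admin", "root", "default"}
# Constructed stand-in for a real dictionary and name list.
WORDLIST = {"summer", "dragon", "michael", "welcome", "camera", "router"}
# Years and compact dates such as 1987, 120390 or 12-03-1990.
DATE_LIKE = re.compile(r"(19|20)\d{2}|\d{2}[./-]?\d{2}[./-]?\d{2}")
# Undo common character swaps so "P@ssw0rd" is read as "password".
LEET = str.maketrans("@0134$5", "aoieass")
CLASSES = {
    "lowercase letter": string.ascii_lowercase,
    "uppercase letter": string.ascii_uppercase,
    "digit": string.digits,
    "special character": string.punctuation,
}


def password_problems(password):
    """Return the reasons a password breaks the rules above (empty = accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 10 characters")
    for name, alphabet in CLASSES.items():
        if not any(ch in alphabet for ch in password):
            problems.append("no " + name)
    lowered = password.lower()
    letters_only = re.sub(r"[^a-z]", "", lowered.translate(LEET))
    for word in sorted(KNOWN_BAD | WORDLIST):
        if word in lowered or word in letters_only:
            problems.append(f"contains listed word '{word}'")
    if DATE_LIKE.search(password):
        problems.append("contains a date-like number")
    return problems


if __name__ == "__main__":
    # Constructed samples: a default, two "complex-looking" guessables, a random one.
    for candidate in ("admin", "Summer2019!", "P@ssw0rd!!", "tR7#kq!Zp2&w"):
        print(candidate, "->", password_problems(candidate) or "accepted")
```

"Summer2019!" and "P@ssw0rd!!" satisfy the length and character-class rules yet are still rejected, which is why the dictionary and date checks matter as much as the composition rules.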
Of course, an ordinary user alone cannot guarantee the safety and security of their IoT devices and solve all of the challenges associated with software vulnerabilities; however, by adhering to these simple rules of Internet of Things security, you can protect yourself and your private data from most hacker attacks.