The world of today is constantly transforming, and dependence on internet connectivity is an innate part of that transformation. As technology develops, traditional methods of connecting to the internet are now no longer sufficient, and we begin to see a network of connected “smart” devices, able to communicate seamlessly over the internet. Termed the “Internet of Things”, this development is changing life as we know it, in terms of how we both work and live.
Gartner, which is a global research and advisory firm providing insights, advice and tools for leaders in I.T, Finance, HR, Marketing and the likes across the world have estimated the growth of IoT devices connected via the internet to be 20 billion by they year 2020 and approximately 75 billion world wide by 2025. With the rapid growth and change pacing the world, the need for both technology and connectivity has made data not just a record of bytes but also a valuable resource.
The growth of IoT from our smart wearables devices, connected cars, homes, and even smart cities and Industrial Internet of things(IIoT), means large amount of data seamlessly is moving between devices, which in turn makes security a very important factor alongside the growth of IoT.
As IoT grows, so does IoT security. Confidentiality and integrity of the data being collected should be uncompromising to avoid hacks, such as taking control of a smart home, or being able to track an individual via their fitbit wearable bands, as reported by cbsnews.
Gartner also reports that by 2020 IoT devices will comprise 25% of cybersecurity attacks, and from 2017 many IoT devices would have been breached and used as miners to mine cryptocurrency without the victim’s knowledge.
In this post we will take a look at the challenges of IoT security that we face today:
Data Encryption and Authentication: With lots of data either at rest (data found in application, databases or in the cloud), in use (data being accessible to users or devices via application or a gateway) or in transit (data moving from either cloud to devices or device to device) large amounts of personal and useful information is at risk when an IoT system is breached. Attackers are always looking for possible ways to steal or have access to this data. Data in transmission between IoT devices needs to be encoded.
There’s not a guarantee that attackers can’t steal encrypted data, but with the use of wireless inbuilt encryption, sensitive data will be available to hackers. With tools such as “Attify framework”, attackers can intercept, sniff and exploit data being transmitted between devices in an IoT system. This exploitation was popular with ‘Zigbee’ IoT communication protocol, which was mostly used in smart homes.
Besides the encryption of data, authentication is a serious concern with lots of different IoT devices integrated to provide an endpoint solution (surveillance, monitoring and access control). With different IoT devices in the consumer market, not all of these device provide or use authentication to receive and send data.
Encrypted data isn’t enough if the source of the data can’t be determined, if there is no way to authenticate the source of the data an attacker can send fake data containing a payload to get desired result.
An example of this occurrence was the famous casino fish tank thermostat hack in North-America. Attackers breached the casino network system via the IoT enabled thermostat attached to the fish tank to monitor the temperature and cleanliness of the water.
The attackers were able to get 10gb of valuable data, from the casino’s database just because the thermostat was unable to authenticate the request from an attacker. Without authentication, threats like identity theft are still a reality, although they now extend to one’s own identification between IoT devices. There was a dramatic increase in Distributed Denial of Service (DDoS) attacks due to this issue in 2017 via IoT devices from some of the largest ever DDoS attacks known as by the Mirai botnet.
Hardware Issues: With different IoT devices integrating into a IoT system to be connected to the internet, the foundation being the hardware is built on is of high importance. Tech giants such as ARM and Intel are making security amendments to their smart devices in order to protect users. Attackers use a hardware tool called “Shikra”, which is known to be reliable and stable for connecting to UART, JTAG, I2C and SPI- the main serial bus interfaces to exploit IoT devices. It can be used to pull the firmware image off a target IoT device for software exploitation. Another widely noted issue is the cloning of an RFID tag to bypass access control with Proxmark or Tag Cloner which copies the UID number of a targeted victim tag to the attackers desired tag.
Image source: Unsplash
Updates: Updates are an important, regular process in the world of IoT. Not all IoT devices support over-the-air update and hence require the devices to be manually updated or changed with respect to hardware changes, and if not handled properly, can result in loopholes in the security of the IoT system. This means devices which were safe when first acquired become unsafe as vulnerabilities are found. IoT device managers need to be particularly aware of “End-of-Life” IoT devices.
Human Factor: As security experts say, “You’re only as strong as your weakest link”. Ignorance of IoT security both by companies and individuals is a great security challenge, and basic errors such as not knowing when to update, using default passwords shipped with devices and so on, were part of the vulnerabilities attackers used with Mirai Botnet to brute force and infect the devices.
To handle IoT security issues, make sure your IoT system is properly structured and segmented network by following security procedures along policies. If you would like to know more reach us at firstname.lastname@example.org