IoT Security is one of the least talked about areas today since the world focuses more and more on Information security, Blockchain, and others.
Ambimat Electronics with its experience of over 4 decades as an ODM of IoT products wishes to draw the attention of its customers and readers of blog posts towards this neglected field.
Challenges with IoT security are many hence we have decided to break it down into two articles, this being the first of the two parts.
Care has been taken to keep the language simple enough for readers with varied experience to understand.
IoT Devices with outdated secure firmware.
A few years ago, security professionals were focused solely on protecting mobile devices and computers. Today, there is a proliferation of IoT devices. With more than a billion devices around communicating back to the enterprise, there are potentially billions of open points from where different attacks can be launched on the enterprise, by simply exposing the security vulnerabilities across the enterprise.
Since the IoT devices are being used increasingly, the manufacturers of these devices are focusing on building new ones and not paying enough attention to security. A majority of these devices don’t get enough updates, whereas some of them never get a single one. What this means is that these products are secure at the time of purchase but become vulnerable to attacks when the hackers find some bugs or security issues specifically when open source software was used. When these issues are not fixed by releasing regular updates for hardware and software, the devices remain vulnerable to attacks.
In addition to the vulnerabilities of the IoT devices, the other concern is with interconnected legacy systems. In an enterprise with a growing number of IoT devices, legacy technologies might seem out of place. A breach of an IoT device could also result in a breach of a legacy system that lacks modern security standards.
Use of weak and default credentials.
Many IoT companies are selling devices and providing consumers default credentials with them — like an ‘admin’ username and ‘password’ as a password. Hackers need just the username and password to attack the device. When they know the username, they carry out brute-force attacks to infect the devices. The Mirai botnet attack is an example that was carried out because the devices were using default credentials. Consumers should be changing the default credentials as soon as they get the device, but most of the consumers are never informed about the same by the manufacturers.
Lack Of Encryption
Although encryption is a great way to prevent hackers from accessing data, it is also one of the leading IoT security challenges. These devices lack the storage and processing capabilities that would be found on a traditional computer. At times what has also been seen is the unused bandwidth or the unused processing power of the same IoT device is used to launch an attack on the device.
The result is an increase in attacks where hackers can easily manipulate the algorithms that were designed for the protection of the device. Unless an enterprise resolves this issue, encryption won’t be a security asset.
Malware and Ransomware.
The rapid rise in the development of IoT products will make cyberattack permutations unpredictable. Cybercriminals have become advanced today — and they lock out the consumers from using their own device.
For example, an IoT-enabled camera that captures confidential information from home or the work office — and the system is hacked using a virus which is called Malware. The attackers will encrypt the webcam system and not allow consumers to access any information. Since the system contains personal data, they can ask consumers to pay a hefty amount to recover their data. When this occurs, it’s called Ransomware.
Another example: When an IoT device in a City-Wide infrastructure is uploaded with malware it can also launch an attack like a DDos or a Man-in-the-middle eventually compromising the entire city’s command and control infrastructure.
Predicting and preventing phishing attacks.
Cybercriminals are proactively finding out new techniques for security threats. Phishing is already a security concern across all enterprise technologies, and IoT devices represent the latest attack vector. Hackers could send a signal to an IoT device that triggers numerous complications. Although it is one of the most common forms of security attacks, and it can be stopped, many organizations fail to properly train their workers about the latest phishing threats.
In such a scenario, there is a need for not only finding the vulnerabilities and fixing them as they occur but also learning to predict and prevent new threats.
The challenge of security seems to be a long-term challenge for the security of connected devices. Modern cloud services make use of threat intelligence for predicting security issues. Other such techniques include AI-powered monitoring and analytics tools. However, it is complex to adapt these techniques in IoT because the connected devices need processing of data instantly.
Wide Area Networks.
Additionally today we see the rise of WAN (Wide Area Networks) everywhere. Such networks are city-wide networks and control the communication between essential services such as Smart Meters and Smart Street Lights. A breach by someone who simply uploads a malware into one of the ‘trusted’ devices means compromising the security of the entire enterprise.
Smart Homes Devices
Today, more and more homes and offices are getting smart with IoT connectivity. The big builders and developers are powering the apartments and the entire building with IoT devices. While home automation is a good thing, not everyone is aware of the best practices that should be taken care of for IoT security. Even if the IP addresses get exposed, this can lead to exposure of residential address and other contact details of the consumer. Attackers or interested parties can use this information for evil purposes. This leaves smart homes at potential risk.
Check out these case studies regarding Smart Home devices
Case Study #1:
Case Study #2: