IoT Security: Understanding Risks and Threats

IoT Security: Understanding Risks and Threats

The Internet of Things (IoT)  defines the world we live in - it consists of interrelated computing devices, mechanical and digital machines, objects, animals, or people that each have a unique identifier UID) and the ability to data over a network without requiring any human-to-human or human-to-computer interaction. A thing in the IoT is not necessarily what you will ordinarily think of as a thing.  It can be a person with a heart monitor implant or pacemaker, a pet with a chip, a car that can tell you when you're drifting out of your lane, or any other natural or artificial object in the universe that you can assign an Internet Protocol (IP) address and can transfer data over a network.  Unfortunately, something that exists so broadly and affects our lives so profoundly will be a virtually irresistible target for hackers and therefore require security.

The IoT is important because it is so ordinary now.  IoT devices are everywhere in our lives, full of connective devices. Therefore, a hacker can disrupt our lives by taking advantage of the broad hackable space IoT devices offer.  This article will look at the need to prevent IoT hacking and the security necessary.

What Is IoT Security?

IoT security starts with writing code intended to protect your network security and connected devices.  One way to begin is, as an enterprise, to require IT staff to create and use a set of pre-approved cryptographic standards whenever building or modifying applications for your business.  Once staff completes a draft of an application for your IoT devices, they should run a static code analysis program that analyzes the code to identify any common coding mistakes in the application draft that can lead to security vulnerabilities. Finally, to protect your enterprise-wide IT system, you should adopt the policy of instituting vulnerability management to identify and repair known vulnerabilities in IoT applications.  This program should be run frequently, on a scheduled, ongoing basis. Following these best practices will significantly enhance your network security.  

Device Takeovers

A common technique for hacking mobile devices and IoT systems is to hack into them to be entirely under the hacker's control.  The hacked device is then added to a botnet which permits an enormous number of devices to be simultaneously controlled.  A botnet refers to many Internet-connected devices, each of which runs one or more bots, connecting many devices. Botnets are potentially highly destructive devices that can be used to perform Distributed Denial-of-Service (DDoS) attacks, allowing the bot to deny service on a website.  They can steal data, send spam, and allow the attacker to access the device and its internet connection. The bot operator controls the botnet using command and control (C&C) software.

Botnets can also be used for entry points to closed or firewalled networks that are typically not accessible to daily internet traffic. The botnet will send direct emails to specific targets within a network, hoping that one of them will be tricked into opening the email or its attachment.  Doing so gives the botnet entry into the system.  They can also attack public IP addresses by updating the command and control software to allow themselves access.  

IoT and Hardware

If the IoT device controls equipment or other hardware, the hacker can create an entirely different kind of chaos.  Self-driving cars can drive into one another; indeed, using the correct type of hotspot can send a whole herd of self-driving vehicles into doing insane things.  Elevators and electronic access devices in high rises and public facilities like airports can be compromised, causing a system failure, shutting down airports, subways, trains, other transportation systems, and other critical infrastructure.  

Other Bot Attacks

Bots and botnets can recruit - they can attack devices to add more devices to themselves, growing like the Borg.  They can send out millions of spam emails and hope that someone will open them.  Ultimately, botnets are one of your system's primary security risks to your IoT and must be prevented in every way you can.

Why Is IoT Security Critical?

There are billions of IoT computing devices and internet-connected devices, as noted above.  More are added to the IoT every day. Unfortunately, many of these devices are brought into network connections without any IoT security measures.  Where these IoT newbies have minimum security built-in, they are often incapable of running firmware updates to stay secure.  Moreover, given that some of these devices are designed to last for years, their IoT security, however minimal or substantial, will soon be dated and unable to cope with current IoT attacks. These vulnerabilities create immense security concerns that the IoT system is only beginning to address. 

Think about the future where we expect smart homes with smart door locks and even smart cities, where our sensitive information is stored on widely available public sites in the cloud.  And then think of the damage that hackers can inflict on this IoT ecosystem, bringing down its entire IoT infrastructure.  Just one or two unsecured devices connected to this IoT network can crash the whole system.  

Understanding Current IoT Security Risks

Firmware

IoT security has only recently become aware of the extreme vulnerability presented by firmware, as opposed to software hacks.  Firmware is built into hardware, telling it how to talk to software.  When built, it is added to the hardware and often does not update except upon request.  And most people don't know you need to make that request.  So, the firmware stays in the device as it is used, sometimes for years, becoming increasingly vulnerable to an IoT hack that will attack the hardware where it sits.

Complexity

Security gets more necessary and more complex every day.  Open a news aggregator any day and find a story about the latest vulnerability that Acme has seen in its Coyote program and watch the world cringe until the patch is in place.  Of course, the patch often requires an update and a decision to do the update, so the vulnerability may not be fixed everywhere.  Worse, the patch may bring its new security issues, leading to a cascade of holes and patches requiring another patch with another potential hole.  IoT security experts struggle to keep up with the ever-changing security landscape.  

Slow and Boring - and Not Cheap

Few things are less interesting than sitting around watching your mobile device update. It's equally time-consuming and expensive to create those security updates and build them onto that same mobile device.  Meanwhile, the people who do IoT security work are highly trained and skilled professionals who are also expensive.  Making and keeping your IoT devices secure is not cheap, but people want to spend their internet money on bells and whistles, not locks and keys.

Zero-Day Vulnerabilities

On the day a new app or device enters the IoT universe, it may carry a virus or vulnerability of which no one is aware.  Hackers and cybercriminals - sometimes working for hostile governments - then race to take full advantage of this undiscovered gap until a victim or the developer discovers it, and a patch is built and made available.  Sometimes old zero-day vulnerabilities can still be used from old equipment or firmware. And zero-day vulnerabilities don't just attack small, amateur software operations.  Famous victims have included Chrome, Word, Windows, Apple, and Zoom.  Every new release is a new potential zero-day.  

Avoiding These Risks

One of the keys to avoiding IoT risks is to stay familiar with and aware of your operating systems.  Run analytics often.  Test your systems, make sure they are operating as usual and ensure that someone is analyzing the data produced.  Only if you become suspicious of how your system performs will you look for what is causing the differences.  Eternal vigilance, as the saying goes.  

Anticipating the Coming Risks

But the brave new world of IoT devices grows broader and deeper every day.  Soon more and more of us will be driving cars that do the driving for us, creating tremendous IoT security challenges and extreme vulnerability to physically dangerous hacks.  We rely increasingly on complex and sophisticated technology to perform highly skilled tasks like surgery that used to be undertaken only by trained professionals.  Hacking into robotic surgical equipment represents a nightmare of vulnerability.  Sensitive data is exposed to computer attacks.  Who is to say that the Supreme Court wasn't recently hacked rather than a paper copy of a draft decision taken from the building?  

Quantum cryptography is a technology that takes advantage of quantum physics to allow the distribution of symmetric encryption keys. Some say it might be more accurate to refer to it as quantum key distribution (QKD). It works by sending photons, “quantum particles” of light, across an optical link.  Think of the new opportunities for IoT attacks this new technology presents.  Any such new technology offers new vectors for attack and unique and unknown vulnerabilities.

Standardization is a great social good.  We all grow the same corn because it grows faster and more reliably.  We all wish that POS tablets at checkouts were the same so that just once, we can get it right on the same try.  However, as the Irish discovered with potatoes, having an economy built entirely on something the same everywhere means that when a hole is found in that same thing, the IoT can go straight down the tubes. If everyone runs the same operating system, and you discover how to bring it down, you can bring everything down.  Security of standard systems is thus becoming an intense focus in IoT security, with much expertise and attention devoted to it.  

Protecting the Internet of Things

There are, obviously, steps that can be taken to protect yourself and your systems from the vulnerability of IoT devices.  A few of these are:

Use the most current, most fully patched data libraries you can find.  Old libraries have old vulnerabilities.

Try to hack your own device or app before it is released.  Tools like Metasploit can help with this.  

Stay aware of common vulnerabilities and exposures (CVEs) related to your devices and libraries.

Always, always follow IoT security best practices during development and maintenance.  Use the best, most secure encryption standards available to you.  If you're not secure, your entire down-market chain is not secure.

Keep security part of your overall design process for IoT products.

Find and use any services that make testing IoT devices for security best practices and vulnerabilities easier.

Never Forget

IoT security is not a set it and forget it task.  It is an ever-moving target, and you have to remember it every day. A tiger only has to get hunting right occasionally; a deer has to be perfect as escaping every day. You don't ever want to be the prey animal who had an off day.  

Think about it.  A recent estimate suggested more than  8.4 billion IoT connective devices in this world.  That's a lot of temptation and a lot to be protected.

Or click here to learn more ->