Since the term came into being in 1999, IoT or the Internet of Things has been gaining attention for all the wrong reasons. What was once a buzzword, with little to no real developments and limited commercialization has made experts call it the “Internet of no things”.
For a couple of years with bullish forecasts and big promises since 2015, it is still facing security issues and scrutiny from people all over the world.
“Why, where is it all going wrong” is a question most of us have. To understand these let’s get started with the fallouts.
Moving from “Year of IoT” to Annus Horribilis for IoT
Many experts described 2015 as the year of IoT, but so far it has been an era of bad press.
It was also the time countries and industry leaders around the globe were also making strategic efforts in the direction, such as (Source):
- Google announcing to buy Nest for $3.2 billion
- Consumer Electronics Show (CES) in Las Vegas, that was held under the theme of IoT
- Market predictions reporting that IoT would be $8.9 trillion in 2020
However, with countless hacks and breaches, it is resulting in abomination, but before that, there is still hope!
Not everything has been negative, it has seen tremendous positivity as well as cities, homes, and businesses turning smart. With all the help and positivity it is still one of the biggest concerns when it comes to the security of IoT devices.
Security firm Kaspersky recently ran a damning critique of IoT security challenges, with an unflattering headline, “Internet of Crappy Things”
Millions of IoT devices are hacked every month with compromising details, here are a few IoT breaches and attacks which shook up the world.
The top 5 of these breach attacks are as follows:
Xbash Botnet aka the Pangea of malware attacked both, the Windows and Linux devices and incorporated multiple attack methods, namely – botnet, destruction, ransomware, and cryptocurrency mining. It attacks over unpatched vulnerabilities and weak passwords.
Since its first appearance in 2018, Muhstik botnet has been using web app exploits to hinder the IoT devices, and Oracle WebLogic and Lacework for Drupal are some of the murky examples.
The Mirai Botnet a.k.a Dyn Attack
In 2016, Dyn Attack infamously leveraged a number of internet-connected devices, such as residential gateways, baby monitors, IP cameras and printers, etc.
This botnet also infects IoT devices such as routers and smart cameras and is basically a DDOS attack on the online medium.
Mozi is a recent malware that includes source codes from Gafgyt, IoT Reaper, and Mirai and organizes the attacked IoT devices into a botnet for DDOS attacks, data exfiltration, and payload execution.
Why are IoT Devices Vulnerable?
IoT devices are largely vulnerable as the devices lack the necessary built-in security to keep the threats and attacks at bay. Further, the way users set the security and access points also play a major role in vulnerability to threats.
On top of these, in the race of being the “first” in the market, the vendors in the segment tend to overlook is the “fittest” in the market. What makes the entire system even more vulnerable is, the failure of an IoT startup that went down South right after launching a few of its products.
Now, as there is no one working on them, or developing patches or upgrades for them, the consumers become vulnerable to all types of attacks and compromises.
When we talk about the security and vulnerability of IoT devices, there is one more factor that we must consider – the users’ expertise and motivation for security.
Everybody wants a smart home where the devices are “communicating” and making everyday jobs easier. Also, all the business owners wish to have a smart office where they can monitor every person and every happening.
However, this zeal of bringing “smartness” to their surroundings turns into security mayhem, because of a few small mistakes, such as:
- Weak and common passwords
- Opting for cheap or average products
- Undermining the importance of software updates and patches
- Lack of encryption on the data stored on the IoT devices
We explore all these points and many other IoT security challenges in the following section.
Top 10 Common IoT threats
‘In 2014, the top 10 most common security IoT threats were identified and published by a community of security professionals, called the Open Web Application Security Project (OWASP).
This list has been recently updated, and comprises the following:
Weak, Guessable, And Hardcoded Passwords
As per the recent stats, 24% of people in the US opt for extremely weak and easily crackable passwords, such as 111111, abc123, Iloveyou, Password, 123456, Qwerty, Admin, and Welcome. Doing this, they give an open invitation to the attackers, and form the weakest link in the chain!
Insecure Network Services
“FREE WIFI” is a word that tingles the data-hungry Gen-Z and a majority of the modern mobile-using population. People tend to undermine the importance of using a safe and secured network, just for the enticing free internet services, available in the cafes, subway stations, hotels, and any other public place.
What they don’t know is, these networks are insecure, and one of the top priorities of the attackers, to find the potential victim.
Insecure Ecosystem Interfaces
Previously this category consisted of three categories, namely – cloud, insecure web, and mobile interface. Interfaces, such as cloud, mobile, back-end APIs and web, etc can pose certain vulnerabilities in various aspects, such as:
- Data filtering
- Encryption weaknesses
Lack Of Secure Update Mechanism
As important as it is to update and monitor your IoT devices from time to time is, so it is to ensure that this is done securely. Malware can hide as security updates with graphics and aesthetics that look genuine or from the vendor itself.
Installing them without verification can result in a major breach.
Use Of Insecure Or Outdated Components
IoT devices are largely vulnerable as they come with hardware and computational limitations. Further, they don’t have any in-built security system. The users also contribute to the vulnerability by overlooking the security basics.
Further, many companies go out of business or never roll out any security updates for their products. They might also discontinue some devices after a few years, while people keep using them. All these things amount to insecure or outdated IoT devices or components making them more vulnerable to attacks.
Insufficient Privacy Protection
Many times users store their personal information and confidential data on the IoT devices which are used improperly, and insecurely by the attackers.
Insecure Data Transfer And Storage
Another common user-related device vulnerability in the IoT environments stems from the inability or simply “neglect” of the user to encrypt the data on IoT devices.
An IoT device has hardware limitations and comes with limited computational power. It also has no in-built security mechanism, as discussed above. Hence, the users must opt for proper security tools or encryption mechanisms for better security.
Lack Of Device Management
There are many devices that are employed for asset management, facility management, and systems monitoring, etc. Most of these are never updated or maintained the way they should be for security and safety purposes, and become one of the major IoT security challenges.
Insecure Default Settings
Using devices with insecure or less secure default settings can open a direct channel for attackers. Apart from default settings, the vendors should also ensure that the operators are not able to modify them.
Lack Of Physical Hardening
Physical hardening ensures the safety of IoT devices from physical attacks, such as:
- Attacks on the ports that are not disabled or removed
- Removing the memory cards to read the information on an insecure device
- Not using secure boot etc
IoT Security Challenges – Organizations
IoT has been a major driver behind enhancing networking capabilities in organizations. It has helped them to cope with the advanced technological capabilities by developing an effective connection between devices and networks.
Lack of physical hardening
When companies fail to “harden” their devices, the hackers can tamper with them and access them illegally, especially when surveillance is not available.
As the IoT devices don’t have any in-built security systems, they become more vulnerable to IoT threats and become subject to security and data breaches.
Lack of ownership and governance to drive security and privacy
Frankly speaking, IoT devices suffer from many other challenges, such as risk assessments, security testing during the network design and threat model evaluation, etc.
They just fall under the jurisdiction of the “security guys” who are overloaded with many other concerns, apart from the IoT devices. Management of such devices should come with proper job profiles and ownership etc.
Users lacking security awareness
Whenever it comes to mass installation, such as offices and commercial places, people tend to overlook the quality and go for the IoT devices that offer similar “smart” features as the ones offered by top-notch devices.
This is also a common practice among people that wish to have a smart home with an affordable tag. Such devices have average construction, with little or no security promises. They might even go out of service within a year and you might never receive any security upgrade or patch for ensuring the safety of your data!
Lack of proper incident response process
Lack of proper response processes and steps to be taken once a data or information breach has happened, also constitutes one of the major IoT security challenges.
Organizations lacking proper infrastructure for dealing with breaches, such as tools, strategies for risk mitigation and notification, etc crumble down once their IoT network is under cease!
Insufficient data and updates
IoT devices lag severely when it comes to updates and timely maintenance. Most of them even get discontinued before even getting a security upgrade developed. Further, they are meant for connections and communication, instead of frequent updates or data maintenance.
Improper and lacking security protocols and exposure of sensitive data, etc pose serious security challenges in IoT.
IoT Security Best Practices
Below we share the IoT best practices that have been categorized into two phases – before buying a device and before you acquire a security management solution for that device.
Take a thorough read and learn how to minimize IoT threats.
Best practices for buying an IoT device:
- Choose a device from a reputed vendor
- Device hardware must be secure
- Firmware and software must be upgradable
- The device must be tamper-proof
- The number of access ports and their status must be known
- Know and change the default user-profiles and security credentials (user ids and passwords)
- Whether the software has open-source code or not?
Best practices for choosing a device security management solution:
- All the cloud operations and cloud-based components must run on certified cloud
- Check whether the device has internet access or not
- Every access must be logged and authenticated
- Data storage must be secure and third-party details must be known
- Communication to and from the device must be encrypted
Torchbearers for Securing IoT Devices
A chain is as strong as its weakest link!
And, the vulnerability of IoT environments and the unpredictable nature of cascading effects this can have, raises a question for the overall security of the internet. Our discussion shows that security in the IoT sector is the responsibility of all stakeholders.
The vendors must diligently address the known vulnerabilities in future products, roll out patches for existing threats or vulnerabilities, and report the “expiration of support” for discontinued products. IoT device manufacturers must also ensure that device security stays a priority right from the design phase. They must conduct penetration tests and ensure that the system has no external or internal flaws in relation to security.
Finally, joining hands with the emerging standards, such as ioXt Alliance and adhering to their policies, allows them to make their IoT offerings more robust and reliable.