IoT Security: All You Need to Know and Apply
Don’t let a cybercriminal watch you through your own TV
Dave was out in space, and about to enter his spaceship.
“Open the pod bay doors, HAL”.
HAL was the onboard artificial intelligence, tasked with safeguarding the astronauts, and making sure they completed their mission.
“I’m afraid I can’t do that Dave.” Was HAL’s response to Dave’s command.
HAL had gone rogue, and was now in the process of killing the men it was assigned to protect.
This famous scene from “2001: A Space Odyssey” asked the question: “What do we do when the technology around us malfunctions?”.
It’s not just PCs and smartphones we should worry about anymore, but a wide range of Internet-connected devices such as thermostats, smart meters, self-driving cars and even voice assistant devices such as Amazon’s Alexa.
These are all part of the Internet of Things innovation wave, which overall promises to greatly improve our lives, if we can deal with the cybersecurity threats they can pose.
What is IoT / Internet of Things
Industry experts usually define an IoT device as any object connected to the Internet (or to a Local Area Connection, in some cases).
- Smart TVs
- Internet connected cars
- Wi-Fi routers
- Smart cameras
- Smart locks (including ones with Bluetooth)
- Some medical devices
- Voice assistants, like Amazon Echo
- Smart lights
- Fitness bands.
Basically, if your fridge or TV has an Internet connection, then it becomes an IoT device.
Both manufacturers and consumers prefer these devices. Consumers for the added functionality (it’s easier to watch Netflix if the TV already has Internet).
Manufacturers however, like IoT devices because they allow them to silently collect information about how consumers use their products. As a result, they can then tailor future products around these usage patterns.
Here are some statistics that really bring home just how many Internet-connected devices we now have:
Why is IoT / Internet of Things security important?
In 2016, the Mirai botnet launched one of the biggest DDoS attacks ever recorded. More than 1 terabyte per second flooded the network of Dyn, a major DNS provider, and brought down sites such as Reddit and Airnbnb.
But what made this attack so special was that it was the first to be carried out with IoT devices. Nearly 150,000 compromised smart cameras, routers and other devices all enslaved into a single botnet, focused on a single target.
Below is a heat map that recorded the intensity of the attack and how many websites were taken down.
The Mirai botnet however is much bigger! By some estimates, it contains millions of enslaved devices. And it wasn’t even that hard to create in the first place.
Manufacturers use a handful of default password and usernames to protect an IoT device. So you had a few hundreds/thousands of password combinations to protect tens of millions of smart devices.
All it took were a few simple lines of code, designed to test each of those default passwords. A device could be hacked and enslaved within a few seconds, so long as the user didn’t change the standard login information.
But IoT botnets aren’t the only type of threat. Researchers have proven more than once that it’s possible to physically take control of a car by breaking into apps that control onboard software. For now, this has only been done in experimental situations, but as Internet-connected cars gain ground, it’s only a matter of time until it happens to someone, somewhere.
Researchers from the Russian cybersecurity firm Kaspersky for instance, managed to open up car locks, simply by hacking into an app.
Internet of Things security vulnerabilities
Simplicity and ease of use are crucial principles in the IT and electronics industry. Every software and device out there is designed to be as easy to use as possible, so as to not confuse consumers and discourage them from using the product.
Unfortunately, this often means that some products cut corners, and don’t implement security features consumers might find “too clunky”.
Insecure default login credentials
In practice, they might hide the “Change password/Username” options deep in the UI, out of sight for most users. No wonder so many people kept their default user names and passwords.
If each Internet of Things device had a randomized username and password, Mirai might not have happened in the first place. But that is too expensive a process in competitive industries with razor-thin profit margins.
Poor software updates
What’s more, many Internet of Things creators don’t even patch or update the software that came on their devices. If your device has a software vulnerability (nearly 100% chance that it does), there’s little you can do to prevent an attacker from exploiting it without help from the manufacturer.
The communication isn’t encrypted
Other IoT devices lack basic encryption to hide the data sent between the device and the central server. This can potentially expose the user’s personal information, if a malicious hacker can snoop in on his personal information.
Another thing that Internet of Things devices do, is that some of them ask for more permissions than they need to.
One time, numerous Amazon Echo users were surprised to see their device ordering dollhouses after a TV anchor said the phrase “Alexa ordered me a dollhouse”.
In that case, the device had permission to do a purchase all by itself. Each extra permission in an IoT device adds another vulnerability layer which can be exploited. The fewer permissions, the more secure your device is.
Insecure user interface
A device’s user interface is usually the first thing a malicious hacker will look into for any vulnerabilities. For instance, he might try to manipulate the “I forgot my password”, in order to reset it or at least find out your username or email.
A properly designed device should also lock out a user from attempting to login too many times. This stops dictionary and brute force attacks that target passwords, and greatly secures your device credentials.
In other cases, the password might be sent from the device to the central server in plain text, meaning it isn’t encrypted. Pretty bad if someone is listening in on the device and reading all of your data.
Poor privacy protection
Internet connected devices are data-hungry beasts, but some of them have a greater appetite than others. The less information they have on you, the better, since it limits how much a cybercriminal can learn about you if he hacks the device.
As a rule, try to look into what type of data a device will store about you. Be critical of those that harvest data they don’t need, such as coffee machines storing your location information.
The main types of attacks against IoT devices
Smart devices can be hacked in a number of ways, depending on the type of vulnerability the attacker decides to exploit.
Every software has its vulnerabilities. It’s nearly impossible not to. Even Google, with all its resources, hasn’t been able to stamp them out from Chrome.
Depending on the type of vulnerability, you can use them in multiple ways.
Buffer overflows. This happens when a device tries to store too much data into a temporary storage space. This excess data then spills over into other parts of the memory space, overwriting it. If malware is hidden in that data, it can end rewriting the code of the device itself.
Code injection. By exploiting a vulnerability in the software, the attacker is able to inject code into the device. Most often, this code is malicious in nature, and it can do a multitude of tasks, such as shutting down or taking control of the device.
Cross Site Scripting. These work with IoT devices that interact with a web-based interface. Basically, the attacker infects the legitimate page with malware or malicious code, and then the page itself will infect the IoT device.
The most frequent and well known malware attacks on PCs target a device’s login credentials. But recently, other types of malware such as ransomware have made their way onto IoT devices.
For one, many base their operating system on Android, so the malware is mostly interoperable, requiring only minor modifications.
Smart TVs and other similar gizmos are most exposed to this kind of threat, since users might accidentally click on malicious links or download infected apps.
Password attacks such as dictionary or brute force target a device’s login information by bombarding it with countless password and username variations until it finds the right one.
Since most people use a simple password these attacks are fairly successful. Not only that, but according to one study, nearly 60% of users reuse the same password. So if an attacker gets access to one device, they get access to all devices.
Sniffing / Man-in-the-middle attacks
In this attack, a malicious hacker intercepts the Internet traffic that goes into and out of a smart device.
The preferred target is a Wi-Fi router, since it contains all the of the traffic data sent of the network, and can then be used to control each device connected to it, even PCs or smartphones.
Spoofing works by disguising device A to look like device B. If device B has access to a wireless network, then a disguised device A will trick the router into allowing it on the network. Now that the disguised device A can communicate with the router, it can inject malware into. This malware then spreads to all other devices on the network.
Internet of Things devices are prime candidates for a botnet. They are both easier to hack, and harder to diagnose if they’re compromised.
Once your device is enslaved, it can be used for a wide variety of cybercriminal activities, such as DDoS attacks, sending spam emails, performing click fraud (basically using the enslaved device to click an ad), and Bitcoin mining.
Mirai is the biggest IoT botnet we know about, and it was built on the backs of default passwords and usernames.
Taking control of an IoT device doesn’t sound so menacing at first glance. After all, it’s not as if a malicious hacker could poison you if he hacked your coffee maker.
But things will quickly get serious if the attacker takes control of your car as you’re driving it. This isn’t even hypothetical situation, it’s actually been done, albeit by cybersecurity researchers. In that example, the whitehat hackers were able to hack into the car’s braking system and acceleration.
Some people now use smart locks to secure their homes, but ultimately they’re just software on hardware. At DEF CON 2016 (the biggest hacker conference in the world), researchers tested out 16 smart locks, and proved how many of them used very simple security features such as plain text passwords. Others were vulnerable to device spoofing or replay attacks.
Smart devices process a lot of personal information, such as:
- medical data
- location data
- usage patterns
- search history
- financial information, etc.
Whitehat researchers proved it was able to hack into a smart speaker and analyze data from its sensors to figure out if you are home or not. This would be extremely useful for a burglar seeking empty homes to steal from.
In a fairly high profile case, the German government banned a children’s doll because it recorded so much information, it was labeled as a “spying tool”.
Devices which leak information from inside the privacy of your own house are dangerous for a wide variety of reasons. Recordings of sensitive conversations and intimate acts can then be used as blackmail tools against a person or outright publicized to damage a person’s image.
For instance, how would you feel if a sex toy sent “usage data” to the company’s central servers?
You’d probably ask “Why on Earth did they think it was a good idea to make an Internet-connected vibrator?”, to which we can only say: data hunger.
A more worrying scenario is the possibility of hacking IoT devices used in the healthcare industry. In theory, a cybercriminal could hack a pacemaker or an insulin pump, and then demand a ransom from the victim in order to keep the devices working properly.
But sometimes it’s the central server that leaks information.
Sometimes, companies are the ones that leak information, and not the devices. Such was the case of a teddy bear that spilled recordings from nearly 2 million kids and parents.
This kind of information goes into the company’s cloud. If that’s compromised, chances are each one of its consumers are also hacked.
One major weakness of Internet of Things devices is that is that many of them send data over unsecured ports. In other words, you can actually see the data live, without requiring a password and username. All it takes to view this data is a paid account at Shodan, and you’re set.
Why there isn’t a widely agreed upon solution to traffic filtering
Another possible way to limit the damage caused by Internet of Things devices is to filter out some of the bad traffic sent over the wider Internet.
ISPs could theoretically identify and filter out any malicious traffic they see on their network. But the process wouldn’t be foolproof, and false positives would be a likely possibility.
Another possibility would be for traffic filtering to be applied at a user level. Smart and secure traffic filtering hardware such as Bitdefender Box or Luma Wi-Fi System are making their way onto the market, with more to come. Unfortunately, they are expensive and it remains to be seen if users will consider them as worthwhile investments.
How to improve your Internet of Things security
Change your default passwords and usernames
The Mirai malware is still out there, actively seeking out more IoT devices to enslave into the botnet. Fortunately, it’s a fairly simple malware, and can be easily countered by setting up a strong and secure password and changing your default username.
For the best results, we recommend you make the password at least 10 characters long, and use at least 1 capitalized letter, 1 normalized one, 1 number and 1 special character, such as an * or a &.
Here’s a website you can use to figure out how strong your passwords are.
Also, try to have a different password for each device. That way, if one device gets hacked, then you can rely on the other ones.
As much as possible, update to the latest software
The manufacturers of the best IoT devices release frequent updates to improve functionality and also patch security vulnerabilities. For this reason, try to make sure your device receives these updates whenever they are available.
Unfortunately, not all manufacturers release updates on a regular basis. Many don’t even bother to update them at all, and effectively abandon the customer to his own devices (pun intended).
When you’re in the research phase of a purchase, look into the update cycle of the product. If you can’t find one, and reviewers are openly lamenting the non-existent software updates, then chances are that company wants to cut costs. And frequently, that means cutting costs from customer support as well.
This is the update policy for a software called Open Nebula. Not all developers are this thorough in their patching policy, but it should give you an idea as to what constitutes good practice.
On a more similar note, here’s a small sample of Microsoft’s update policy for various Windows software versions.
Login lock settings
Even strong passwords and custom usernames can be vulnerable to a dictionary or brute force attack. These will bombard a login page with countless password combinations, until it hits the right one.
iPhones for instance, have a setting which locks the PIN authentication after too many attempts. At the 10th attempt, it completely wipes the device.
IoT devices with good built-in security should have a similar option you can use to ensure their login integrity.
The Internet of Things has lagged behind other services in implementing two-factor authentication, but recently Nest announced it will roll out two-factor authentication to secure it’s thermostats and smart cameras.
For the time being, most devices don’t have two-factor authentication, but as the industry matures, the feature will become more and more prevalent.
In the meantime, be sure to activate it whenever your devices support it.
Physical weaknesses in IoT devices
Sometimes, all it takes to infect a PC is to introduce a USB stick in it and let Windows autorun the USB, and by implication the malware.
The same principles apply to smart devices. If it has a USB in it, then all a malicious hacker has to do is to plug it in, wait a bit, and that’s it.
If you can, try to place your device in such a way so that sticking a USB stick in it isn’t a straight forward process.
Most smart devices work by communicating with a central server, Internet network or smartphone. Unfortunately, the information isn’t properly encrypted in most cases. Either the devices are too small to carry a strong processor, or the manufacturer decided to cut costs (including security features).
Whenever available, we strongly recommend you activate the option to encrypt the data it sends and receives.
Create a second network for your IoT devices
A good way to secure your smart devices is to create a separate network for them to communicate in. This network isn’t connected to the Internet, and so there is minimal chance for malware to make its way on your devices.
This system does come with a set of drawbacks however. If you want to control your smart devices from your phone, you’ll need to switch between Wi-Fi’s to control your IoT network. In this case, you either have to learn to how automate everything, or use Z Wave switches to go between networks.
Secure your home Wi-Fi
Your Wi-Fi router is one of the first attack points for a malicious hacker. To make sure it is secure, we suggest you do the following:
- Use a strong and secure password.
- Change your username, and make it non-recognizable. Don’t make it easy for an attacker to identify which Wi-Fi is yours.
- Set up a firewall to protect your Wi-Fi. In most cases, the firewall will be software based, but some routers come with a hardware one preinstalled.
- Disable guest network access for your wireless network. Here’s a guide to disable this for Linksys routers.
A guest network is a second Wi-Fi created from your router, which limits access to your “core” network. In theory, it should offer extra security, by isolating guests on the separate network. However, most Wi-Fi routers set up an insecure guest network, which can act as a window to your core Wi-Fi.
Here’s a more in-depth guide on how to protect your wireless network from outside intrusion that you might find useful.
Disconnect the device from the Internet when you don’t use it
Devices such as Smart TVs don’t need to be permanently connected to the Internet. By keeping them off the Internet, you limit the time interval in which a cybercriminal could attempt to break its security.
Read the device manual for any security tip you might find
Most people only use a device’s manual during installation and to figure out how to use it. But manuals often contain a lot of useful tips and tricks that can improve the performance of a device and make it more secure. Take your time and go through the manual to see if there’s anything you might find useful in it.
Download security applications
Some smart devices such as TV’s are powerful enough to run apps. Even simple, free versions of antivirus apps can significantly boost your security.
For the best results, we recommend you use the paid version of an antivirus app, since it will unlock its full functionality.
Use a hardware solution to secure your IoT network from outside attacks
A dedicated security solution for your IoT network can make all the difference between an infected or clean device. There are quite a few security solutions available, even if the market isn’t as developed as it is for desktop or mobile.
Here are some viable software/hardware products you can use, with a link explaining how they work.
- Bitdefender Box.
- Luma Home WiFi System.
- F-Secure Sense (not yet available, but you can preorder it).
- Norton Core (also not available, but up for preorder).
- Dojo (up for preorder).
IoT is one of the biggest technological trends since the smartphone, and promises to be just as impactful. Unfortunately, the promise and opportunity they offer are just as tempting for cybercriminals as they are for regular customers.
On the bright side however, the IoT industry knows its shortcomings, and together with cybersecurity experts and companies are moving forward to improve on their track record.