Welcome to our blog article on the Security challenges of IoT Devices! In this article, we'll dive deep into the security aspects of IoT devices and provide insights into security vulnerabilities that bad actors can exploit.
So, without further ado, let's get started. Here are some key points that we will be covering in this article:
We hope you will find this post informative and useful. Let's jump right in!
The world of IoT is simultaneously a utopian and dystopian dream. We got here as technological advances continue to give us easier lives.
Accidentally lock yourself out of the house? Not a problem when you can unlock the front door via an online web app. Worried about missing a delivery? Plenty of doorbell cameras allow you to answer a delivery driver and even be alerted when movement is seen on your porch. We have pacemakers that include communications to share information directly with your doctor. Many medical devices, including heart rate monitors, communicate directly with other devices to alert whoever needs to be if they're not already side by side.
This sounds great, but the problem is that doing all this requires information, and some bad actors can take advantage of that.
That smart lock on your front door could have a log of your entries and exits, which a bad actor could use to see when you're not home. The doorbell camera could also be used by someone to see when you come and go or see if no one's answered your deliveries in a while.
That pacemaker? Someone could read your heart rates to see when you're exercising and learn your daily routine, and this is just the surface of information gathering.
If someone got into your home network and could map out the suite of IoT devices, sniff the information between them, or break into any of them, the amount of information someone could find out about you, your interests, activities.
Consider that these devices could be afflicted by ransomware, effectively stopping their function until that ransom is paid or they're restored to a point before the ransomware is applied.
For the lock and doorbell, not a big deal, but if your pacemaker loses its connection to your doctor's office, or worse, you're threatened that unless you pay someone thousands of dollars by XX date, they'll start withholding or administering extra shocks?
What happens If an entire hospital loses access to all its patient monitoring equipment or simultaneously has every piece suddenly blaring alarms constantly until said ransom is paid?
You may think this sort of thing is far-fetched, but in 2018, researchers at Black Hat demonstrated pacemaker ransomware that does that. A quick google search shows a myriad of other similar projects.
These are often shown only (at least publicly) on older machines or on older firmware that has since been patched to avoid the vulnerability.
But what happens when that vulnerability is discovered by malicious actors instead of people on the good side? What level of damage could be done? And what could be done to prevent it?
IoT devices are miniature computers. They should be roughly as secure as normal computers, yet little could be further from the truth. With accessibility comes several other issues.
Regarding networking, there are many more ways to communicate with these machines. On top of that, many of them are designed to be more lightweight protocols, such as Message Queueing Telemetry Transport (MQTT, a communication protocol designed for use in IoT devices to enable reliable and efficient data transfer between devices with limited processing power and network bandwidth. It works on top of the TCP/IP protocol and allows devices to publish and subscribe to messages or data topics) which may have their vulnerabilities. Kaspersky found 33 vulnerabilities, 18 considered critical in 2021 alone.
The protocol was developed in 1999 but began to be used more often later in life. In 2014, it became an OASIS standard, and in 2016 it became an ISO standard. Kaspersky's research into it started in 2014 but appeared to only start in earnest in 2017, the first year that more than 5 vulnerabilities were found.
It's this that raises a concern; these protocols have not faced the scrutiny more standardized ones have faced (and continue to face), especially since there are so many nearly IoT-specific protocols; BLE, LTE, Zigbee and more for network protocols, AMQP, MQTT, DDS, CoAP for communications protocols.
However, more importantly, these are individual machines, and the problem is rarely the protocols to share information themselves but, more often than not, the implementation of them. For example, one of OWASP's top 10 vulnerabilities for IoT devices is weak, guessable, or hardcoded passwords.
In this example, if a standard set-up password is a user: admin, password: admin on every device with the idea that the end user will change it, there will be many vulnerable users out there, unwilling to do additional work.
Some devices have built-in backdoors allowing developers to get into them from anywhere. This is a great idea for support and a terrible idea the moment somebody figures out what that backdoor and entry are, and the moment that happens, every device created is compromised.
This brings another issue; computers are built to be different, but IoT devices are built from the ground up to be virtually the same. On top of that, computers are highly customizable, and most IoT devices aren't. They're built to do a job and have some credentials they use to communicate with someone to tell them how and when to do it.
The concept of IoT started to gain popularity in the summer of 2010. Back then, these devices were not developed with security in mind. As we go forward and people have found and pointed these flaws out to the producers, devices have become more secure going forward.
However, we still have a long way to go as an industry. There are many ways to shore up defences and close the loopholes threat actors will exploit, and one of them is having someone else review your code and test your device for you. Maybe you have your cybersecurity team looking at it. This is excellent, but no one team is perfect.
If you're a company making locks, you likely have a security team focused on locks and how to defeat lockpicking attacks, but people who don't know how to defend against other attacks on doors, such as an under-door attack to grab the handle from the inside or an attack that involves shimming the latch.
If someone can bypass your lock directly by knocking the hinge pins out and removing the door, it doesn't matter how good your lock is. Every part must be secured, and no team can completely secure everything.
It is essential to acknowledge that IoT devices come with a fair share of benefits and risks. While IoT devices offer convenience, make our lives easier, and even save lives, they also present a significant risk to privacy and security.
IoT devices should be secured just like any other device, yet there is a lack of standardization regarding security protocols. As a result, these devices are highly susceptible to vulnerabilities. Ransomware is also a considerable threat to IoT devices and critical systems.
To address IoT security vulnerabilities, there is a need for third-party testing and holistic approaches to ensure that IoT devices are secure, functional, and resilient to attacks. The ecosystem must prioritize the security of IoT devices by identifying vulnerabilities, assessing risks, and developing countermeasures to protect the devices and their users.