A new generation of connected Industrial IoT (IIoT) devices is helping businesses leverage the power of the internet for smarter operational technology (OT). Programmable logic controllers (PLCs) are widely used to control industrial electromechanical processes for manufacturing and robotics, and are increasingly online. In cities, connected OT …
IoT & Security
IoT technologies offer many remarkable benefits. They can make complicated tasks, such as tracking a fleet of thousands of vehicles, monitoring and adjusting manufacturing processes or automating a smart home or office simpler, easier and more cost-effective than ever before. By inviting IoT devices into our homes, workplaces and public spaces, however, we also expose new attack surfaces. When we assign an IoT system to be responsible for a critical task or trust it to monitor sensitive information in our most private spaces, we want to ensure that the system can be trusted. For this reason, it is vital that security best practices are applied at all stages when developing an IoT solution.
Familiar Old Friends
Although IoT systems introduce a slew of new security considerations, we must also remember all of our old internet security best practices. The goal of many if not most IoT systems is to monitor and surface information to human users. We need to be sure to use best practices for user management, authorization, authentication and data storage. Hashing passwords, sanitizing inputs, using SSL for all connections and using tools like two-factor authentication are standard practices across the technology industry. The IoT sector is, or should be, no different.
Because of the often sensitive and sometimes personal nature of the information gathered and generated by an IoT system, access control is also of paramount importance. Permissioning needs to be considered at the project, sub-system, device-class or even individual-device level. One of the most important steps in creating an IoT solution is considering who should have access to what data. While the permissioning for this type of system might be more granular than many others because of the sheer number of devices involved, the same basic principles apply.
In addition to all of the old familiar security considerations, IoT systems introduce a host of new risks and perils.
It is crucial for any company considering the deployment of an IoT system to identify a trusted hardware partner as so many of the security risks inherent in IoT systems begin at the hardware level.
IoT devices store and use cryptographic keys to transmit their data through a gateway and (often) onward across the broader internet. Access to these cryptographic keys can allow malicious actors to spoof device data and wreak havoc on IoT systems. Because physical access to these devices in many cases can’t be controlled as rigorously as it can be with traditional computing devices, it is important that measures are taken to prevent physical device-level tampering. In some cases, where proprietary data and code are stored on the device, it may even be appropriate for the device to self-sabotage, destroying all onboard data when unauthorized access is detected.
In a world in which IoT devices control physical processes involving business operations and human safety, failure to properly secure IoT hardware can result in lost revenue or, in the worst case, lost lives. Even attacks that are seemingly less ominous can be extremely damaging to a company’s brand and the trust of its customers. Recent attacks on IoT devices, particularly webcams, in order to create giant botnets used for launching Distributed Denial of Service (DDoS) attacks are prime examples of this. A key part of these types of attacks is that the attack remains undetected. By their nature, then, these attacks are not immediately damaging to the hardware and software systems of targeted companies. Once it is discovered and disclosed that a company’s IoT devices have been compromised, the loss of trust that customers have in that company’s products can be devastating.
In many ways, IoT software solutions are only as good as the data being fed to them by hardware. If a hacker were to gain access to a device, extract its cryptographic keys or patch its firmware with malicious code, it would be very hard to detect that the device had been compromised because IoT data, being generated in the asymmetrical real world, is often unpredictable. It can be helpful, however, to run data analysis to ensure that devices are reporting as expected. For instance, if a device seems to be reporting more frequently than expected, it could be a sign that the device’s unique ID is being used to spoof data. Setting boundaries and expectations on your data can highlight irregularities that may indicate nefarious activity on your network. It is also appropriate in many situations to know the exact parameters that a device’s message specification should follow and to only allow certain types and fields of data to be written to storage or acted upon.
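The two checks described above, sketched as an added example (not code from the original article): messages are admitted only if they match a message specification, and a device ID that reports more often than expected is flagged. The field names, bounds, reporting interval and sample messages are all constructed assumptions.

```python
# Hypothetical message specification: the only fields accepted, with the
# required type and optional (min, max) bounds. All values are assumptions.
SPEC = {
    "device_id": (str, None),
    "ts": (int, None),                 # Unix seconds
    "temp_c": (float, (-40.0, 85.0)),
}
EXPECTED_INTERVAL_S = 60   # assumed reporting period per device
TOLERANCE = 0.5            # gaps under 50% of the period are suspicious

def validate(msg):
    """Return a list of spec violations; empty means the message may be stored."""
    errors = [f"unexpected field: {k}" for k in msg if k not in SPEC]
    for field, (ftype, bounds) in SPEC.items():
        if field not in msg:
            errors.append(f"missing field: {field}")
        elif type(msg[field]) is not ftype:   # strict: bool is not accepted as int
            errors.append(f"wrong type: {field}")
        elif bounds and not bounds[0] <= msg[field] <= bounds[1]:
            errors.append(f"out of range: {field}")
    return errors

def process(messages):
    """Drop messages that violate the spec, then flag IDs reporting too often."""
    accepted, rejected = [], []
    for msg in messages:
        (rejected if validate(msg) else accepted).append(msg)
    flagged, last_seen = set(), {}
    for msg in sorted(accepted, key=lambda m: m["ts"]):
        prev = last_seen.get(msg["device_id"])
        if prev is not None and msg["ts"] - prev < EXPECTED_INTERVAL_S * TOLERANCE:
            flagged.add(msg["device_id"])     # possible reuse of the device ID
        last_seen[msg["device_id"]] = msg["ts"]
    return accepted, rejected, flagged

# Constructed sample traffic, not real device data.
SAMPLE = [
    {"device_id": "sensor-a", "ts": 1000, "temp_c": 21.5},
    {"device_id": "sensor-a", "ts": 1060, "temp_c": 21.6},
    {"device_id": "sensor-b", "ts": 1000, "temp_c": 19.0},
    {"device_id": "sensor-b", "ts": 1010, "temp_c": 19.1},  # 10 s gap
    {"device_id": "sensor-b", "ts": 1060, "temp_c": 19.2},
    {"device_id": "sensor-a", "ts": 1120, "temp_c": 21.4, "cmd": "reboot"},
    {"device_id": "sensor-a", "ts": 1180, "temp_c": 400.0},
]

if __name__ == "__main__":
    ok, bad, suspects = process(SAMPLE)
    print(len(ok), "accepted;", len(bad), "rejected; flagged:", sorted(suspects))
```

A flagged ID is a prompt for investigation rather than proof of spoofing, since a misconfigured or rebooting device can also report too often.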
IoT Security for the Future
With the introduction of IoT solutions composed of many thousands or even millions of devices, the attack surfaces for these systems are greater than perhaps any other. However, balancing out these risks is the promise of huge, world-changing rewards. As is always the case, working with an experienced IoT solutions provider who can help you navigate this new, exciting, and sometimes frightening world is crucial.
Source: IoT For All
Earlier this year, an Illinois couple panicked when they suddenly heard a male stranger’s voice speak to their infant through the baby monitor. It turns out their smart cameras and thermostat, installed to provide security, had instead been hacked and turned against them.
More recently, a Wisconsin couple got the scare of their lives when a hacker accessed their smart home device and cranked up their heat, spoke to them, and even played vulgar music through a camera.
We don’t have actual numbers on how many more terrifying stories of smart home “invasions” are out there. We do know that as more and more homes deploy smart home devices (the global smart home market is expected to reach 53 billion by 2022), homeowners, instead of just enjoying the rewards of convenience and connectivity, are also very likely to face very real security risks, as smart hackers turn these IoT-based gadgets – lights, locks, cameras, other surveillance systems and even common kitchen appliances such as coffee makers and refrigerators – into gateways to their homes.
In mid-2018, the FBI warned consumers that just as they secure their PCs and mobile devices, they should also safeguard their vulnerable IoT devices such as routers, cameras and other smart appliances.
Common Cyber Threats Against IoT Devices
As the use of network-connected smart home automation devices soars (many of them unsecured), so do incidents of IoT security breaches such as:
- Your public IP address pinpointed by hackers as IP addresses are revealed by unsecured devices, increasing the risk of home intrusion (criminals will know when you’re not home).
- Your hijacked device turned into an email server, able to send thousands of spam emails without the device owner even knowing about it.
- Your compromised devices recruited into malicious botnets to carry out massive Distributed Denial of Service (DDoS) attacks on government or public facilities (see https://www.iotforall.com/iot-ddos-attack/).
- Your IoT devices’ failure to encrypt messages before sending them over the network to keep communication and user information secure.
- Your device’s vulnerability to outside access because manufacturers don’t tell customers to change the default password, which threat actors can easily obtain through brute force.
- Your router’s susceptibility to remote access, enabling hackers to intrude into the home network and discover unsecured IoT devices.
What Happens When Hackers Turn Smart Appliances Against You?
Once accessed and compromised, your smart appliances can wreak havoc on your life. Your smart lock, installed to be able to enter your house without a physical key? It can now lock you out or, worse, unlock the door to intruders. The smart light you set up to automatically turn on and off? It can now decide to turn on all the lights – and all the other electrical appliances – until it overloads your power system. That smart vacuum cleaner that you can schedule to do the cleaning for you? Believe it or not, it can now show potential burglars the very layout of your home. Have a router that connects your devices to the internet and makes all this convenience possible? Careful, it can now give away your personal credentials or private information.
You get the point. Every link in the “smart chain” must be secured.
Smart Devices…Not-So-Smart Security?
Smart homes are great, but they’re also way too open. According to OWASP, each IoT device alone has 15 attack surface areas.
Smart-home owners, get security smart and protect your IoT devices against attacks by:
- Accounting for all your connected devices. Be sure to note each device’s settings, credentials, versions, and recent patches so you’ll know what security steps you need to take or even if you should replace or update any device.
- Authenticating the smart home device before sending or receiving data. Using two-way authentication via cryptographic algorithms ensures that the data comes from a legitimate, rather than fraudulent, source.
- Replacing default or weak passwords to prevent hackers from accessing them through brute force, and changing device settings to achieve stronger security.
- Using encryption to protect data as it travels from your device to the cloud to ensure that no one can access the transmitted data without the proper decryption key.
- Segmenting IoT devices by deploying two wireless connections in the home, setting up IoT devices separately, and creating different passwords to prevent the spread of attacks and cut off devices in trouble.
Best of all, adopt a solution – enterprise-grade security protection adapted for homes – that can scan your home network for any unusual activity and then immediately shut it down, while letting you know an attempt was made to invade your privacy.
Igor Rabinovich is CEO and founder of Akita.Box (Wireless IDPS) and the Akita.Cloud platform.