The number of IoT connected devices in 2019 was 7.74 billion. The forecasted figure for 2025 will (more than) double, reaching 16.44 billion devices. We are talking about a heavily used technology, coming in all shapes and sizes, with limited regulation and standards bound to it. Lack of security awareness by both end-users and manufacturers should raise alarm bells.
Let's start by splitting the term ''Internet of Things'' into sections to better understand what we're dealing with. The ''things'' are the IoT devices, and the Internet is – well, the Internet. Since IoT devices come in all shapes and sizes, offering a multitude of individual solutions for specific use cases, commonly up to a few functionalities per device, the IoT environment is as diverse as it gets.
The Internet of Things (IoT) describes the network of physical objects—“things”—embedded with sensors, software, and other technologies for the purpose of connecting and exchanging data with other devices and systems over the internet. These devices range from ordinary household objects to sophisticated industrial tools. - Oracle
One of the most familiar examples would be Smart Homes, showcasing the power of IoT and its accessibility. With an application in charge of your Smart Home system, you're able to manage your smart locks, check up on your surveillance system, adjust the temperature in each individual room, and more. There are also portable IoT devices, Smart Watches being the first thing that pops up in pretty much anyone's mind.
By now, you have an idea of how broad the IoT industry is. It includes every piece of software, gadget, sensor, etc., with the capacity to connect to the Internet. Although diversity is a good thing, in this case the lack of standardized security protocols, combined with demand so high that manufacturers focus solely on a faster time to market, means the IoT poses a significant threat to both your physical and informational security.
The IoT movement unveiled new ways of interacting with the Internet. It's no longer just us, humans; devices are using it too, 24/7 to be exact. This means that there is no way to monitor how the device interacts with the Internet unless there is another machine in play. This constant communication between the device and the internet is present because much of the concept designed around a particular IoT device relies on real-time responses, monitoring, and other functionalities.
If a thermostat receives information that the room temperature is lower than the one stated in the custom settings, it will react in real-time and adjust it accordingly. Your Smart Watch is ''watching'' you at all times, reminding you to take a stroll after an hour of sitting in the same spot. Like we said, without constant connection and exchange of data, much (if not all) of the IoT functionalities are useless.
This unsupervised flow of information exchanged by IoT devices is causing trouble for cyber security experts, since the technology is being pushed onto the market with loose security standards. In that respect, the IoT is not yet at a mature stage. Known and emerging challenges need to be resolved, which includes both the secure by design principle on the manufacturers' side and building user awareness of the security issues.
The top challenges concerning IoT device security are the following:
An article by ChannelFutures lists some of the most common IoT attacks, and this is the breakdown:
Known IoT device bugs, design issues, and OS oversights are exploited by attackers in order to gain access to data that is usually protected from an application or the user.
Network interception in case of an unsecured connection between the IoT device and the network is used for stealing sensitive information.
Since most IoT device passwords are weak, brute force attacks are a successful method of gaining access to the device.
If a firmware update coming from an illegitimate source is downloaded to the IoT device, the attacker is able to hijack the device and install malware.
DoS attacks are a popular way for hackers to put an entire company offline or gain access to sensitive information. DoS is notorious because of its presence in IoT related attacks.
When devices are deployed in an environment where control, management, and access to the device are difficult to supervise, physical tampering is a serious threat. For example, company printers can spread malware, endangering the entire company network.
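As an added illustration of the firmware-update point above (example code, not from the original article or any vendor): a device-side update check in Go that rejects images not signed by the vendor's key and refuses downgrades. The vendor key, version numbering, and firmware bytes are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update is a constructed firmware package: version, image, and the vendor's ed25519 signature over version||sha256(image).
type Update struct {
	Version   uint32
	Image     []byte
	Signature []byte
}
// signedPayload binds the version to the image hash so neither can be swapped on its own.
func signedPayload(version uint32, image []byte) []byte {
	h := sha256.Sum256(image)
	buf := make([]byte, 4, 4+len(h))
	binary.BigEndian.PutUint32(buf, version)
	return append(buf, h[:]...)
}
// SignUpdate stands in for the vendor's build pipeline (assumed; the key is generated for the demo).
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) Update {
	return Update{Version: version, Image: image, Signature: ed25519.Sign(priv, signedPayload(version, image))}
}
var ErrBadSignature = errors.New("firmware rejected: signature does not verify with vendor key")
var ErrRollback = errors.New("firmware rejected: version is not newer than installed")
// VerifyUpdate is the device-side check: authenticity first, then anti-rollback.
func VerifyUpdate(vendorPub ed25519.PublicKey, installed uint32, u Update) error {
	if !ed25519.Verify(vendorPub, signedPayload(u.Version, u.Image), u.Signature) {
		return ErrBadSignature
	}
	if u.Version <= installed {
		return ErrRollback
	}
	return nil
}
func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	good := SignUpdate(priv, 2, []byte("constructed firmware image v2"))
	fmt.Println("vendor-signed v2:", VerifyUpdate(pub, 1, good))
	tampered := good
	tampered.Image = []byte("constructed image with implant") // hash no longer matches the signed header
	fmt.Println("tampered image:", VerifyUpdate(pub, 1, tampered))
	fmt.Println("downgrade to v1:", VerifyUpdate(pub, 2, SignUpdate(priv, 1, good.Image)))
}
```

The same pattern applies whether the image arrives over the network or from a removable card: the device trusts only the key baked in at manufacture, not the transport.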
The IoT industry is only getting bigger, and so is the number of issues that come with it. The key to successful adoption is to understand repercussions and minimize any known IoT device security issues.
We're used to managing our account passwords and taking care of our email accounts, successfully ignoring phishing attacks and spam. But what about our IoT devices? As we're dealing with emerging technology, we are still unaware of the amount of sensitive and potentially valuable information stored within our gadgets. Social engineering attacks are a popular way for hackers to gain access to that information by targeting the user instead of the device. Doing so through our unexplored, brand new IoT device seems to be a very logical first step.
Each day brings a brand new IoT device on the market, which translates to a number of undiscovered IoT device security issues. Lack of compliance caused by manufacturers rushing to launch the next big thing is the primary source of emerging security issues. Furthermore, when implementing the ''secure by design'' principle, they always seem to overlook the ''secure'' part. When developing a new IoT device, manufacturers should avoid bad practices, including weak or hardcoded passwords, lack of security best practices, OS issues, and insecure data storage and transfer.
If a single IoT device is infected with malware, the threat stays there, with one user. But when a larger number of infected devices form an army of bots, entire systems and networks are endangered. Take a quick trip to 2016 and revisit the Mirai botnet incident. Since IoT device security is not at its peak, the devices are an easy target for hackers and are later used as a weapon. An army of bots is able to send out huge amounts of traffic, causing system failures that threaten a large group of individuals.
Who is to blame? Both manufacturers and end-users. A common scenario when purchasing an IoT device is that it comes with the latest software update and never lives to another update – ever. This is because manufacturers allow the use of the IoT device without the latest update. Also, the update process differs from the one on your smartphone – maybe there is no notification or automatic updates. And let's be real, would you remember to check whether your smart lightbulb is up-to-date with the latest version? Yeah, me neither.
Taking control over a surveillance system often results in ransom requests. Invading the user's privacy is also followed by theft of sensitive information. But the shivers you would get the moment after walking into your home, knowing you had a recent IoT device security incident, are probably the most frightening part. To combat this issue, some IoT devices are being banned due to insufficient security measures and the assumption that they might be a threat to a user or a larger group of people. Take the ''Cayla doll'' as a prime example of a seemingly unsuspecting smart toy, presumably recording and storing voiceprints of the entire household at all times.
IoT made great breakthroughs in the healthcare department. Real-time monitoring of your patients with a pacemaker from the comfort of their home is a real success story. On the other hand, tampering with IoT in healthcare could lead to devastating consequences. Imagine the repercussions of an infected IoT device handling insulin shots for a diabetic. The same thing applies to stealing and altering patients' medical records.
IoT devices that can't be stored in a secure location are exposed to physical attacks. For example, a smart surveillance system's memory card is easily accessible. The consequences vary from unauthorized access to sensitive information to blackmail.
The above-mentioned IoT device security issues and threats are frightening enough on their own, but the most concerning part is the actual consequences. The diverse nature of IoT devices and their presence in both the virtual and physical world generate unpredictable results; sometimes positive, sometimes negative. If we take the industrial use of IoT, consequences range from minor power outages and financial losses to reputational damage. The healthcare industry is no exception to those threats. Smart homes, filled with smart appliances, are proving to pose both physical and informational threats, leaving us with consequences that are extremely hard to get over.
However, IoT devices are not here to raise havoc but to make our everyday tasks easier. As with all emerging technologies, it is our responsibility to design them and use them with caution. This includes implementing security measures and protocols that eliminate any known IoT device security issues; as well as being on the lookout for emerging threats and thinking critically before jumping into our new project.
Any IoT device managed through a mobile application is vulnerable to an additional set of threats – mobile app security threats. In order to unlock your smart door, you'd use a designated mobile app to do so. To gain a more in-depth insight of your workout supervised by your smart watch, you'd grab your smartphone and check your workout history in-app.
To combat known and emerging threats, ASEE developed a solution with mobile application security in mind, App Protector. By integrating our solution with your mobile application, you are enabling the detection and prevention of mobile app security threats in real-time. This includes hooking attacks, jailbreak/root and emulator detection, screen recording and debugging. Make the security of your mobile application and its users a priority, not an afterthought. Find out more about why mobile app security has become imperative in today's mobile-first environment.
In case you're curious, feel free to contact us - zero obligation. Our ASEE team will be happy to hear you out.