Internet of Things (IoT) Security

What is the Internet of Things (IoT)

The Internet of Things (IoT) is a network of connected devices, each with a unique identifier that automatically collects and exchanges data over a network.

IoT devices are used in multiple sectors and industries, including:

  • Consumer applications – IoT consumer products include smartphones, smart watches and smart homes, which control everything from air conditioning to door locks, all from a single device.
  • Business applications – Businesses use a wide range of IoT devices, including smart security cameras, trackers for vehicles, ships and goods, as well as sensors that capture data about industrial machinery.
  • Governmental applications – Governmental IoT applications include devices used to track wildlife, monitor traffic congestion and issue natural disaster alerts.

The number of IoT devices worldwide now numbers in the billions. Their increased presence in our daily lives has led to increased scrutiny of their inherent security issues, which we will be exploring here.

How Internet of Things Devices Are Managed

To function as intended, IoT devices need to be managed both internally, (e.g., software maintenance) and externally (i.e., their communication with other devices).

Management of IoT devices via C&C centers

This is accomplished by connecting every IoT device to a management unit, known as a command and control (C&C) center. Centers are responsible for software maintenance, configurations, firmware updates to patch bugs and vulnerabilities, as well as the provisioning and authentication of tasks, such as device enrollment.

Communication between devices is enabled via application program interface (API). Once a device’s manufacturer exposes its API, other devices or applications can use it to gather data and communicate. Some APIs even allow control over devices. For example, a building manager can use an API to remotely lock doors inside a specific office.

IoT Vulnerabilities and Security Issues

C&C centers and APIs effectively manage day-to-day IoT operations. That said, their centralized nature creates a number of exploitable weak spots, including:

  • Unpatched vulnerabilities – Connectivity issues or the need for end-users to manually download updates directly from a C&C center often result in devices running on outdated software, leaving them open to newly discovered security vulnerabilities.
  • Weak authentication – Manufacturers often release IoT devices (e.g., home routers) containing easily decipherable passwords, which might be left in place by vendors and end-users. When left open to remote access, these devices become easy prey for attackers running automated scripts for bulk exploitation.
  • Vulnerable APIs – As a gateway to a C&C center, APIs are commonly targeted by a variety of threats, including Man in the Middle (MITM), code injections (e.g., SQLI), and distributed denial of service (DDoS) assaults. More information about the implications of API-targeting attacks can be found here.

The dangers posed by exploitable devices can be broken into two categories: threats that they pose to their users and threats that they pose to others.

Threats to Users

A compromised IoT device places its users at risk in a number of ways, such as:

Data Theft

An IoT device contains vast amounts of data, much of which is unique to its individual users, including online browsing/purchase records, credit card details and personal health information.

An improperly secured device leaves this data vulnerable to theft. What’s more, vulnerable devices can be used as gateways to other areas of the network they are deployed on, allowing for more sensitive data to be extracted.

Physical Harm

IoT devices are now commonplace in the medical industry, with examples including pacemakers, heart monitors and defibrillators. While convenient (e.g., a doctor can fine-tune a patient’s pacemaker remotely), these devices are also vulnerable to security threats.

An improperly secured device can be exploited to interfere with a patient’s medical care. It’s an exceedingly rare occurrence, albeit one to be considered when developing a strategy for securing IoT devices.

Threats to Others

Insecure IoT devices are vulnerable to being hijacked and used in a botnet — a collection of malware-infected internet connected devices, possibly numbering in the millions, controlled from a remote location.

For perpetrators, discovering unprotected devices is not difficult and can be easily achieved by running widely available scripts or tools. This is best exemplified by the existence of Shodan, a publically available search engine made for the discovery of such devices.

As IoT devices have become more sophisticated, so have the threats that they pose. This has manifested itself in all manner of cyberattacks, including widespread spam and phishing campaigns, as well as DDoS attacks. The latter have been growing in size in recent years, mostly due to the increased availability of under protected IoT devices.

One prominent example of this trend occurred in 2016 when a public release of the Mirai malware prompted perpetrators to create massive IoT botnets and use them for DDoS assaults.

This lead to an unprecedented wave of attacks, the most notorious of which took down Dyn DNS services, cutting access to some of the most popular domains in the world including Etsy, GitHub, Netflix, Spotify and Twitter.

The malware itself was a relatively simple script that scanned open remote access ports and tried to gain access using a short list of commonly used login credentials (e.g., admin/admin).

Still, the lackluster IoT security measures made these simple tactics extremely successful. In the word of the alleged Mirai malware author, Anna-Senpai: “With Mirai, I usually pull max 380K bots from telnet alone.”

Mirai creater pulls 380,000 bots from telnet.

Internet of Things Security Management

The sheer volume of Internet of Things devices makes their security a high priority and is crucial for the future wellbeing of the internet ecosystem.

For device users, this means abiding by basic security best practices, such as changing default security passwords and blocking unnecessary remote access (e.g., when not required for a device’s functionality).

Vendors and device manufacturers, on the other hand, should take a broader approach and invest heavily in securing IoT management tools. Steps that should be taken include:

  1. Proactively notifying users about devices running outdated software/OS versions.
  2. Enforcing smart password management (e.g., mandatory default password changes).
  3. Disabling remote access to a device, unless it’s necessary for core functions.
  4. Introducing a strict access control policy for APIs.
  5. Protecting C&C centers from compromise attempts and DDoS attacks.

Incapsula helps IoT manufacturers protect their C&C centers by providing on-edge traffic filtering services that ensure only authorized and authenticated client requests are allowed to reach their APIs.

Combining industry-leading WAF services and DDoS mitigation solutions, Incapsula is able to secure its users against all online threats and efficiently handle multi-versioning from different devices.

For added reliability, the service is also equipped with load balancing and failover features that help operators handle organic traffic spikes, such as the kind that can occur upon the release of a new firmware patch.