How is the Internet of Things (IoT) Vulnerable?
Internet of Things (IoT) vulnerabilities stem from the devices' tendency to have low computational power and hardware limitations that leave no room for built-in security features. On top of that, IoT vendors may sacrifice security in order to be first to market. If the vendor is a startup that fails, the needed security patches won't come, leaving the user with an open attack vector on their network.
It is a best practice for organizations and individuals to research the vendors of their IoT devices and ensure they are reputable and have a documented commitment to security. Furthermore, changing default credentials, using unique passwords, keeping the device's software up to date, and encrypting stored and transmitted data all help protect IoT devices.
Vendors that make IoT devices can reduce vulnerability by using anti-rollback mechanisms that prevent unauthorized entities from reverting software to an older, less secure version. Additionally, vendors should ensure that the operating systems (OSs) they build on, the code they write, and any third parties that supply software or hardware are not introducing insecure components.
An IoT device can have one or more vulnerabilities that make it an easy target for attackers to gain access to a network and move laterally to more critical devices or systems. The following points are informed by the Open Web Application Security Project (OWASP) Top 10 2018 list of IoT vulnerabilities.
IoT devices often require passwords for users to access services or control the device. The default credentials of these devices can be weak, easy to guess, or hardcoded. A hardcoded password, or embedded credential, is an unencrypted password that lives in the device's source code. The reasoning behind this is to simplify setting up devices at scale, despite the significant risk it poses to the device's security.
An extra step vendors should consider for making credentials harder to crack is two-factor authentication. For example, some smart thermostats support two-factor authentication when signing into user accounts. When a user (including an organization) enables two-factor authentication, they both create a new username and password and use an additional form of credential that an attacker is less likely to have access to.
It isn't just the credentials used to access the device that are at issue. The interfaces a device uses to connect to a larger network ecosystem, such as a backend API, can also be compromised. When that occurs, it is typically because there is no method to authenticate or authorize the entity accessing the device, encryption is weak or absent, or traffic coming in to or going out from the device is not filtered.
Even if vulnerabilities like these are identified, not all IoT devices can be updated securely. This is the case when firmware validation isn't implemented, the update is delivered in plaintext, there are no anti-rollback mechanisms, or users are not notified of updates. An anti-rollback mechanism prevents attackers from downgrading a device to an older version of the software that has known security vulnerabilities the attacker can exploit.
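The update checks described above (firmware validation, rejecting plaintext tampering, anti-rollback), as an added example that is not from the original article. The manifest format and the demo key are assumptions; HMAC-SHA256 stands in for the asymmetric signature a real device would verify against a vendor public key stored in ROM.

```python
"""Firmware update check with signature validation and anti-rollback (added example).
Assumed format, not from the article: a JSON manifest {version, sha256 of image}
plus a tag over the manifest. HMAC-SHA256 stands in here for the asymmetric
signature a real device would verify against a vendor public key in ROM."""
import hashlib
import hmac
import json

# Constructed demo key. A real verifier holds only a public key, never this.
VENDOR_KEY = b"constructed-demo-key-not-for-production"


def sign_manifest(version, image, key=VENDOR_KEY):
    """Vendor side: build the manifest and tag it. Returns (manifest, tag)."""
    manifest = json.dumps({"version": version,
                           "sha256": hashlib.sha256(image).hexdigest()},
                          sort_keys=True).encode()
    return manifest, hmac.new(key, manifest, hashlib.sha256).digest()


def validate_update(manifest, tag, image, installed_version, key=VENDOR_KEY):
    """Device side: return (accepted, reason). Order matters: authenticate the
    manifest before trusting any field in it, then enforce anti-rollback against
    the monotonic installed version, then bind the image to the manifest."""
    expected = hmac.new(key, manifest, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return False, "bad signature"
    fields = json.loads(manifest)
    version = fields.get("version")
    if not isinstance(version, int) or version <= installed_version:
        return False, "rollback rejected"  # older or equal version, even if signed
    if hashlib.sha256(image).hexdigest() != fields.get("sha256"):
        return False, "image hash mismatch"  # plaintext image altered in transit
    return True, "ok"


def demo(installed_version=2):
    """Exercise an upgrade, a signed-but-old downgrade, a tampered image and a
    manifest whose version field was edited after signing."""
    v1, v3 = b"firmware v1 (constructed)", b"firmware v3 (constructed)"
    m1, t1 = sign_manifest(1, v1)
    m3, t3 = sign_manifest(3, v3)
    forged = m1.replace(b'"version": 1', b'"version": 4')
    return {
        "upgrade": validate_update(m3, t3, v3, installed_version),
        "downgrade": validate_update(m1, t1, v1, installed_version),
        "tampered": validate_update(m3, t3, v3 + b"\x00", installed_version),
        "forged": validate_update(forged, t1, v1, installed_version),
    }
```

The installed version must be stored where the update code cannot lower it (a monotonic counter or fuse), or the rollback check can be undone by the very image it is meant to refuse.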
If an IoT vendor builds its devices with insecure software libraries or other components from an insecure source, then the device will naturally be insecure. Such components include insecure customizations of operating system (OS) platforms and third-party software and hardware that come from a compromised supply chain.
Where a user's or organization's personal information is stored also matters. If it is stored on an insecure device or in an insecure environment, it is vulnerable to discovery by an attacker. Data encryption is a basic and near-mandatory measure for securing data in storage, in transit, and during processing.
Attackers Take Advantage of IoT Vulnerabilities
A major player in the malware world that focuses on IoT devices is the Mirai malware, which creates a botnet largely consisting of IoT devices. It infects a device through brute-force password attempts, cycling through known default credentials that grant access to the device. Once inside, it forces the device to scan the internet for further vulnerable devices, which tend to be IoT devices. Once a sufficiently large botnet has been assembled, it is typically used to launch a distributed denial of service (DDoS) attack on an organization. The result is that the organization's network, and the services it provides via the internet, go down. This reinforces the importance of changing passwords away from their defaults and using two-factor authentication where possible with IoT devices.
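Detection logic for the behaviour just described, as an added example that is not from the original article: it scans device authentication logs for a burst of failed logins across several usernames from one source, the footprint that Mirai-style default-credential guessing leaves, and marks whether a login finally succeeded. The log format and the sample lines are constructed for this example.

```python
"""Detect Mirai-style credential brute forcing in IoT auth logs (added example).
The log format is constructed for this example; adapt LINE_RE to your devices."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dev>\S+) (?:telnetd|sshd|httpd): "
    r"(?P<result>FAILED|ACCEPTED) login from (?P<src>[\d.]+) user=(?P<user>\S+)$"
)

# Constructed sample: one source cycles usernames against a camera over telnet
# and eventually gets in; an operator on another host typos once, then logs in.
SAMPLE_LOG = """\
2024-03-01T10:00:00 cam01 telnetd: FAILED login from 198.51.100.7 user=root
2024-03-01T10:00:01 cam01 telnetd: FAILED login from 198.51.100.7 user=admin
2024-03-01T10:00:01 cam01 telnetd: FAILED login from 198.51.100.7 user=support
2024-03-01T10:00:02 cam01 telnetd: FAILED login from 198.51.100.7 user=user
2024-03-01T10:00:02 cam01 telnetd: FAILED login from 198.51.100.7 user=guest
2024-03-01T10:00:03 cam01 telnetd: ACCEPTED login from 198.51.100.7 user=admin
2024-03-01T10:05:00 cam01 sshd: FAILED login from 192.0.2.10 user=ops
2024-03-01T10:05:09 cam01 sshd: ACCEPTED login from 192.0.2.10 user=ops
"""

def detect_bruteforce(log_text, window=timedelta(seconds=60),
                      min_failures=5, min_users=3):
    """One alert per (source, device) with >= min_failures failed logins across
    >= min_users distinct usernames inside any `window`. A success at or after
    the burst's last failure is marked: that is a default credential matching."""
    events = defaultdict(list)  # (src, dev) -> [(time, result, user)]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsed lines are skipped, not fatal
        events[(m["src"], m["dev"])].append(
            (datetime.fromisoformat(m["ts"]), m["result"], m["user"]))
    alerts = []
    for (src, dev), evs in events.items():
        evs.sort()
        for t0, _, _ in evs:  # slide the window over each event start
            burst = [e for e in evs if t0 <= e[0] <= t0 + window]
            fails = [e for e in burst if e[1] == "FAILED"]
            users = {e[2] for e in fails}
            if len(fails) >= min_failures and len(users) >= min_users:
                got_in = any(e[1] == "ACCEPTED" and e[0] >= fails[-1][0] for e in burst)
                alerts.append({"src": src, "device": dev, "failures": len(fails),
                               "usernames": sorted(users), "login_succeeded": got_in})
                break
    return alerts
```

An alert with `login_succeeded` set is the one to act on first: the device should be treated as compromised, taken off the network, and its credentials changed before it is returned to service.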
A different kind of vulnerability, one that is known but has not been reported to be exploited, was found in St. Jude Medical's Merlin@home cardiac devices. These devices included pacemakers and defibrillators. According to the Food and Drug Administration (FDA), a vulnerability existed in the devices' RF transmitters. Had the transmitters' vulnerability been exploited, the battery could have been drained rapidly, or the device could have delivered shocks at an incorrect pace. The devices transmit over radio frequencies in order to send data to physicians, who assess and monitor the device's function, which means fewer in-person visits to the doctor for check-ups. The data can be transmitted over cellular or wireless internet connections.
Securing IoT Devices in the Office and for Remote Workers
Typical security best practices still apply to IoT devices and can be used to counteract the vulnerabilities mentioned above. Encrypting data is a major aspect of securing data and transmissions, so that attackers cannot read any data they would otherwise have access to after compromising the device. Personal, proprietary, or confidential information held by an organization or the device vendor should be encrypted as a best practice; however, unless a vendor discloses its privacy and encryption practices to users and organizations, they cannot know what type of encryption, if any, is being used.
Using a password manager, or simply changing default passwords to something unique within a user's or organization's catalog of passwords, is part of the password hygiene that can keep IoT devices from being compromised. Two-factor authentication strengthens credentials even further. This is especially helpful against malware like Mirai that uses known default credentials to quickly gain access to IoT devices.
As more employees work from home offices, IoT devices in their homes become an attack vector that could lead back to an organization's sensitive information. Organizations that can afford to provide security tools to employees known to have consumer IoT devices should do so to protect their networks. Virtualized security tools are helpful in securing IoT devices because they can be scaled more easily to accommodate a large remote workforce. Virtual private networks (VPNs) and virtualized firewalls can enable encryption, monitor data entering and exiting the local network, and prevent malware from reaching IoT devices in the home.
IoT Vulnerabilities: Key Takeaways
- IoT devices are vulnerable because they often lack the computational power to run security functions, and vendors may sacrifice security in the rush to market.
- Organizations should research the vendors they buy from to ensure they are reputable and security-minded.
- A best practice for securing a device is to set new login credentials and use two-factor authentication to access and control IoT devices.
- The Mirai malware easily finds and infects IoT devices and spreads by scanning for devices with default credentials.