The quiet threat inside “internet of things devices”

As Americans increasingly buy and install smart devices in their homes, all those cheap interconnected devices create new security problems for individuals and society as a whole. The problem is compounded by businesses radically expanding the number of sensors and remote monitors it uses to manage overhead lights in corporate offices and detailed manufacturing processes in factories. Governments, too, are getting into the act – cities, especially, want to use new technologies to improve energy efficiency, reduce traffic congestion and improve water quality.

The number of these “internet of things” devices is climbing into the tens of billions. They’re creating an interconnected world with the potential to make people’s lives more enjoyable, productive, secure, and efficient. But those very same devices, many of which have no real security protections, are also becoming part of what is called “botnets,” vast networks of tiny computers vulnerable to hijacking by hackers.

Tiny computers everywhere

The “internet of things” includes countless types of devices – webcams, pressure sensors, thermometers, microphones, speakers, stuffed animals, and many more – made by a vast array of companies. Many of these manufacturers are small and unknown and don’t have popular brands or public reputations to protect. Their goals are to produce lots of devices to sell as cheaply as possible. Customers’ cybersecurity isn’t a real concern for them.

These devices’ variety means they’re useful for lots of things, but also means they have a wide range of vulnerabilities. They include weak passwords, unencrypted communications, and insecure web interfaces. With thousands, or hundreds of thousands, of identically insecure devices scattered all over the world, they’re a wealth of targets ripe for the hacking.

If, for instance, a manufacturer has set an unchangeable administrative password on a particular type of device – it happens more often than you might think – a hacker can run a program searching the internet for those devices, and then logging in, taking control and installing their own malicious software, recruiting the device into a botnet army. The devices run normally until the hacker’s issues instructions, after which they can do more or less anything a computer might do – such as sending meaningless internet traffic to clog up data connections.

Blocking internet access

That type of attack when emanating from thousands of devices at once called a “distributed denial of service,” can shut down companies’ servers or even block wide swaths of the internet from being publicly accessible. A major DDoS attack in 2016 interrupted connections to Amazon, Netflix, and Paypal from customers on the east coast of the U.S.

The size and scale of these attacks – and the broad range of devices that can contribute to them – make this both a private problem and a public one. People want to secure the devices in their homes and pockets, of course. Yet the same networks that stream television shows and music also link burglar alarms to police, manage traffic lights in congested areas and let self-driving cars talk to each other.

All that activity can be drowned out if hackers flood the internet, or sections of it, with meaningless messages. Traffic would stall across towns, even counties, and police officers would have a hard time communicating with each other to try to straighten everything out. Even small devices, in their hundreds of thousands, all around the world, can work together to have huge repercussions both online and in the physical world.

IoT devices may seem like a significant security risk. However, there are several best practices you can employ to reduce IoT security risk and ensure that your system remains secure.  

1. Use security analytics

IoT security analytics involve the collection, correlation, and analysis of data from across your data sources. This information is then used to visualize IoT activity, identify suspicious events, and respond to possible threats.

When collecting security analytics information it is important to monitor IoT gateways as well as sensor CPU activity, and in-memory processes. This data can then be combined to provide context for a device's activity and ensure that only approved events occur.

2. Contextual Vulnerability Assessment

Exploits of vulnerabilities are a main entry point to IoT devices. These might be a library allowing code injection that wasn’t patched, hardcoded credentials, or a weak encryption key in a protocol. Performing continuous monitoring of a device’s security posture is crucial, and can be achieved by contextual vulnerability analysis.

Gaining control of the devices SBOM (Software Bill Of Material) is the key success factor of running such a program and a path to maturity of your product’s security while staying one step ahead of the adversaries.

3. Create visibility

When working with IoT devices, your IT team should adopt dedicated visibility tools. For example, network access controls (NACs) and detailed inventories of all possible endpoints on your network. These inventories should be automatically updated as devices are added or dropped and should retain a history of inactive devices. Additionally, access controls should be automatically applied whenever a device connection is made to ensure security without impeding productivity.

4. Implement segmentation

Segmentation involves isolating system components and layering security measures to ensure that sensitive data and systems remain protected. By segmenting your network you can reduce opportunities for attackers to traverse components laterally and restrict vulnerabilities to individual devices.

When segmenting IoT devices, you may find it helpful to segment by categories. For example, infrastructural, data-collecting, or user endpoints. Then, based on the requirements or purpose of each endpoint you can assign network policies that properly prevent unauthorized access.

5. Ensure protected communications

All communications between your devices and your network or your users should be protected. Protected connections help ensure that data isn’t intercepted or modified by attackers.  

To ensure this protection, you should implement the strongest possible encryption you can. For example, AES 128 or AES 256. You should also ensure that your encryption keys are not hard coded and that keys are rotated periodically.

6. Ensure device authentication

Device authentication measures can also help you protect your IoT endpoints. These measures can include biometrics, multi-factor authentication, or digital certificates where x.509 is commonly used. With authentication, you can ensure that attackers are unable to access device information even when the device itself is physically available.

Author : Diva Maharani | Illustrator : Akbar Nugroho

sources:

1. https://www.nielsen.com/us/en/insights/article/2018/smart-speaking-my-language-despite-their-vast-capabilities-smart-speakers-all-about-the-music/
2. https://en.wikipedia.org/wiki/SCADA
3. https://iot-analytics.com/state-of-the-iot-update-q1-q2-2018-number-of-iot-devices-now-7b/
4. https://theconversation.com/security-risks-in-the-age-of-smart-homes-58756
5. https://theconversation.com/do-i-want-an-always-on-digital-assistant-listening-in-all-the-time-92571
6. https://theconversation.com/4-ways-internet-of-things-toys-endanger-children-94092
7. https://theconversation.com/using-blockchain-to-secure-the-internet-of-things-90002
8. https://resources.infosecinstitute.com/topic/the-top-ten-iot-vulnerabilities/
9. https://www.wired.com/story/mirai-botnet-minecraft-scam-brought-down-the-internet/
10. https://www.wired.com/story/mirai-botnet-minecraft-scam-brought-down-the-internet/