Security Challenges in IoT - 180D-FW-2023/Knowledge-Base-Wiki GitHub Wiki

Security Challenges in IoT

What is IoT?

The Internet of Things, commonly referred to as IoT, is a term that refers to a system of physical devices with integrated sensors, all connected and able to exchange data over a network such as the Internet. The concept is most commonly associated with home automation, also known as smart home technology, but it can also be applied in a variety of different industries, such as healthcare, manufacturing, and transportation.[1]

Why is IoT security important?

In 2016, a distributed denial-of-service (DDoS) attack was carried out on a major DNS provider, causing multiple websites and Internet services to go down across North America and Europe. The attackers used the Mirai malware to infect numerous IoT devices and create a botnet, which is a group of Internet-connected devices each running bots. According to experts, this attack was the largest of its kind in history.[2] This is just one example of an attack that involved IoT.

Figure 1. Diagram of how the Mirai botnet attack was carried out.[3]

When IoT was gaining popularity for its smart home applications, the focus from developers and engineers was mainly on expanding and improving the functionality of IoT systems. A main criticism of IoT is that not enough focus or resources are spent on the security of IoT, leaving it vulnerable to attacks or breaches.

A few aspects of IoT technology make these types of systems uniquely exposed and suited for attacks. According to Palo Alto Networks, these include[4]:

  • Lack of inventory: It’s not always clear which devices are in a network and how to manage the addition and removal of devices.
  • Lack of built-in security in IoT device operating systems: As mentioned before, many IoT devices are not developed with security first in mind. They typically are designed with low power consumption requirements and less computational power, which makes them unable to run more robust security measures.
  • Data volume: IoT devices generate and process large amounts of data, which makes it harder to oversee and protect systems.
  • Ownership: There are risks associated with allowing IoT devices from multiple separate teams/sources to connect.
  • Diversity: There are many different types of IoT devices with different forms and functions, and new ones are constantly being developed, so any good security plan must be all-encompassing.
  • Operations: IoT devices can become so integrated into a company or system that they are critical for operations, yet IT has difficulty bringing them under its security processes.

Types of security vulnerabilities and exploits

IoT devices are susceptible to many of the same risks that plague traditional computer systems. However, the nature of IoT devices means that certain attacks are more common or higher risk.

Botnets

As in the Mirai example above, malicious actors can take advantage of the architecture of an IoT network by running bots on many devices simultaneously, then using them to launch a DDoS attack or run spyware to steal data.

Man-in-the-middle attack

A man-in-the-middle (MitM) attack is an attack where a malicious third party inserts themselves into communications between two parties, each of whom believes they are conducting uninterrupted communication with the other. The attacker might impersonate each side to make them believe they are actually communicating with the other, or they may just be listening in to gather data. A study[5] found that common development boards used for do-it-yourself IoT devices, such as the Raspberry Pi, generate predictable and weak security keys that make them susceptible to MitM attacks.

Figure 2. An example of a man-in-the-middle attack.[5]

SQL injections

A SQL injection is an attack where malicious SQL statements are inserted into input that is passed to a database and then executed. This type of attack can be used to dump the database contents, tamper with or destroy data, or take administrative control of the server.[6]
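The following added example (not part of the original wiki page) shows the difference between a query built by string concatenation and a parameterized query, using Python's built-in sqlite3 module. The `readings` table, its rows and the function names are constructed for illustration.

```python
import sqlite3


def make_db():
    """Build an in-memory table of constructed IoT sensor readings."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE readings (device_id TEXT, owner TEXT, value REAL)")
    db.executemany(
        "INSERT INTO readings VALUES (?, ?, ?)",
        [
            ("thermo-1", "alice", 21.5),
            ("thermo-2", "bob", 19.0),
            ("cam-1", "bob", 1.0),
        ],
    )
    return db


def readings_vulnerable(db, device_id):
    # Vulnerable: the caller's string becomes part of the SQL text,
    # so quotes inside it can change the meaning of the WHERE clause.
    query = (
        "SELECT device_id, value FROM readings "
        "WHERE device_id = '" + device_id + "'"
    )
    return db.execute(query).fetchall()


def readings_safe(db, device_id):
    # Hardened: the value is bound as a parameter and is only ever
    # compared as data, never parsed as SQL.
    return db.execute(
        "SELECT device_id, value FROM readings WHERE device_id = ?",
        (device_id,),
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed input containing SQL syntax
    print("concatenated:", readings_vulnerable(db, crafted))  # every row
    print("parameterized:", readings_safe(db, crafted))       # no rows
    print("normal lookup:", readings_safe(db, "thermo-1"))
```

With the concatenated query, a device ID that contains a quote returns every owner's readings; with the bound parameter the same input simply matches no device.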

Weak authentication

Another common security risk is not prompting users to use strong authentication measures such as strong passwords and 2-factor authentication (2FA). This applies more to IoT "smart home" devices, which are intended for the average consumer rather than a cybersecurity expert.

Fault injection attacks

Fault injection attacks are physical attacks on devices that purposefully introduce a glitch to change the behavior of the device. They can be accomplished through voltage glitching, clock glitching, electromagnetic injection, or other physical methods of affecting the system.[7]

Remote control of devices

This refers to an end goal of the attack rather than the specific methods used to carry it out. After gaining access to a system, attackers can lock out users, access or modify data, and, depending on the type of device, change its settings with negative consequences. For example, according to the Washington Post, a Nest camera belonging to a family in California was hacked and used to “fake audio warnings about a missile attack, not to mention peer in on them, when they used a weak password.”[8]

Countermeasures

The most effective method to reduce security risks from IoT devices is to place greater emphasis on security while developing devices and programs that make use of IoT. This can come in the form of hardware or software modifications, such as requiring 2FA, or implementing firewalls or strong cryptographic measures to protect data. Additionally, vendors and manufacturers can implement stronger testing measures to make sure that the new IoT device can safely interact with other devices.

For devices that are already in use, consumers of these devices can take steps to protect themselves by using stronger passwords and authentication measures. In larger-scale IoT applications where there are dedicated security and operations teams, these teams can focus on identifying all the devices in the system and the associated risks, and coming up with a specific dedicated plan to restructure the system architecture or improve its management. These measures can include constant management of devices to deactivate unused services, adding authentication layers between devices, and monitoring the service to have actions in place when an event occurs. IoT developers should also stay vigilant and remain on top of patching potential exploits and fixing bugs, as well as regularly updating the software and firmware of IoT devices.[9]
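As an added illustration of the inventory and unused-service checks described above (not part of the original wiki page), the sketch below reconciles an approved device list against what a network scan observed. The MAC addresses, device names, service names and the `audit` function are all constructed for this example.

```python
# Constructed approved inventory:
# MAC address -> (device name, services the device is meant to expose)
APPROVED = {
    "aa:bb:cc:00:00:01": ("thermostat", {"https"}),
    "aa:bb:cc:00:00:02": ("camera", {"https", "rtsp"}),
    "aa:bb:cc:00:00:03": ("door-sensor", set()),
}

# Constructed scan results: (MAC address, services found listening)
OBSERVED = [
    ("AA:BB:CC:00:00:01", {"https", "telnet"}),
    ("aa:bb:cc:00:00:02", {"https", "rtsp"}),
    ("aa:bb:cc:00:00:99", {"http"}),
]


def audit(approved, observed):
    """Compare observed devices against the approved inventory.

    Returns three kinds of findings:
      unknown             - devices on the network that nobody registered
      unexpected_services - approved devices exposing services they should not
      missing             - approved devices that were not seen at all
    """
    findings = {"unknown": [], "unexpected_services": {}, "missing": []}
    seen = set()
    for mac, services in observed:
        mac = mac.lower()  # scanners differ in how they case MAC addresses
        seen.add(mac)
        if mac not in approved:
            findings["unknown"].append(mac)
            continue
        extra = services - approved[mac][1]
        if extra:
            findings["unexpected_services"][mac] = sorted(extra)
    findings["missing"] = sorted(set(approved) - seen)
    return findings


if __name__ == "__main__":
    for kind, items in audit(APPROVED, OBSERVED).items():
        print(kind, items)
```

Each finding maps to an action from the paragraph above: register or remove the unknown device, deactivate the unexpected service, and investigate why an approved device has gone quiet.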

Some broad mechanisms have been put in place to protect IoT devices. For example, Mozilla’s Project Things is intended to be a decentralized “Web of Things” with a greater emphasis on privacy and safety.[10] Many security experts argue that the problem lies with the Internet in general, and that greater governmental regulation is needed.[11]

References

  1. https://www.oracle.com/internet-of-things/what-is-iot/
  2. https://www.theguardian.com/technology/2016/oct/26/ddos-attack-dyn-mirai-botnet
  3. https://blog.cloudflare.com/inside-mirai-the-infamous-iot-botnet-a-retrospective-analysis/
  4. https://www.paloaltonetworks.com/cyberpedia/what-is-iot-security
  5. https://inria.hal.science/hal-02881745/document
  6. https://learn.microsoft.com/en-us/previous-versions/sql/sql-server-2008-r2/ms161953(v=sql.105)?redirectedfrom=MSDN
  7. https://payatu.com/blog/fault-injection-basics/#Fault_injection_techniques
  8. https://www.washingtonpost.com/technology/2019/01/31/doorbells-have-eyes-privacy-battle-brewing-over-home-security-cameras/
  9. https://www.isaca.org/resources/isaca-journal/issues/2019/volume-1/security-issues-in-iot-challenges-and-countermeasures
  10. https://labs.mozilla.org/projects/project-things/
  11. https://www.schneier.com/blog/archives/2017/02/security_and_th.html