Although IoT- connected devices arise from the search for time savings that can be seen today, they can lead to more extensive and invasive breaches than we could ever imagine. Through IoT, not only more data is being shared, but it’s also more sensitive by far. Therefore, we live with exponentially greater risk. It is probable that we will see more non – technical hackers with no need for specific skills or even money to launch insidious attacks.
Remember MIRAI? In 2016, it didn’t take long for the incident to go from vague rumblings to a global red alert. Hackers shocked the Internet, as researchers identified that they had infected nearly 65000 devices in the first 20 hours, with the number doubling in size every 76 minutes. A DDoS attack hit DNS servers at the Dyn company, used by common and widely known websites such as Amazon, Reddit, Netflix, Spotify, GitHub or Twitter – users didn’t have access for a few hours. Hackers used cameras, sensors, and equipment connected to the network.
Now, let’s imagine something more regularly used– on a daily basis – the broad range of connectable home devices like home thermostats and alarms, or smart home hubs, creates a myriad of connection points for hackers to gain entry into IoT ecosystems, and moreover, to get access to customer information. What are the threats?
Network video recorders (DVR/NVR) were the second most attacked group of IoT devices in 2016, storing monitoring records based on IP cameras – 1.5 million attacks, with about 1800 discovered in Poland. This can be explained by the fact that IP cameras use “cloud solutions” or P2P for remote control more often, where communication is widely encrypted.
A huge problem with Bluetooth protocol implementation was discovered – huge, as it relates to more than 5.3 billion IoT devices. It’s quite likely that if any of your devices have Bluetooth on but it does not work under the control of up-to-date software, it is easily susceptible to attacks. What is worse, hackers have no need to connect to your device. You only have to be in range of a vulnerable Bluetooth signal sent by the burglar. The attack makes it possible to take charge of the device, run injurious code or intercept Bluetooth communication between devices. Such actions can be implemented in “worms”, which can spread individually. Thus, an attack on your neighbour’s fridge carried out from his friend’s fit-bracelet can, in fact, cause your car to become infected.
LACK OF MODULARITY
Most IoT devices are not easy for end-users to manage, as they usually lack a display screen or keyboard. Combine this with the fact that they are often designed to be ready to use immediately, and the need to plug them into the computer to change settings tends to be forgotten.
As mentioned above, we now have access to some cool and innovative technologies all around us. When our computer is attacked, then it’s time for our smartphone to attack every IoT device at home. Unfortunately, it can then attack our car and other neighbouring devices while driving through the city. Medical devices are just as vulnerable – blood pressure cuffs, glucometers, insulin pumps and many other medical appliances are connected to the internet. We have seen hacks into insulin pumps manipulating the dosage. The seriousness of a personal attack is outweighed by the threat to healthcare systems and records that can be accessed through these devices, all labelled as personally identifiable information.
LACK OF UPDATE
Ubuntu conducted a survey confirming that only about 31% of users update their devices as soon as updates become available. Besides this, they think they are not responsible for keeping firmware updated – 18% considered it to be the responsibility of device manufacturers and 22% feel that it’s the software developer’s job. Automatic mechanisms to fix vulnerabilities remotely are needed as an essential step on the road to a secure IoT. Unfortunately, most IoT devices have low processing power and small memory which is just enough to perform the assigned tasks. IoT devices aren’t sophisticated enough to feature proper security standards and to deliver software updates via the Internet.
So how do we overcome this obstacle?
– Artificial Intelligence: “Most of the major companies in security have moved from a purely “signature-based” system of a few years ago used to detect malware, to a machine learning system that tries to interpret actions and events and learns from a variety of sources what is safe and what is not,” says Jack Gold, president and principal analyst at J. Gold Associates. Besides, Google is using it to identify and remove malware from infected handsets.
– Cloudflare: Rather than pushing patches into devices, this security firm concentrated on its new Orbit service – a kind of defense layer. It creates a secure and authenticated connection between an IoT device and its origin server, blocking vulnerabilities and deploying “virtual patches” into place.
– Bluetooth – off: Turn it off until you install the proper patch. “Invisible mode” is not sufficient, as Bluetooth needs to be completely inactive.
– Secure Enclave: This is a relatively new concept from Apple which solved critical problems with how a device’s data will be encrypted, stored and secured. This is achieved by partitioning all of the hardware and software resources so that they exist in one of two worlds – the secure world for the security subsystem or the normal world for everything else. Normal world components do not access secure world resources, enabling construction of a strong delimiting boundary between the two.
– Be careful: All devices and sensors should be managed and monitored. They cannot be set to default, moreover, the network should be properly segmented – into internal, guest and IoT networks at a minimum. There are some other helpful pathways such as updating firewalls, securing remote access, reviewing security configurations, operating system updates, and patches, or improving security policies.
– Do not hurry: Better think before buying the most recent products released on the market. They are more likely to include various security issues that haven’t been discovered yet.
– Be attentive: As IoT is recently a hot topic, researchers are meticulously working on finding security issues in products ranging from baby monitors to app-controlled rifles. Just search the Internet for news and information if the device you own has been patched or not.