Will IoT Security Awareness Protect Me From My Toaster?
Introduction
The paradigm of the Internet of Things devices is rapidly transforming our relationship with technology. The diffusion of smart objects is capillary, but we must carefully consider the aspects related to the cyber security and privacy.
Companies in almost every sector are adopting IoT devices to improve the user experience and deliver high-quality services. Experts at Cisco speculate that in 2020 there will be more than 50 billion connected devices, including wearable health monitors, connected vehicles, and smart grids.
Learn IoT Security
Smart objects gather and share huge quantities of information, including sensitive data, raising serious concerns in term of privacy.
Our surface of attack is enlarging as never before, both in workplace and in the private life. A recent research conducted by the security firm Veracode revealed that household IoT devices are exposing users to a wide range of threats, including data theft and sabotage.
The study conducted by Veracode, titled "The Internet of Things: Security Research Study," revealed that the principal problem for IoT devices is represented by the lack of a proper security posture.
The researchers have analyzed a number of always-on consumer IoT devices to evaluate their level of security and the way they manage user data.
The findings of the analysis are worrying. The design of the devices put consumers at risk for cyber-attacks or physical intrusions. The researchers analyzed six household IoT devices with up-to-date firmware version and performed a set of uniform tests; they discovered that all but one device were affected by serious flaws.
The security flaws emerged during the tests on the IoT devices could expose users to cyber-attacks, man-in-the-middle (MITM) attacks and data hijacking.
The researchers have discovered several security vulnerabilities, including open debugging interfaces that that could allow remote attackers to run arbitrary code on the unit and protocol weaknesses that could be exploited to access sensitive data or gain the control of the devices.
Experts in the security industry sustain that the majority of IoT vendors doesn't adopt a security by design approach. It is quite common to find smart objects with hardcoded credentials or that expose services without authentication mechanisms.
Do you really know what does it mean IoT?
A recent survey conducted in Germany by the Deutsche Telekom allowed measuring the level of awareness of the IoT in the country. Finding of the study demonstrated that only 12% of consumers ages 16 and older are aware if the Internet of things, an alarming result for a country where 41% of marketers believe the IoT will have a massive impact on them by 2020.
Figure 1 - IoT Awareness Survey (Deutsche Telekom)
4
The data are worrying if we consider another result of the survey. When researchers at Deutsche Telekom asked respondents whether they were interested in a variety of technologies that would ultimately be delivered by an IoT framework, the answer was affirmative in most of cases.
Among the IoT features with greater appeal on the respondents, there were smart-home capabilities of the new generation of devices.
Summarizing a growing number of people are interested in the IoT technology, but most individuals totally ignore technology, privacy, and security issues.
The data extracted from the survey is that customers have to be educated in the use of the new technology; an improper use in fact could expose them to risk of attacks.
We live a connected world. The overall security of a system depends from the security of a single component. The hack of a harmless smart meter could have serious consequences for the end-users and for the entire community.
Bad actors, accessing to the smart meters, could cause a blackout or conduct fraudulent activities, including billing frauds. Poorly protected credentials stored in the devices could let attackers gain access of several smart meters, allowing them to take full control of any device, modify its unique ID to impersonate the other customer or use the smart meter for launching attacks against the power network.
Recently, the Pen Test Partners researcher Ken Munro mapped and hacked connected iKettles across London demonstrating they leak Wi-Fi passwords, a circumstance that expose the owner of the smart devices to further attacks.
Another case in the headlines has been reported by Kaspersky Lab, the researchers at the security firm warn users of the possible risks when facing with connected coffee machines and other wireless-enabled home devices.
IoT devices are making our life easier, but they can become a nightmare if we ignore the cyber threats and to configure these devices to avoid serious problems.
Modern IoT implementations rely on hundreds of sensors embedded in different objects, always online and connected to the Cloud. Every smart device connected to the Internet is a potential entry door to any architecture. One of the most clamorous hack, the one suffered by the giant Target retailer, occurred because hackers breached its networked HVAC unit, in this way intruders compromised payment computer systems and stole 40 million credit card numbers.
The security has to be implemented since the design phases in ways IT experts have never done before.
IoT security and design awareness
When designing an IoT device, there are a number of things to consider for their rapid integration into any environment.
Security experts involved in the design of IoT architecture must analyze several aspects, including access control, device authentication, secure booting, firewalling and IPS, and of course the maintenance.
First of all, we have to consider the communication protocols to adopt for our smart objects. There are several IoT protocols that can add a significant complexity to the design phase. The protocol landscape in Internet of Things is highly variegated; alongside the classic HTTP there are other protocols such as CoAP, XMPP, AMQP and MQTT. Security architects must identify the protocol that most of all meets their requirements and properly implement it within their architecture.
The main challenge for security architect is mapping security protocols onto communication protocols implemented to connect devices with peer and the Internet.
Another factor to take care developing IoT devices is the choice of the authentication mechanisms, an alarming number of IoT devices currently rely on hard-coded credential, leaving them vulnerable to brute force attacks, spoofing and MITM, and many other types of attacks.
Designing IoT objects it is important to have a clear idea of the Key management systems to adopt. These systems are crucial because they are responsible for managing the entire lifecycle of the keys. Among main processes they manage; there are the key generation, the key distribution, and of course their revocation. Architects need to have a clear design to authentication, integrity, and confidentiality of IoT devices and the data they manage.
The economic factor will inevitably affect the design of infrastructure IoT, the price for a device depends on a number of features such as the networking features or the user interfaces.
A device that must be connected to the Internet needs an Ethernet or Wi-Fi interface, meanwhile smart objects that have to be deployed in a restricted space, such as a room or a warehouse, can implement ZigBee, Z-Wave, and Bluetooth protocols.
The choice of a specific technology influence the power consumption, architectures using smart devices powered by batteries have need to be designed considering how to preserve power.
In the end, both protocols and power consumption influence the final size of devices.
Looking at the user interface, the design must carefully consider the way to interact with IoT devices. Both protocols and interfaces must be carefully chosen and assessed, the presence of a security flaw could be exploited by attackers to compromise the entire architecture and steal sensitive information.
IoT objects must be considered as devices that evolve over time, it is essential to design objects that could be easily updated. Maintenance for smart devices improves the security of the IoT objects and could represent additional revenue opportunities for IoT vendors.
When dealing with IoT it is important to consider carefully the huge quantity of cloud applications developed to interface the smart objects with the services implemented by several manufacturers.
From a cyber security perspective, it is necessary to evaluate how service providers implement interoperability. Usually, Internet of Things devices can communicate with products designed by other vendors through standard APIs. The security is crucial when it is necessary to design heterogeneous infrastructures composed of smart objects from different vendors interact.
A flaw in any one of the protocols or in the authentication processes could be exploited by an attacker to compromise the entire infrastructure. Security is a major issue and current trend consists in approaching cyber security with a layered approach.
IoT security is still a pipe dream
Early this year, Symantec released a white paper addressing security issues related Internet of o Things devices. The experts at the security firm tested 50 smart home devices, including thermostats, locks, light bulbs, smoke detectors, energy management devices, and the findings of the study are disconcerting, but in my opinion not surprising.
"For our test, we used the precondition that the attacker has successfully cracked the Wi-Fi password and has access to the local network."
Figure 2 - Insecurity in the Internet of Things - Symantec Report
The key findings of the tests are:
- None of the analyzed devices provided mutual authentication between the client and the server.
- Around 19 percent of all tested mobile apps that are used to control IoT devices did not use SSL connections to the cloud.
- Some devices offered no enforcement and often no possibility of strong passwords.
- Some IoT cloud interfaces did not support two-factor authentication (2FA).
- Many IoT services did not have lockout or delaying measures to protect users' accounts against brute.
- Some devices did not implement protections against account harvesting.
- Many of the IoT cloud platforms included common web application vulnerabilities.
- It was found ten security issues in fifteen web portals used to control IoT devices without performing any deep tests.
- Most of the IoT services did not provide signed or encrypted firmware updates, if updates were provided at all
The results of the research published by Symantec demonstrate the lack of security by design for most of smart objects that crowd our homes. Hackers could exploit security flaws, default settings and poor configurations to access our domestic networks and run several kind attacks.
"Attackers who have gained access to the home network, for example by breaking into a Wi-Fi network with weak encryption, have further attack vectors at their disposal. We looked at devices that locally transmit passwords in clear text or don't use any authentication at all. The use of unsigned firmware updates is also a common trait among IoT devices."
By exploiting one of the above security vulnerabilities, an attacker could sniff the traffic within the home network searching for IoT device passwords, then use them to execute other commands on the smart devices and in the worst case take over the device completely by updating it with a malicious firmware update.
The good news is that until now Symantec didn't find any widespread malware attacks targeting IoT devices, but it is a question of time according the experts.
Conclusion
The security of the Internet of things infrastructures depends on both manufacturers and end-users.
Manufactures have the responsibility to design IoT devices implementing security by design having a clear idea of usage scenarios and cyber threats.
On the other end, organizations and end users should not blindly deploy Internet of Things devices assuming they are secure by default.
Deploying smart objects, it is essential to evaluate carefully the overall architecture and mutual interactions among peers and third-party systems. Experts must have a clear idea of the surface of attack of the resulting architectures.
The Internet of Things is a paradigm that most of all is changing our daily life; it represents the link between human and technology.
Manufacturers have to identify cyber threats and the risk of exposure for the IoT devices. Once assessed every component in the IoT architecture, it is necessary to identify all the potential flaws, implementing all the necessary countermeasures for the entire lifecycle of smart objects.
Symantec provided a list of suggestions to enforce IoT security and prevent hacking attacks:
- Use strong passwords for device accounts and Wi-Fi networks
- Change default passwords
- Use a stronger encryption method when setting up Wi-Fi networks such as WPA2
- Disable or protect remote access to IoT devices when not needed
- Use wired connections instead of wireless where possible
- Be careful when buying used IoT devices, as they could have been tampered with
- Research the vendor's device security measures
- Modify the privacy and security settings of the device to your needs
- Disable features that are not being used
- Install updates when they become available
- Use devices on separate home network when possible
- Ensure that an outage, for example due to jamming or a network failure, does not result in a unsecure state of the installation
- Verify if the smart features are really required or if a normal device would be sufficient
The IoT devices aim to make our life easier, but this is possible if manufacturers and vendors will start to think security by design, because as explained by the researchers at Symantec:
"Any code that is run on a smart device, be it the firmware or application, should be verified through a chain of trust."
References
http://securityaffairs.co/wordpress/34974/cyber-crime/iot-security-symantec.html
http://securityaffairs.co/wordpress/29353/security/smart-meters-hacking.html
https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project
http://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/
http://securityaffairs.co/wordpress/41857/hacking/coffee-machines-hacking.html
http://securityaffairs.co/wordpress/41204/hacking/hacking-ikettles-devices.html
http://www.emarketer.com/Article/Internet-of-Things-Has-Big-Awareness-Gap-Germany/1012919
http://embedded-computing.com/guest-blogs/10-internet-of-things-design-considerations/
https://www.boozallen.com/content/dam/boozallen/documents/2014/12/Internet_of_Things.pdf
Learn IoT Security