Will IoT Security Awareness Protect Me From My Toaster?

November 27, 2015 by Pierluigi Paganini

Introduction

The Internet of Things paradigm is rapidly transforming our relationship with technology. Smart objects are spreading everywhere, but we must carefully consider the related cyber security and privacy aspects.

Companies in almost every sector are adopting IoT devices to improve the user experience and deliver high-quality services. Experts at Cisco speculate that in 2020 there will be more than 50 billion connected devices, including wearable health monitors, connected vehicles, and smart grids.

Smart objects gather and share huge quantities of information, including sensitive data, raising serious concerns in terms of privacy.

Our attack surface is growing as never before, both in the workplace and in private life. Recent research conducted by the security firm Veracode revealed that household IoT devices are exposing users to a wide range of threats, including data theft and sabotage.

The study conducted by Veracode, titled "The Internet of Things: Security Research Study," revealed that the principal problem for IoT devices is the lack of a proper security posture.

The researchers have analyzed a number of always-on consumer IoT devices to evaluate their level of security and the way they manage user data.

The findings of the analysis are worrying. The design of the devices puts consumers at risk of cyber-attacks or physical intrusions. The researchers analyzed six household IoT devices with up-to-date firmware versions and performed a set of uniform tests; they discovered that all but one device were affected by serious flaws.

The security flaws that emerged during the tests on the IoT devices could expose users to cyber-attacks, man-in-the-middle (MITM) attacks and data hijacking.

The researchers discovered several security vulnerabilities, including open debugging interfaces that could allow remote attackers to run arbitrary code on the unit and protocol weaknesses that could be exploited to access sensitive data or gain control of the devices.

Experts in the security industry maintain that the majority of IoT vendors do not adopt a security-by-design approach. It is quite common to find smart objects with hardcoded credentials or that expose services without authentication mechanisms.

Do you really know what IoT means?

A recent survey conducted in Germany by Deutsche Telekom measured the level of awareness of the IoT in the country. The findings of the study demonstrated that only 12% of consumers ages 16 and older are aware of the Internet of Things, an alarming result for a country where 41% of marketers believe the IoT will have a massive impact on them by 2020.

Figure 1 - IoT Awareness Survey (Deutsche Telekom)

The data are worrying if we consider another result of the survey. When researchers at Deutsche Telekom asked respondents whether they were interested in a variety of technologies that would ultimately be delivered by an IoT framework, the answer was affirmative in most cases.

Among the IoT features that appealed most to the respondents were the smart-home capabilities of the new generation of devices.

In summary, a growing number of people are interested in IoT technology, but most individuals totally ignore the related technology, privacy, and security issues.

The takeaway from the survey is that customers have to be educated in the use of the new technology; improper use could in fact expose them to the risk of attacks.

We live in a connected world. The overall security of a system depends on the security of each single component. The hack of a harmless smart meter could have serious consequences for the end users and for the entire community.

Bad actors who gain access to smart meters could cause a blackout or conduct fraudulent activities, including billing fraud. Poorly protected credentials stored in the devices could let attackers gain access to several smart meters, allowing them to take full control of any device, modify its unique ID to impersonate another customer, or use the smart meter to launch attacks against the power network.

Recently, the Pen Test Partners researcher Ken Munro mapped and hacked connected iKettles across London, demonstrating that they leak Wi-Fi passwords, a circumstance that exposes the owners of the smart devices to further attacks.

Another case in the headlines was reported by Kaspersky Lab: researchers at the security firm warned users of the possible risks posed by connected coffee machines and other wireless-enabled home devices.

IoT devices are making our life easier, but they can become a nightmare if we ignore the cyber threats and fail to configure these devices to avoid serious problems.

Modern IoT implementations rely on hundreds of sensors embedded in different objects, always online and connected to the Cloud. Every smart device connected to the Internet is a potential entry point into any architecture. One of the most sensational hacks, the one suffered by the retail giant Target, occurred because hackers breached its networked HVAC unit; in this way the intruders compromised payment computer systems and stole 40 million credit card numbers.

Security has to be implemented from the design phase, in ways IT experts have never done before.

IoT security and design awareness

When designing an IoT device, there are a number of things to consider for its rapid integration into any environment.

Security experts involved in the design of an IoT architecture must analyze several aspects, including access control, device authentication, secure booting, firewalling and IPS, and, of course, maintenance.

First of all, we have to consider the communication protocols to adopt for our smart objects. There are several IoT protocols, and they can add significant complexity to the design phase. The protocol landscape in the Internet of Things is highly varied; alongside the classic HTTP there are other protocols such as CoAP, XMPP, AMQP and MQTT. Security architects must identify the protocol that best meets their requirements and properly implement it within their architecture.

The main challenge for security architects is mapping security protocols onto the communication protocols implemented to connect devices with peers and the Internet.

Another factor to take care of when developing IoT devices is the choice of authentication mechanisms. An alarming number of IoT devices currently rely on hard-coded credentials, leaving them vulnerable to brute-force attacks, spoofing, MITM, and many other types of attacks.

When designing IoT objects, it is important to have a clear idea of the key management systems to adopt. These systems are crucial because they are responsible for managing the entire lifecycle of the keys. Among the main processes they manage are key generation, key distribution, and, of course, key revocation. Architects need to have a clear design for the authentication, integrity, and confidentiality of IoT devices and the data they manage.

The economic factor will inevitably affect the design of an IoT infrastructure; the price of a device depends on a number of features, such as the networking features or the user interfaces.

A device that must be connected to the Internet needs an Ethernet or Wi-Fi interface, while smart objects that have to be deployed in a restricted space, such as a room or a warehouse, can implement the ZigBee, Z-Wave, and Bluetooth protocols.

The choice of a specific technology influences power consumption; architectures using battery-powered smart devices need to be designed with power preservation in mind.

In the end, both protocols and power consumption influence the final size of devices.

Looking at the user interface, the design must carefully consider the way users interact with IoT devices. Both protocols and interfaces must be carefully chosen and assessed, because a security flaw could be exploited by attackers to compromise the entire architecture and steal sensitive information.

IoT objects must be considered as devices that evolve over time, so it is essential to design objects that can be easily updated. Maintenance for smart devices improves the security of the IoT objects and could represent additional revenue opportunities for IoT vendors.

When dealing with IoT it is important to consider carefully the huge quantity of cloud applications developed to interface the smart objects with the services implemented by several manufacturers.

From a cyber security perspective, it is necessary to evaluate how service providers implement interoperability. Usually, Internet of Things devices can communicate with products designed by other vendors through standard APIs. Security is crucial when designing heterogeneous infrastructures in which smart objects from different vendors interact.

A flaw in any one of the protocols or in the authentication processes could be exploited by an attacker to compromise the entire infrastructure. Security is a major issue, and the current trend is to address cyber security with a layered approach.

IoT security is still a pipe dream

Earlier this year, Symantec released a white paper addressing security issues related to Internet of Things devices. The experts at the security firm tested 50 smart home devices, including thermostats, locks, light bulbs, smoke detectors, and energy management devices. The findings of the study are disconcerting but, in my opinion, not surprising.

"For our test, we used the precondition that the attacker has successfully cracked the Wi-Fi password and has access to the local network."

Figure 2 - Insecurity in the Internet of Things - Symantec Report

The key findings of the tests are:

  • None of the analyzed devices provided mutual authentication between the client and the server.
  • Around 19 percent of all tested mobile apps that are used to control IoT devices did not use SSL connections to the cloud.
  • Some devices offered no enforcement and often no possibility of strong passwords.
  • Some IoT cloud interfaces did not support two-factor authentication (2FA).
  • Many IoT services did not have lockout or delaying measures to protect users' accounts against brute-force attacks.
  • Some devices did not implement protections against account harvesting.
  • Many of the IoT cloud platforms included common web application vulnerabilities.
  • Ten security issues were found in fifteen web portals used to control IoT devices, without performing any deep tests.
  • Most of the IoT services did not provide signed or encrypted firmware updates, if updates were provided at all.

The results of the research published by Symantec demonstrate the lack of security by design in most of the smart objects that crowd our homes. Hackers could exploit security flaws, default settings and poor configurations to access our domestic networks and run several kinds of attacks.

"Attackers who have gained access to the home network, for example by breaking into a Wi-Fi network with weak encryption, have further attack vectors at their disposal. We looked at devices that locally transmit passwords in clear text or don't use any authentication at all. The use of unsigned firmware updates is also a common trait among IoT devices."

By exploiting one of the above security vulnerabilities, an attacker could sniff the traffic within the home network searching for IoT device passwords, then use them to execute other commands on the smart devices and in the worst case take over the device completely by updating it with a malicious firmware update.
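The device-side check that closes the malicious-update path described above, as an added example (not code from the Symantec paper or from any vendor): the update is accepted only if its manifest carries a valid vendor signature, the image matches the signed hash, and the version is newer than the installed one. The manifest layout, function names and demo key pair are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed demo keys: only demoPub would ever be stored on the device.
var demoPub, demoPriv, _ = ed25519.GenerateKey(nil)

// Manifest is a hypothetical update header; the vendor signs Version||ImageHash.
type Manifest struct {
	Version   uint32   // covered by the signature, so it can gate rollbacks
	ImageHash [32]byte // SHA-256 of the firmware image
	Signature []byte   // Ed25519 signature over signedBytes()
}

func (m Manifest) signedBytes() []byte {
	return append(binary.BigEndian.AppendUint32(nil, m.Version), m.ImageHash[:]...)
}

// SignUpdate runs on the vendor's build server, never on the device.
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) Manifest {
	m := Manifest{Version: version, ImageHash: sha256.Sum256(image)}
	m.Signature = ed25519.Sign(priv, m.signedBytes())
	return m
}

// VerifyUpdate is the device-side gate, run before anything is written to flash.
func VerifyUpdate(vendorKey ed25519.PublicKey, installed uint32, m Manifest, image []byte) error {
	if !ed25519.Verify(vendorKey, m.signedBytes(), m.Signature) {
		return errors.New("manifest signature invalid")
	}
	if sha256.Sum256(image) != m.ImageHash {
		return errors.New("image does not match signed hash")
	}
	if m.Version <= installed {
		return errors.New("rollback to an older or equal version refused")
	}
	return nil
}

func main() {
	img := []byte("constructed firmware image")
	m := SignUpdate(demoPriv, 8, img)
	fmt.Println("genuine:", VerifyUpdate(demoPub, 7, m, img), "| tampered:", VerifyUpdate(demoPub, 7, m, append(img, 0)))
}
```

Signing the version together with the hash matters: without it, a network attacker could replay an older, legitimately signed image that still contains a known flaw.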

The good news is that until now Symantec has not found any widespread malware attacks targeting IoT devices, but it is a matter of time according to the experts.

Conclusion

The security of the Internet of things infrastructures depends on both manufacturers and end-users.

Manufacturers have the responsibility to design IoT devices with security by design, having a clear idea of usage scenarios and cyber threats.

On the other hand, organizations and end users should not blindly deploy Internet of Things devices assuming they are secure by default.

When deploying smart objects, it is essential to evaluate carefully the overall architecture and the mutual interactions among peers and third-party systems. Experts must have a clear idea of the attack surface of the resulting architectures.

The Internet of Things is a paradigm that, more than any other, is changing our daily life; it represents the link between humans and technology.

Manufacturers have to identify cyber threats and the risk of exposure for the IoT devices. Once every component in the IoT architecture has been assessed, it is necessary to identify all the potential flaws and implement all the necessary countermeasures for the entire lifecycle of the smart objects.

Symantec provided a list of suggestions to enforce IoT security and prevent hacking attacks:

  • Use strong passwords for device accounts and Wi-Fi networks
  • Change default passwords
  • Use a stronger encryption method when setting up Wi-Fi networks such as WPA2
  • Disable or protect remote access to IoT devices when not needed
  • Use wired connections instead of wireless where possible
  • Be careful when buying used IoT devices, as they could have been tampered with
  • Research the vendor's device security measures
  • Modify the privacy and security settings of the device to your needs
  • Disable features that are not being used
  • Install updates when they become available
  • Use devices on separate home network when possible
  • Ensure that an outage, for example due to jamming or a network failure, does not result in an unsecure state of the installation
  • Verify if the smart features are really required or if a normal device would be sufficient

IoT devices aim to make our life easier, but this is possible if manufacturers and vendors start to think in terms of security by design, because, as explained by the researchers at Symantec:

"Any code that is run on a smart device, be it the firmware or application, should be verified through a chain of trust."

References

https://www.veracode.com/blog/2015/04/iot-security-veracode-study-demonstrates-lack-security-posture-sw

http://securityaffairs.co/wordpress/34974/cyber-crime/iot-security-symantec.html

http://securityaffairs.co/wordpress/29353/security/smart-meters-hacking.html

https://www.veracode.com/blog/2015/06/smart-devices-pose-many-challenges-iot-security-your-company-challenge-sw

http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/insecurity-in-the-internet-of-things.pdf

https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project

http://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/

http://securityaffairs.co/wordpress/41857/hacking/coffee-machines-hacking.html

http://securityaffairs.co/wordpress/41204/hacking/hacking-ikettles-devices.html

https://www.axway.com/sites/default/files/resources/whitepapers/axway_whitepaper_top10_security_internet_of_things_en.pdf

http://www.emarketer.com/Article/Internet-of-Things-Has-Big-Awareness-Gap-Germany/1012919

http://www.isaca.org/knowledge-center/research/researchdeliverables/pages/internet-of-things-risk-and-value-considerations.aspx

http://embedded-computing.com/guest-blogs/10-internet-of-things-design-considerations/

https://www.boozallen.com/content/dam/boozallen/documents/2014/12/Internet_of_Things.pdf

Pierluigi Paganini

Pierluigi is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group, a member of the Cyber G7 Workgroup of the Italian Ministry of Foreign Affairs and International Cooperation, and Professor and Director of the Master in Cyber Security at the Link Campus University. He is also a Security Evangelist, Security Analyst and Freelance Writer.

Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field, and he is a Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for US.

Pierluigi is a member of "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.