According to Gartner, Inc., consumer IoT devices are expected to show the highest growth rates over the next 4 years. By 2020, there will be over 13.5 billion consumer IoT devices worldwide. Because the average consumer puts price over privacy, consumer devices have weaker security solutions than those made for industries. While industries employ an army of engineers to make their solutions impervious to various attacks, a consumer simply wants a simple method of operation and relies on vendor support.
The primary issue – a great discrepancy in the quality of IoT devices – directly affects the quality of all components: hardware, firmware, software and support.
Convenient firmware backdoor
Customer convenience and low price remain consumer priorities over safety concerns. This applies to minor vendors who care more for immediate revenue than for their future. Mirai, one of the latest examples, is sadly no exception. Small companies use the same simple login and password for all their devices, making them vulnerable to dictionary attacks and brute-force methods. Alternatively, devices have a firmware backdoor left in to simplify remote device administration by the support team, and by hackers, too.
Software companies can prevent brute-force attacks simply by imposing a longer delay after each invalid password. Firmware by Ubiquiti is an example of good practice: it ships with a standard login/password, but users cannot change any settings until they change the password, which increases the security level.
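A sketch of the two defences described above, added here as an illustration (it is not Ubiquiti's or any other vendor's code): a delay that doubles after each invalid password, and a factory-default password that must be changed before any setting can be modified. The class and function names, the `admin` default, the delay constants and the 12-character minimum are assumptions.

```python
import hashlib
import hmac
import os

DEFAULT_PASSWORD = "admin"   # constructed factory default (assumption)
BASE_DELAY = 1.0             # seconds of lockout after the first failure
MAX_DELAY = 300.0            # upper bound on the lockout

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class DeviceAuth:
    def __init__(self, clock):
        self.clock = clock               # injected time source, e.g. time.monotonic
        self.salt = os.urandom(16)
        self.pw_hash = _hash(DEFAULT_PASSWORD, self.salt)
        self.must_change = True          # still on the factory default
        self.failures = 0
        self.locked_until = 0.0

    def login(self, password):
        now = self.clock()
        if now < self.locked_until:
            return "throttled"           # rejected without checking the password
        if hmac.compare_digest(_hash(password, self.salt), self.pw_hash):
            self.failures = 0
            return "ok"
        self.failures += 1               # lockout doubles: 1 s, 2 s, 4 s, ... capped
        delay = BASE_DELAY * 2 ** min(self.failures - 1, 20)
        self.locked_until = now + min(delay, MAX_DELAY)
        return "denied"

    def change_password(self, old, new):
        if self.login(old) != "ok" or new == DEFAULT_PASSWORD or len(new) < 12:
            return False
        self.salt = os.urandom(16)
        self.pw_hash = _hash(new, self.salt)
        self.must_change = False
        return True

    def set_config(self, config, password, key, value):
        if self.login(password) != "ok":
            return "denied"
        if self.must_change:             # settings stay read-only on the default password
            return "change-password-first"
        config[key] = value
        return "applied"
```

The lockout here is device-wide, so repeated bad guesses also delay the legitimate owner; tracking failures per source address is a common alternative.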
Company’s reaction time
No software can be 100% safe. Hackers find weaknesses daily. However, vendors need to deliver a realistic security level. When delivering software components for IoT solutions, Ukrainian development companies analyze the requirements first and provide several risk scenarios based on them.
Trusted vendors support their product for a reasonable amount of time, supplying consumers with patches and firmware updates. This is what Philips did when a group of researchers discovered that a wireless flaw, created by using the ZigBee protocol, could enable hackers to get control over the lights.
This is why we recommend using devices of trusted vendors. Always pay attention to customer feedback and communication with the support team.
This applies to minuscule smart devices (e.g. BLE beacons or smart cameras). When such devices are within reach, hackers can either replace normal devices with infected ones or modify the devices to start an attack or compromise the service.
Ensure no one can easily reach your hardware.
Common issues of Internet-connected devices
IoT devices allow managing various infrastructures (from cars to insulin pumps) which can be dangerous when they fall under unauthorised control. This is why IoT devices need the same protection level as banking or healthcare services.
Important note: A cable connection is as vulnerable as a wireless connection when attackers gain physical access to the cable. Two network cards (even USB ones will do) are needed to get connected to the cable. When hackers take over, the victim notices a temporarily lost connection. The connection is restored within a few seconds and the victim notices nothing different; however, the traffic is now controlled by hackers.
Because of this, when IoT devices have Internet access, they are vulnerable to a multitude of MitM attacks (local and remote). For example, IoT devices are susceptible to ARP spoofing, regardless of whether a cable or Wi-Fi connection is used.
Also, the following issues must be addressed when launching an IoT device or a sensor network:
- Insecure connection settings
- Insecure web or mobile interface that allows data to be sniffed
- Improper firewall settings
- Cloud storage issues
Like any computer, IoT devices can be attacked with the aim of capturing data using a sniffer or starting a botnet. Encryption and strong passwords are required to address data exchange and privacy concerns.
Specific IoT issues
The best way to enhance security is to use authorisation and authentication algorithms, but because of hardware limitations, this may cause long response times or simply be impossible. Sending unencrypted data directly via the Internet is not a good option at all.
Instead, IoT devices and sensors can be protected from intrusion using a gateway or a bridge (e.g. a Raspberry Pi platform as a node). This approach enables encryption without adding much to the cost of the end product.
Last but not least: Smart devices are on and connected to a network 24/7. Because they only require initial authentication, it is easy to miss the moment when the device becomes infected.
Ongoing network monitoring is required.
To sum up: IoT technology has some inherited vulnerabilities in addition to its own. But, by making security one of the top priorities in the project’s initial stages and reacting to new challenges as soon as they appear, it is possible to manage them successfully.