What is IoT Security?

IoT security is the practice that keeps your IoT systems secure.

 

Learning Objectives

After reading this article you’ll understand:

  • What is IoT security?

  • What attacks are IoT devices most vulnerable to?

  • How are hacked IoT devices exploited?

  • How to improve your IoT device security

 

Introduction

The name 'Internet of Things' points directly at its security risk: connecting previously local devices to the internet. By installing additional smart devices on your other devices, you are able to access them from anywhere in the world. A good example is car-sharing platforms that install smart control systems in their cars in order to track them and control the locks remotely. That basically turns a car that was inaccessible remotely into a smart but hackable device with an internet connection.

What is IoT security?

As IoT devices are connected to the internet, they can face many security issues. They are usually made to be as cost- and energy-efficient as possible and simple in general, which means security is rarely a top priority.

Since the internet allows you to access your device remotely, it allows others to do so too. Usually it is malicious groups that try to gain access to your device in order to use it for their own purposes. Your device might then be compromised and used without you even knowing it. In addition, depending on the IoT device, your sensitive and private information might be exposed, which is a huge risk.

Securing your IoT device means that you take some additional measures to ensure that your device cannot be easily targeted by malicious entities.

What attacks are IoT devices most vulnerable to?

Firmware Vulnerability exploits

Unauthorized access

There are a lot of devices that are simply left unattended without any protection. Sometimes all you need to do is connect to an open Wi-Fi network and you will be able to access devices connected to the same network. There are no security features in place to stop someone from doing something like that. Once you have access to unsecured devices, you can install malware and have control of the device even if someone manages to secure these devices later on. It is also possible that the device itself or its firmware is faulty and its security can be bypassed with a few lines of code.


Weak authentication

One of the most frequently used ways of maliciously gaining access to IoT devices is simply trying a lot of different usernames and passwords in the hope that one works. Also, a lot of people tend to use the same password for many different services. If one of these services gets hacked and your password is leaked, your other services are at risk of being compromised. To protect yourself from that, you need to use a different password for each service. Password managers are great for that.

Hidden backdoors

A backdoor is a type of additional code in the device system that allows accessing the device without any authorization. Sometimes that code is left there by the manufacturers themselves. These types of backdoors have legitimate uses, such as providing a means for the manufacturer to recover user passwords. However, if manufacturers can have access to it, so can hackers, assuming they know how to do it.

Hackers can also install the backdoor themselves by physically getting to the device or by somehow managing to install that backdoor remotely. There might be viruses within your computer or other device you are using to access your IoT device and upon connection with your IoT device the virus automatically uploads malicious files to your device without you even knowing it.

Password hashes

Most of the time passwords are hashed rather than sent as plain text, so if someone has access to your network or has infected your device with a virus, they only see the hashed form of the password you are entering. You might be sending 'password' to your device in order to access it, but hackers will see some gibberish like '5F4DCC3B5AA765D61D8327DEB882CF99'. You would think that this is great, since your password is not known, but in reality they do not need to know your password: they can simply pass that hashed password as it is in order to get access to your device, because IoT devices do not have many security measures in place to prevent these kinds of attacks.
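The replay described above, and one common way to blunt it, as an added example that is not part of the original article. The class names and the nonce-based HMAC challenge are assumptions chosen for illustration; everything runs in memory with the article's sample password.

```python
import hashlib
import hmac
import secrets

# Constructed sample: the article's example password and its MD5 digest.
PASSWORD = "password"
STORED_HASH = hashlib.md5(PASSWORD.encode()).hexdigest().upper()


class StaticHashDevice:
    """Weak scheme: the client sends the hash itself as the login token."""
    def login(self, sent_hash):
        return hmac.compare_digest(sent_hash.upper(), STORED_HASH)


class ChallengeDevice:
    """Hardened scheme (assumed design): a fresh random nonce per login, used once."""
    def __init__(self):
        self._pending = set()

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    def login(self, nonce, response):
        if nonce not in self._pending:
            return False              # unknown or already-used nonce
        self._pending.discard(nonce)
        return hmac.compare_digest(response, respond(STORED_HASH, nonce))


def respond(secret_hash, nonce):
    """Client side: prove knowledge of the secret without sending it."""
    return hmac.new(secret_hash.encode(), nonce, hashlib.sha256).hexdigest()


def demo():
    weak, strong = StaticHashDevice(), ChallengeDevice()
    n1 = strong.challenge()
    captured = respond(STORED_HASH, n1)       # what a network observer sees
    legit = strong.login(n1, captured)        # the owner's real login
    n2 = strong.challenge()
    return {
        "weak_replay": weak.login(STORED_HASH),              # captured hash reused
        "legit_login": legit,
        "replay_same_nonce": strong.login(n1, captured),
        "replay_new_nonce": strong.login(n2, captured),
    }
```

In the challenge scheme the stored hash is still the shared secret, so it has to be protected on the device, and the exchange should still run over an encrypted channel.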

Encryption keys

Secure Shell (SSH) is a network protocol often used for secure remote logins to remote computer systems. SSH encrypts the connection, and an SSH key is what lets you log in. There are two types of SSH keys: private and public. Private keys are the most important, so they have to be stored securely. Public keys can be shared and stored on multiple devices, where each device keeps a list of the public keys that are authorized to log in. When you have the matching private key, you are able to remotely access your device.

Usually, private keys get stolen because they are stored inappropriately. Sometimes they are uploaded online by accident and get stolen that way, or a simple virus on your device steals your private key. Once the key is stolen, hackers can get into your device whenever they want, as they have the same key you do.
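One way to check for the storage problems described above, as an added example that is not part of the original article. It reads the header of an OpenSSH-format private key file to see whether a passphrase protects it and checks the file's permission bits; the function names and the test files (header fields only, no real key material) are constructed for illustration.

```python
import base64
import os
import struct
import tempfile

BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"
END = "-----END OPENSSH PRIVATE KEY-----"
MAGIC = b"openssh-key-v1\x00"


def key_cipher(pem_text):
    """Cipher name from an OpenSSH private key file, or None if it is not one."""
    if BEGIN not in pem_text or END not in pem_text:
        return None
    body = pem_text.split(BEGIN, 1)[1].split(END, 1)[0]
    blob = base64.b64decode("".join(body.split()))
    start = len(MAGIC) + 4
    if not blob.startswith(MAGIC) or len(blob) < start:
        return None
    (length,) = struct.unpack(">I", blob[start - 4:start])
    return blob[start:start + length].decode("ascii", "replace")


def audit_key_file(path):
    """Storage problems found for one file; empty list if none (or not a key)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        cipher = key_cipher(fh.read())
    checks = [
        (cipher == "none", "private key has no passphrase"),
        (bool(os.stat(path).st_mode & 0o077), "private key readable by group or others"),
    ]
    return [msg for hit, msg in checks if cipher is not None and hit]


def write_fake_key(path, cipher, mode):
    """Constructed input: key-file header fields only, no real key material."""
    blob = MAGIC + struct.pack(">I", len(cipher)) + cipher.encode()
    with open(path, "w") as fh:
        fh.write(f"{BEGIN}\n{base64.b64encode(blob).decode()}\n{END}\n")
    os.chmod(path, mode)


def demo():
    with tempfile.TemporaryDirectory() as d:
        bad, good = os.path.join(d, "id_bad"), os.path.join(d, "id_good")
        write_fake_key(bad, "none", 0o644)
        write_fake_key(good, "aes256-ctr", 0o600)
        return audit_key_file(bad), audit_key_file(good)
```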

Buffer overflows

A buffer overflow happens when a program attempts to write more data into a fixed memory block (buffer) than that block is allocated to hold. The additional data that does not fit in the allocated buffer spills over into adjacent memory. By sending carefully written input to an application, a hacker could trick the application into executing arbitrary code and potentially take control of the device.

Open source code

Instead of developing their own code, some manufacturers of IoT devices choose to use open source code within their devices, as it is free. This can be both good and bad. Open source code means that anyone can access the code, see how it works and even copy it. When everyone can view the code, a lot of developers can work on it and find vulnerabilities that might be present. However, hackers have an advantage too, as they know the full code and can work on finding vulnerabilities before they are noticed by others and patched. Sometimes the open source code is no longer maintained, which means that it does not get updated anymore, and hackers can use that to their advantage by taking their time to find possible vulnerabilities.

Credential-based attacks

Each new device that you get comes with a default username and password. That includes, but is not limited to, CCTV cameras, routers, trackers and so on. Manufacturers use the same default username and password because it is really convenient: they do not need to modify any code and can simply assemble the device as it is. Unfortunately, a lot of people do not change their default credentials to something more secure, and that makes an IoT device as vulnerable as it can get. Each default username and password for every device is available online, and if your IoT device is connected to the internet, finding it is easy. Once someone finds your device, they will be prompted to log in and can try the default username and password. This method requires almost no technical knowledge, so it is a really popular method of attack.

On-path attacks

On-path attacks happen when someone intercepts your connection by getting in between the two parties, sender and receiver. Instead of sending data directly to where you want, you unknowingly send it to the hacker, who then passes it on to the intended destination. Both you and the receiver think that you are communicating with each other, but in reality your messages are being relayed. That means that whoever is relaying the information can change it to whatever they want and see the contents of what you send (such as your passwords).

Physical-based hardware attacks

IoT devices are often left unattended, which means that a device located in a public place where it can easily be reached is at risk of being hacked. If someone manages to get to your device physically, they can employ different methods for accessing it. Physical access allows hackers to connect to the device via cable and then edit the device firmware in real time, or they can reset the device to its factory settings and then use a credential-based attack with the default username and password.

How are hacked IoT devices exploited?

Botnets

When someone uploads malicious code to your IoT device, they can turn it into a 'zombie' or a 'bot' that is one of many maliciously infected devices. Together these devices create a botnet, a connected network of a lot of devices that can be controlled by one entity. One device alone cannot do much, but when you have millions of devices doing something in a coordinated fashion, it becomes a really powerful weapon. Here are a few examples of what can be done with a botnet:

DDoS attacks

There are different types of distributed denial-of-service (DDoS) attacks, but they all work the same way: send a lot of data to a target at the same time from many devices.

In fact, these botnets can be so powerful that they can slow down the internet in the whole world. The traffic loads can surpass 1 terabyte per second, and that’s roughly like downloading 250 movies every second. Obviously, if a single server or service were targeted, it would probably not be able to handle such traffic and would simply shut down.

Cyber attacks

Botnets can be used for any kind of cyber attack. Often botnets are used to try to force your way through some sort of system. As an example, each infected device can be trying to log into a specific website with random details until one out of a million devices manages to guess the right password.

Cryptocurrency mining

With the boom of blockchain technology, people have started mining different types of digital currencies by using CPUs and GPUs. Most devices have CPUs, so if your device is infected, someone can be using it to mine cryptocurrencies. The mining itself impacts your data usage and device speed, and wears out your hardware.

Using IoT devices to get into other networks

IoT devices are often connected to a router. Usually this is the case with home and office routers, because people think there is no point in buying a SIM card just for that IoT device alone when you have Wi-Fi coverage. While it is indeed cheaper to have your device connected to a router as it uses the internet data plan you already have at home or office and you do not pay any extra, there are some security issues that come with that. When you connect your IoT device to a router, both of these devices have to be able to communicate with each other. That communication poses a risk that if someone gets access to your IoT device, they can hack their way into your router and from your router into your other devices. This is a huge risk as your entire network (PCs, printers, IoT devices, etc.) can be accessed by a hacker.

That is where SIM cards come in. They use their own cellular network (just like your phone), so if your IoT device does get hacked, your other devices will stay safe from these types of attacks.

How to improve your IoT device security

Software and firmware updates

Make sure that your firmware and software are always up to date, because updates usually contain many bug and vulnerability fixes. Always check online what the current version of your software is and compare it with the version you have on your device, because if someone has already hacked your device, they might have disabled automatic software or firmware updates in order to keep these vulnerabilities present.

Strong credentials

A very common method of attack is using the default device password to access it. A lot of people do not bother to change their passwords and leave them on default. These types of devices are the easiest catch for malicious hackers. To prevent that, always have a strong password with letters, numbers and special characters. Also, try to make it unique and random, so it cannot be guessed. We recommend finding a good password manager, which helps you manage all your passwords by storing them safely and creating random passwords for each website or service you have an account with.

Authentication method

There are multiple authentication methods; the basic one is the well-known username and password method. In addition to that, we recommend using multi-factor authentication (MFA) whenever possible. It works by additionally authenticating your login with a temporary code, fingerprint or face recognition on your mobile or another device. That way, even if a hacker knows your login credentials, he has to somehow authenticate himself with one of the additional options in order to successfully get into your device.

A 2019 Microsoft report concluded that MFA works really well, blocking 99.9% of automated attacks.

Physical location

If your devices are located in a public place, such as security cameras, they can be accessed physically and taken over or infected. It is therefore important to put them in places that are harder to reach. That ensures that malicious entities do not have physical access to them, which would help them hack the devices more easily.

Separate connection

In order to protect your entire network in case someone manages to hack your IoT device, you should use a SIM card with cellular data within the device itself. That way your compromised device cannot act maliciously towards your other devices, as it is not on the same network.

VPN

Using a Virtual Private Network (VPN) is a good way to encrypt your connection. In combination with a SIM card, it allows your device to appear offline and inaccessible on the internet, while it is actually accessible only by using a specific VPN profile that only you have access to.

Public IP route

Instead of using a Public IP SIM card directly, you can choose to have a Public IP route. A regular Public IP can be accessed by anyone over the internet, and the only thing protecting your device is the username and password. When you use the Public IP route, instead of connecting directly to your IoT device, you connect to our service via a gateway that is monitored, patched and protected against malicious attacks such as DDoS.

NAT gateway

Network Address Translation (NAT) allows your IoT devices to access the internet without being directly reachable from it. When you wish to connect to the internet, the traffic is routed to the NAT gateway, which has a public IP address and accesses the internet for your device. This protects your SIM from anyone trying to connect to your device from the internet.

For example: if your device wishes to visit Google, that request is routed to the NAT gateway. The NAT gateway then forwards the request to Google using its own public IP address, and Google sends the data back to the NAT gateway. The NAT gateway then sends the data to your device (the website loads for you). Now suppose that, while you are connected to the internet, some malicious entity tries to access your device by sending requests to the NAT gateway that are intended for your SIM. The NAT gateway checks whether your device requested such traffic and, since it did not, simply ignores the request.
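The request and reply flow described above, modelled as a small flow table. This is an added example, not part of the original article or any provider's implementation; the addresses come from documentation ranges, and the filtering rule (a reply must match the exact remote address and port the device contacted) is an assumption, since real gateways vary.

```python
from dataclasses import dataclass, field

# Constructed addresses from documentation ranges (assumptions, not from the article).
DEVICE = ("10.0.0.5", 5000)        # IoT device behind the gateway
WEBSITE = ("198.51.100.10", 443)   # site the device chooses to visit
STRANGER = ("203.0.113.66", 4444)  # host the device never contacted


@dataclass
class NatGateway:
    public_ip: str
    next_port: int = 40000
    # (public_port, remote_ip, remote_port) -> (device_ip, device_port)
    flows: dict = field(default_factory=dict)

    def outbound(self, device, remote):
        """Device-initiated request: record the flow, rewrite the source."""
        for (pub_port, *rem), dev in self.flows.items():
            if dev == device and tuple(rem) == remote:
                return (self.public_ip, pub_port)      # reuse existing mapping
        pub_port, self.next_port = self.next_port, self.next_port + 1
        self.flows[(pub_port, *remote)] = device
        return (self.public_ip, pub_port)

    def inbound(self, remote, pub_port):
        """Reply traffic is forwarded; anything unrequested returns None (drop)."""
        return self.flows.get((pub_port, *remote))


def demo():
    gw = NatGateway("192.0.2.1")
    _, port = gw.outbound(DEVICE, WEBSITE)
    return {
        "public_port": port,
        "reply_from_website": gw.inbound(WEBSITE, port),
        "stranger_same_port": gw.inbound(STRANGER, port),
        "website_other_port": gw.inbound(WEBSITE, port + 1),
        "repeat_request_port": gw.outbound(DEVICE, WEBSITE)[1],
    }
```

The gateway only filters unsolicited inbound traffic; it does nothing about connections the device itself opens, so a compromised device can still reach out through it.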

Conclusion

IoT devices are built to be energy efficient and as simple as possible, therefore, security is not always taken into account. That means that IoT devices can be hacked into and exploited in many different ways. However, there are also many simple ways to prevent that from happening and the best thing is that most of these things are easy to set up and totally free. By following our recommendations, you can deploy these extra measures that will make your device more secure. Additionally, Simbase offers even more security features that can be enabled in your dashboard. Taking time to secure your devices can give you that extra edge over the hackers.