IoT Vulnerabilities

CIOReview Team | Thursday, 11 April 2019, 05:33 IST

IoT VulnerabilitiesThe Internet of Things (IoT) refers to devices used mainly by homeowners (but not exclusively) which connect up different technology and capabilities in a building. In a sense, they make the home smarter as a result.

IoT devices run the gamut including everything from front door cameras and door bell combinations to baby heart monitors to smart refrigerators. The devices are typically connected over a home’s internet access sometimes to each other, but usually to a central hub. There are also several competing eco-systems for IoT devices along with manufacturers wanting to be the primary go-to brand. And across many IoT devices lurk serious security vulnerabilities waiting for hackers to exploit for their own gain and to the owner’s detriment.

Predictions About the Future

The Internet of Things is a growing phenomenon. With the ubiquitous nature of smartphone use, and to a lesser extent tablets and PCs, homeowners (and sometimes renters too) can and are using IoT devices to see and hear what is going on in their home even when they’re at work.

For example, there are IoT door systems now that let the resident in the home unlock the front door when they can see their friend arriving before they have. Rather than keeping them waiting outside, they can remotely unlock the door using an app on their smartphone. This kind of convenience is undeniable and one of the reasons for the accelerated growth and rapid acceptance of IoT technologies.

Some experts have stated that by 2025, tens of billions of IoT devices will be on the internet providing different features and access. All the movies and TV episodes about an intelligent building going crazy and taking over - a ‘ghost in the machine’ scenario - haven’t caused them to hit ‘pause’ either. OWASP, a group formed to advise manufacturers of IoT devices about their security deficiencies, predicted a disaster when it comes to their vulnerabilities. But too few people are heeding their grave warnings.

Is the Risk Overblown?

The risk of IoT devices is no longer theoretical. There have been numerous instances of security breaches that have caused problems and could have ended in disaster. The mainstream press has been slow to bang the drum to alert readers about the problem.

The main issues surround the fact that many of these devices have buggy firmware that allows hackers to get inside the device over the internet. They’re then able to unlock a door, drive a car, access a baby monitor, or record video from security cameras inside the home. This is all rather chilling. It has us extremely worried and it should have you worried too!

For people who’ve been using computers for decades and not just a few years, this situation is oddly reminiscent of the time when Microsoft stopped supporting Windows XP. This left some ATM machines and medical MRI machines which were still running on this software at the time vulnerable to malicious attack. Except, in this case, it’s firmware is on the IoT devices.

Firmware is the software that stores critical basic information about how it operates. It’s usually buggy and needs updating. However, few buyers of IoT devices understand firmware or know how to update it themselves even if it’s actually updatable (some are hardcoded).

The Worst Might Have Already Happened

There have been an alarming number of IOT security vulnerabilitiesand hacks already:

Owlet Wi-Fi Baby Heart Monitor

The Owlet Wi-Fi Baby Heart Monitor was found to have serious flaws. The product is worn inside a baby’s sock and verifies the heart activity of the newborn. This information is encrypted and transmitted to the hub which is close by. The idea is that the parents can see the heart information and get alerted if the heartbeat becomes irregular. So far, so good…

The trouble with the monitor comes into play when looking at the underlying code as researchers duly did. They found that the device created its own ad hoc Wi-Fi network without applying any encryption to it. In other words, it’s an open Wi-Fi network that anyone close enough can access remotely. From there, they can use man-in-the-middle attacks or take other actions to thwart the way that the heart monitor information is transmitted; possibly preventing it from doing so and no warnings being sent to the parents.

Jeep Becomes Hackable

One that wasn’t in the home was when the security team at IBM discovered that a Jeep model could be hacked, back in 2015.

The SUV had a vulnerable CAN bus which could be utilized through a badly programmed firmware when not updated. The result was that a hacker could control the vehicle remotely, make it speed up, slow down or take other actions in a sequence.

Botnet Crosses IoT Devices; Takes Down Reddit, Netflix and CNN

In 2016, a massive DDoS attack hit ISP Dyn when hackers coopted IoT devices. This means, they accessed numerous IoT devices, gained control of them, and indirectly used each of these devices to perform the DDoS attack.

Put simply, a DDoS attack is basically intentional attempts to access, for instance, a website, 1,000s of times at exactly the same time. This is done by taking over other people’s computing devices and remotely directing them to access the same site concurrently.

As a result of the attack, Dyn was taken largely offline which brought down Twitter, Netflix, CNN, Reddit and many other major websites. A significant part of the internet as a whole went offline during this sustained DDoS attack.

The Mirai malware was used which first infects a computer and then has it look for IoT devices with known security vulnerabilities and attempts to access them using their default login information. Devices including home and business security cameras and even DVR recorders were affected.

What Security Measures Make Sense for Manufacturers?

Manufacturers need to make sure all devices are secure and protected. Default username and password combinations must be required to be changed before using the device. This avoids the device being accessed by a third-party using the default information.

Firmware must be securely updatable on a regular basis with a way to prompt the device owner about it. The eco-systems that they’re often part of – Google, Samsung, Apple – must be made more secure as well.

The companies behind IoT devices must follow the Top 10 recommendations from OWASP about how to make their devices more secure out-of-the-box to avoid most of the current problems.

What Can a Person Do to Protect Themselves with IoT Devices?

  1. First, be aware of the issue. Any device that has Wi-Fi access that’s in your home or workplace is a potential point of vulnerability. Check if your IP address is protected.
  2. Second, immediately change the username and password for any IoT device to make it both unique from the other IoT devices and different from the default setting.
  3. Third, check on a weekly basis whether there are firmware updates for any of your devices. You can look up the manufacturer’s website to confirm it. Make this part of your weekend chores list to work through.

Unfortunately, IoT vulnerabilities are a serious problem at present. There are many devices in homes and offices that are still insecure. A good percentage have default access settings that haven’t been changed or outdated firmware that makes them vulnerable. Hopefully, future IoT devices will be produced with better security features to learn from the lessons of the recent past.