6 minute read

Assessing the Risks to IoT Devices

By Ang Cui, founder & CEO of Red Balloon Security

There’s no question that the Internet of Things is growing rapidly, and connected devices are finding their way into every conceivable nook and cranny of our daily lives, from the human body to home appliances, cars, office buildings, and more. Most major industries are also actively incorporating IoT into their supply chains, production processes, and facilities in the hopes of cutting costs and improving efficiency.

But what is less understood is just how vulnerable these devices actually are to attacks, and how these vulnerabilities can expose consumers and businesses to new threats which they may not have anticipated.

Device manufacturers continue to roll out new products with little built-in security, and

updating the software and firmware of a device once it is “out in the field” is not always easy. Basic security mistakes like default passwords, remote device management, and unencrypted web connections, all of which are common among IoT devices, expose these products to serious threats, whether in the home or office.

Current Threats

MALWARE

Malware attacks on IoT products continue to grow. Kaspersky Lab identified three times as much IoT malware in the first half of 2018 as they found in all of 2017, and there is no reason to believe the trend is slowing.

Currently, IoT malware has been mostly limited to botnets like Mirai and Reaper, which enslave devices in order to harness their processing power for DDoS attacks, spam campaigns, and cryptocurrency mining. Fortunately, botnet malware typically presents a low risk for the end-user, but there are two important caveats to this, particularly for businesses. First, a device’s functionality and performance could deteriorate if the malware interferes with its normal processes. Secondly, if the malware has a “downloader” component (which many do), it could install new malware later on that may not be so harmless.

REMOTE ACCESS

The holy grail for an attacker is to gain administrative control of a device. This type of remote access allows them to spy on the user, steal information, or manipulate the device itself.

For several years, this type of attack has been ongoing against lower-end IoT devices like baby monitors, webcams, and IP cameras. However, these same tactics can also be used to compromise more important products – like a major home appliance, car, or embedded device in a manufacturing plant. The 2015 Jeep Cherokee hack is one example of the havoc an attacker could wreak with remote access.

Ransomware is already a big business for criminals. It is estimated to generate over $2 billion annually. The WannaCry ransomware attack in 2017 offered a sneak preview of jackware attacks, as it infected more than 200,000 devices around the globe, including MRI scanners and blood-storage refrigerators in U.K. hospitals and police traffic cameras in Australia.

OTHER EXPLOITS

Given the wide range of IoT products entering the market, there are any number of one-off hacks which can occur, by exploiting the bugs and security mistakes specific to a brand or type of device.

Since most devices are vulnerable, these attacks can vary widely. Examples run the gamut, including: bypassing a building’s access control system by spoofing an ID badge, turning a printer into a bugging device, remotely unlocking smart door locks, or even hijacking pacemakers to harm or kill patients.

DATA COLLECTION AND SHARING

Misuse of private information by the device maker itself is another ongoing threat. This ranges from collecting user data without consent to improperly storing and transmitting customer data, accidental data exposures, and more. Even when the manufacturer discloses its privacy policies, there are real questions about the short- and long-term implications of its data sharing practices – particularly when it comes to private health information, such as Google’s 2016 patents for cardiovascular health monitoring in smart bathroom devices.

Emerging Threats

ID THEFT

Identity theft is already highly profitable for cybercriminals, and it will undoubtedly transition to the IoT market. Since many of these devices collect, store, and share sensitive user information, any attacker who breaches this device could conceivably gain access to the same data. To make matters worse, if the device connects to another device, external service, or database (i.e., a smart bathroom scale with a mobile app, which in turn connects to a medical provider), the hacker could quickly escalate this attack into a much larger data breach. This is equally true for businesses – imagine an attacker gaining entry to a manufacturing execution system, which would offer a rich source of intelligence on production methods and practices.

“Device ID theft” is another potential threat. By impersonating, or “spoofing,” a consumer appliance for example, an attacker could send the person fake text or email messages presumably from the device (like a water leak alert from a water heater). This could bait the user into clicking on a malicious link or sharing account credentials.

JACKWARE Ransomware attacks on big ticket items like cars and manufacturing equipment are also to be expected. This type of attack (sometimes referred to as “jackware” when it affects a physical system) would essentially “brick” the machine, rendering it useless. Given the enormous loss for victims, they would be even more inclined to pay a ransom.

PERSISTENT INFECTION

IoT devices tend to exist on the periphery of a network, which means they aren’t top of mind for consumers or IT managers when it comes to security. They also offer less visibility into their running processes than a PC. This makes it harder to detect a breach or malware.

For these reasons, hackers will increasingly exploit IoT devices in order to get a backdoor into a home or business. Once on a device, they can use it as a base camp to launch additional attacks on any other device sharing the network, as well as to hide out and maintain a long-term presence in the home or company. Case in point: hackers stole the high-roller database from a large casino after first hacking into its fish tank thermometer.

VENDOR BACKDOORS

Device makers may also create hidden backdoors to troubleshoot problems or monitor the user’s activity and collect information. Common backdoors include hardcoded passwords, remote management software, and debug mode.

Backdoors should be especially alarming for businesses. This level of access gives the manufacturer God-like control over the user. They can use it to spy, steal data, make changes to the device, reduce its performance, or even sabotage it. The U.S. government has been particularly worried about the potential for Chinese backdoors in mobile devices and telecommunication systems. The U.S. Department of Homeland Security recently launched the Mobile Security R&D Program to find hidden vendor backdoors and “implants.”

TACKLING THE SECURITY PROBLEM

So how do we solve the IoT security dilemma? It’s most necessary for manufacturers to build strong security into these devices from the very start.

In the meantime, companies have been transitioning PC security solutions like antivirus and firewalls to the IoT market, but these have limitations. They may miss attacks that hide or change signatures, imitate a legitimate program, or exploit an unknown vulnerability (“zeroday”). They also need regular updates to remain effective, and may not work in resourceconstrained IoT environments, or be difficult to extend to devices out in the field.

One alternative is DNS security (or DNSSEC). This has been widely used on corporate networks, but applying it to IoT devices offers a new way to block them from malicious redirects, which would have prevented the Mirai botnet.

New technologies are also being developed that can immunize devices against malicious behavior. Instead of trying to catch every new malware strand or hacker tool that comes along (a la antivirus), these techniques simply force the device to do only what it is supposed to do. In this way, even if a hacker gains remote access to a thermostat and orders it to raise the temperature to 110 degrees, the device would be unable to comply.

In the meantime, consumers and businesses need to take charge of their own security. Before buying an IoT device, ask a few basic questions: What is the device maker’s reputation? Does the company mention any security features or explain its privacy policies? Does the company offer ongoing software support? Users should also change any default passwords, check for an https web connection, and avoid devices with remote access software in place. Network managers should try to isolate IoT devices from the rest of the network, so a breached fish tank won’t unravel the business. ■

This article is from: