We live in a connected world where the devices around us are connected and communicating with each other, often more than we realize. This includes the likes of Alexa and Siri, which know more about us than we would like; the smart home appliances that we can control with a tap on our smartphones; and the smart home security systems and connected car systems on which we are putting high stakes. All these are applications of the Internet of Things. Have you ever thought about how secure these applications are? No doubt these technological innovations are making our life easy, but at the same time they are also increasing the surface area where security threats can strike.
What is the Internet of Things (IOT)?
In the digital world we see various software applications connecting and communicating with each other, whereas hardware and physical objects usually used to work in isolation. However, that is not the case any more. Technology has helped hardware to connect with other hardware and with servers, locally or on the internet, and share the data it generates, to serve us more effectively. Before we proceed further, let's understand how IOT works. The physical objects that are part of IOT have connected hardware like sensors, which generate data about the device. This data is shared with software which processes the data and makes sense out of it. There is a layer of connectivity which helps various devices connect with each other, share data and add value.
Why should one bother about security of IOT devices?
Today IOT has become an integral part of our life where, knowingly or unknowingly, we, or rather the devices we are using, are generating tons of data about ourselves or our surroundings. This data is processed and analyzed constantly so that these devices can serve us better. One thing to understand here is that these devices are, or use, computational devices, though they may not look like traditional computing devices. As in the case of any other connected computational devices or computers, they are also susceptible to malicious hack attacks. There are an estimated 30.73 billion connected devices in 2020 and the number is projected to grow to 75.44 billion by 2025.
With the growing number of devices grows the risk that these devices could get compromised. Now it is not enough to protect just your computers from getting hacked; you also need to protect your Smart TV, your Smart Thermostat, your Keyless Door Lock and so on. Don't think, "What can someone gain by hacking my Smart Kettle, which I bought so that I can boil water when I am still in bed?" Your kettle may be just the entry point to your home network, from where the hacker can access any device connected to the network. The worst part with many IOT devices is that, unlike with our laptops, desktop computers or smartphones, the security aspects are often overlooked due to the relatively low threat perception of these devices.
Types of security threats to IOT devices
Now let's understand the security threats faced by various IOT devices.
A DDoS (distributed denial of service) attack is carried out by overwhelming a server with loads of fake requests sent from a large number of compromised devices connected to the internet. This type of attack is commonly seen with less secure IOT devices, where a hacker hacks into the device and plants a botnet or malicious program in the device. The hacker is then able to initiate the attack on third-party servers by simultaneously sending requests from these IOT devices to the server under attack. In most cases the usual functioning of these IOT devices is not hampered, so no one notices that they are compromised.
Data theft is another common reason for which hackers hack into IOT devices. The attacker may target either data resting in a network-connected storage device or data transmitted through the network. The data can be stolen either from the device itself or from the server where it stores or processes data. The stolen data may be used by attackers for financial gain, impersonation or other malicious use. Following are the different types of data theft.
Financial data theft
This could include stealing financial information like credit card details, bank account details, subscription details etc. For example, if a point of sale invoicing device is hacked, the hacker can potentially transmit customer credit card details, collected during payment processing, to a malicious site.
Identity theft happens when sensitive identity documents, usernames, passwords etc. used to establish the identity of a person are stolen. This information can be used later for impersonation. Documents and passwords stored in network storage devices, or documents being printed or scanned on a network printer or scanner, can be targets for the hacker in this case.
Personal information theft
This includes stealing personal information like health record related data generated by wearable devices, internet surfing patterns, eating habits etc. This may also be used to acquire and leak damaging information.
Theft of intellectual property or trade secrets
In some cases hackers hack into IOT devices to clone the software and understand how the system works. This is a way of stealing intellectual property and advanced technological know-how.
Ransomware attacks
Ransomware attacks happen when the hacker encrypts the user's data, rendering it inaccessible to the user. The hacker demands a ransom in exchange for decrypting the data. Organizations are more likely to be attacked by ransomware. Insecure IOT devices can be used to get access to the network.
Many times insecure IOT devices are used for spying purposes. IOT devices like IP cameras, DVRs, Smart TVs etc. are often used for this purpose.
Burglary and thefts
Burglars may hack into home security systems and disable them to get access to the property.
Ways in which hackers gain access to IOT devices
In the US, on average 11 devices are connected to the network in a household. Each of these devices is a potential point for a hacker to attack. Out of the various devices, the home wifi router is the most hacked device. Home wifi networks can be accessed even from the street outside the house, and with a weak password it is very easy to retrieve the password with a brute force technique. Once inside the network, any device in the network can be hacked into if not protected adequately. Let's see some common vulnerabilities exploited by hackers to hack into IOT devices.
People often do not give as much importance to the passwords of various IOT devices as to those of laptops or desktops, even if they pose the same level of threat. The reason is mainly that the threat perception of these devices seems relatively lower than that of computers. If a hacker is able to access the network, it is not difficult to find out the password with brute force tools.
Default passwords of the devices are often not changed, sometimes due to ignorance and sometimes due to negligence. This leaves the device extremely vulnerable to hacking.
Flaws in firmware
Sometimes there are flaws in the firmware of the devices which might have been overlooked by the manufacturer. Hackers could easily find these flaws by reverse engineering the firmware and hack into the devices. Even if the manufacturer fixes the flaw quickly, the fix will not reach the device unless the device is updated. And let me confess, it is not very intuitive to wake up every morning and check whether there is a firmware update for my IP camera or smart kettle.
Vulnerabilities in APIs
If the APIs used by the devices to communicate with the servers are not secure enough, there are chances of hackers using these vulnerabilities. These kinds of vulnerabilities often lead to an attack called a man-in-the-middle attack, where the hacker intercepts the communication between server and client and sends a fake or altered message back.
So what can I do to secure my IOT devices?
Always use strong passwords
Always use a strong password which is hard enough for others to guess and at the same time simple enough to remember without writing it down anywhere (remember, writing down your password somewhere it could be accessed by others is also not safe). Please use a combination of capital letters, small letters, numbers and special characters in your passwords. It is also a good practice to change the password often and not to use the same password for multiple devices.
Do some research about the device before you buy
Do your research about the product before you buy. Refer to reviews of the product and focus on security aspects as well. Also look into the reputation of the manufacturer and its track record on security. It is best not to decide to buy a product based on price alone while ignoring the security aspects.
Change default passwords
Many devices come with default passwords. These passwords can easily be found in the instruction manuals. Change the default password of a device before you start using it.
Apply security patches or updates on the devices as soon as they are available
Regularly check whether there are any new updates or security patches for the device. Apply those updates as soon as they are available.
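The recommendations above (strong passwords, no reuse across devices, no default passwords, firmware kept up to date) can be checked together over a list of your devices. The following is an added example, not part of the original article; the inventory, its field layout and the 12-character minimum are assumptions made for illustration.

```python
from collections import Counter

# Constructed sample inventory (name, password, factory default, installed
# firmware, latest firmware); every value here is invented for the example.
DEVICES = [
    ("wifi-router", "admin", "admin", "1.0.2", "1.0.9"),
    ("ip-camera", "Blue!Kettle42", "12345", "2.4.0", "2.4.0"),
    ("smart-kettle", "Blue!Kettle42", "0000", "0.9.1", "0.10.0"),
    ("door-lock", "r7#Vq2!mXe9@Lp", "lock1234", "3.1.5", "3.1.5"),
]
MIN_LENGTH = 12  # assumption: the article does not state a minimum length

def missing_classes(password):
    """Character classes from the article's password advice that are absent."""
    checks = {
        "capital letter": any(c.isupper() for c in password),
        "small letter": any(c.islower() for c in password),
        "number": any(c.isdigit() for c in password),
        "special character": any(not c.isalnum() for c in password),
    }
    return [name for name, present in checks.items() if not present]

def version_tuple(version):
    """Turn '0.10.0' into (0, 10, 0) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))

def audit(devices, min_length=MIN_LENGTH):
    """Map each device name to the list of findings raised against it."""
    reuse = Counter(dev[1] for dev in devices)
    report = {}
    for name, password, default, installed, latest in devices:
        findings = []
        if password == default:
            findings.append("default password unchanged")
        if len(password) < min_length:
            findings.append("password too short")
        missing = missing_classes(password)
        if missing:
            findings.append("password lacks: " + ", ".join(missing))
        if reuse[password] > 1:
            findings.append("password reused across devices")
        if version_tuple(installed) < version_tuple(latest):
            findings.append("firmware update pending")
        report[name] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit(DEVICES).items():
        print(f"{name}: {'; '.join(findings) or 'ok'}")
```

Firmware versions are compared as numbers rather than text, so that 0.9.1 is correctly treated as older than 0.10.0.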
IOT-based connected devices are all around us, and there is no doubt that they are here to make our life easy. However, at the same time we need to realize that, like the personal computers that we use, these connected devices pose the threat of getting hacked. So we need to be as careful with IOT devices as we are with our computers. It is widely seen that even at the manufacturer level these IOT devices are not scrutinized for security threats as closely as a laptop we would buy. It is evident that we will see more and more IOT devices, which no doubt will make our life easier; however, we also need to identify the security risks they bring and take corrective actions.