IoT Security Basics Every Device Owner Needs Now

A cybersecurity expert offers a soup-to-nuts IoT security guide for every organization, individual and device with confidential data to protect.

2015-05-IoT-AP-e1430842365956.png

By Paul Cucu, Heimdal Security

In the movie 2001: A Space Odyssey, HAL the onboard artificial intelligence goes rogue killing the men it was assigned to protect, begging the question: “What do we do when the technology around us malfunctions?”

It’s not just PCs and smartphones we should worry about anymore, but a wide range of Internet-connected devices such as thermostats, smart meters, self-driving cars and even voice assistant devices such as Amazon’s Alexa.

These are all part of the Internet of Things (IoT) innovation wave, which overall promises to greatly improve our lives, if we can deal with the cybersecurity threats they can pose.

What is IoT?

Industry experts usually define an IoT device as any object connected to the Internet (or to a Local Area Connection, in some cases).

Examples include:

  • Smart TVs
  • Internet connected cars
  • Wi-Fi routers
  • Smart cameras
  • Smart locks (including ones with Bluetooth)
  • Some medical devices
  • Voice assistants, like Amazon Echo
  • Smart lights
  • Fitness
[hs] Information a malicious hacker can obtain from an IoT device

Basically, if a refrigerator or TV has an Internet connection, then it becomes an IoT device.

Both manufacturers and consumers prefer these devices. Consumers like the added functionality -- it’s easier to watch Netflix if the TV already has Internet.

Manufacturers, however, like IoT devices because they allow them to silently collect information about how consumers use their products. As a result, they can then tailor future products around these usage patterns.

Here are some statistics that really bring home just how many Internet-connected devices we now have:

IoT devices

Why is IoT Security Important?

In 2016, the Mirai botnet launched one of the biggest DDoS attacks ever recorded. More than 1 terabyte per second flooded the network of Dyn, a major DNS provider and brought down sites such as Reddit and Airnbnb.

But what made this attack so special was that it was the first to be carried out with IoT devices. Nearly 150,000 compromised smart cameras, routers and other devices all enslaved into a single botnet, focused on a single target.

This heat map shows the intensity of the attack, and here’s a list of websites that were taken down by it.

dyn attack

The Mirai botnet however is much bigger. By some estimates, it contains millions of enslaved devices. And it wasn’t even that hard to create in the first place.

Manufacturers use a handful of default password and usernames to protect an IoT device. So, there are possibly a few thousand password combinations to protect tens of millions of smart devices.

All it took were a few simple lines of code, designed to test each of those default passwords. A device could be hacked and enslaved within a few seconds, so long as the user didn’t change the standard login information.

But IoT botnets aren’t the only type of threat. Researchers have proven more than once that it’s possible to physically take control of a car by breaking into apps that control onboard software. For now, this has only been done in experimental situations, but as Internet-connected cars gain ground, it’s only a matter of time until it happens to someone, somewhere.

Researchers from the Russian cybersecurity firm Kaspersky for instance, managed to open up car locks, simply by hacking into an app.

IoT Security Vulnerabilities

Simplicity and ease of use are crucial principles in the IT and electronics industry. Every software and device out there is designed to be as easy to use as possible, so as to not confuse consumers and discourage them from using the product.

Unfortunately, this often means that some products cut corners, and don’t implement security features consumers might find too clunky.

Insecure Default Login Credentials

In practice, manufacturers might hide the Change password/Username options deep in the user interface, out of sight for most users. No wonder so many people kept their default user names and passwords.

If each IoT device had a randomized username and password, Mirai might not have happened in the first place. But that is too expensive a process in competitive industries with razor-thin profit margins.

Poor Software Updates

What’s more, many IoT creators don’t even patch or update the software that came on their devices. If a device has a software vulnerability (there is a nearly 100 percent chance that it does), there’s little one can do to prevent an attacker from exploiting it without help from the manufacturer.

Communication Isn’t Encrypted

Other IoT devices lack basic encryption to hide the data sent between the device and the central server. This can potentially expose the user’s personal information, if a malicious hacker can snoop in on his personal information.

Another thing that IoT devices do, is that some of them ask for more permissions than they need to.

One time, numerous Amazon Echo users were surprised to see their device ordering dollhouses after a TV anchor said the phrase, “Alexa ordered me a dollhouse.”

In that case, the device had permission to do a purchase all by itself. Each extra permission in an IoT device adds another vulnerability layer which can be exploited. The fewer permissions, the more secure your device is.

computer spyInsecure User Interface

A device’s user interface is usually the first thing a malicious hacker will look into for any vulnerabilities. For instance, a hacker might try to manipulate the “I forgot my password,” in order to reset it or at least find out your username or email.

A properly designed device should also lock out a user from attempting to login too many times. This stops dictionary and brute force attacks that target passwords, and greatly secures device credentials.

In other cases, the password might be sent from the device to the central server in plain text, meaning it isn’t encrypted. Pretty bad if someone is listening in on the device and reading all of its data.

Poor Privacy Protection

Internet connected devices are data-hungry beasts, but some of them have a greater appetite than others. The less information they have, the better, since it limits how much cybercriminals can learn if they hack devices.

As a rule, try to look into what type of data a device will store. Be critical of those that harvest data they don’t need, such as coffee machines storing location information.

The Main Types of Attacks Against IoT Devices

Smart devices can be hacked in a number of ways, depending on the type of vulnerability the attacker decides to exploit.

Vulnerability Exploitation

Every software has its vulnerabilities. It’s nearly impossible not to. Even Google, with all its resources, hasn’t been able to stamp them out from Chrome.

Depending on the type of vulnerability, you can use them in multiple ways.

  • Buffer overflows. This happens when a device tries to store too much data into a temporary storage space. This excess data then spills over into other parts of the memory space, overwriting it. If malware is hidden in that data, it can end rewriting the code of the device itself.
  • Code injection. By exploiting a vulnerability in the software, the attacker is able to inject code into the device. Most often, this code is malicious in nature, and it can do a multitude of tasks, such as shutting down or taking control of the device.
  • Cross Site Scripting. These work with IoT devices that interact with a Web-based interface. Basically, the attacker infects the legitimate page with malware or malicious code, and then the page itself will infect the IoT device.
[hs] IoT vulnerability exploit

Malware Attacks

The most frequent and well known malware attacks on PCs target a device’s login credentials. But recently, other types of malware such as ransomware have made their way onto IoT devices.

For one, many base their operating system on Android, so the malware is mostly interoperable, requiring only minor modifications.

Smart TVs and other similar gizmos are most exposed to this kind of threat, since users might accidentally click on malicious links or download infected apps.

[hs] Types of iot malware

Password Attacks

Password attacks such as dictionary or brute force target a device’s login information by bombarding it with countless password and username variations until it finds the right one.

Since most people use a simple password these attacks are fairly successful. Not only that, but according to one study, nearly 60 percent of users reuse the same password. So if an attacker gets access to one device, they get access to all devices.

[hs] IoT password attacks

Sniffing / Man-in-the-Middle Attacks

In this attack, a malicious hacker intercepts the Internet traffic that goes into and out of a smart device.

The preferred target is a Wi-Fi router, since it contains all the of the traffic data sent of the network, and can then be used to control each device connected to it, even PCs or smartphones.

[hs] IoT Sniffer attacks

Spoofing

Spoofing works by disguising device A to look like device B. If device B has access to a wireless network, then a disguised device A will trick the router into allowing it on the network. Now that the disguised device A can communicate with the router, it can inject malware into. This malware then spreads to all other devices on the network.

[hs] IoT Spoofing_2

Botnet Enslaving

IoT devices are prime candidates for a botnet. They are both easier to hack, and harder to diagnose if they’re compromised. Once your device is enslaved, it can be used for a wide variety of cybercriminal activities, such as DDoS attacks, sending spam emails, performing click fraud (basically using the enslaved device to click an ad) and Bitcoin mining.

Mirai is the biggest IoT botnet we know about, and it was built on the backs of default passwords and usernames.

[hs] IOT Botnet

Remote Access

Taking control of an IoT device doesn’t sound so menacing at first glance. After all, it’s not as if a malicious hacker could poison you if he hacked your coffee maker.

But things will quickly get serious if the attacker takes control of your car as you’re driving it. This isn’t even hypothetical situation, it’s actually been done, albeit by cybersecurity researchers. In that example, the whitehat hackers were able to hack into the car’s braking system and acceleration.

Some people now use smart locks to secure their homes, but ultimately they’re just software on hardware. At DEF CON 2016 (the biggest “hacker” conference in the world), researchers tested out 16 smart locks and proved how many of them used very simple security features such as plain text passwords. Others were vulnerable to device spoofing or replay attacks.

[hs] Remote acces attack on IoT devices

Data Leakage

Smart devices process a lot of personal information, such as:

  • Medical data
  • Location data
  • Usage patterns
  • Search history
  • Financial information, etc.

Whitehat researchers proved it was able to hack into a smart speaker and analyze data from its sensors to figure out if you are home or not. This would be extremely useful for a burglar seeking empty homes to steal from. In a fairly high profile case, the German government banned a children’s doll because it recorded so much information, it was labeled as a “spying tool.”

Devices which leak information from inside the privacy of your own house are dangerous for a wide variety of reasons. Recordings of sensitive conversations and intimate acts can then be used as blackmail tools against a person or outright publicized to damage a person’s image.

[hs] Types of info

For instance, how would you feel if an intimacy device sent “usage data” to the manufacturer’s central servers?

You’d probably ask ‘Why on Earth did they think it was a good idea to make this Internet-connected?,’ to which we can only say: data hunger.

A more worrying scenario is the possibility of hacking IoT devices used in the healthcare industry. In theory, a cybercriminal could hack a pacemaker or an insulin pump, and then demand a ransom from the victim in order to keep the devices working properly.

When Central Servers Leak Data

Sometimes, companies are the ones that leak information, and not the devices. Such was the case of a teddy bear that spilled recordings from nearly 2 million kids and parents.

This kind of information goes into the company’s cloud. If that’s compromised, chances are each one of its consumers are also hacked.

One major weakness of IoT devices is that is that many of them send data over unsecured ports. In other words, you can actually see the data live, without requiring a password and username. All it takes to view this data is a paid account at Shodan, a search engine for Internet-connected devices.

Why There Isn’t a Uniform Solution to Traffic Filtering

Another possible way to limit the damage caused by IoT devices is to filter out some of the bad traffic sent over the wider Internet.

ISPs could theoretically identify and filter out any malicious traffic they see on their network. But the process wouldn’t be foolproof, and false positives would be a likely possibility.

Another possibility would be for traffic filtering to be applied at a user level. Smart and secure traffic filtering hardware such as Bitdefender Box or Luma Wi-Fi System are making their way onto the market, with more to come. Unfortunately, they are expensive and it remains to be seen if users will consider them as worthwhile investments.

How to Improve Your IoT security

Change your default passwords and usernames.

The Mirai malware is still out there, actively seeking out more IoT devices to enslave into the botnet. Fortunately, it’s a fairly simple malware, and can be easily countered by setting up a strong and secure password and changing your default username.

For the best results, we recommend passwords at least 10 characters long, that have at least one capitalized letter, one normalized one, one number and one special character, such as an "*" or a "&.”

This website helps determine password strength. Also, try to have a different password for each device. That way, if one device gets hacked, the others can be relied on.

Update to the Latest Software

The manufacturers of the best IoT devices release frequent updates to improve functionality and also patch IoT security vulnerabilities. For this reason, try to make sure devices receive these updates whenever they are available.

Unfortunately, not all manufacturers release updates on a regular basis. Many don’t even bother to update them at all, and effectively abandon customers to their own devices (pun intended).

When in the research phase of a purchase, look into the update cycle of the product.

If you can’t find one, and reviewers are openly lamenting the non-existent software updates, then chances are that company wants to cut costs. And frequently, that means cutting costs from customer support as well.

update cycle

This is the update policy for a software called Open Nebula. Not all developers are this thorough in their patching policies, but it is an example of good practice. On a more similar note, here’s a small sample of Microsoft’s update policy for various Windows software versions.

Login Lock Settings

Even strong passwords and custom usernames can be vulnerable to a dictionary or brute force attack. These will bombard a login page with countless password combinations, until it hits the right one.

iPhones for instance, have a setting which locks the PIN authentication after too many attempts. At the 10th attempt, it completely wipes the device.

IoT devices with good built-in security should have a similar option you can use to ensure their login integrity.

Two-Factor Authentication

The IoT has lagged behind other services in implementing two-factor authentication, but recently Nest announced it will roll out two-factor authentication to secure it’s thermostats and smart cameras.

For the time being, most devices don’t have two-factor authentication, but as the industry matures, the feature will become more and more prevalent.

In the meantime, be sure to activate it whenever devices support it.

Physical Weaknesses of IoT Devices

Sometimes, all it takes to infect a PC is to introduce a USB stick in it and let Windows autorun the USB, and by implication the malware.

The same principles apply to smart devices. If it has a USB in it, then all a malicious hacker has to do is to plug it in, wait a bit, and that’s it.

If possible, place devices in such a way so that sticking a USB stick in them isn’t a straight forward process.

Encryption

Most smart devices work by communicating with a central server, Internet network or smartphone. Unfortunately, the information isn’t properly encrypted in most cases. Either the devices are too small to carry a strong processor, or the manufacturer decided to cut costs (including security features).

Whenever available, we strongly recommend you activate the option to encrypt the data it sends and receives.

Create a Second Network

A good way to secure smart devices is to create a separate network for them to communicate in. This network isn’t connected to the Internet, and so there is minimal chance for malware to make its way onto these devices.

This system does come with a set of drawbacks however. If you want to control smart devices from smartphones, you’ll need to switch between Wi-Fi’s to control your IoT network. In this case, device owners either have to learn to how automate everything, or use Z Wave switches to go between networks.

Secure Home Wi-Fi

Wi-Fi routers are one of the first attack points for a malicious hacker. To make sure it is secure, we suggest you do the following:

  • Use strong and secure passwords
  • Change usernames, and make them non-recognizable. Don’t make it easy for an attacker to identify Wi-Fi systems.
  • Set up a firewall to protect Wi-Fi. In most cases, the firewall will be software based, but some routers come with a hardware one pre-installed.
  • Disable guest network access for the wireless network. Here’s a guide to disable this for Linksys routers.

A guest network is a second Wi-Fi created from a router, which limits access to a core network. In theory, it should offer extra security, by isolating guests on the separate network. However, most Wi-Fi routers set up an insecure guest network, which can act as a window to core Wi-Fi.

Here’s a more in-depth guide on how to protect a wireless network from outside intrusion.

Disconnect From the Internet

Devices such as Smart TVs don’t need to be permanently connected to the Internet. By keeping them off the Internet, you can limit the time interval in which a cybercriminal could attempt to break its security.

Read Device Manuals for Security Tips

Most people only use a device’s manual during installation and to figure out how to use it. But manuals often contain a lot of useful tips and tricks that can improve the performance of a device and make it more secure. Take time to go through the manual to see if there’s anything useful in it.

Download Security Applications

Some smart devices such as TVs are powerful enough to run apps. Even simple, free versions of antivirus apps can significantly boost security.

For the best results, we recommend using the paid version of an antivirus app, since it will unlock its full functionality.

Use a Hardware Solution for IoT Network Security

A dedicated security solution for an IoT network can make all the difference between an infected or clean device. There are quite a few security solutions available, even if the market isn’t as developed as it is for desktop or mobile.

Here are some viable software/hardware products, with links explaining how they work.

Summary Checklist

[hs] Keep-my-computer-safe_2017

IoT is one of the biggest technological trends since the smartphone, and promises to be just as impactful. Unfortunately, the promise and opportunity they offer are just as tempting for cybercriminals as they are for regular customers.

On the bright side however, the IoT industry knows its shortcomings, and together with cybersecurity experts and companies are moving forward to improve on their track record.

The post was originally published on Heimdal Security’s website.

Paul Cucu

Paul Cucu is a security evangelist with Heimdal Security of Copenhagen. The team has more than 10 years of experience in cybersecurity, from identifying threats to developing software that can filter and block malware from entering computers, protecting confidential information and keeping intellectual property and data off of hackers’ servers.