IoT devices are now an essential part of consumers, organizations, and government operations. The Internet of Things is growing popular, and there are lots of new products launching every day in the market. Everyone just started to see the benefits of these devices because of increased efficiency, automation, and making things cost-effective.

However, IoT devices which are not secure by design can increase the security vulnerability. Attackers can leverage any vulnerability in IoT devices for their benefit.

Smart devices are collectors of data, including personal information (your name, age, health data, location, and more). It can store information on the device or send it to the remote server in the cloud.  Every connected device can add another privacy concern, especially since most of them connect to your Smartphone. Attackers can get access to this device and can steal your identity and cause privacy violations.

You can perform many actions on your Smartphone like checking feed from the home security cameras, lock or unlock a door, adjust lighting or temperature, pre-heat the oven, or turn off a TV.  But the more functionality you add to your Smartphone, the more information you store in the device. It could make a Smartphone and anything connected to them vulnerable to a multitude of different types of attacks.

Management and communication of IoT devices

IoT devices need to keep updating their internal software and interaction with other devices. Every IoT device needs to connect to a management device, known as a command and control (C&C) center. C&C is doing software maintenance, configurations, firmware updates to patch bugs and vulnerabilities, as well as the provisioning and authentication of tasks, such as device enrollment.

Interaction between devices happens via the application program interface (API). Other applications or devices can use this smart device’s API to gather data and communicate. Some APIs even allow control over devices.

What did security researchers find while testing the security of IoT devices?

Do you think your smart device is secure then let’s have a look at some smart devices and see how hackers can exploit the security weakness of these devices –

Smart padlock: This is a Bluetooth enabled device and can be accessed using fingerprint. This lock also had an app to control and configure it. In 2018 some researchers found below security vulnerability –

  • The lock was using a Bluetooth low-energy (BLE) MAC address for device identification. Broadcast of this happens publicly across the network, so all a hacker needed to unlock the device was the BLE MAC address.
  • The app was communicating using HTTP means there was no transport encryption. It was a significant security flaw.

iKettle: Researchers found that after doing a factory reset, it was exposing the Wi-Fi password, and the default password for it was in the manual itself. So any hacker can easily steal your Wi-Fi password and can get access to all your information.

Smart Toys: Smart toys interact with kids by listening to them and providing them responses by searching appropriate information for a database on the cloud. These smart toys also store it’s owner’s data so they can offer a more personalized response to them. This device contains a speaker, microphone, and Bluetooth. Any hacker can connect to this toy via Bluetooth and can talk to your kid and make them vulnerable to life-threatening.

Wireless security camera: Smart wireless cameras are coming with lots of features like image sensors and connectivity options. They can do face recognition, read vehicle number plates, and notice human behavior. It makes them a perfect choice for personal and commercial use. If the feed that these cameras are providing via the internet is not encrypted, then a hacker can get access to this can use it for his benefit.

Smart Thermostat control: It can change temperature smartly.  Attackers can get access to these can increase the heat, which will result in increased power demand, which can bring down the power grid.

The smart controller in Vehicle: Attacker can hack the intelligent controller of your vehicle and make it not to start till you pay a ransom.

IoT Security Threats

Command and Control centers and APIs effectively manage day-to-day IoT operations. That said, their centralized nature creates many exploitable weak spots, including:

Outdated software: Often, devices run on outdated software, leaving them open to newly discovered security vulnerabilities.

Weak authentication: Manufacturers often release IoT devices (e.g., home routers) containing easily predictable passwords that might be hardcoded by vendors or users. When remote access is open, these devices become an easy victim for attackers running automated scripts for bulk exploitation. The product should not have a default or hardcoded password.

Vulnerable APIs: As a gateway to a C&C center, APIs are a frequent target by many threats like Man in the Middle (MITM), code injections (e.g., SQLI), and distributed denial of service (DDoS) assaults.

Vulnerable Connected Devices: Once an unsecured device is running in-network, it becomes an attractive target for attackers to:

  • Disclose content stored or transmitted by the device.
  • Use the device’s trusted status to gain access to other connected systems in the network.
  • Take control of the device for other illegal activities.

What security measures users can seek for IoT?

IoT device users should abide by below underlying security best practices –

Device Firmware updates: Device should be able to upgrade the firmware and should be able to check if it is downloading the legitimate updates or not. If a device does not have auto-update functionality, then check the device manufacturer’s website for firmware updates. Upgrade your router firmware too.

Separate Network for IoT devices: Create different VPNs for IoT devices so that the impact of an attack will be minimum.

Strong Device Authentication: Each IoT device can have a unique cryptographically-based identity for authentication when a connection happens to a gateway or central server. With this unique ID in place, you can track each device throughout its lifecycle, communicate securely with it, and prevent it from executing malicious processes. If a device exhibits unexpected behavior, you can revoke its privileges.

Strong Passwords: Use unique and strong passwords for device accounts, Wi-Fi networks, and connected devices. Don’t use common words that are easy to guess, such as “password” or “123456.”

App downloads: Always read the data privacy policy of the apps you use. You need to know how they plan on using your information and more. What data the device or application wants to access? If the app’s functionality does not need it, then deny permission.

Do researches before you buy: Smart devices collect a lot of data. You should know about types of data these devices collect, how it’s stored, and protected if it is going to be available to third parties. Read reviews about the device.

What security measures manufacturers and vendors can take?

 Manufacturers of IoT devices are trying to make cheap and fast delivery to market, so security is the last thing on their list. Manufacturers should action and invest in IoT security management tools so that their brand name does not get affected via security attacks.

Security Testing and penetration test: Experts should perform this testing before launch.

User Notification: They should notify the user about the new security patches or version upgrade for devices.

Enable smart password management: It mandates default password changes on first use. Each user should get a unique key for the product instead of the default for all devices.

Disable Remote access and debug Interfaces: They should disabling remote access to a device by default. The only essential function should be allowed. Do not keep “debug interfaces” open by default. It leaves a back door entry for attackers.

Access Control for APIs: The introduction of a strict access control policy for APIs should happen.

Command and control center security: The Addition of security measures for protecting against compromise attempts and DDoS attacks. All web interfaces provided for IoT devices should be safe and should be free of any security vulnerability like SQL injection or cross-site scripting.

Privacy and Encryption: No personal data, including a Wi-Fi password, will be readily accessible if a hacker gets access to the device. The device should use encryption to store data. All communication between the IoT device and the user should be encrypted.