We are living in a connected world, where nearly all devices are becoming connected. The internet of things (IoT) is coming up in a big way and with amazing opportunities – but it also brings serious security threats. IoT connects physical devices, so the hacking of IoT devices has the potential to cost human lives. Now is the time to measure and plan for IoT vulnerabilities and their prevention. The following are some of the biggest IoT security concerns. (For more on IoT security, see 10 Steps to Strengthen Your IoT Security.)
Practically speaking, this refers to vulnerabilities that may exist in network systems thereby allowing hackers to again access. This is one major concern, as the intruders get access to the connected devices through the network. Further implications can be access to unauthorized and potentially confidential data that can then be used for other crimes.
Certain problems that can lead to an unsecured network are open ports (like with Universal Plug and Play (UPnP)), User Datagram Protocol (UDP) services that are exploitable, buffer overflow, denial of service (DoS), network device fuzzing, etc. However, there are countermeasures to such problems, including:
- Only making necessary ports available
- Protecting services from buffer overflow and fuzzy attacks
- Protecting services from DoS attacks for devices in the local or other networks
- Not leaving network ports open to UPnP
Unsecured open ends like open ports, USB connectors, mobile charging points, etc., are also responsible for injecting malware into IoT devices. Physical tampering of devices allows an attacker to disassemble a device and gain access to storage media and data present on that medium. Furthermore, if such a device is used for maintenance or configurations of certain control systems, access in the wrong hands can wreak havoc.
Again, though, adoption of certain measures can help in prevention of physical tampering. For example, data storage should be encrypted and further made difficult to remove. Another option is to make sure only necessary external ports required for product function be allowed access. Limitation on administrative capabilities of the device can also be a counter against physical tampering. Furthermore, keeping equipment in a secure location which allows access only to authorized personnel can cut down on risk.
Weak Web Interface
Web interfaces are used to interact with IoT devices. While this demands simplicity for user interaction, if it is not secured there is every possibility of it being hacked. Certain issues that can certainly lead to an attacker gaining unauthorized access to a device include weak default credentials, exposure of credentials in network traffic, session management, cross-site scripting (XSS), SQL injection, etc.
Countering these issues can be done in several ways. The change of default usernames and passwords must be forced during initial setups. Methods that are used for password recovery must be robust enough to not allow information leakage. Passwords must also have a policy that allows a setup of strong pass codes. Additionally, they must not be exposed in network traffic. Development of interfaces must be done in a manner such that they aren’t susceptible to XSS and SQL injection. Also, account lockouts on a specified number of failed attempts can be used.
Outdated Protocols and System Updates
Some smart devices may be using outdated protocols and may not have been updated regularly. This is a weak point and the device can be hacked easily. The very idea behind updates from a developer are to fix bugs and vulnerabilities in the system over time. However, using un-updated software largely defeats the purpose. In fact, many smart systems that are used to control electronic items like refrigerators, air conditioners, etc., can easily fall prey to lack of software updates. Hence, the only way to be sure that system vulnerabilities are patched is via regular updates.
Also, the use of outdated protocols can increase risk and is of serious concern. One example of such a protocol is the Session Initiation Protocol (SIP).
Data and Device Encryption
Sometimes smart IoT devices are not encrypted properly. This is largely prevalent amongst local networks and also over the internet to a large extent. Transmitted data, without encryption, is basically there amongst traffic for easy interpretation. Very often, data remains unencrypted or is vulnerable because of poor implementation of SSL/TLS. Such data, in the wrong hands, leads to compromise, tampering, and modification of data. Thus, the way to prevent this is to make use of SSL/TLS with proper implementation. The use of industry standard encryption processes can also aid in better data safety during storage or transmission. (To learn more about IoT safety, see The Key Risks Associated With IoT - And How to Mitigate Them.)
Systems that are known to enjoy complete autonomy are often an easy target for hackers. Since these systems seldom require human intervention in their operations, they are difficult to track and also pose immense risk. For example, think of a self-driving car that can be hacked to ignore speed limits. The results clearly can be disastrous. There are at least ten known ways to attack neural networks, which happens to be the base for the working of autonomous systems. One such example is a black box attack, where inputs can be sent to an unknown system and information derived from collecting the outputs.
The only way to outdo such attacks would be to develop more layered and complex systems so that they are more difficult to interpret and hack. Also, human intervention from time to time can help in patching flaws and guarding against such attacks.
Dubious makers of devices as well as hackers can often track you stealthily via your use of smart devices. Such concerns are raised due to the collection of personal data that can be looked into using automated tools. These tools can then identify specific patterns that represent sensitive data.
To counter this, the use of devices that come from well-known companies can potentially be a solution to such an issue. Another way to ensure safety is to see that only data required for the functioning of the device is being accessed or a limit can be set as to what extent data may be collected. Data encryption is also a protective stance to keep collected data safely and prevent misuse.
IoT is here to stay and will become even larger in the coming years. Therefore, despite the vulnerabilities that exist in IoT systems and devices, the sole idea is to be cautious and controlled so that security issues are properly addressed.