IoT Security

IoT devices that are commonly hacked. Source: Help Net Security 2019.
IoT devices that are commonly hacked. Source: Help Net Security 2019.

The Internet of Things brings together not just computers but also sensors, cameras and controllers that are connected to vehicles, medical devices, power grids, nuclear plants, and many more critical infrastructure. Securing IoT is therefore a big concern since an attack can be life threatening. An insecure IoT system leads to lower safety, privacy and availability.

Since the mid-2010s, researchers have analyzed IoT systems to identify potential vulnerabilities and possible solutions for the same. Given IoT's large attack surface, better security can be achieved only by securing all parts of the system: from devices to apps, from APIs to network endpoints.

In 2018, Gartner reported that 40% of smart home appliances are in use for botnet attacks. In 2021, 84% of surveyed companies reported an IoT security breach. Clearly, there's much work to be done.

Discussion

  • What are some potential attacks in various IoT verticals?
    Potential attacks in various IoT use cases or verticals. Source: Adapted from Cucu 2017.
    Potential attacks in various IoT use cases or verticals. Source: Adapted from Cucu 2017.

    IoT systems can be hacked regardless of the vertical in which they operate. Consumer appliances, industrial facilities, connected cars, drones, video surveillance systems, power grids and utilities, smart buildings, city infrastructure and transportation systems, medical devices and hospitals, and retail stores are some examples of what can be attacked. We describe a few of these.

    In a connected home, an attacker can see sensitive data sent from a wearable, perform illegal video surveillance, profile individuals, gain control over door locks and sensors, or render appliances inoperable.

    With connected and semi-autonomous cars, hackers can remotely steal vehicles. They can also gain control of a vehicle when it's on a freeway.

    In industrial systems, PLCs and SCADA systems could be targeted. This can halt critical operations, cause accidents or install spyware. Attacks on critical infrastructure such as nuclear power plants can be catastrophic. In one experiment, a software-enabled gun was configured to prevent firing or miss its target.

    In hospitals, patient data could be stolen. Interfering with the operation of a pacemaker or changing dosage can cause death.

  • Could you mention some real-world attacks on IoT devices and systems?

    Researchers have studied vulnerabilities and possible exploits on IoT devices and systems. Some of these include St. Jude Medical's cardiac implants, Owlet Wi-Fi baby heart monitors, TRENDnet webcams, and Jeep SUVs. Ignoring these research findings, we focus on real-world attacks instead.

    In October 2016, Dyn servers experienced a DDoS attack by the Mirai botnet, affecting many commercial websites. Mirai made use of digital cameras and DVR players. The attack involved 100,000 malicious endpoints resulting in an attack strength of 1.2Tbps.

    Stuxnet (botnet) attacked industrial systems back in 2010. . In 2015, 230,000 people were without power in Western Ukraine when an electrical power grid was attacked. In 2021, an attack on the water supply to Oldsmar, Florida changed the level of sodium hydroxide. Fortunately, operators spotted the change and took corrective action.

    Ring doorbells come with a mobile app. In January 2020, the app was reported to leak personally identifiable information to third parties. In December 2020, we came to know of attacks on Ring smart cameras. Hackers could speak to their victims "screaming obscenities, demanding ransoms, and threatening murder and sexual assault."

  • What are the common security vulnerabilities in IoT?

    We note the following vulnerabilities:

    • Weak, guessable, or hardcoded passwords: Dictionary and brute force attacks can exploit this vulnerability. Devices many also have unchangeable credentials and firmware backdoors.
    • Insecure network services: Connected devices may have ports open or services running that aren't required.
    • Insecure ecosystem interfaces: Outside the device, there's an ecosystem of interfaces, APIs, gateways, cloud services and mobile apps. Any of these can be compromised.
    • Lack of secure update mechanism: Updates are risky if done without firmware validation, payload is unencrypted, there's no rollback or notifications. In many cases, vendors don't patch the firmware even for known vulnerabilities.
    • Use of insecure or outdated components: Third-party components are commonly used in today's systems. Software and hardware supply chains could be compromised.
    • Insufficient privacy protection: Personal information is stored insecurely or used improperly.
    • Insecure data transfer and storage: Data is not encrypted during storage, transmission or processing.
    • Lack of device management: This concerns asset management, update management, secure decommissioning, monitoring and response.
    • Insecure default settings: Factory settings are often insecure or even disallow changes to more secure settings.
    • Lack of physical hardening: Devices are hacked in close proximity, thereby enabling remote hacking.
  • Could you elaborate on the different types of IoT security attacks?
    Different types of attacks on IoT systems. Source: Atlam and Wills 2020, fig. 4.
    Different types of attacks on IoT systems. Source: Atlam and Wills 2020, fig. 4.

    IoT attacks can be broadly classified by the layer in which they occur:

    • Physical Attacks: Concern hardware elements and happen in close proximity to the device. Device tampering, physical damage, or draining battery via sleep deprivation are examples.
    • Software Attacks: Buffer overflows, code injection and cross-site scripting are typical techniques. A hacker typically scans for vulnerable devices, infects them, and then steals data or makes devices inoperable.
    • Network Attacks: Can attack remotely via network connections. Sinkhole attack discard packets rather than forwarding them. Man-in-the-middle attack is often employed to attack Wi-Fi routers. Spoofing is another technique in which a malicious devices presents itself as an authenticated one.
    • Encryption Attacks: Even when data is encrypted, side-channel and cryptanalysis attacks are techniques to figure out encryption keys.

    Ultimately, IoT's attack surface is large. An attack can happen on an end device such as a connected thermostat, on its wireless network, on the network's access point, on the ISP gateway or an app that's communicating with the thermostat.

  • Could you share some best practices for better IoT security?
    IoT security best practices involve people, processes and technologies. Source: ENISA 2019, fig. 8.
    IoT security best practices involve people, processes and technologies. Source: ENISA 2019, fig. 8.

    Many of the best practices can be directly derived from the common IoT security vulnerabilities. Security is an end-to-end concern and devices, network, APIs, cloud services and apps — all need to be secured.

    Network endpoints and interfaces should be secured with firewalls, anti-malware, and intrusion prevention and detection systems. For authenticating users and devices, use two-factor authentication, biometrics, Public Key Infrastructure (PKI) and X.509 digital certificates. Data should be encrypted along with mature key lifecycle management. Analytics must be specialized for IoT security with a plan to recover from attacks. Minimize device bandwidth.

    Security by Design is an approach to factor in security at the start of an IoT project. Device IDs and credentials can be embedded during manufacturing. This may be called the Root-of-Trust (RoT) from which other keys and credentials are generated. Micron's Authenta is an example of securing flash memory, thus "hardening" the device against attacks.

    Systems should be designed with countermeasures against Simple Power Analysis (SPA) and Differential Power Analysis (DPA) that exploit emissions from semiconductor devices.

  • What are some challenges in securing IoT systems?

    One challenge with securing IoT is the sheer number and variety of devices, in their billions. The IoT ecosystem is complex and consists of sensor devices, network nodes, many communication protocols, and regulations. If an attack should occur, it's also not clear who should be held accountable: equipment vendor, system integrator, service provider, or the user.

    Businesses are rushing to implement or adopt IoT-enabled data collection and analytics. They're doing this without considering security. When new ventures fail, their devices are abandoned without support or security updates. Even otherwise, many consumers have never done updates on their devices. Worse still, many devices don't even have a user interface to perform updates.

    Many IoT devices are designed to be cheap and disposable, wearables in particular. IoT devices have constraints on processing, storage, battery and communication. As a result, vendors prioritize cost and efficiency over security. One way to mitigate risks is for communication service providers (CSPs) to "harden" their networks in a device-independent manner.

Milestones

Jun
2010

The Stuxnet worm is discovered. It targeted Microsoft Windows systems and a Windows-based Siemens software used in industrial control systems. One of attacked sites was an uranium enrichment plant in Iran. In subsequent years, more related worms and spyware such as Duqu, Flame, and Gauss are discovered. Given their sophistication, security researchers believe that these are state-sponsored.

Sep
2014

Security expert David Jacoby of Kaspersky Lab tries to hack into his own home's electronics devices and consumer appliances. He discovers a number of vulnerabilities. He's able to easily get into his smart TV, game console and storage devices. At the Security Analyst Summit (Feb 2015), other researchers explain how they could hack into police surveillance systems, car washes and fitness bands.

Oct
2016
How the Mirai botnet propagates. Source: Ling et al. 2018, fig. 6.
How the Mirai botnet propagates. Source: Ling et al. 2018, fig. 6.

Mirai botnet launches DDoS attack on Dyn servers, affecting many commercial websites. Digital cameras and DVR players are used for this attack. It becomes the largest such attack to date. The process involves scanning for vulnerable devices, reporting them to the ScanListen server, installing Mirai, registering the malware with the Command and Control (C&C) server, and executing attack commands initiated by a botmaster.

2017
Status of technologies critical to IoT security. Source: Blyler 2017, fig. 1.
Status of technologies critical to IoT security. Source: Blyler 2017, fig. 1.

Forrester Research looks at a number of critical technologies that contribute to more secure IoT systems. All of them are still in the survival or growth stages. Some of these relate to network security, API security, authentication, device hardening, threat detection and device user privacy controls.

Dec
2018
OWASP list of top 10 IoT vulnerabilities. Source: Adapted from Echeverría et al. 2021, table 13.
OWASP list of top 10 IoT vulnerabilities. Source: Adapted from Echeverría et al. 2021, table 13.

OWASP releases a list of top 10 IoT vulnerabilities. This is an initiative of The OWASP Internet of Things Project that was started in 2014. The research community subsequently uses this list to evaluate the security of IoT systems.

Nov
2019

Recognizing the threat to IoT systems, the European Union Agency for Cybersecurity (ENISA) publishes a report describing best practices for IoT security with an emphasis of Software Development Life Cycle (SDLC). This report is meant for IoT developers, integrators and system engineers.

Aug
2020

Under the ioXt Alliance Certification Program, about a dozen IoT devices become the first devices to be certified from a security standpoint. Certified devices include Google Pixel 4, Silicon Labs xG22 for Bluetooth connectivity, and T-Mobile home internet gateway. The Alliance launched the certification program in April 2020 and it aims to establish a global standard for IoT security. The certification program is based on ioXt Pledge but includes device-specific profiles such as Android-enabled devices and smart speakers.

References

  1. Alladi, Tejasvi, Vinay Chamola, Biplab Sikdar, and Kim-Kwang Raymond Choo. 2020. "Consumer IoT: Security Vulnerability Case Studies and Solutions." IEEE Consumer Electronics Magazine, vol. 9, no. 2, pp. 17-25, February 3. doi: 10.1109/MCE.2019.2953740. Accessed 2021-06-21.
  2. Atlam, Hany F. and Gary Wills. 2020. "IoT Security, Privacy, Safety and Ethics." In: Farsi M., Daneshkhah A., Hosseinian-Far A., Jahankhani H. (eds), Digital Twin Technologies and Smart Cities, Internet of Things (Technology, Communications and Computing), Springer, Cham., pp. 123-149. doi: 10.1007/978-3-030-18732-3_8. Accessed 2021-06-21.
  3. Atoui, Roland. 2018. "The Importance of Security by Design for IoT Devices." IIoT, April 25. Accessed 2021-06-21.
  4. BBC. 2020. "Ring doorbell 'gives Facebook and Google user data'." BBC, January 28. Accessed 2021-06-21.
  5. Blyler, John. 2017. "8 Critical IoT Security Technologies." Electronic Design, August 11. Accessed 2021-06-21.
  6. Buntz, Brian. 2016. "The 10 Most Vulnerable IoT Security Targets." IoT World Today, July 27. Accessed 2021-06-21.
  7. Chakray. 2019. "10 security problems of the IOT." Chakray, February 25. Updated 2020-08-14. Accessed 2021-06-21.
  8. Cucu, Paul. 2017. "IoT Security: All You Need to Know and Apply." Blog, Heimdal Security, March 30. Accessed 2021-06-21.
  9. Drozhzhin, Alex. 2015. "Internet of Crappy Things." Blog, Kaspersky Lab, February 19. Accessed 2021-06-21.
  10. Dunlap, Terry. 2020. "The 5 Worst Examples of IoT Hacking and Vulnerabilities in Recorded History." IoT For All, June 20. Accessed 2021-06-21.
  11. Echeverría, Aarón, Cristhian Cevallos, Ivan Ortiz-Garces, and Roberto O. Andrade. 2021. "Cybersecurity Model Based on Hardening for Secure Internet of Things Implementation." Applied Sciences, vol. 11, no. 7, 3260. Accessed 2021-06-21.
  12. ENISA. 2019. "Good Practices for Security of IoT - Secure Software Development Lifecycle." European Union Agency for Cybersecurity (ENISA), November. Accessed 2021-06-22.
  13. Fisher, Dennis. 2014. "David Jacoby on Hacking His Home." Threatpost, September 24. Accessed 2021-06-21.
  14. Fretty, Peter. 2021. "Water Supply Cyber Breach Thwarted." IndustryWeek, February 9. Accessed 2021-06-21.
  15. Hajdarbegovic, Nermin. 2015. "Are We Creating An Insecure Internet of Things (IoT)? Security Challenges and Concerns." Toptal, March 3. Accessed 2021-06-21.
  16. Help Net Security. 2019. "Smart home security devices most at risk in IoT-targeted cyber attacks." Help Net Security, June 13. Accessed 2021-06-21.
  17. IEEE. 2017. "Internet of Things (IoT) Security Best Practices." White paper, IEEE, May. Accessed 2021-06-21.
  18. ioXt Alliance. 2020. "ioXt Alliance Newsletter." Q1, ioXt Alliance. Accessed 2021-06-25.
  19. Katz, Hagay. 2019. "IoT Cybersecurity Challenges and Solutions." Blog, Allot, January 8. Accessed 2021-06-22.
  20. Kushner, David. 2013. "The Real Story of Stuxnet." IEEE Spectrum, February 26. Accessed 2021-06-21.
  21. Light Reading. 2020. "ioXt Alliance reveals first wave of certified devices." Light Reading, August 11. Accessed 2021-06-25.
  22. Ling, Zhen, Kaizheng Liu, Yiling Xu, Chao Gao, Yier Jin, Cliff Zou, Xinwen Fu, and Wei Zhao. 2018. "IoT Security: An End-to-End View and Case Study." arXiv, v1, May 15. Accessed 2021-06-21.
  23. Micron. 2021. "10 Ways to Secure the Intelligent Edge on IoT and 5G." Micron. Accessed 2021-06-21.
  24. Minetor, Randi. 2016. "IoT and Security: What does it mean for the water industry." WaterWorld, October 1. Accessed 2021-06-21.
  25. Mossayebi, Shahram. 2021. "An Economical Approach to Creating Unforgeable Identities and Secure Connectivity in IoT Systems." ELE Times, April 4. Accessed 2021-06-21.
  26. Murray, Sarah. 2018. "When fridges attack: why hackers could target the grid." Financial Times, October 17. Accessed 2021-06-21.
  27. Nwazor, Toby. 2018. "IoT Security Challenges and 5 Effective Ways to Handle Them." DZone, November 15. Accessed 2021-06-21.
  28. OWASP. 2018. "Internet of Things (IoT) Top 10 2018." OWASP, December. Accessed 2021-06-21.
  29. Paul, Kari. 2020. "Dozens sue Amazon's Ring after camera hack leads to threats and racial slurs." The Guardian, December 23. Accessed 2021-06-21.
  30. Perficient Latin America. 2018. "The Different Types of IoT Security Attacks." Perficient Latin America, July 15. Accessed 2021-06-21.
  31. Rapyder. 2019. "Top 10 IoT Security Solutions for the Most Common IoT Security Issues." Blog, Rapyder, May 2. Accessed 2021-06-21.
  32. Rouffineau, Thibaut. 2017. "Three flaws at the heart of IoT security." Blog, Ubuntu, March 20. Accessed 2021-06-22.
  33. Tanaka, Shinsuke, Kenzaburo Fujishima, Nodoka Mimura, Tetsuya Ohashi, and Mayuko Tanaka. 2016. "IoT System Security Issues and Solution Approaches." Hitachi Review, vol. 65, no. 8. Accessed 2021-06-21.
  34. Thales Group. 2021. "How to Make Internet of Things Solutions Secure by Design." Thales Group. Accessed 2021-06-21.
  35. Thales Group. 2021b. "IoT security issues in 2021: A business perspective." Thales Group, April 9. Updated 2021-04-25. Accessed 2021-06-21.
  36. Vanwell, Jo. 2021. "IoT Security Breaches: 4 Real-World Examples." Blog, Conosco, January 28. Accessed 2021-06-21.
  37. Wave Computing. 2021. "Security in IoT devices." Blog, Wave Computing. Accessed 2021-06-21.
  38. Woolf, Nicky. 2016. "DDoS attack that disrupted internet was largest of its kind in history, experts say." The Guardian, October 26. Accessed 2021-06-21.

Further Reading

  1. Ling, Zhen, Kaizheng Liu, Yiling Xu, Chao Gao, Yier Jin, Cliff Zou, Xinwen Fu, and Wei Zhao. 2018. "IoT Security: An End-to-End View and Case Study." arXiv, v1, May 15. Accessed 2021-06-21.
  2. Wurm, Jacob, Khoa Hoang, Orlando Arias, Ahmad-Reza Sadeghi, and Yier Jin. 2016. "Security Analysis on Consumer and Industrial IoT Devices." 21st Asia and South Pacific Design Automation Conference (ASP-DAC), January 25-28. doi: 10.1109/ASPDAC.2016.7428064. Accessed 2021-06-21.
  3. Costin, Andrei, and Jonas Zaddach. 2018. "IoT Malware: Comprehensive Survey, Analysis Framework and Case Studies." Presented at Black Hat USA, August 9. Accessed 2021-06-21.
  4. GSMA. 2019. "IoT Security Guidelines for IoT Service Ecosystems." Version 2.1, GSMA, March 31. Accessed 2021-06-21.
  5. IEEE. 2017. "Internet of Things (IoT) Security Best Practices." White paper, IEEE, May. Accessed 2021-06-21.
  6. Byrne, Joseph, Ravi Malhotra, and Geoff Waters. 2017. "IoT Security—Silicon, Software, Manufacturing and Everything In Between." White paper, NXP. Accessed 2021-06-21.

Article Stats

Author-wise Stats for Article Edits

Author
No. of Edits
No. of Chats
DevCoins
7
0
1212
1735
Words
0
Likes
2538
Hits

Cite As

Devopedia. 2021. "IoT Security." Version 7, June 25. Accessed 2021-09-09. https://devopedia.org/iot-security
Contributed by
1 author


Last updated on
2021-06-25 11:09:12
  • IoT Security Model
  • System-on-Chip Security
  • Network Security
  • Cloud Security
  • API Security
  • Power Management for IoT Devices