Understanding the Internet of Things Security Vulnerabilities and Challenges

Robert McIntosh

Internet of Things (IoT) devices utilize internet connectivity with embedded technology that allows them to be controlled remotely through computer interfaces, giving rise to security vulnerabilities and challenges. With little to no serious consideration given to security protection in this industry, security breaches of such devices have reached headline heights. Risk assessment and protection for companies and your home are critical.

It’s the dawn of a new era for a set of networking protocols known as universal plug and play (UPnP) and Internet of Things plug and play.

Wikipedia describes the Internet of Things (IoT) as “the network of devices, vehicles, and home appliances that contain electronics, software, actuators, and connectivity which allows these things to connect, interact and exchange data.”

In a Forbes article on merging IoT and blockchain, Imad Labbadi, a leading expert on IoT security and CEO of VeCap states, “There is insufficient protection. Several devices from well-known companies and other vendors have serious breaches in their security systems: insufficient encryption, weak authentication requirements—for example, auto-login, possibility of external connections via VPN. All it takes is one unprotected device to compromise the security of your smart system or smart home. Hackers only need to find that one breaking point to bring down the whole network.”

Security Breaches in Unthinkable Places

Cybercriminals earlier this year hacked a casino by accessing an underwater Internet-connected thermostat located in the lobby aquarium. The cyber breach allowed backdoor access to the casino’s network and ultimately resulted in the breach of their high-roller gambler database. The story went viral and sent chills up and down the spines of those of us in the corporate IT cybersecurity world.

These devices are showing up more frequently in commercial business as well as at home. The following is a partial list of IoT devices that can be security risks. Unfortunately, this list is continually growing, as it seems many manufacturers are sacrificing security for functionality.

IoT Security

A Gartner report last year pointed out the fact that IoT security has “its own unique contexts specific to the vertical.” The fact that there are no universal protocols has resulted in fragmented approaches to security with no true end-to-end secure solution.

Web interfaces built into many IoT devices allow users access to various functions. One of the most alluring features of the technology also opens the door to cyber criminals seeking unauthorized access to the device. Cross-site scripting (XSS), weak credential input, SQL injection, and user enumeration are a few weak points to consider when assessing specific security vulnerabilities.

Ransomware has spawned a new industry of cybercrime in the IoT space as well and has even made “cybercrime as a service” an actuality. According to an article on security intelligence from IBM, potential hackers with little to no experience have rented ransomware and ransomware delivery systems, causing an unprecedented rise in attacks. Hackers have developed creative ways to hijack IoT devices and demand a ransom, typically in the form of bitcoin. What’s the lowest hanging fruit here? Many devices expose the passwords embedded in the configuration files.

Ransomware May Affect IoT Devices

The now-famous WannaCry ransomware, which affected over 55 traffic cameras in Victoria, Australia, disrupted the British National Health Service along with several other organizations in May of last year, according to an article in The Guardian. The aggressive attack, thought to be the largest ransomware attack in history, affected over 200,000 systems worldwide and continues to remain a threat. The Microsoft Server Message Block (SMB) v 1.0 protocol was targeted. Microsoft released a patch for supported operating systems, but older legacy systems remained vulnerable. In the wake of the attack, Microsoft released an emergency patch for unsupported operating systems. Although this was not a direct IoT hardware threat, the potential is there to affect and infect all devices with a user interface.

IoT Devices Used in DDoS Attacks

In October of 2016, the Mirai IoT botnet attack disrupted much of the Internet on the U.S. Coast with a large-scale distributed denial of service (DDoS) attack. Without going into too much detail, a botnet is simply a network of compromised computers connected via the Internet and used for malicious purposes. The bots form a network controlled by a third party who then transmits malware or spam or launches some form of attack. Mirai specifically targeted the unprotected IoT devices by finding a “back door” opening within the Telnet ports. They then used a combination of known default passwords to hijack devices and form an army of cameras and routers. At its peak, Mirai infected over 600,000 vulnerable IoT devices. The Mirai code was released into the wilds of the Internet and is available for anyone to try their hand at it. Any smart Internet-connected device is at risk.

Crypto-mining Bogs Down Network Speeds

Crypto-mining experienced an 8,500 percent jump in 2018, according to the Internet Security Report released by Symantec earlier this year. Because of the simple code, threat detection tools often are ineffective. The code consumes the central processing unit (CPU), bogs down the network, consumes resources, and increases energy costs. The same report cited a 600% increase in attacks against IoT devices, with 21% originating from China.

Nicole Eagan, CEO of the cyber security company Darktrace, states, “There’s a lot of IoT. It expands the attack surface and most of this isn’t covered by traditional defenses.”

Simple IoT Security Measures

Stephen Nardone, Director of the Security Practice at Connection, is a leader in the field of IT security risks, frameworks, assessment, strategy, and compliance. Stephen has been a CTO/CSO for the Commonwealth of Massachusetts and has developed security strategies for various government and private sector organizations. With more than three decades in the field, Stephen understands that cyber threats and cyber attacks are part of today’s technology reality. It’s not a matter of if, but when the breach will happen. “Prepare for ‘the when,’” is one of his standard mantras.

Stephen recommends some very basic strategies to offer some protection from IoT cyber intruders:

  • Connection assessment: The first line of defense is common sense. Consider what you’re connecting to your network and understand that, with IoT standards and protocols, security blind spots are inevitable. Only connect devices you need and only if secured end-to-end.
  • Change passwords: Many plug-and-play IoT devices are set up with open, default, or no passwords. Set a password, and change it often. Remember, the Mirai attack targeted default passwords.
  • Purchase known technology: Stay away from knock-offs, unknown names, and unproven devices.
  • Install patches and update firmware: Many security issues are due to end users ignoring the latest patches and firmware updates. Cybercriminals target missing patches. Reputable companies are on the cutting edge of security and offer managed patching strategies to avoid cyber penetration.
  • User awareness training: Training employees and learning of all the potential threats is the first course of action. The old saying “knowledge is power” goes a long way. Password and patch management, purchasing decisions, how things are connected to your network, and, of course, social engineering are key awareness training areas.
  • Data protection: Ensure that all users know their role in the oversight of protecting critical data at rest, data in process, and data in motion. Take the time to identify and classify your sensitive data.
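
The first four measures can be checked mechanically against a device inventory. The following is an added example, not part of the original article: it flags devices that are not needed, expose Telnet, still use default or no passwords, or run stale firmware, and lists first the Telnet-plus-default-password pairing that Mirai relied on. The inventory records, the 180-day firmware policy, and the inclusion of port 2323 are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date

TELNET_PORTS = {23, 2323}     # 23 is standard Telnet; 2323 as an alternate is an assumption
WEAK_PASSWORD_STATES = {"default", "none"}
MAX_FIRMWARE_AGE_DAYS = 180   # assumed patch policy, not a figure from the article

@dataclass
class Device:
    name: str
    open_ports: set
    password_state: str       # "default", "none" or "changed"
    firmware_date: date
    needed: bool = True

def mirai_style_exposure(dev):
    """Telnet reachable and a default or missing password: the pairing Mirai relied on."""
    return bool(dev.open_ports & TELNET_PORTS) and dev.password_state in WEAK_PASSWORD_STATES

def audit(dev, today):
    """Return the list of findings for one inventory record."""
    findings = []
    if not dev.needed:
        findings.append("connection: device not required, disconnect it")
    if dev.open_ports & TELNET_PORTS:
        findings.append("telnet: remote login port is open")
    if dev.password_state in WEAK_PASSWORD_STATES:
        findings.append(f"password: {dev.password_state} credentials in use")
    age = (today - dev.firmware_date).days
    if age > MAX_FIRMWARE_AGE_DAYS:
        findings.append(f"firmware: last updated {age} days ago")
    return findings

def report(inventory, today):
    """Devices with findings, Mirai-style exposures first."""
    rows = [(d.name, mirai_style_exposure(d), audit(d, today)) for d in inventory]
    rows = [r for r in rows if r[2]]
    return sorted(rows, key=lambda r: (not r[1], r[0]))

# Constructed sample inventory (names, ports and dates are made up).
INVENTORY = [
    Device("parking-camera", {443}, "changed", date(2024, 5, 1)),
    Device("breakroom-tv", {2323}, "changed", date(2024, 4, 1), needed=False),
    Device("lobby-thermostat", {23, 80}, "default", date(2023, 1, 15)),
]

if __name__ == "__main__":
    for name, critical, findings in report(INVENTORY, date(2024, 6, 1)):
        print("CRITICAL" if critical else "review  ", name, findings)
```

In practice the inventory would come from an asset database or an authorized scan export of your own network rather than a hard-coded list.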

What’s Your Weakest Network Security Link?

Supply chain attacks focus on the weakest link within a company’s or home’s supply chain. Combine that with the fact that there are currently over 9 billion IoT devices, with an estimated 20 billion to be online by 2020, forming a vast network reaching ever further into every aspect of our lives, and you have a recipe for a new type of cyber threat. Gartner continues to place IoT security technologies as one of the fastest growing industries in security as the cybercrime threat landscape continues to evolve.

IoT and Blockchain May One Day Work Together

Imagine your network of smart devices working in harmony under limited human interaction and secured by an un-hackable blockchain. The current problems prevalent with both technologies may one day combine to form a new super network. Two emerging technologies, currently limited and restricted separately, could work together in a partnership and form a new break-out technology. IoT, AI, and blockchain working in tandem will eventually give rise to a new industry of IoT platforms that utilize data gathered from IoT device interaction, all secured by distributed ledger technology (DLT). The UK government released a report titled “Beyond Block Chain” a few years ago on the advantages of DLT and its usefulness in the public sector.

Connection offers a security assessment service to see where you may be exposed through our security risk management program strategy. Wired and wireless penetration testing with the right tools will identify weak areas. We’ll work with you to help uncover these areas of vulnerability and discuss possible solutions and implementation processes to determine the best course of action. Please don’t wait until it’s too late… prepare your organization for cyber attacks now.

Rob McIntosh is Connection's Director of Segment Marketing, partnering with segment leadership to translate business goals and priorities into a strategy and plan directly impacting revenue, gross profit, and market share. Rob has nearly 3 decades of marketing and sales experience, navigating businesses to scale through effective planning, communications, CRM management, and go-to-market strategy and execution. Since joining Connection in 2018, he has stood up the Connection Podcast Station, launched an e-Sports program, and redefined enablement throughout the organization by leading with insight, focusing on impact, and driving sales with more complex solution selling. As a CNXN Helix Center for Applied AI and Robotics member, Rob leads the brand and go-to-market strategy for the practice.