Alan runs a start-up that provides smart home security solutions. Just 8 months into his operations, customers started complaining of exorbitant electricity bills as well as poor performance. Initially, he took them to be one-off incidents, but when the customer support team escalated the issue on priority, he was forced to sit up and take notice. As it was a small team, Alan took it upon himself to investigate the matter.
Tracing the complaints backward from the current date, he was able to pinpoint the week when the number of complaints was 4 times the average. And after that, the number of cases increased slowly but steadily. Further research showed that a device in their latest client's network had been breached.
The attacker had placed crypto mining bots on all the weak devices in that client's network, and these bots were using the devices' processing power to mine cryptocurrencies in the background. Hence the decreased performance and inflated power bills. Through that single vulnerability, the attacker was slowly able to penetrate other clients' networks via the access mechanisms the company used to provide support.
If you feel that attackers using crypto bots on the IoT devices installed in your clients' network is a far-fetched idea, you couldn't be more wrong. The 2019 Ponemon Sullivan Privacy Report revealed that data breaches due to unsecured IoT devices or applications had increased from 15% to 26% in just three years. In the same period, cyberattacks increased from 16% to 24%.
The actual number of data breaches in any organization would be much higher. This is because, for the purpose of surveys, a data breach is defined as an attack that has been confirmed to have accessed sensitive protected data and/or disclosed it to unauthorized persons. This essentially means that breaches that have not been detected do not count.
According to the 2019 Statista report, there will be 38.6 billion IoT devices by 2025. Considering the rapid digitization and IoT adoption by organizations post COVID-19 restrictions, this number is bound to increase. As the number of connected devices increases, the number of security incidents increases proportionately.
What are the IoT security threats
If the experts were asked to point at the single biggest problem with IoT device security, it would be this — device security is the last priority in the development life cycle. With so many things to consider while designing the device — reliability, minimum utilization of resources, wi-fi enablement, low cost, etc. — security is usually added as an afterthought. IoT architecture is multi-layered. Smart devices are at its core but they are only one of the layers.
The architecture also includes edge computing devices that define the communication protocols for connectivity, the cloud where all the data is stored, the analytics layer where all the analysis actually happens, and the business layer where all the collaboration and decision making based on the analytics occurs. IoT system design must include security at all these levels.
Let us look at the threats that arise if even one of these layers is left insecure:
- Devices are shipped with default passwords that are usually very weak.
- Counterfeit IoT devices that can be plugged into any existing IoT network are flooding the market to provide cheaper options to the end-users.
- Users are not aware of security risks.
- Minor IoT attacks are neglected by the managers.
- Homes and offices that are seeing an exponential increase in IoT devices that can be compromised are at maximum risk of physical security breaches as well as financial crimes.
- Hacked healthcare IoT devices can lead to loss of lives.
- Smart vehicles can be hijacked remotely, without the need for hackers to be present physically.
Someone who is not part of the solution is part of the problem. Let us look at the solutions to these problems.
How to ensure IoT security
IoT security must be implemented at multiple levels. The most important task is of course securing the devices that make up the IoT ecosystem. Next comes the communication channels between the devices and then the cloud, where data is stored. As IoT is a relatively new technology, the standard protocol for communication between the devices is still being developed by the formation of IoT alliances.
As an IoT provider, whatever the product or service you offer, you must use the latest and strongest available protocols as per the use case. After the devices and communication channels are secured, data privacy and integrity must be taken care of. And last but not least, all web, mobile and cloud applications built on the IoT network must be completely secure.
Here we discuss some of the ways to take care of multi-layer IoT security:
Use strong, non-default passwords to enhance IoT Security
Saying this seems childish but strong passwords are always the first line of defense against any security threat. But it is also a fact that many organizations continue using the default passwords and thus, launching brute force attacks on such devices becomes just a matter of time.
In 2016, the Mirai botnet brought down US east coast Internet service in a DDoS attack by using a public list of 62 standard passwords to enter open ports on the network. Unfortunately, the lesson does not seem to have been learned because even two years later 15% of IoT devices still used the default password they were shipped with.
Here is what can be easily done to overcome this challenge:
- Hardware manufacturers must stop shipping IoT devices with default passwords. How difficult can it be to communicate the username and password to the customers separately via, say, email? If financial institutions handing out debit and credit cards to their customers can do this securely, surely the hardware manufacturers can too. The system is already in place; it's just a matter of adoption.
- After installation, the user must be forced to change the default password the first time the device is switched on. In smart offices or homes where the device may be accessed by multiple users, continuing with the default password seems intuitive as well as easy. However, it can spell doom for the security of the devices as well as the network.
- Passwords used must be strong and should consist of a combination of numbers, letters, and special characters, however difficult they are to remember. And then again, the users don't need to remember all the passwords; they can simply be noted down in an easily accessible place.
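The forced first-boot password change described above can be sketched as follows. This is an added example, not code from the article: the `Device` class, the sample default list and the 12-character minimum are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import string

# Constructed sample of well-known defaults; a real list would be far longer.
KNOWN_DEFAULTS = {"admin", "password", "12345678", "root"}
MIN_LENGTH = 12  # assumed policy value, not taken from the article

def policy_errors(candidate, factory_password):
    """Return the reasons a candidate password is rejected (empty list = accepted)."""
    errors = []
    if candidate == factory_password or candidate.lower() in KNOWN_DEFAULTS:
        errors.append("factory or well-known default")
    if len(candidate) < MIN_LENGTH:
        errors.append("too short")
    classes = (string.ascii_letters, string.digits, string.punctuation)
    if not all(any(ch in cls for ch in candidate) for cls in classes):
        errors.append("needs letters, digits and special characters")
    return errors

def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class Device:
    def __init__(self, factory_password):
        self._factory = factory_password
        self._salt = self._hash = None
        self.services_enabled = False  # stays off until the default is replaced

    def set_password(self, candidate):
        errors = policy_errors(candidate, self._factory)
        if not errors:
            self._salt = os.urandom(16)
            self._hash = _derive(candidate, self._salt)  # only the salted hash is kept
            self.services_enabled = True
        return errors

    def login(self, password):
        if self._hash is None:
            return False  # the factory credential never opens a session
        return hmac.compare_digest(_derive(password, self._salt), self._hash)
```

Until `set_password` accepts a new credential, the device keeps its services off and rejects every login, so the shipped password is good for exactly one thing: replacing itself.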
Update devices regularly without backdoors to secure IoT devices
Regular updating of devices is essential to push security patches as well as improvements in the software. However, this can prove challenging on two fronts. One, the manufacturers leave a back door open for pushing these updates and security patches, which can be an easy passive attack point for hackers and botnets.
Passive attacks are used by hackers to explore devices and networks to analyze traffic and enumerate vulnerabilities. The data gathered through passive attacks can then be used for the active attack where a user or the network is compromised.
The only way to avoid passive attacks is to close all back doors and push the updates through the users. Which brings us to the second problem. The end users may not update the devices when prompted to do so. This might be because updating requires some device downtime, which they are unwilling to accept.
The way around this could be to ensure updates by configuring routers or apps to apply them during the time when the device is in the least use. All stakeholders must be educated that regular device updates are essential to maintain IoT security so that they do not see them as disruptions.
Educating the end-user
Making the end-users of the IoT ecosystem aware of security issues is an important cog in the wheel of IoT security. They must be educated about the issues that may arise due to the use of default passwords for convenience or counterfeit devices to save a couple of bucks.
As you can surmise from the story we began with, end-users and their devices are the weakest links in the whole IoT network. Attackers know this and try to hack the network and the devices connected to it via them.
These are some ways in which end users can ensure better IoT security:
- Using strong passwords that are tough to crack and keeping them in a notebook rather than using a password manager. Passwords must be changed regularly, maybe even once a month.
- Disabling plug and play features can improve the security of IoT devices because universal plug and play protocols assume that all requests for access come from a trusted source. That is the ideal scenario but, as we all know, not the real one.
- IoT networks must be exclusive to the users within the house and inaccessible for outsiders.
- Devices need to be updated regularly, hence users should not mind facing a small amount of downtime if it is required in order to introduce security updates.
Securing communication channels
All the devices in an IoT ecosystem communicate with each other and with cloud apps or services. It is important to ensure that these communications are completely secure. The ideal scenario would be to encrypt all messages before sending them over the network and to use strong TLS protocols.
Encrypting all the messages may not be possible because not all devices are equipped to do so. To send encrypted messages, devices need a minimum level of processing capability, which drives up their cost. This challenge can be circumvented by putting constrained devices on a different network, whose messages can be encrypted by the router before they are sent over the external network. Putting them on separate networks also makes them less vulnerable to passive attacks.
Communication channels can also be secured by using firewalls, ensuring the physical security of routers and gateways, turning off OS features not in use, using randomly generated OTPs for identification and authorization, etc. You will be surprised to know that many in-house security incidents occur simply because the device was easy to access physically.
Ensuring security compliance
Data storage must always comply with the legal and regulatory frameworks in force where the business is operating or its customers reside. However, this can be resource-intensive in terms of cost, time, and personnel requirements, which leads many organizations to be lax about it. But this wreaks havoc on the overall IoT security. Here are some suggestions for ensuring data privacy:
- The first line of defense against a data breach is redacting or anonymizing sensitive data before it is stored or transmitted. Particularly sensitive information like identification data can also be decoupled from other data generated for greater safety.
- Data that is not required must be disposed of immediately, in a way that it cannot be accessed by anyone in any circumstances.
- Data integrity can be enforced by integrating IoT systems with Blockchain technologies.
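One way to decouple identification data from the rest of a record before storage, as suggested in the first point above. This is an added example, not code from the article: the field names, the sample record and the key are constructed, and a keyed HMAC pseudonym is one assumed technique among several.

```python
import hashlib
import hmac

# Assumed field names for this example; adapt to the actual record schema.
IDENTITY_FIELDS = ("name", "email", "address")

def pseudonym(key: bytes, customer_id: str) -> str:
    """Keyed, one-way identifier: stable per customer, useless without the key."""
    return hmac.new(key, customer_id.encode(), hashlib.sha256).hexdigest()[:32]

def decouple(key: bytes, record: dict):
    """Split one raw record into an identity row and a telemetry row."""
    pid = pseudonym(key, record["customer_id"])
    identity = {f: record[f] for f in IDENTITY_FIELDS if f in record}
    identity["pid"] = pid
    telemetry = {k: v for k, v in record.items()
                 if k not in IDENTITY_FIELDS and k != "customer_id"}
    telemetry["pid"] = pid
    return identity, telemetry

# Constructed sample record and key (a real key comes from a secrets store).
SAMPLE_KEY = b"constructed-demo-key-not-for-production"
SAMPLE = {"customer_id": "C-1001", "name": "A. Example", "email": "a@example.com",
          "device": "lock-07", "event": "door_open", "ts": "2020-06-01T08:15:00Z"}
```

The two rows can live in separate stores with separate access controls; a leak of the telemetry store alone exposes neither the customer id nor the contact details, and deleting the identity row leaves the telemetry unattributable.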
Detecting and managing vulnerabilities
The proverb “Prevention is better than cure” applies fully to IoT security because the cost of security breaches is very high. And despite all efforts at security, right from the design phase, breaches are inevitable. So, it makes sense to be proactive about detecting the vulnerabilities of the IoT system and manage them until a security patch can plug the gap. Some of these steps include:
- Monitoring activity logs and network communications for deviations
- Performing ethical hacking and penetration testing
- Using continuous security intelligence analytics to identify security incidents as soon as possible
- Automating security incident response to minimize loss
- Maintaining device registers to enable isolation of compromised devices and network segments
- Deploying rules engines to automate vulnerability management
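The first and fifth steps above, applied to the kind of background crypto mining described at the start of this article: an added example (not code from the article) that flags devices whose CPU load stays far above their own baseline and looks up the affected network segments in a device register. The telemetry, device names, segments and thresholds are all constructed for illustration.

```python
from statistics import median

# Constructed telemetry: hourly CPU utilisation (%) per device, oldest first.
TELEMETRY = {
    "cam-01": [12, 15, 11, 14, 13, 12, 16, 13, 14, 12, 15, 13],
    "lock-07": [5, 6, 5, 7, 6, 5, 6, 5, 88, 91, 93, 90],
    "thermo-3": [20, 22, 19, 60, 21, 20, 23, 21, 22, 20, 21, 22],
}
# Constructed device register: device id -> network segment.
REGISTER = {"cam-01": "vlan10", "lock-07": "vlan20", "thermo-3": "vlan10"}

def deviates(samples, recent=4, k=6.0, floor=5.0):
    """True if all of the last `recent` samples sit above the device's baseline.

    The baseline is the median of the earlier samples; the allowed spread is
    k times their median absolute deviation, with a minimum of `floor` points.
    Median-based statistics keep a single past spike from moving the baseline.
    """
    history, window = samples[:-recent], samples[-recent:]
    base = median(history)
    mad = median(abs(s - base) for s in history)
    threshold = base + max(k * mad, floor)
    return all(s > threshold for s in window)

def triage(telemetry, register):
    """Return (flagged devices, network segments to isolate), both sorted."""
    flagged = sorted(d for d, s in telemetry.items() if deviates(s))
    segments = sorted({register[d] for d in flagged})
    return flagged, segments
```

On the sample data only `lock-07` is flagged: its load jumps and stays high, whereas the one-hour spike on `thermo-3` neither shifts its baseline nor counts as a sustained deviation.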
How TechAhead ensures IoT security
For the IoT experts at TechAhead, security is not an afterthought or last-minute addition to the solution architecture. We take a security-by-design approach to IoT development. We understand that neglecting IoT security to decrease costs in the short term may lead to security breaches that prove expensive in the long run.
Some of the ways in which our experts incorporate security in all IoT projects include:
- Building secure web and mobile apps
- Ensuring security compliance as per client policies
- Designing IoT networks separate from other networks
- Using unique strong passwords for IoT devices
- Minimizing the use of universal plug and play protocols
- Testing hardware devices for backdoor openings
A data breach is an attack that has been confirmed to have accessed sensitive protected data and/or disclosed it to unauthorized persons. Data breach instances have increased from 15% to 26% between 2016 and 2019. Owing to better Internet penetration, the number of connected devices is increasing every day and will be reaching 38.6 billion by 2025.
This has led to a proportionate increase in security incidents. Internet of things security challenges arise from the use of default or weak passwords, insecure devices, ports and applications, and undetected vulnerabilities.
These are some of the ways in which security threats can be minimized:
- Changing default passwords and using strong ones
- Updating devices regularly
- Educating the end-user about the importance of IoT security
- Securing communication channels between the devices and cloud
- Ensuring security compliance
- Detecting and managing vulnerabilities proactively