Security Vulnerabilities with the Internet of Things can be Disastrous

Aryan Jha
Oct 9, 2022

The internet of things (IoT) is a technology that is used by almost everyone. It was predicted that there would be 18 billion IoT devices in the world, which is almost 3 devices per person. They can handle all kinds of data, from your heart rate to a live feed of your house. Even though we know that anything that handles this much data should have secure communication, that is not the case.

What is IoT?

IoT uses sensors to collect data and uses that to communicate with other devices. An example is a smart home. A smart home has a smart thermostat, which uses sensors to detect the temperature in the house, and turns on or off the air conditioning or heating system until the temperature reaches what it should be. The thermostat could communicate with the smart blinds to close them when it is too hot. The smart blinds could communicate with the smart light switches to turn the switches on when the blinds are closed, and vice versa. As you can see, there are many ways that a smart home system can stay connected, all using the power of IoT.

Why is Security Important?

IoT devices handle lots of data and communication. A hacker who gets into a device can not only access all the data it has generated in the past, but can also intercept data sent from other devices on the same network, and even send their own altered data.

This might not seem like a huge problem when you think about smart thermostats. However, there are examples of IoT security compromises resulting in large amounts of data being stolen. In an American casino in 2017, attackers were able to hack into a smart fish tank using its thermostat. They used this seemingly irrelevant vulnerability to get access to the casino’s database, which they stole huge amounts of data from. This data could contain user financial information, which could be very bad if accessed by a bad actor.

Imagine if a security camera inside your home was hacked. The attacker would have a live video feed of your house, where they could overhear conversations revealing important personal information, or they could find out the times you aren’t home to conduct a robbery. Having a Google Nest IoT device connected to your Google Account can allow attackers access to all the data stored on your account, including passwords.

Another reason why someone might want to hack your IoT devices is to create a botnet for a Distributed Denial-of-Service (DDoS) attack. This would use the IoT devices to overwhelm the target with internet traffic. This might not affect the owner of the IoT device, but the person or company being attacked could face huge problems. The more devices in the botnet, the worse the attack becomes for the victim.

What are the current vulnerabilities and how can they be fixed?

IoT device manufacturers may use outdated components with security vulnerabilities that have already been discovered. Hackers who know these vulnerabilities, and know that the devices won’t get updated, can exploit them.

Possibly the easiest vulnerability to exploit (but also the easiest to fix) is devices using weak or even hardcoded passwords. Weak passwords (like 1234, password, etc.) are very easy for attackers to brute force, which gives them easy access to the device. Brute forcing is not as efficient for the attackers as the other methods. Hardcoded passwords (passwords stored in the source code) are even worse. Since users usually don’t bother to change the password, once the hacker knows the default password, they can attack an extremely large number of devices. This is much easier to execute.

Both of these vulnerabilities have simple solutions. To fix the hardcoded/weak password issue, all you need to do is make the user set a password with a minimum security level. The issue of outdated components can be fixed by the manufacturers maintaining security updates on the devices, kind of like what Microsoft is doing with Windows 7. They can also notify the user about these vulnerabilities, and give them a free or discounted upgrade if they trade the old device in.
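One way a device could enforce this at first setup, as an added example that is not from the original article or any real product: the `Device` class, the 12-character minimum, the weak-password list and the sample serial are all assumptions made for the illustration.

```python
import hashlib
import hmac
import os

# Constructed sample of well-known weak passwords; a real device would ship a larger list.
COMMON_PASSWORDS = {"1234", "12345678", "password", "admin", "qwerty123", "letmein"}
MIN_LENGTH = 12  # assumed policy value, not taken from the article


def password_problems(candidate, factory_default, serial):
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    lowered = candidate.lower()
    if len(candidate) < MIN_LENGTH:
        problems.append("too short")
    if lowered in COMMON_PASSWORDS:
        problems.append("commonly used password")
    if hmac.compare_digest(candidate.encode(), factory_default.encode()):
        problems.append("same as factory default")
    if serial.lower() in lowered:
        problems.append("contains device serial")
    if len(set(candidate)) < 5:
        problems.append("too few distinct characters")
    return problems


class Device:
    """Hypothetical device that refuses remote logins until the owner sets a password."""

    def __init__(self, factory_default, serial):
        self.factory_default, self.serial = factory_default, serial
        self.salt = self.stored_hash = None  # nothing provisioned yet

    def set_password(self, candidate):
        problems = password_problems(candidate, self.factory_default, self.serial)
        if not problems:
            self.salt = os.urandom(16)
            # Store a salted, slow hash instead of the password itself.
            self.stored_hash = hashlib.pbkdf2_hmac("sha256", candidate.encode(), self.salt, 200_000)
        return problems

    def login(self, attempt):
        if self.stored_hash is None:
            return False  # unprovisioned: the factory default never works remotely
        digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(), self.salt, 200_000)
        return hmac.compare_digest(digest, self.stored_hash)
```

Because the factory default is never accepted as a login credential, knowing one device's default password gives no access to the others.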

However, this next one can’t be solved as easily due to the power of social engineering. The communication between the cloud server and a device (like between a security camera and a server in the cloud that allows you to watch the footage back without having to store it on the camera itself) is usually . The communication between devices is usually encrypted, so it usually is not that efficient for an attacker to try to hack an individual home network. However, an attacker could try and forge a digital certificate to basically pretend that they are either the server or the device (a Man In The Middle attack). They can do this in many ways, like by pretending they need a new certificate because of a technical limitation, or because they forgot the old one. If they attacked the server, they can intercept communications between every device connected to that server, which allows them access to many more devices. They could also attack the device, which would be easier, but wouldn’t allow them as much data.

Though rare, this has happened, with attackers posing as companies like Microsoft, Mozilla, and others in the 2000s. Even though those compromises weren’t used to intercept data being sent between IoT devices, and even though they were eventually caught, the damage that could be caused if this attack were carried out today would be unimaginable. While the social engineering attempts might not work against big certificate authority companies, it could be much more easily carried out against small companies that don’t give their employees proper security training.

This can also allow the hackers to upload their own custom firmware. These updates could introduce a vulnerability on purpose, which they could easily exploit. Just like the other vulnerabilities, they could sit there and do nothing, long after they have already gained access. This can allow the hackers to perform the attack unexpectedly.

What is being done?

It is hard to combat social engineering. Companies have tried using in-house PKI (Public Key Infrastructure) management to make sure that they know exactly who has access to their certificate. However, as the company grows, this becomes much harder as more certificates need to be issued and more customer service problems need to be solved. This makes it hard for any company to keep its PKI management in-house and run by humans.

Automated PKI management fixes all of these problems. It has all the advantages of in-house PKI management, with basically none of the disadvantages. Certificates have a life and death, and need to follow specific rules. These parameters make it much easier for it to be automated. It also allows all the certificates to be immediately replaced within seconds once a breach has been detected. It can also adapt to changing requirements for the certificates immediately.
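The rule-driven lifecycle described above can be sketched as a small planner. This is an added example, not code from the article or from any PKI product; the `Cert` and `Policy` types, the renewal threshold, and the inventory of device names, issuers and dates are all constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Cert:
    device: str
    issuer: str
    key_bits: int
    not_before: datetime
    not_after: datetime


@dataclass
class Policy:
    min_key_bits: int = 2048        # assumed requirement
    renew_fraction: float = 1 / 3   # renew when under a third of the lifetime remains


def plan(certs, policy, now, breached_issuers=frozenset()):
    """Map each device to the action an automated manager would take, with the reason."""
    actions = {}
    for c in certs:
        lifetime = c.not_after - c.not_before
        remaining = c.not_after - now
        if c.issuer in breached_issuers:
            actions[c.device] = ("replace", "issuer compromised")
        elif now >= c.not_after:
            actions[c.device] = ("replace", "expired")
        elif c.key_bits < policy.min_key_bits:
            actions[c.device] = ("replace", "key below policy minimum")
        elif remaining < lifetime * policy.renew_fraction:
            actions[c.device] = ("renew", "nearing expiry")
        else:
            actions[c.device] = ("keep", "valid")
    return actions


# Constructed inventory: device names, issuers and dates are made up for the example.
NOW = datetime(2022, 10, 9)
INVENTORY = [
    Cert("camera-01", "ca-a", 2048, NOW - timedelta(days=30), NOW + timedelta(days=60)),
    Cert("thermostat-01", "ca-a", 2048, NOW - timedelta(days=80), NOW + timedelta(days=10)),
    Cert("blinds-01", "ca-b", 1024, NOW - timedelta(days=10), NOW + timedelta(days=80)),
    Cert("switch-01", "ca-b", 2048, NOW - timedelta(days=100), NOW - timedelta(days=10)),
]
```

Calling `plan(INVENTORY, Policy(), NOW, breached_issuers={"ca-a"})` marks every certificate from the breached issuer for replacement in one pass, and raising `min_key_bits` does the same for certificates that no longer meet the requirement.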

Internet of Things, like many other emerging technologies, can be a double-edged sword. It can bring lots of benefits, like making our lives more convenient by removing the need for people to be physically present to press a light switch. However, if strong enough security standards, like automated PKI management, are not developed, then it can be just another method in a hacker’s toolkit.
