IOT by the Numbers
According to statistica the number of devices connected in the IoT in 2018 will be 23 billion.
A factor contributing to this boom has been demand from consumers, who seem to love purchasing new devices with ‘never knew I needed this’functionality. It’s also been boosted by the rush of companies eager to meet this perceived demand—cars, fridges, lighting, home security and even industrial machines. If you can name it, there’s a good chance there’s a ‘smart’ version on the market today.
The Insecurity of the Internet of Things
The issue with so many of these devices on the market is that each has a relatively short life span. This usually means there is little to no plan for support or upgrades once the device comes off the assembly line. Once purchased, these IoT devices are rarely updated, whether that is for compatibility or security. Of course, this creates potential vulnerabilities in every network with an IoT device, whether at home or at work.
Too often the manufacturers creating these devices are working within a very tight profit margin, so the focus is on making a product as cheap as possible. This effort to keep production costs down is why many of these companies only consider security as an afterthought. The result is that many of these devices leave the assembly floor with hundreds of exploits waiting to be found.
This issue is increased when these devices are placed in a corporate environment. Securing common devices is mostly completed through a patch management lifecycle. These tasks include: maintaining current knowledge of available patches, deciding which patches to apply for which systems and when, testing the patches to ensure there are no issues causing business disruption. Unfortunately for IoT devices, the manufacturer is unable to supply patches and businesses are unable to take of advantage of their patch management lifecycles.
As IoT was initially consumer focused security wasn’t the primary concern, and that trend followed into the Industrial IoT. The distributed nature of the Industrial IoT makes it open to many security threats, as the pervasiveness allows any interruption in the network to affect systems over large distances. This becomes extremely difficult to remediate over a distributed network because of different stakeholders controlling different devices and the nature of coordinating patching.
Encryption is also a weakness for the IoT, even if the algorithm is strong, the implementation may be insecure, such as sending the shared keys in clear text; as an exposed decryption key can render an IoT device vulnerable to attack. Many IoT devices are lower powered and thus can only use ‘lower level’ algorithms that do not require as much processing power.
Hacking Internet of Things devices
Penetration testers are given a wide range of protocols and applications to attack IoT devices. The threat surface is quite large thanks to the network, the applications, firmware, encryption and hardware that are all related to the IoT device. Architectures (such as ARM, MIPs, Power PC etc.) as well as different communication protocols like ZigBee, Software Defined Radio (SDN), and Near Field Communication (NFC) provide many different avenues to evaluate and potentially exploit.
Distributed Denial of Service attacks (DDoS) are one of the most popular methods of exploiting IoT devices. DDoS attacks aim to take websites, servers and other internet connected devices offline by overloading the victim’s device with too much network traffic for it to process.
The most famous DDoS attack that made headlines is the infamous Mirai botnet attack; Mirai is malware that targets networked devices running Linux. Each system it controls can then be used as part of a DDoS attack. To spread the Mirai malware, attackers targeted web cameras and other IoT devices. One of the exploits used was an SSH vulnerability over a decade old, something which could and should have been fixed with a patch. Mirai became a worldwide issue as a result IoT manufacturer’s consistent disregard for security.
Another notable attack on IoT is that Medical Devices were targeted for the first time in 2017 with ransomware. The Ransomware was WannaCry, an advanced and extremely widespread ransomworm. WannaCry was estimated to have affected more than 300,000 devices according to Wikipedia. This was not unexpected, as many hospitals do not have the money or funding to update their devices, many are also running Windows XP and other legacy systems. Security Researchers have been identifying numerous vulnerabilities in Medical IoT devices—such as pacemakers—for a while now.
However, criminals do not discriminate on who or what they attack, whether it is a hospital as in the WannaCry instance, or attacking banks. Security needs to be considered for every device that can be accessed remotely. The future does not look bright for IoT devices. Secure IoT devices do not seem to exist.