Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

1/8/2019
02:30 PM
Jason Haddix
Jason Haddix
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Your Life Is the Attack Surface: The Risks of IoT

To protect yourself, you must know where you're vulnerable - and these tips can help.

Today, there are more connected devices than humans. The unprecedented growth of connected devices has created innumerable new threats for organizations, manufacturers, and consumers, while at the same time creating opportunities for hackers. The world has seen the risks of this firsthand: Internet of Things (IoT) devices now constitute the largest-scale botnets, able to take down major websites like Twitter, GitHub, and the PlayStation Network. The many ways a hacker could access this data is apparent and quite disconcerting. The first step to protecting yourself is knowing where you're vulnerable.

Connected Devices as the Fastest-Growing Attack Surface
A growing number of households now have an IoT hub — be it Echo or Google Home — a device that takes the place of or attaches to your wireless router and has permissions to do things on your behalf. One of the most immediate security concerns comes with this permission. If your device is set up to purchase things on your behalf, there is nothing to stop someone else within the microphone's listening range, even on your TV or radio, from commanding "Alexa" to buy something for you.

This issue extends to other personal devices as well. For home security cameras, it might be backing up or storing video images. For health tracking devices, it's personal health data such as heart rate, pulse, diet, etc. An Internet-connected stuffed animal was recently found to have exposed more than 2 million voice recordings of children and parents, as well as e-mail addresses and password data for more than 800,000 accounts. In other words, this seemingly innocuous data is highly personal on the individual level and therefore a great risk to individual security.

The Role of Policy and Defenders
Thus far, IoT has gone unregulated and largely unsecured, and given the rapid growth of IoT devices it's no surprise that these devices represent a major and growing threat — and a major opportunity for adversaries. The sheer number and types of the devices being networked and connected to cloud interfaces and on-the-Internet APIs is one the greatest challenges in security today. Each device has its own set of technologies, and thus its own set of security vulnerabilities. Additionally, some of these industries have never dealt with Internet-facing devices before, and their development staff is just not trained in the ways of web application security. High pressure, low awareness, and the absence of a governing body to police the market has resulted in an increase in attacks on these devices. That's why it's becoming imperative to implement global security standards.

Before the industry really starts inking policy, however, we'll continue to rely on hackers to identify vulnerabilities and ultimately improve the way the industry addresses potential risks. This group will be essential for improving the security maturity of the market and ensuring the implementation of security controls for IoT devices, such as toys, thermostats, and even smart cars, which provides a fascinating breeding ground for best practices.

How to Prevent Cyberattacks
There is a lot of work to do for manufacturers, policymakers, researchers, legislators, and companies that are releasing IoT devices, identifying risks, and creating regulations. And unfortunately, IoT extends far beyond household gadgets. From your car to your pacemaker and your Fitbit, any device that connects to the Internet is a potential attack surface.

While the broader security industry addresses these issues, how can you personally prevent cyberattacks in your own digital life?

  • Research your device before purchase: For any device you're considering buying that's connected to the Internet, determine whether the vendor is paying attention to security. Does it have security notes online? Has it had any security research directed at it before, and if so, has it responded well to that research? Use the answers to make a decision about which device to purchase. Amazon reviews and Better Business Bureau reports can be great indicators here.
  • Use strong Wi-Fi encryption: Securing your Wi-Fi at home goes beyond plugging it in and setting a password. The choices for encryption standards typically can be found on vendors' websites, so if you're unsure, it's a good idea to do some due diligence before choosing one. Implementing the most advanced encryption that your router can support (usually called WPA) is the difference between offering someone easy access to your home network and being secure.
  • Check the device for additional security configurations: While updating the device regularly will help avoid unnecessary breaches, it's also a good idea to ensure additional security configurations are in place if available. To find these, log in to the control panel of the device. In the settings section, there will often be additional controls. They can be cumbersome to set up but useful to keep you secure.
  • Disable features not being used: These features will vary by device, but an example would be your laptop's webcam, which could be a threat if it's not disabled or obscured, especially in light of numerous well-documented attacks. Being aware of all enabled features is a great way as a consumer to protect yourself against IoT hacks and malicious actors accessing your personal devices on your network or other places you use devices.

The Future of IoT Security
From the takedown of Dyn to the distributed denial-of-service attack on Brian Krebs' website, the industry has learned some major lessons around IoT security in the past few years. This is causing standards to be created that will help reduce risks. However, change takes time. IoT security is in the standards phase right now, which means that legislators haven't yet prescribed specific policies around what security devices need to have in place for manufacturers to ship them. Given this, consumers must take personal action and be aware of the risks.

Related Content:

 

Jason is the head of trust and security at Bugcrowd. Jason works with clients and security researchers to create high value, sustainable, and impactful bug bounty programs. He also works with Bugcrowd to improve the security industry's relations with researchers. Jason's ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
MeeraSK
100%
0%
MeeraSK,
User Rank: Apprentice
2/20/2019 | 10:22:06 AM
Do connected home appliances really fall under IoTs ?
 

Please check on iiot-world website about the definition of IoT and IIoT. Couldn't share a link because of the current restriction.
News
FluBot Malware's Rapid Spread May Soon Hit US Phones
Kelly Sheridan, Staff Editor, Dark Reading,  4/28/2021
Slideshows
7 Modern-Day Cybersecurity Realities
Steve Zurier, Contributing Writer,  4/30/2021
Commentary
How to Secure Employees' Home Wi-Fi Networks
Bert Kashyap, CEO and Co-Founder at SecureW2,  4/28/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-31755
PUBLISHED: 2021-05-07
An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /goform/setmac allows attackers to execute arbitrary code on the system via a crafted post request.
CVE-2021-31756
PUBLISHED: 2021-05-07
An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /gofrom/setwanType allows attackers to execute arbitrary code on the system via a crafted post request. This occurs when input vector controlled by malicious attack get copie...
CVE-2021-31757
PUBLISHED: 2021-05-07
An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /goform/setVLAN allows attackers to execute arbitrary code on the system via a crafted post request.
CVE-2021-31758
PUBLISHED: 2021-05-07
An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /goform/setportList allows attackers to execute arbitrary code on the system via a crafted post request.
CVE-2021-31458
PUBLISHED: 2021-05-07
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 10.1.1.37576. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handlin...