Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT/Embedded Security

10/19/2017
12:00 AM
Michal Salát
Michal Salát
News Analysis-Security Now
50%
50%

Can the IoT Be More Secure?

The IoT has lots of insecurity built in – but here are some ways to make it more secure.

In today's digital world, we are literally surrounded by "smart" devices, or Internet of Things (IoT) devices. Making devices smart is a trend to be applauded, but there is one very important thing that is frequently an afterthought: security.

Manufacturers of common things, like toys, furniture, cars and medical devices are "enhancing" their products by adding "smart" features to make them more attractive; even water bottle manufacturers are starting to produce connected bottles. Why does it seem so hard to make them secure -- and why does it even matter?

Why IoT devices are so unsecure
IoT device manufacturers are pressured to produce smart devices and deliver them to market quickly and at an affordable price. This causes them to often neglect security. For example, a toaster manufacturer who may now be producing smart toasters never had to think about securing toasters from hackers before, which is another reason why security is sometimes weak or incomplete.

Moreover, there are no industry requirements that manufacturers have to comply with when it comes to security of smart devices. Instead they are left to create their own proprietary standards for communication, where security is not always a top priority. Smart devices that don't include the basic principles of modern security are therefore shipped out to the world.

How hackable are IoT devices?
Since smart devices lack security, they can be hacked using a wide range of existing methods, from pretty easy ones -- like brute forcing login credentials -- to more sophisticated methods such as using various exploit techniques, or reverse-engineering firmware or operating systems and looking for zero-day vulnerabilities. Services and exploits that can be used to hack IoT devices are sold on the darknet, giving more and more people the power to take control of them.

Hackers are also constantly trying to infiltrate new types of networks and forms of communication used by IoT devices, in order to hack them.

How difficult is it to hack an IoT device?
The simplest way to hack a smart device is to brute-force passwords or try to gain access to a device by using the device's default login credentials. Botnets, which can be rented on the darknet, make this script kiddie-method easy to use to infect thousands of devices at once. Many manufacturers use the same default login credentials for all the devices they produce to save on costs, rather than creating a unique password for each device.

One of the biggest IoT threats of last year was the Mirai botnet, which infected thousands of smart devices, by using default login credentials, to perform massive DDoS attacks. Since Mirai's source code was published, pretty much anyone can run their own IoT botnet or rewrite the code and therefore, many mutations of Mirai have appeared.

Other ways to infect an IoT device are much more complex, expensive to purchase and therefore not as common. Reverse-engineering firmware or an operating system, for example, requires advanced technical knowledge and takes time. Zero-day exploits that take advantage of vulnerabilities cost thousands of dollars.

A recipe for better IoT security
A possible and effective way to dramatically improve IoT security is to give consumers the possibility to easily change the login credentials of their smart devices. To encourage consumers to change their IoT devices' login credentials, manufacturers can, for example, make creating a unique and strong password a mandatory requirement when setting up a device for the first time.

This, of course, cannot be applied to all scenarios, but simply changing default login credentials would greatly reduce the number of "unsecured" devices and make it harder for script kiddies, "wannabe" hackers, and simple search bots to gain access to IoT devices. Alternatively, IoT device manufacturers could give each device a unique and random password and send this along with the devices to their customers.

Issuing software updates to patch vulnerabilities, on the other hand, would help secure smart devices from exploits. Manufacturers currently often use outdated versions of various libraries and operating systems for which plenty of powerful exploits exist, leaving devices vulnerable to attack. There are many devices where it is impossible to update the device's firmware, so if a hacker were to exploit a vulnerability, there would essentially be no other option left than to disconnect the device from the network, permanently, and to replace it with a more secure device.

Securing smart devices will not only protect people's privacy and help prevent DDoS attacks, but can also prevent much worse things from happening. There have been proof-of-concept attacks that show how entire IoT networks can be infected by targeting a single device, such as a light bulb or traffic sensor.

These proof-of-concept attacks demonstrate what a massive problem vulnerable smart devices can be and the damage that can be caused if they are controlled by the wrong people. Imagine hackers controlling traffic flow or turning off lights in an entire city. Smart device manufacturers should collaborate with security experts to ensure a security layer is included in their devices and pen-test their products on a regular basis.

Related posts:

— Michal Salát is the threat intelligence director at Avast, driving research projects to discover security vulnerabilities in computer, mobile and IoT platforms.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/6/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internet—and What Your Organization Can Do About It
The Threat from the Internet—and What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5595
PUBLISHED: 2020-07-07
TCP/IP function included in the firmware of Mitsubishi Electric GOT2000 series (CoreOS with version -Y and earlier installed in GT27 Model, GT25 Model, and GT23 Model) contains a buffer overflow vulnerability, which may allow a remote attacker to stop the network functions of the products or execute...
CVE-2020-5596
PUBLISHED: 2020-07-07
TCP/IP function included in the firmware of Mitsubishi Electric GOT2000 series (CoreOS with version -Y and earlier installed in GT27 Model, GT25 Model, and GT23 Model) does not properly manage sessions, which may allow a remote attacker to stop the network functions of the products or execute a mali...
CVE-2020-5597
PUBLISHED: 2020-07-07
TCP/IP function included in the firmware of Mitsubishi Electric GOT2000 series (CoreOS with version -Y and earlier installed in GT27 Model, GT25 Model, and GT23 Model) contains a null pointer dereference vulnerability, which may allow a remote attacker to stop the network functions of the products o...
CVE-2020-5598
PUBLISHED: 2020-07-07
TCP/IP function included in the firmware of Mitsubishi Electric GOT2000 series (CoreOS with version -Y and earlier installed in GT27 Model, GT25 Model, and GT23 Model) contains an improper access control vulnerability, which may which may allow a remote attacker tobypass access restriction and stop ...
CVE-2020-5599
PUBLISHED: 2020-07-07
TCP/IP function included in the firmware of Mitsubishi Electric GOT2000 series (CoreOS with version -Y and earlier installed in GT27 Model, GT25 Model, and GT23 Model) contains an improper neutralization of argument delimiters in a command ('Argument Injection') vulnerability, which may allow a remo...