Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT/Embedded Security

// // //
12:00 AM
Michal Salát
Michal Salát
News Analysis-Security Now

Can the IoT Be More Secure?

The IoT has lots of insecurity built in – but here are some ways to make it more secure.

In today's digital world, we are literally surrounded by "smart" devices, or Internet of Things (IoT) devices. Making devices smart is a trend to be applauded, but there is one very important thing that is frequently an afterthought: security.

Manufacturers of common things, like toys, furniture, cars and medical devices are "enhancing" their products by adding "smart" features to make them more attractive; even water bottle manufacturers are starting to produce connected bottles. Why does it seem so hard to make them secure -- and why does it even matter?

Why IoT devices are so unsecure
IoT device manufacturers are pressured to produce smart devices and deliver them to market quickly and at an affordable price. This causes them to often neglect security. For example, a toaster manufacturer who may now be producing smart toasters never had to think about securing toasters from hackers before, which is another reason why security is sometimes weak or incomplete.

Moreover, there are no industry requirements that manufacturers have to comply with when it comes to security of smart devices. Instead they are left to create their own proprietary standards for communication, where security is not always a top priority. Smart devices that don't include the basic principles of modern security are therefore shipped out to the world.

How hackable are IoT devices?
Since smart devices lack security, they can be hacked using a wide range of existing methods, from pretty easy ones -- like brute forcing login credentials -- to more sophisticated methods such as using various exploit techniques, or reverse-engineering firmware or operating systems and looking for zero-day vulnerabilities. Services and exploits that can be used to hack IoT devices are sold on the darknet, giving more and more people the power to take control of them.

Hackers are also constantly trying to infiltrate new types of networks and forms of communication used by IoT devices, in order to hack them.

How difficult is it to hack an IoT device?
The simplest way to hack a smart device is to brute-force passwords or try to gain access to a device by using the device's default login credentials. Botnets, which can be rented on the darknet, make this script kiddie-method easy to use to infect thousands of devices at once. Many manufacturers use the same default login credentials for all the devices they produce to save on costs, rather than creating a unique password for each device.

One of the biggest IoT threats of last year was the Mirai botnet, which infected thousands of smart devices, by using default login credentials, to perform massive DDoS attacks. Since Mirai's source code was published, pretty much anyone can run their own IoT botnet or rewrite the code and therefore, many mutations of Mirai have appeared.

Other ways to infect an IoT device are much more complex, expensive to purchase and therefore not as common. Reverse-engineering firmware or an operating system, for example, requires advanced technical knowledge and takes time. Zero-day exploits that take advantage of vulnerabilities cost thousands of dollars.

A recipe for better IoT security
A possible and effective way to dramatically improve IoT security is to give consumers the possibility to easily change the login credentials of their smart devices. To encourage consumers to change their IoT devices' login credentials, manufacturers can, for example, make creating a unique and strong password a mandatory requirement when setting up a device for the first time.

This, of course, cannot be applied to all scenarios, but simply changing default login credentials would greatly reduce the number of "unsecured" devices and make it harder for script kiddies, "wannabe" hackers, and simple search bots to gain access to IoT devices. Alternatively, IoT device manufacturers could give each device a unique and random password and send this along with the devices to their customers.

Issuing software updates to patch vulnerabilities, on the other hand, would help secure smart devices from exploits. Manufacturers currently often use outdated versions of various libraries and operating systems for which plenty of powerful exploits exist, leaving devices vulnerable to attack. There are many devices where it is impossible to update the device's firmware, so if a hacker were to exploit a vulnerability, there would essentially be no other option left than to disconnect the device from the network, permanently, and to replace it with a more secure device.

Securing smart devices will not only protect people's privacy and help prevent DDoS attacks, but can also prevent much worse things from happening. There have been proof-of-concept attacks that show how entire IoT networks can be infected by targeting a single device, such as a light bulb or traffic sensor.

These proof-of-concept attacks demonstrate what a massive problem vulnerable smart devices can be and the damage that can be caused if they are controlled by the wrong people. Imagine hackers controlling traffic flow or turning off lights in an entire city. Smart device manufacturers should collaborate with security experts to ensure a security layer is included in their devices and pen-test their products on a regular basis.

Related posts:

— Michal Salát is the threat intelligence director at Avast, driving research projects to discover security vulnerabilities in computer, mobile and IoT platforms.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
Practical Network Security Approaches for a Multicloud, Hybrid IT World
The report covers areas enterprises should focus on for their multicloud/hybrid cloud security strategy: -increase visibility over the environment -learning cloud-specific skills -relying on established security frameworks -re-architecting the network
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2022-05-09
RARLAB UnRAR before 6.12 on Linux and UNIX allows directory traversal to write to files during an extract (aka unpack) operation, as demonstrated by creating a ~/.ssh/authorized_keys file. NOTE: WinRAR and Android RAR are unaffected.
PUBLISHED: 2022-05-09
In Solana rBPF versions 0.2.26 and 0.2.27 are affected by Incorrect Calculation which is caused by improper implementation of sdiv instruction. This can lead to the wrong execution path, resulting in huge loss in specific cases. For example, the result of a sdiv instruction may decide whether to tra...
PUBLISHED: 2022-05-08
ImageMagick 7.1.0-27 is vulnerable to Buffer Overflow.
PUBLISHED: 2022-05-08
marcador package in PyPI 0.1 through 0.13 included a code-execution backdoor.
PUBLISHED: 2022-05-08
NULL Pointer Dereference in function vim_regexec_string at regexp.c:2729 in GitHub repository vim/vim prior to 8.2.4901. NULL Pointer Dereference in function vim_regexec_string at regexp.c:2729 allows attackers to cause a denial of service (application crash) via a crafted input.