Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT/Embedded Security

// // //
12:00 AM
Michal Salát
Michal Salát
News Analysis-Security Now

Can the IoT Be More Secure?

The IoT has lots of insecurity built in – but here are some ways to make it more secure.

In today's digital world, we are literally surrounded by "smart" devices, or Internet of Things (IoT) devices. Making devices smart is a trend to be applauded, but there is one very important thing that is frequently an afterthought: security.

Manufacturers of common things, like toys, furniture, cars and medical devices are "enhancing" their products by adding "smart" features to make them more attractive; even water bottle manufacturers are starting to produce connected bottles. Why does it seem so hard to make them secure -- and why does it even matter?

Why IoT devices are so unsecure
IoT device manufacturers are pressured to produce smart devices and deliver them to market quickly and at an affordable price. This causes them to often neglect security. For example, a toaster manufacturer who may now be producing smart toasters never had to think about securing toasters from hackers before, which is another reason why security is sometimes weak or incomplete.

Moreover, there are no industry requirements that manufacturers have to comply with when it comes to security of smart devices. Instead they are left to create their own proprietary standards for communication, where security is not always a top priority. Smart devices that don't include the basic principles of modern security are therefore shipped out to the world.

How hackable are IoT devices?
Since smart devices lack security, they can be hacked using a wide range of existing methods, from pretty easy ones -- like brute forcing login credentials -- to more sophisticated methods such as using various exploit techniques, or reverse-engineering firmware or operating systems and looking for zero-day vulnerabilities. Services and exploits that can be used to hack IoT devices are sold on the darknet, giving more and more people the power to take control of them.

Hackers are also constantly trying to infiltrate new types of networks and forms of communication used by IoT devices, in order to hack them.

How difficult is it to hack an IoT device?
The simplest way to hack a smart device is to brute-force passwords or try to gain access to a device by using the device's default login credentials. Botnets, which can be rented on the darknet, make this script kiddie-method easy to use to infect thousands of devices at once. Many manufacturers use the same default login credentials for all the devices they produce to save on costs, rather than creating a unique password for each device.

One of the biggest IoT threats of last year was the Mirai botnet, which infected thousands of smart devices, by using default login credentials, to perform massive DDoS attacks. Since Mirai's source code was published, pretty much anyone can run their own IoT botnet or rewrite the code and therefore, many mutations of Mirai have appeared.

Other ways to infect an IoT device are much more complex, expensive to purchase and therefore not as common. Reverse-engineering firmware or an operating system, for example, requires advanced technical knowledge and takes time. Zero-day exploits that take advantage of vulnerabilities cost thousands of dollars.

A recipe for better IoT security
A possible and effective way to dramatically improve IoT security is to give consumers the possibility to easily change the login credentials of their smart devices. To encourage consumers to change their IoT devices' login credentials, manufacturers can, for example, make creating a unique and strong password a mandatory requirement when setting up a device for the first time.

This, of course, cannot be applied to all scenarios, but simply changing default login credentials would greatly reduce the number of "unsecured" devices and make it harder for script kiddies, "wannabe" hackers, and simple search bots to gain access to IoT devices. Alternatively, IoT device manufacturers could give each device a unique and random password and send this along with the devices to their customers.

Issuing software updates to patch vulnerabilities, on the other hand, would help secure smart devices from exploits. Manufacturers currently often use outdated versions of various libraries and operating systems for which plenty of powerful exploits exist, leaving devices vulnerable to attack. There are many devices where it is impossible to update the device's firmware, so if a hacker were to exploit a vulnerability, there would essentially be no other option left than to disconnect the device from the network, permanently, and to replace it with a more secure device.

Securing smart devices will not only protect people's privacy and help prevent DDoS attacks, but can also prevent much worse things from happening. There have been proof-of-concept attacks that show how entire IoT networks can be infected by targeting a single device, such as a light bulb or traffic sensor.

These proof-of-concept attacks demonstrate what a massive problem vulnerable smart devices can be and the damage that can be caused if they are controlled by the wrong people. Imagine hackers controlling traffic flow or turning off lights in an entire city. Smart device manufacturers should collaborate with security experts to ensure a security layer is included in their devices and pen-test their products on a regular basis.

Related posts:

— Michal Salát is the threat intelligence director at Avast, driving research projects to discover security vulnerabilities in computer, mobile and IoT platforms.

Comment  | 
Print  | 
More Insights
Threaded  |  Newest First  |  Oldest First
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
Improving Enterprise Cybersecurity With XDR
Enterprises are looking at eXtended Detection and Response technologies to improve their abilities to detect, and respond to, threats. While endpoint detection and response is not new to enterprise security, organizations have to improve network visibility, expand data collection and expand threat hunting capabilites if they want their XDR deployments to succeed. This issue of Tech Insights also includes: a market overview for XDR from Omdia, questions to ask before deploying XDR, and an XDR primer.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2022-06-27
HTTP::Daemon is a simple http server class written in perl. Versions prior to 6.15 are subject to a vulnerability which could potentially be exploited to gain privileged access to APIs or poison intermediate caches. It is uncertain how large the risks are, most Perl based applications are served on ...
PUBLISHED: 2022-06-27
GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. glpi-inventory-plugin is a plugin for GLPI to handle inventory management. In affected versions a SQL injection can be made using package deployment tasks. Thi...
PUBLISHED: 2022-06-27
LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. In versions prior to 8.0 There are cases where LAM instantiates objects from arbitrary classes. An attacker can inject the first constructor argument. This can lead to co...
PUBLISHED: 2022-06-27
LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. In versions prior to 8.0 the session files include the LDAP user name and password in clear text if the PHP OpenSSL extension is not installed or encryption is disabled b...
PUBLISHED: 2022-06-27
LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. In versions prior to 8.0 incorrect regular expressions allow to upload PHP scripts to config/templates/pdf. This vulnerability could lead to a Remote Code Execution if th...