IoT and Security: A brief overlook

“The internet is no longer a web that we connect to. Instead, it’s a computerized, networked, and interconnected world that we live in. This is the future, and what we’re calling the Internet of Things.” — Bruce Schneier

Life before the usage of IoT (Internet of Things) in our everyday life, which is basically just a few years ago, seems very ancient when we think about it now, doesn’t it?

Image Credits: Google

Before indulging deeper into the security aspects, let us first establish a clear understanding of what IoT is.

“The Internet of Things is not a concept; it is a network, the true technology-enabled Network of all networks.” –Edewede Oriwoh

What is the Internet of Things (IoT)?

An IoT system contains both hardware and software components. While it is the presence of such components that makes an IoT system efficient, it is also what makes it prone to security issues.

How so?

Though there are several protocols, software, and techniques, available to secure the software and connectivity of an IoT model, securing the hardware remains a hard task due to the following reasons:

• Lack of universal IoT standards leading to devices having poor security and undiscovered vulnerabilities.
• Incorporating security measures on some of the simplest IoT devices, like sensors, remain a challenge.

Why do we need IoT systems to be secure though?

The advancements in technology have provided hackers with lots of tools to hack into even the most complex of systems. So a hack into a person’s home system or their vehicle is not a concern for just that person, but for everyone who has such systems.

The magnitude of the issue intensifies when we realize that numerous organizations also use such IoT systems to manage their warehouses, and a hack that disrupts their working could cost more than just that company.

The bottom line?

We definitely need maximum possible protection for our IoT systems.

What can we do from our side to deliver that?

Here’s a list of all the things we could do to better equip our systems' security.

1. Be Aware

• Make sure to be aware of the smart objects under your control (their functionality and need) and of the access they have with your private data (don’t permit unwanted access).
• Only keep necessary devices. Check for their necessity in the system at regular intervals.

2. Maintain Private Networks

• It is better to let the IoT devices thrive in their own private network separate from the network containing other devices that carry more personal information (like laptops, tablets, phones, etc.)

3. Have Better Authorization

• Always change default passwords.
• Choose unique and complex passwords for the wi-fi network, the network devices, the connected devices, and the device accounts (if any).
• Opt for 2-factor authentication.

4. Stay Updated

• Keep your firmware and all other related software updated at all times. Checking for updates on the manufacturer’s website periodically is advisable.

5. Provide Network Security

• Install a good network security firewall (like Firewalla, pfSense, OPNsense, etc., )
• Make sure that the network devices (like the router) are not outdated (something people miss out on quite often).

Aaaaand yeah. That’s it.

But wait!

What type of attacks are we talking about exactly?

Though there are several different kinds of cybersecurity attacks in IoT, we’ll be looking at a few of the notably important ones here.

1- Physical Attacks:

Most physical attacks occur from the inside of a company when the device is in good proximity or can be physically accessed.

2- Denial of Service:

Cybercriminals with an aim of slowing down or disabling a service launch a DoS (Denial of Service) attack. They may (or may not) make use of botnets to carry it out.

3- Man-in-the-Middle:

By implementing a man-in-the-middle attack, an intruder can intercept multiple IoT devices' communication, leading to critical malfunctioning.

4- Social Engineering:

Attackers obtain personally identifiable information illegally from the connected devices to gain confidential information such as the home address, bank details, purchase history, etc., of the associated people for social engineering attacks or data and identity theft.

5- Advanced Persistent Threat:

Cybercriminals gain access to confidential information from the network and/or steal data, for a significant time period. Eavesdropping and remote recording (the article attached below shows how it’s a bane here and not a boon like in the generic sense) are good examples of APTs.

If the CIA can compromise our gadgets, can't others do the same? - The Boston Globe

6- Ransomware:

In a ransomware attack, the infiltrators use malware that encrypts our data and “sell” the decryption key to us only after the demanded ransom is paid.

The article below explains how ransomware is a threat to IoT.

The IoT ransomware threat is more serious than you think

“If you think that the internet has changed your life, think again. The Internet of Things is about to change it all over again!” — Brendan O’Brien

Now that we have come to know about the security (or rather its lack thereof) in IoT systems, I wish you the best of luck to explore ways to exploit/provide security to IoT systems.

Stay legal. Cheers!