The Internet of Things, also known as IoT, is the concept of equipping everyday appliances, objects and wearable devices with an Internet connection to allow the exchange of data and information. Think of washing machines that send you a text when the load is done, or air conditioning you can turn on from an app on your phone. The technology has gained a lot of favourable attention and is becoming increasingly popular.
Gartner estimates that 20.8 billion IoT devices will be in operation by the year 2020, with much of this growth predicted to come from business and enterprise activity. IoT has therefore become particularly attractive to cybercriminals, who have shown a growing interest in targeting IoT devices, or in leveraging their growing ubiquity to facilitate attacks.
The sky-rocketing popularity of IoT offers cybercriminals a concrete platform to attack, as the majority of IoT devices run outdated connection protocols and operating systems. Examples include remotely controlled lightbulbs and Wi-Fi-enabled in-vehicle infotainment systems (IVIs), which most commonly run Linux and are written in C, with safe compiler options overlooked. Dated connection protocols, such as TCP/IP (1989, RFC 1122), ZigBee (2004 specification) and CAN 2.0 (1991), are used, and when exploited can cause the device to allow unauthorized access.
Additionally, man-in-the-middle attacks (where a third party secretly relays, and possibly interferes with, messages between two unsuspecting parties, thereby gaining access to their devices) can result when the TCP/IP protocol is exploited.
Gaining access to IoT devices involves several stages: Investigation and Proof of Concept (PoC), Taking Control of the Device and ensuring that Maximum Damage is caused.
Investigation and Proof of Concept (PoC)
Attackers begin by investigating a target device, searching for vulnerabilities and building PoCs from which they can develop exploits to use against the target. Examples of such PoCs include weaknesses and vulnerabilities found in Digital Audio Broadcasting radio receivers integrated in IVIs, as well as authentication flaws in connected lights that can allow data to be stolen, even from networks that are air-gapped.
Taking Control of the Device
It is at this stage that cybercriminals work on:
- Locating the device's default and/or embedded credentials
- Using fuzz tools with the purpose of exploiting protocol bugs
- Finding input validation bugs such as buffer overflow and SQL injection.
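The buffer overflow pattern this list and the earlier paragraph refer to (a C parser that copies input into a fixed buffer without a bound, with compiler hardening left off), shown as an added example that is not from the article: a hypothetical parse_cmd_unsafe() beside its hardened form parse_cmd_safe(), fed a constructed "name=value" command line. The buffer size, function names and flags are assumptions.

```c
/* Added example, not from the article: a firmware-style parser for a
 * constructed "name=value" command line as an IoT device might receive
 * it over TCP. parse_cmd_unsafe() shows the unbounded-copy pattern the
 * article warns about; parse_cmd_safe() is the hardened form. Build the
 * real firmware with the hardening flags that are often skipped, e.g.
 *   gcc -O2 -D_FORTIFY_SOURCE=2 -fstack-protector-strong -Wall
 */
#include <stdio.h>
#include <string.h>

#define VALUE_MAX 16   /* fixed on-device buffer; hypothetical size */

/* Vulnerable: copies the value without checking its length. An input
 * longer than VALUE_MAX overruns 'value' on the stack (memory corruption). */
int parse_cmd_unsafe(const char *line, char *out, size_t out_len) {
    char value[VALUE_MAX];
    const char *eq = strchr(line, '=');
    if (eq == NULL)
        return -1;
    strcpy(value, eq + 1);          /* no bound: classic buffer overflow */
    strncpy(out, value, out_len);
    out[out_len - 1] = '\0';
    return 0;
}

/* Hardened: validates the length before copying and rejects oversized input. */
int parse_cmd_safe(const char *line, char *out, size_t out_len) {
    const char *eq = strchr(line, '=');
    if (eq == NULL)
        return -1;                  /* malformed: no separator */
    size_t vlen = strlen(eq + 1);
    if (vlen == 0 || vlen >= VALUE_MAX || vlen >= out_len)
        return -2;                  /* reject: value would not fit the buffer */
    memcpy(out, eq + 1, vlen);
    out[vlen] = '\0';
    return 0;
}

int main(void) {
    char out[VALUE_MAX];
    /* constructed inputs: one well-formed, one oversized as a fuzzer would send */
    const char *ok = "led=on";
    const char *big = "led=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    printf("safe(ok)  -> %d (%s)\n", parse_cmd_safe(ok, out, sizeof out), out);
    printf("safe(big) -> %d\n", parse_cmd_safe(big, out, sizeof out));
    /* parse_cmd_unsafe(big, ...) would corrupt the stack, so it is not called */
    return 0;
}
```

A fuzzer sending the oversized line gets a clean rejection from the hardened parser, which is exactly the behaviour a security audit of the firmware should confirm.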
GitHub, a web-based code hosting service, holds many open source research tools (such as Modbus, Fuzzer and the CANard tool) that hackers can misuse to cut time on this step.
In order to take control of the device, hackers can use attack vectors – some of which include:
- Using exploits or the default username/password to get onto the device, and finding an internal network from which they can perform lateral movement.
- Implanting bot malware, thereby building a botnet, and creating a network through which the bots can be controlled further.
- Initiating a Distributed Denial of Service attack. IoT devices provide an ideal environment for DDoS, which needs a vast amount of traffic to be effective. For example, thousands of compromised CCTV cameras forming a botnet were recently used as the source of the network traffic needed to perform a DDoS attack.
- Implanting a bitcoin-mining program. An individual IoT device has low CPU power; however, when many of them are infected, a vast amount of processing power becomes available. This pooled power is used to mine for bitcoins.
DVRs, which were used for security camera video-recording, were infected with a similar form of malware in April 2014.
Ensuring Maximum Damage
The hacker then has the ability to cause as much distress to the victim as possible. This may range from changing items on people’s automated grocery list to locking their car’s brakes and steering functionality. This will have a huge impact on the daily lives of millions and will cause major disruptions and safety threats.
IoT device security is largely forgotten about by vendors who are more concerned about their functionality and performance. Search engines such as Shodan and ZoomEye contribute to worsening the situation by providing archives of potentially vulnerable connected devices and systems. It is predicted that 25% of observed cyber-attacks on businesses will have IoT involvement by 2020.
The growing popularity in the use of IoT devices means that IoT device security is quickly gaining interest – so quickly in fact, that world-wide spending on IoT security has been predicted to reach $547 million in 2018. Tesla and Fiat Chrysler are but a few of those that looked at IoT device security by developing bug bounty programs for the purpose of protecting their connected cars.
The Automotive Information Sharing and Analysis Centre (Auto-ISAC) in the US has worked with 15 automobile manufacturers to create a list of the most effective methods for securing their vehicles against cyber-attacks.
Although threats such as cyber extortion and ransomware are technically possible in IoT, they are unlikely to be in effect within the coming years. Hacking IoT devices requires specifically dedicated time and resources. It also involves tailoring the attacks to specific victims and organizations from which the attackers can then make money through extortion.
Furthermore, it is not a feasible option, specifically for malefactors such as ransomware operators, whose fast-paced systems work by attempting to establish quick ROI from as many targets as possible.
In spite of this, the growing interest in and demand for IoT devices, the seemingly easy defeat of their security measures (or lack thereof), and the financial benefits of extracting money from their owners are a dangerous blend.
Although there is no specific method for ensuring total security of the devices, counteractions such as the use of a security audit when designing IoT hardware and software, the implementation of security gateways, the introduction of endpoint monitoring and real-time log inspection, play a key role in reducing these risks.