Devices that connect to the internet are quickly becoming an integral part of our daily lives. Thousands of Smart TVs, Smart Homes, and even children’s toys incorporate the Internet of Things (IoT) to help improve functionality and make life a little easier to live.
However, this newfound connectivity comes at a price. There have been many recent reports about IoT devices getting compromised by malicious hackers. As more and more companies start to adopt and incorporate internet connectivity into their products, many people are wondering about potential IoT security issues.
The general public has little to no control over how well the manufacturers implement security measures in their IoT devices. Despite this, there are a few vulnerabilities that the consumer can take into consideration that will allow them to make a more informed buying decision.
Lack of Security Upgradability
Many IoT device manufacturers do not include a secure way of upgrading the device.
If a new vulnerability is discovered and made public, there is zero chance of that device getting a security patch.
Many manufacturers will use third-party vendors to buy hardware or software components. If a malicious bad actor compromises the supply chain, every single device will be compromised from day one.
Default Settings are Insecure
When products ship from the factory, they will sometimes come with insecure default settings. This will allow the end-user to easily modify these settings, which can lead to one or more vulnerabilities. The problem with this is that the end-user will never know that they have accidentally compromised the device until it’s too late.
In 2014, Asus router users got a rude awakening one morning when a hacktivist left them a little love note on their hard drive. Fortunately, all it did was alert them to the security flaw and then directed them to a website that showed them how to fix the problem.
Insecure Web Interfaces
Many IoT products require the end-user to access a web interface to configure various aspects of the device or for the device itself to receive updates. An attacker will simply use weak passwords or capture plain text credentials to gain unauthorized access. In addition to data loss, this can also lead to denial of service and in some cases, a complete and total takeover of the device by a bad actor.
Poor Authorization/Authentication
The attacker will brute force insecure passwords or credentials that are poorly secured, which will allow them to attack a specific interface. The most common result of this attack is a denial of service.
In 2015, ethical hackers demonstrated their ability to take complete control of a Jeep Cherokee by attacking the head unit via the internal WiFi-connectivity. When the Jeep engineers designed this system, they had the WiFi password generate automatically based upon the time the car and head unit are started up. The hackers were easily able to brute force the system to get the password and gain control over the car.
No or Poor Encryption
Believe it or not, some manufacturers will not include transport encryption, which can allow malicious actors to easily view transmitted information over the network. This kind of attack can lead to a compromised account or complete and total control of the device.
The Hello Barbie doll listens to a child’s voice, then sends that data to a server where AI processes the information and then returns an appropriate response. While there are no known reports of vulnerabilities in this system, it’s easy to see how weak IoT security measures could potentially negatively affect the safety of children’s toys.
No Physical Hardening
In addition to software and network vulnerabilities, many IoT devices can be compromised via physical attacks. A lack of hardening measures will allow the attacker to take complete and total control of the device. This type of security issue will require many manufacturers to spend extra money on R&D until the physical security market comes out with a product that they can implement in their products.
Using Outdated or Insecure Components
There’s no valid reason why the costs of manufacturing should impact overall security. Insecure software libraries, OS platforms, or third-party software/hardware components from a supply chain that’s been compromised might be cheaper, but they pose a considerable security risk. The solution is simple. Manufacturers need to source their parts from reputable vendors regardless of the increased cost.
What Does the Future of IoT Security Hold?
As of 2016, there were around 400 million IoT-connected devices. By 2020, this number is projected to increase to 18 billion. As consumers and businesses take advantage of the multiple benefits that internet connectivity brings, it’s safe to assume that security breaches will occur more often unless the industry starts taking proactive steps to secure their devices.
Consumers can take steps on their end by only purchasing IoT devices that have enabled the above security measures. This can frequently be challenging as the average consumer doesn’t have the time or technical knowledge to know what to look out for when purchasing an IoT device for their home or family members.