How to secure the Internet of Things?
The world we live in today is connected 24/7, with people always attached to technology, even when on the move. What is taking this mobile connectivity to another level is the Internet of Things (IoT). Our household items are increasingly getting connected to the internet and can be controlled through a simple device like a mobile phone. And while the purpose behind this effort has been to simplify our lives by letting us regulate things even while away from home, it has also served as another channel for hackers to rake in some money.
What is the Internet of Things?
The Oxford definition of the Internet of Things is “a proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data.” Simply put, any ‘thing’ which can be assigned an IP address and is able to connect to other ‘things’ falls under the Internet of Things. Examples of IoT devices therefore include toll booths, refrigerators, webcams, cars (oh yes!), ACs, TVs, lighting systems, telephones, traffic control systems, home security systems, DVRs, even sprinklers, and many more. The response to IoT is impressive, with many industries adopting this new technology. The concept of smart homes is quickly gaining ground throughout the world.
The multi-connectivity of the devices sounds great! But this multi-connectivity is the weakest point for IoT devices. If one device gets hacked into, the hacker can use it to control all the other devices and retrieve sensitive information like bank credentials and passwords.
Scary indeed.
What do the stats for the future of the Internet of Things say?
The data for IoT growth is overwhelming. The International Data Corporation predicts that 30 billion ‘things’ will be connected to the internet by 2020 and that revenue from the IoT will reach $9.54 trillion. According to Gartner, by 2020 the Internet of Things will be made up of 26 billion units, while IDC values the industry at around $8.9 trillion and puts the number at approximately 30 billion. Cisco has made a prediction of around 50 billion by 2050, with a valuation of $14.4 trillion by 2023.
The increase in the number of connected devices will directly result in a manifold increase in hacking attacks and attempts, and therefore in security concerns as well. Hence, it is important to understand which data IoT devices access for their normal functioning and the security risks associated with them.
Security threats to the Internet of Things
HP released a study on the Internet of Things and found that 7 out of the 10 internet-enabled devices which they tested were vulnerable to some form of attack. 10 of the most used IoT devices were examined. The list included thermostats, smart TVs, webcams, alarm systems and devices used for controlling multiple other devices, and these were found to have a number of vulnerabilities, providing hackers with not one but multiple entry points into the user’s premises.
For each device, 25 vulnerabilities were found, ranging from bad passwords and poor software security to the transmission of unencrypted data and insecure web interfaces. All devices included mobile applications which can be used to access or control the devices remotely.
Concerns:
OWASP has released an Internet of Things Top 10 2014 list, which gives an insight into the main security concerns for the Internet of Things. Vendors can use it to review their IoT devices, find the vulnerabilities and fix them before hackers exploit them.
The OWASP Internet of Things Top 10 – 2014 list is as follows:
- I1 Insecure Web Interface
- I2 Insufficient Authentication/Authorization
- I3 Insecure Network Services
- I4 Lack of Transport Encryption
- I5 Privacy Concerns
- I6 Insecure Cloud Interface
- I7 Insecure Mobile Interface
- I8 Insufficient Security Configurability
- I9 Insecure Software/Firmware
- I10 Poor Physical Security
Measures to be taken to protect your security:
Currently, all the threats affecting IoT devices are related to application security, mobile security and network security. As the report states, even if only one or two issues afflict a mobile application, and these affect the mobile phone, the issue spreads to the connected devices because of their inter-connectivity. The vulnerability, and therefore the problems, multiply manifold, creating multiple entry points for hackers.
To protect yourself from becoming a victim of an Internet of Things attack, you can take the following steps:
- Use strong passwords. It’s not that difficult, really! – Out of the devices tested, 80% of the IoT devices and their cloud and/or mobile app components allowed users to keep lame passwords.
Do you know which is one of the most commonly used passwords?
“I love you”
And the hackers love you too, for using it!
- Regular security scans – Perform regular website security scans of your IoT devices and applications, and check them for vulnerabilities. The security scans should include automated and manual application scanning. If you find one device infected, do a thorough scan of all the others and fix the issues immediately.
- Regular network traffic scans – Scan your network traffic and review it manually.
- Keep up with the software updates – Install all the latest patches available because, believe me, the hackers do keep an eye on the latest vulnerabilities found and on who has been lazy enough to ignore the patches provided.
- Encryption – Any device connected to the internet is constantly sending and receiving data, and IoT devices are no different. But what has been found is that the data exchanged between the device, the cloud and the mobile app is mostly unencrypted. This leaves the data open to tampering and malicious handling. Transport encryption is very important and should be treated more carefully.
- Many IoT devices tend to leak sensitive information, allowing an attacker to determine valid user accounts by using password reset features. For example, a hacker attempts to log into a device by entering a user name and password. The device responds that ‘your password is incorrect’; from this response, the hacker knows that the user name s/he entered was valid.
- Indusface’s recent analysis of bugs found in H1-2014 showed that 48% of the websites suffer from sensitive information leakage vulnerabilities.
- Production Security standards– IoT vendors should implement security standards for all devices, before production. Devices should use updated versions of the software.
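The account leak described in the list above (a reply of ‘your password is incorrect’ confirming that the user name exists) is shown here beside a hardened login handler, as an added example that is not part of the original article. The function names, messages, sample account and PBKDF2 iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os

GENERIC_ERROR = "Invalid user name or password"

def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 from the standard library; the iteration count is an example value
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user_db(accounts: dict) -> dict:
    """Build an in-memory store of user -> (salt, password hash)."""
    db = {}
    for name, pw in accounts.items():
        salt = os.urandom(16)
        db[name] = (salt, _hash(pw, salt))
    return db

# Dummy record so that an unknown user costs the same hashing work as a real one
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("placeholder", _DUMMY_SALT)

def login_leaky(db, user, password):
    """Behaviour described in the article: the message reveals valid user names."""
    if user not in db:
        return False, "Unknown user name"
    salt, stored = db[user]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return False, "Your password is incorrect"
    return True, "OK"

def login_uniform(db, user, password):
    """Hardened: same message and same work whether or not the user exists."""
    salt, stored = db.get(user, (_DUMMY_SALT, _DUMMY_HASH))
    ok = hmac.compare_digest(_hash(password, salt), stored) and user in db
    return (True, "OK") if ok else (False, GENERIC_ERROR)

def responses_differ(login, db, known_user, unknown_user):
    """Regression check: does a wrong password give distinguishable replies?"""
    return login(db, known_user, "wrong-guess") != login(db, unknown_user, "wrong-guess")

if __name__ == "__main__":
    db = make_user_db({"admin": "S3parate-Long-Passphrase"})  # constructed sample account
    print("leaky handler distinguishable:", responses_differ(login_leaky, db, "admin", "nobody"))
    print("uniform handler distinguishable:", responses_differ(login_uniform, db, "admin", "nobody"))
```

The same uniform-reply rule applies to password reset and registration forms, and `responses_differ` can be kept as a regression test for each of them.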