We all know that the growth of IoT devices has been happening exponentially in the last few years. They are also becoming increasingly indispensable and showing up in our buildings, cities, factories, hospitals, and homes. We also know that from a security point of view, we have a big challenge right in front of us. IoT devices are ubiquitous and interconnected, and this increases the impact of cyber attacks. The other problem is that they have been deployed with numerous vulnerabilities and are sometimes hard to fix, but when exploited, they can cause physical, economic, and health damage.
According to statistics, we have 31 billion IoT devices connected today, and the estimated number will grow to 75 billion by 2025.
But why is security so hard on IoT devices? There is a different number of reasons. Some of them include the limitations in computer power on IoT devices, scalability due to their colossal interconnectivity, need for valid security models specific to IoT devices.
It’s essential to categorize the IoT devices where they belong to set the right level of security. There are four major categories of devices – Industrial Internet-of-Things (IIoT), Internet of Medical Things (IoMT), Smart cities, and smart homes.
The top security issue on IoT devices is weak default credentials. This vulnerability was the entry point for many well-known cyber attacks, like the Mirai botnet. Once inside the network, additional devices are infected, which await instructions to commence a Distributed Denial-of-Service (DDoS) attack. One of the premier Web host providers, Dyn, which hosts Twitter, Reddit, GitHub, and Netflix, became a victim of a Mirai attack resulting in the unavailability of the Web sites mentioned above for several hours. Contrary to laptop and desktop computers, many IoT devices operate 24/7 and are always available for a botnet attack. Many IoT manufacturers want to benefit from the first-mover advantage and, thus, release a user-friendly product needing more security. Malware in IoT devices mostly remains unnoticed due to the minimal necessity of interactions with user interfaces. Those are the significant reasons IoT devices are suitable for creating botnets.
The big problem is that the consequences of IoT security negligence do not rest on themselves. In 2008, a comprehensively monitored pipeline transporting crude oil from the Caspian Sea to the Mediterranean exploded without triggering a single distress signal. Immediately after the blast, Partîya Karkerên Kurdistanê (PKK) claimed credit, while official sources blamed malfunctions. Similarly to the Mirai botnet, the adversary’s entry points were cameras. Therein after, the pipe pressure was probably increased while simultaneously manipulating the data displayed in the operational control room until the explosion occurred. 2010 the computer worm Stuxnet was discovered. This cyberattack is suspected of collaboration between intelligence organizations to prevent Iran from producing weapons-grade uranium. The precision of this cyber attack made the computer worm exploit zero-day vulnerabilities to cause physical degradation in machines connected in a completely isolated network. These cases serve as powerful precedents from when IoT devices were much smaller.
The good news is that the security landscape of IoT is on the move and in the right direction. Nevertheless, it needs to enhance its speed since many IoT devices and potential threats increase exponentially. Secure products, well-aligned to determine security requirements stated in detail, are to be developed by manufacturers soon. More affordable security measures need to be offered and tailored to resource-constrained IoT devices. Consumers will have to be responsible and security-aware, supported by regulations, guidelines, and governments that pay attention to this market sufficiently. Consumers, manufacturers, and governments have to take on their role to exploit the power and innovation IoT offers, but they need to make the world a safer place at the same time.
If you want to know more about IoT security and how to pentest IoT devices, check out this course: https://www.lufsec.com/product/iot-pentest/.
Take a pick here: