The Internet of Things (IoT) is a quickly growing segment of the internet. While other components of the internet are reliant on people exchanging information, IoT enables connectivity between devices that gather, transmit and receive data. It’s easier to think of IoT as similar to the web, email or social networks, but instead of connecting people, it connects smart machines.
In recent years, IoT has become embroiled in controversy related to security issues. Many of the problems have been previously experienced by other major internet components. Remember the many vulnerabilities of Adobe Flash, a technology that’s being systematically replaced by native browser functionality for the sake of making web browsing a safer experience?
The problem with IoT security is related to the incredibly fast expansion of smart home automation devices connecting to the network. As of 2019, the IoT’s growing pains have become particularly painful with several factors at play.
Before getting into the security threats impacting IoT in 2019, it helps to review some history. Computers have been interconnected since the development of the Advanced Research Projects Agency Network (ARPANET) of the United States Department of Defense.
Once ARPANET became the internet, it didn’t take long for the computer science department at Carnegie Mellon University to connect a Coca Cola vending machine to the internet by means of the name/finger protocol running as a daemon. The CMU internet Coke machine was connected in the early 1980s.
Other devices followed, such as a hot tub in Michigan and a variety of web cams that users could access through their browsers and see the world. The first wave of IoT mostly returned information, and it could hardly be considered smart. This would later change as device-to-device (D2D) and machine-to-machine (M2M) communications were eventually developed.
Security in Modern IoT
These days, devices connected to IoT include routers, printers, thermostats, refrigerators, webcams, and home automation hubs powered by artificial intelligence constructs, such as Amazon Alexa and Google Assistant. There are also smart locks, smartwatches, and many more gadgets that we either keep at home, carry or even wear around.
The security implications are even greater than we think once we add the next wave of devices that will connect to the IoT: automobile navigation and infotainment systems, advanced medical devices, and automated teller machines, and the list extends beyond what we can even imagine.
With the above in mind, here are seven of the most common IoT threats to expect to either become or remain popular in 2019:
1. Hijacked Devices Sending Spam Emails
Smart appliances, such as the Samsung Family Hub refrigerator, have the same computing power and functionality of a modern tablet, which means they can be hijacked and turned into email servers.
In a 2014 investigation by information security research firm Proofpoint, a smart refrigerator was found to have sent thousands of email spam messages without its owners being aware of the problem.
2. Hijacked Devices Conscripted Into Botnets
Similar to the aforementioned smart refrigerator sending spam email, IoT devices can be forced to join malicious botnets for the ultimate purpose of conducting distributed denial-of-service (DDoS) attacks.
Hackers have targeted baby monitors, streaming boxes, webcams, and even printers to carry out massive DDoS attacks that have crippled domain name system servers.
3. The Shodan IoT Search Engine
Since 2009, the Shodan search engine has been revealing quite a few security flaws inherent to IoT. Some of them focus specifically on Australia.
A few years ago, Shodan developer John Matherly wrote a blog post explaining how BigPond, now known as Telstra Media, configured networking devices such as wireless home routers running OpenSSH, a popular suite of IoT connectivity tools, on a fairly standard port that shared the same keys on more than 50,000 devices.
A hacker familiar with remote management of routers could easily take advantage of common SSH keys to intrude upon a home network and search for unprotected IoT devices. It should be noted that Shodan provides substantial information about unsecured devices.
4. Privacy Leaks
Skilled hackers can cause considerable damage just by identifying an unsecured IoT device that is leaking the internet protocol (IP) address, which can in turn be used to pinpoint residential location.
Information security experts recommend securing IoT connections by means of virtual private networking (VPN) technology. It’s now possible to encrypt all traffic through your ISP by installing a VPN on your router, and the same functionality isn’t far off for other IoT devices. With the right VPN, you can protect an entire smart home network and keep your IP private.
5. Unsecured Devices
This threat has been the most insidious since the inception of IoT, and device manufacturers have been partly complicit.
When IoT devices are shipped to stores with default “admin” usernames and “1234” passwords (here’s how to create a strong password), consumers cannot be reasonably expected to change and secure the credentials unless the manufacturer insists upon it through instructions and reference materials.
6. Home Intrusions
This is the scariest threat because IoT bridges the virtual space with the physical world.
As discussed, unsecured devices may broadcast IP addresses that can be discovered through Shodan searches, and hackers can take advantage of this vulnerability by locating residential addresses and selling this information on underground websites to criminal outfits that operate outside the internet.
This is why securing device credentials and connecting through VPNs is vital to IoT security.
7. Remote Vehicle Hijacking
As smart driving cars move from “that would be cool” to near inevitability, the question becomes, how do we prevent these cars from being hacked?
One can only imagine the consequences of a malicious attacker gaining remote access to your moving vehicle. Thankfully, automakers are paying close attention to this risk.
In the past, the Sync infotainment system, developed through a partnership between Microsoft and the Ford Motor Company, presented a few issues that could have compromised connections. But this was way before wireless broadband enjoyed widespread use, thus giving developers time to take appropriate action.
More recently, Chrysler quickly moved to patch the infotainment system of the Jeep Cherokee after two security researchers were able to gain wireless control of some functions.
The Bottom Line
IoT can be forgiven for delusions of grandeur and the conviction that it’s a big deal. The reality is that it IS a big deal and destined to get bigger.
Unfortunately, the accompanying headaches will get progressively larger as well, unless manufacturers and others associated with this burgeoning industry get serious about security issues.
Written by Dan Fries, Technical Writer at Threatpost.