The concept of the Internet of Things (IoT) envisions a world in which billions of interconnected objects possess artificial intelligence, internet, and sensing and actuation capabilities. The idea suggests that instead of having a small number of powerful computing devices in our lives, we might have a large number of devices that are relatively less powerful.
In other words, having computing and internet capabilities in just about every mundane object we have. An earlier buzzword for roughly the same concept was “ubiquitous computing”. IoT has only enhanced the concept of internet integration.
IoT Device Security
By the end of 2019, there were around 9.7 billion active IoT devices, a figure that is expected to grow up to a whopping 24.1 billion by 2030, according to a research published by Transforma Insights. IoT devices have already overtaken the human population. The concept has come a long way since capturing public attention in 2011 when Nest Learning Thermostat was introduced. But then the question arises, are IoT devices secure?
At first glance, IoT appears sufficiently secure with relatively few security issues. Developers use secure frameworks and encrypted communication protocols for devices in most cases. However, let’s consider the flip side with several examples.
In November 2016, four security researchers—Eyal Ronen, Colin O’Flynn, Adi Shamir, and Achi-Or Weingarten—came up with an interesting proof-of-concept (PoC) worm pertaining to Philips home devices. They demonstrated how the hard-coded symmetric encryption keys used by Philips devices could be exploited to gain control over the target devices over ZigBee. It also included automatic infection of Philips Hue bulbs placed near each other.
At the Def Con 24 event, security researchers from security firm Merculite delivered a presentation titled “Picking Bluetooth Low Energy Locks from a Quarter Mile Away”. The presentation disclosed security vulnerabilities in a number of smart door lock products. The vulnerabilities discovered were of varying types and differed from product to product. Vulnerabilities included the transmission of passwords in clear text, susceptibility to replay-based attacks, reversing mobile applications to identify sensitive information, fuzzing, and device spoofing.
For instance, Quicklock Padlock sends a Bluetooth Low Energy (BLE) packet containing the opcode, old password, and new password when a user tries to reset the password. However, because authentication happens over clear text communication, an attacker can then use the old password to set up a new password for the door lock, rendering the device useless for the original owner. The only way to reset it would be to remove the device’s battery after opening the enclosure.
Perhaps the most popular IoT hack of all time was the Jeep Hack. In 2015, two security researchers, Dr. Charlie Miller and Chris Valasek, demonstrated how they could remotely hack and control a Jeep using vulnerabilities in Chrysler’s Uconnect system. This resulted in Chrysler having to recall 1.4 million vehicles. The hack took advantage of a variety of vulnerabilities, including extensive efforts in reverse engineering various binaries and protocols.
Amongst the first vulnerabilities that made the attack possible was the Uconnect software. The weakness allowed anyone to remotely connect to the software via a cellular connection. Port 6667 was accessible with anonymous authentication enabled and found to be running D-Bus over IP, which is used to communicate between processes. After interacting with D-Bus, a list of available services was obtained.
One service named NavTrailService was found to have an execute method, hence allowing the researchers to run arbitrary code on the Jeep. Once arbitrary command execution was gained, it was possible to send CAN messages taking control of the various elements of the vehicle, such as the headlights, brakes, steering wheel, and so on.
Why Do Vulnerabilities Exist?
The scenarios addressed give birth to another question: if there are so many secure frameworks and encrypted protocols available, then why do such grave vulnerabilities exist? Firstly, IoT is an enormous field. It is an emerging technology that cuts through a wide range of disciplines including software, electronics, experience design, and product design. There are around 20 popular frameworks and about 14 communication protocols. Every company wants to get its share of the pie in the market. They want to bring their products to market at the earliest time possible with the available resources. In simple words, IoT devices are extremely complex and the market is fragmented.
Secondly, there is lack of security awareness among the developers. Developers working on IoT products are often less knowledgeable, if not completely unaware, about the possible security vulnerabilities in IoT devices. They are often already extremely busy and are prone to overlooking any security loopholes.
Thirdly, there are numerous stakeholders involved in the production of IoT devices. For IoT devices to work, they require different components. Most of the time, different components are manufactured by different vendors, assembled by another vendor, and finally distributed by another one. This is. a severe a supply-chain-based issue. If there is an issue in just one component or its framework, the entire product is left susceptible to attacks.
Another issue is the usage of insecure frameworks and third-party libraries. Developers often use existing libraries. It’s a convenient solution that saves time and effort. However, it comes at the cost of introducing potentially vulnerable codes into an otherwise secure product. Companies want their products to hit the market as early as possible. Business priorities belittle the security perspective. resulting in security being underestimated until the product suffers a security breach.
In any case, one thing is clear, the outcome of a security breach could be severe. At the present moment, several security vulnerabilities were exposed by security researchers. But, flaws can also be exploited by an attacker. If smart devices are infected by ransomware like WannaCry, things might turn into a nightmare.
The policymakers of the digital world are struggling with the fast pace of the rise of IoT devices. They have not arrived at a clear conclusion for strict quality controls and safety regulations and until they do, device security will be compromised.