These complex devices face complex risks. The continued success of the IoT will rely on safeguards that can thwart sophisticated new threats. Product designers and engineers in particular must lead this charge.
What we know unequivocally is that the number of smart devices is rapidly rising. These devices contribute heavily to total network traffic. Keep in mind that such devices (routers, thermostats, lighting, and even coffee pots) constantly stream wireless data. While we like to believe our private networks are secure, numerous threats exist. Smart devices are exceptional attack vectors, which amplifies those issues.
These threats are real both at home and the office. Consider how interconnected devices are now: our phones are connected to wireless networks, which are now connected to other smart devices, including crucial hardware like computers and servers. That convenience comes at a potential cost.
The Global Attack Pandemic
There are few entities more invested in measuring the prevalence of cyber attacks than F-Secure. The company monitored attack incidents during the first half (H1) of 2019 through a collection of decoy servers called "honeypots". According to F-Secure, these servers emulate authentic servers that attackers often target.
There have been 2.9 billion global cyber attacks in H1 2019. Though F-Secure credits its honeypots with "capturing more data", it has also blamed this increase on infected IoT devices. Smart devices are becoming conduits for attack traffic. IoT devices must fend off attackers, especially as they share connection protocols with other common devices. Even the most obscure tech (like smart toothbrushes) can be vulnerable.
Europe has been particularly hard hit by this hostile traffic. Seven of the top ten attack destinations have been European countries. The vast majority of these attacks have originated outside of Europe. There's a clear and present danger. What should engineers focus on protecting first?
Diagram of the Honeypot information system. Image Credit: Wikimedia Commons.
Securing Data and Preserving Privacy
Threat modelling is key to combating emerging IoT threats, according to ThreatModeler. It's essential for engineers to approach safety from multiple angles, to repeatedly ask "what if?". Flow charts are excellent tools for the job. These allow teams to explore varied outcomes while mapping the inner workings of their devices. These charts even help identify vulnerabilities in connected systems.
This method worked for Microsoft Azure and Virgin Atlantic. Azure is a cloud service used by numerous companies to manage crucial data. This data is often sensitive and/or integral to business success, so protecting it is crucial. We also know aircraft are becoming increasingly reliant on electronic systems to operate. These systems transmit flight data and diagnostics to the ground. Imagine if a remote attacker hijacked these connections. Tampering with on-board systems could pose a serious safety risk.
Five-step recommendation process for designing with security in mind for IoT devices. Image Credit: blog post by Suresh Marisetty on arm Community.
Engineering Cooperation Between First and Third Parties
Companies should theoretically be unrivalled experts on their own technologies. This puts them in a perfect position to draw up countermeasures. However, IoT devices integrate technologies from outside vendors. These third-party components are harder to monitor. Designing secure devices requires teamwork and diligence from all parties.
Companies like Apple and Google make their own software frameworks for IoT devices. These first-party tools like HomeKit allow mobile devices to control various smart devices. Apple's recent Worldwide Developers Conference unveiled a new approach to IoT security. HomeKit Secure Video (HSV) was designed with data privacy in mind. Video streaming is often poorly secured, as are the servers that store home security footage. HSV encrypts all video streams and ensures clips aren't viewable by third parties.
HomeKit routers also quarantine infected IoT devices on the network, firewalling them to prevent further damage. These are just some of the things IoT-based partnerships can accomplish.
Best Practices Make Safe IoT Possible
We must consider three main categories when dealing with data, according to the Industrial Internet Consortium: data integrity, data security, and data protection. Attackers can dismantle or interrupt data flow in IoT networks. They can also intercept data, or even erase information. Engineers have to make this as difficult as possible.
The idea behind best practices is that standardised processes give IoT engineers the best chance of avoiding future problems. Breaches and authentication shortcomings can be detrimental. Engineers must also consider use cases when data is "at rest" (i.e. stored), "in motion" (transmitted between locations), or "in use" (being processed or transformed). Each of these instances has unique challenges. The IoT data lifecycle must be safeguarded from start to finish to reduce threats.
The IoT world creates an immense amount of data. Controlling who accesses what and when is essential to creating a safe networking environment, for consumers and companies alike.
Graphs representing the number of honeypot attacks by country. Image Credit: F-Secure.
What New Threats Are Emerging?
IoT devices connect to the web via ports. These ports are the keys to different network protocols, which these devices need to operate effectively. F-Secure measured 2.1 billion attacks on TCP (transmission control protocol) ports: Telnet, Server Message Block, and Secure Shell, most commonly. Attackers seem to gravitate to these. It's also worth noting that the Telnet port isn't commonly used outside of the IoT any longer. That suggests IoT devices are popular targets. User Datagram Protocol ports are also targeted.
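The per-service tally described above can be reproduced on a small scale. The following is an added example, not F-Secure's tooling: it summarises honeypot connection records by targeted service and lists sources that repeatedly hit one of the named services. The log format, the sample records and the repeat threshold are assumptions, and the port numbers are the standard assignments rather than values given in the article.

```python
import re
from collections import Counter

# Services the article names, keyed by (protocol, port). Port numbers are the
# standard IANA assignments; the article gives only the service names.
SERVICES = {("tcp", 23): "Telnet", ("tcp", 445): "SMB", ("tcp", 22): "SSH"}

# Hypothetical log format: "<timestamp> <proto> <source IP> -> <destination port>"
LINE_RE = re.compile(r"^\S+ (tcp|udp) (\d{1,3}(?:\.\d{1,3}){3}) -> (\d{1,5})$")

# Constructed sample records; addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2019-05-01T00:00:01Z tcp 198.51.100.7 -> 23
2019-05-01T00:00:02Z tcp 198.51.100.7 -> 23
2019-05-01T00:00:03Z tcp 198.51.100.7 -> 23
2019-05-01T00:00:09Z tcp 203.0.113.20 -> 445
2019-05-01T00:00:11Z tcp 192.0.2.14 -> 22
2019-05-01T00:00:12Z tcp 192.0.2.14 -> 23
2019-05-01T00:00:15Z udp 203.0.113.20 -> 1900
2019-05-01T00:00:16Z tcp 203.0.113.99 -> 8080
garbage line from a truncated write
"""

def summarize(log_text, repeat_threshold=3):
    """Tally connection attempts per service and flag repeat sources."""
    per_service = Counter()   # attempts per service name
    per_source = Counter()    # attempts per (source IP, service)
    skipped = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or not 0 < int(m.group(3)) <= 65535:
            skipped += 1      # malformed record: count it rather than guess
            continue
        proto, src, port = m.group(1), m.group(2), int(m.group(3))
        service = SERVICES.get((proto, port), f"other/{proto}")
        per_service[service] += 1
        per_source[(src, service)] += 1
    # Repeated attempts against a named service from one source are the
    # pattern a brute-force login campaign leaves in a honeypot log.
    repeat = sorted((src, svc, n) for (src, svc), n in per_source.items()
                    if svc in SERVICES.values() and n >= repeat_threshold)
    return {"per_service": dict(per_service),
            "repeat_sources": repeat, "skipped": skipped}

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for service, count in sorted(report["per_service"].items(), key=lambda kv: -kv[1]):
        print(f"{service:10} {count}")
    print("repeat sources:", report["repeat_sources"])
    print("skipped lines:", report["skipped"])
```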
IoT attackers often install malware. Secure List shows us that 15.97% (the highest percentage) of attacks download the Mirai malware onto IoT devices. Trojans and other backdoor malware tools are commonly downloaded. These have the potential to harm data security, privacy, and integrity. The Gafgyt malware is also popular among attackers.
Attackers are using brute force methods to interrupt IoT services. They're also utilising EternalBlue and EternalRed, two vulnerabilities found within Windows and Linux. Attackers are trying to uncover users' passwords and other sensitive information. Data theft is a massive concern that engineers must address at all levels. Hardware and software teams must work together to fix weaknesses in embedded systems.
Some device makers are more susceptible than others. Secure List estimates that MikroTik's technology accounts for 37.23% of infected devices, while TP-Link places second at 9.07%. Different vulnerabilities like Chimay-Red are causing these infections.
Ideally, engineers will harden all components of the IoT experience against these threats. Just like device makers must learn lessons, attackers are also refining their methods to make them more effective. The IoT's future will require a lot of creativity from engineering teams. Proactive security will ultimately win the day, as long as professionals remain constantly vigilant.