December 05, 2019 by Tyler Charboneau
As connected devices gain a formidable foothold in our homes and pockets, we must prioritise proactive security
These complex devices face complex risks. The continued success of the IoT will rely on safeguards that can thwart sophisticated new threats. Product designers and engineers in particular must lead this charge.
What we know unequivocally is that the number of smart devices is rapidly rising. These devices contribute heavily to total network traffic. Keep in mind that such devices—routers, thermostats, lighting, and even coffee pots—constantly stream wireless data. While we like to believe our private networks are secure, numerous threats exist. Smart devices are exceptional attack vectors, which amplifies those issues.
These threats are real both at home and the office. Consider how interconnected devices are now: our phones are connected to wireless networks, which are now connected to other smart devices, including crucial hardware like computers and servers. That convenience comes at a potential cost.
There are fewer entities more invested in measuring the prevalence of cyber attacks than F-Secure. The company has monitored attack incidents during the first half (H1) of 2019, through a collection of decoy servers called ‘honeypots’. According to F-Secure, these servers emulate authentic servers that attackers often target.
There have been 2.9 billion global cyber attacks in H1 2019. Though F-Secure credits their honeypots with ‘capturing more data’, its also blamed this increase on infected IoT devices. Smart devices are becoming conduits for attack traffic. IoT devices must fend off attackers, especially as they share connection protocols with other common devices. Even the most obscure tech (like smart toothbrushes) can be vulnerable.
Europe has been particularly hard hit by this hostile traffic. Seven of the top ten attack destinations have been European countries. The vast majority of these attacks have originated outside of Europe. There’s a clear and present danger. What should engineers focus on protecting first?
Diagram of the Honeypot information system. Image Credit: Wikimedia Commons.
Threat modelling is key to combating emerging IoT threats, according to ThreatModeler. It’s essential for engineers to approach safety from multiple angles, to repeatedly ask “what if?”. Flow charts are excellent tools for the job. These allow teams to explore varied outcomes while mapping the inner workings of their devices. These charts even help identify vulnerabilities in connected systems.
This method worked for Microsoft Azure and Virgin Atlantic. Azure is a cloud service used by numerous companies to manage crucial data. This data is often sensitive and/or integral to business success, so protecting it is crucial. We also know aircraft are becoming increasingly reliant on electronic systems to operate. These systems transmit flight data and diagnostics to the ground. Imagine if a remote attacker hijacked these connections. Tampering with on-board systems could pose a serious safety risk.
Five-step recommendation process for designing with security in mind for IoT devices. Image Credit: blog post by Suresh Marisetty on arm Community.
Companies should theoretically be unrivalled experts on their own technologies. This puts them in a perfect position to draw up countermeasures. However, IoT devices integrate technologies from outside vendors. These third-party components are harder to monitor. Designing secure devices requires teamwork and diligence from all parties.
Companies like Apple and Google make their own software frameworks for IoT devices. These first-party tools like HomeKit allow mobile devices to control various smart devices. Apple’s recent Worldwide Developers Conference unveiled a new approach to IoT security. HomeKit Secure Video (HSV) was designed with data privacy in mind. Video streaming is often poorly secured, as are the servers that store home security footage. HSV encrypts all video streams and ensures clips aren’t viewable by third parties.
HomeKit routers also quarantine infected IoT devices on the network, firewalling them to prevent further damage. These are just some of the things IoT-based partnerships can accomplish.
We must consider three main categories when dealing with data, according to the Industrial Internet Consortium: data integrity, data security, and data protection. Attackers can dismantle or interrupt data flow in IoT networks. They can also intercept data, or even erase information. Engineers have to make this as difficult as possible.
The idea behind best practices is that standardised processes give IoT engineers the best chance of avoiding future problems. Breaches and authentication shortcomings can be detrimental. Engineers must also consider use cases when data is ‘at rest’ (i.e. stored), ‘in motion’ (transmitted between locations), or ‘in use’ (being processed or transformed). Each of these instances has unique challenges. The IoT data lifecycle must be safeguarded from start to finish to reduce threats.
The IoT world creates an immense amount of data. Controlling who accesses what and when is essential to creating a safe networking environment—for consumers and companies alike.
Graphs representing the number of honeypot attacks by country. Image Credit: F-Secure.
IoT devices connect to the web via ports. These ports are the keys to different network protocols, which these devices need to operate effectively. F-Secure measured 2.1 billion attacks on TCP (transmission control protocol) ports: Telnet, Server Message Block, and Secure Shell, most commonly. Attackers seem to gravitate to these. It’s also worth noting that the Telnet port isn’t commonly used outside of the IoT any longer. That suggests IoT devices are popular targets. User Datagram Protocol ports are also targeted.
IoT attackers often install malware. Secure List shows us that 15.97% (the highest percentage) of attacks download the Mirai malware onto IoT devices. Trojans and other backdoor malware tools are commonly downloaded. These have the potential to harm data security, privacy, and integrity. The Gafgyt malware is also popular among attackers.
Attackers are using brute force methods to interrupt IoT services. They’re also utilising EternalBlue and EternalRed—two vulnerabilities found within Windows and Linux. Attackers are trying to uncover users’ passwords and other sensitive information. Data theft is a massive concern that engineers must address at all levels. Hardware and software teams must work together to fix weaknesses in embedded systems.
Some device makers are more susceptible than others. Secure List estimates that MikroTik’s technology accounts for 37.23% of infected devices, while TP-Link places second at 9.07%. Different vulnerabilities like Chimay-Red are causing these infections.
Ideally, engineers will harden all components of the IoT experience against these threats. Just like device makers must learn lessons, attackers are also refining their methods to make them more effective. The IoT’s future will require a lot of creativity from engineering teams. Proactive security will ultimately win the day, as long as professionals remain constantly vigilant.
