Home automation products were in development in 1980, and there were plenty of them on the market. They used power lines to communicate with intelligent switchboards and appliances using a PC. X10 is a prime example of IoT being in use in the late 90s.
In 1990, when even the term IoT had not yet been coined, John Romkey, a computer scientist, connected a toaster to the internet using a simple TCP/IP protocol, making him very popular back then. After a year or so, a few computer scientists at the University of Cambridge made a prototype of an internet-connected camera, what we call a webcam these days.
The idea behind the prototype of WebCam was to monitor the level of coffee in the coffee pot and it was astounding. In 1999 Kevin Ashton came up with the term “The Internet of Things”, which we still use today. Kevin used IoT in one of his presentations given to Procter & Gamble to manage the supply chain using RFID modules or internet-connected RFID readers.
Fast-forwarding to 2010, we saw the release of IPv6, which led to a boom in internet and related services, and IoT was no exception. Years have passed since the first appearance of IoT products, and we are still at the starting point from the perspective of security.
Challenges Being Faced by IoT
We will discuss a few key issues that IoT companies need to resolve to make IoT the next revolution.
It is fair to say that most IoT devices are inherently insecure and that the challenges of securing them are too many to count. Internet-connected thermostats, baby monitors, toasters, coffee machines, intelligent fridges, cameras, and even cars are getting hacked daily. We still see millions of insecure IoT devices manufactured daily, increasing the number of attack vectors and the attack surface, and turning IoT devices into malicious hosts that affect the other devices on the same network.
In 2017, a casino’s data was compromised and hacked because of an internet-connected thermostat in one of their fish tanks. There are countless similar incidents where IoT Devices were the bad actors in a hack attempt or a hacked system. Let’s discuss a few well-known IoT security challenges developers and consumers face.
The first and foremost issue, and the most prominent IoT security risk, is the use of weak passwords that are set by default. The prime example of weak passwords is WiFi routers, and the problem now extends to IoT devices. In 2020, we saw a big password data dump of 500K IoT devices and routers and most of the credentials are valid to this very day.
You buy a new IoT device, connect it to the internet, leave the admin portal password unchanged and forget about it till the day your IoT device stops working. That’s a usual practice from a consumer perspective because the UX and security of the IoT device were not a priority for the company designing it.
What happens when someone accesses the IoT device using a default password? In the case of a thermostat, can they change the temperature? In the case of a CCTV camera, can they watch a live camera feed? No, that’s only a single possibility out of infinitely many. Most IoT devices have a mechanism for uploading firmware through their admin portal, and a malicious actor can upload malicious firmware with backdoors in it.
You won’t notice a change in the device’s working, but by uploading the malicious Firmware with backdoors in it, the hacker can now do all sorts of things. They now have a green pass into your home or office network and with some effort, they can access most of the devices, including your smartphones and laptops, within the same network.
Firmware Issues, Poor Update Mechanism, Lack of Regular Patches and Updates
The Firmware of IoT Devices is designed poorly, with many security loopholes related to internet connectivity. The communication methods in the Firmware for internet access and data sharing are deliberately left insecure to reduce development time. It is true in the case of all hardware devices because the Firmware Development and Hardware Design teams are separate teams. The Firmware team has to develop Firmware before the hardware is sent to the manufacturing facility and it is the manufacturing facility that can upload Firmware to thousands of devices.
Once Firmware without any FOTA (Firmware-Over-the-Air) update capability is uploaded to the device, there is no way to update it unless all of the devices are physically flashed with the updated Firmware by connecting wires. So a lousy firmware with no FOTA capability most likely ruins the whole network where the devices are going to be used.
In most of the cases where FOTA is implemented in Firmware, the devices still don’t get any security updates and patches at all. It can be practically confirmed by opening your router admin page and going to the updates section. You will be surprised to know that your wireless WiFi router hasn’t got any update for years.
It is important to note that Firmware issues don’t necessarily start with password guessing. In many cases, the hackers already know the well-known vulnerabilities in IoT Devices. For example, in the case of routers, an IoT botnet turned a large set of devices into bad actors on the network.
Bad Hardware Design
Firmware is not the only culprit in making IoT devices insecure; hardware design is equally involved. Due to time and product cost constraints, companies tend to overlook the essential factors in the hardware design. Encryption modules, secure bootloader chips, etc., are not even part of the hardware design process.
The most apparent poor practice, which you can confirm with a WiFi router or an IoT device, is that their PCBs expose UART or I2C headers for uploading Firmware. Anyone with access to an IoT Device with exposed communication headers can replace the original Firmware with a malicious one without even knowing the password, and with only a few hours of effort.
Insufficient Data Protection
Data is the key to any business and the profits are linked to how much data is collected, smartly analyzed and then used in business decisions. Unfortunately, the reality is that on one side businesses are making profits while, on the other, they leave their customers a vulnerable target for hackers through bad data safety practices. There are two significant factors linked with data security.
Data Communication is the core part of any internet-connected IoT Device. The data is collected from sensors and then forwarded to either a gateway device or directly to a cloud server. The gateway device pre-processes the data and again sends it to the cloud. A typical flow looks something like the picture below.
Data Storage and Data Security are also essential in any IoT Solution, and not only for IoT in the finance industry. They are a crucial factor in gaining customers’ trust. The IoT Nodes generate a large amount of data, which is usually stored in the cloud with providers like Amazon, Azure, or Google Cloud using their data storage services like S3. Credentials such as certificates and environment variable files containing sensitive information like passwords are negligently pushed to GitHub by the development teams.
Once these are uploaded, anyone can access them without using any special tools. A Google dork is a Google search query that can allow anyone to find sensitive data over the internet very easily. The good practice is to never store credentials like keys, passwords, certificates, etc., anywhere publicly accessible on the internet.
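A check a development team can run before pushing to GitHub, added here as an example and not taken from the original article or any named tool. The rule names, the placeholder convention (`${VAR}` or `<...>`) and the sample values are assumptions made for this example.

```python
import os
import re
from pathlib import Path

# Content rules for the secrets the text names: keys, passwords, certificates.
RULES = {
    "private key block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "AWS access key id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "hard-coded secret": re.compile(
        r"(?i)(?:password|passwd|secret|api_key|token)\w*\s*[=:]\s*['\"]?([^\s'\"]{6,})"),
}
# File names that should never be committed, whatever they contain.
RISKY_NAME = re.compile(r"^\.env(\..+)?$|\.(pem|key|p12|pfx)$", re.IGNORECASE)
# Values that only reference a secret held elsewhere are not findings.
PLACEHOLDER = re.compile(r"^(\$\{.*\}|<.*>)$")

def scan_text(name: str, text: str) -> list:
    """Return (file, line number, rule) findings; line 0 means the file name."""
    findings = []
    if RISKY_NAME.search(Path(name).name):
        findings.append((name, 0, "sensitive file name"))
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            match = pattern.search(line)
            if match and not (match.groups() and PLACEHOLDER.match(match.group(1))):
                findings.append((name, lineno, rule))
    return findings

def scan_tree(root: str) -> list:
    """Scan every file under root, skipping Git's own metadata directory."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = sorted(d for d in dirnames if d != ".git")
        for filename in sorted(filenames):
            path = Path(dirpath, filename)
            rel = path.relative_to(root).as_posix()
            findings += scan_text(rel, path.read_text(errors="ignore"))
    return findings

if __name__ == "__main__":
    # Constructed sample: an environment file with a password and a made-up key id.
    sample = "DB_PASSWORD=s3nsor-gateway-pw\nAWS_ACCESS_KEY_ID=AKIAABCDEFGHIJKLMNOP\n"
    for finding in scan_text(".env", sample):
        print(finding)
```

A finding on line 0 means the file itself should be kept out of the repository, for example through `.gitignore`.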
Poor IoT Device Management
IoT Device Management lacks the security aspects. The IoT product design firms design a product with a management portal where users can register their IoT devices to get a live status of their device. It should come as no surprise that the businesses put vendor lock-in mechanisms in place so that the consumer can’t use a trustable management platform of their choice. Anyone can witness this practice in sensitive devices like security cameras. The management backend of such IoT devices is written so poorly that you can easily access live camera feeds and sensors’ data with just a few keystrokes of a Google search query.
We discussed earlier the harm poorly written Firmware could inflict by allowing an attacker on the same network as the IoT device to replace the stock firmware with malicious Firmware through a poorly implemented OTA capability. That process does require some effort to get into the network and proceed with the attack.
In the case of poor IoT device management portals and backends, it is far easier for an attacker to open the admin portal or the device management dashboard over the internet from anywhere. The prime examples of lousy device management are WiFi routers, web cameras, IP cameras, baby monitors, thermostats, etc., which are accessible over the internet, have insecure HTTP webpages and allow anyone with a bit of technical knowledge to replace the Firmware or at least break the device by uploading a random file disguised as a firmware.
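How an upload handler can refuse both the backdoored firmware described in the default-password section and the random file disguised as firmware mentioned above, added here as an example and not any vendor's code. The image layout (`FWIM` magic, version, length, trailing tag) is hypothetical, and HMAC-SHA256 from the standard library stands in for the asymmetric signature a production device would verify with a public key only.

```python
import hashlib
import hmac
import struct

MAGIC = b"FWIM"                    # hypothetical image magic for this example
HEADER = struct.Struct(">4sII")    # magic, version, payload length (big-endian)
TAG_LEN = hashlib.sha256().digest_size

class FirmwareRejected(Exception):
    """The uploaded image must not be flashed."""

def build_image(key: bytes, version: int, payload: bytes) -> bytes:
    """Vendor side: header + payload + authentication tag over both."""
    header = HEADER.pack(MAGIC, version, len(payload))
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag

def verify_image(key: bytes, installed_version: int, image: bytes) -> bytes:
    """Device side: return the payload only if every check passes."""
    if len(image) < HEADER.size + TAG_LEN:
        raise FirmwareRejected("image too short")
    magic, version, length = HEADER.unpack_from(image)
    if magic != MAGIC:
        raise FirmwareRejected("bad magic")
    if length != len(image) - HEADER.size - TAG_LEN:
        raise FirmwareRejected("length field does not match image size")
    signed, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    expected = hmac.new(key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise FirmwareRejected("authentication tag mismatch")
    if version <= installed_version:  # refuse downgrades to older builds
        raise FirmwareRejected("version is not newer than installed")
    return image[HEADER.size:-TAG_LEN]

def decide(key: bytes, installed_version: int, image: bytes) -> str:
    """What the upload handler would do with this file."""
    try:
        verify_image(key, installed_version, image)
        return "flash"
    except FirmwareRejected as exc:
        return f"reject: {exc}"

if __name__ == "__main__":
    key = bytes(range(32))  # constructed demo key
    good = build_image(key, 5, b"constructed firmware payload")
    print(decide(key, 4, good))
    print(decide(key, 4, good[:12] + b"X" + good[13:]))
```

The version is compared only after the tag has been verified, so an unauthenticated header can never influence the rollback decision.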
A network may contain shadow IoT devices, which means devices that are unmanaged and are left to function for years and years.
In 2020 a study was published analyzing more than 5 million unmanaged IoT and IoMT (Internet of Medical Things) devices. The findings are shown in the bar chart below.
15-19% of IoT devices were running legacy operating systems. 20% of devices had PCI DSS violations, which means that the instruments which use credit cards were on the same VLAN as other devices like computers. 86% of devices in medical fields were posing a health or security risk. 95% of IoMT devices were in networks where Amazon Alexa and Echo were active, recording conversations, while 75% of IoMT devices were violating VLAN isolation requirements.
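The two findings above, unmanaged (shadow) devices and payment or medical devices sharing a VLAN with other equipment, can be checked against a network's own data. This is an added example, not the study's method: the record fields, the category names and the rule that `payment` and `iomt` devices must sit alone on their VLAN are assumptions, and all sample data is constructed.

```python
from collections import defaultdict

# Categories that must not share a VLAN with anything else (assumed policy).
ISOLATED = {"payment", "iomt"}

def shadow_devices(observed: list, inventory: dict) -> list:
    """MAC addresses seen on the network that no one manages."""
    return sorted(d["mac"] for d in observed if d["mac"].lower() not in inventory)

def isolation_violations(observed: list, inventory: dict) -> list:
    """Return (vlan, protected category, other devices on that VLAN)."""
    by_vlan = defaultdict(list)
    for d in observed:
        record = inventory.get(d["mac"].lower(), {})
        by_vlan[d["vlan"]].append((d["mac"], record.get("category", "unmanaged")))
    violations = []
    for vlan, members in sorted(by_vlan.items()):
        categories = {category for _, category in members}
        for protected in sorted(ISOLATED & categories):
            others = sorted(mac for mac, category in members if category != protected)
            if others:
                violations.append((vlan, protected, others))
    return violations

# Constructed sample: what a DHCP or switch export might list (MAC, VLAN).
OBSERVED = [
    {"mac": "02:00:00:00:00:01", "vlan": 10},  # card terminal
    {"mac": "02:00:00:00:00:02", "vlan": 10},  # office laptop
    {"mac": "02:00:00:00:00:03", "vlan": 20},  # infusion pump
    {"mac": "02:00:00:00:00:04", "vlan": 20},  # voice assistant nobody registered
    {"mac": "02:00:00:00:00:05", "vlan": 30},  # patient monitor on its own VLAN
]
# Constructed sample: the managed-device inventory, keyed by lower-case MAC.
INVENTORY = {
    "02:00:00:00:00:01": {"category": "payment"},
    "02:00:00:00:00:02": {"category": "workstation"},
    "02:00:00:00:00:03": {"category": "iomt"},
    "02:00:00:00:00:05": {"category": "iomt"},
}

if __name__ == "__main__":
    print("shadow:", shadow_devices(OBSERVED, INVENTORY))
    for violation in isolation_violations(OBSERVED, INVENTORY):
        print("violation:", violation)
```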
Insecure interfaces are related to Web Apps, Smartphone Apps, APIs, and other related interfaces that are deliberately made publicly available or publicly accessible due to some vulnerability in the device Firmware or management portal.
The interfaces become insecure because of plain passwords, poor user roles management, and using other insufficient authentication techniques.
Why Is Identifying and Fixing These Challenges Important?
IoT acceptance as we envisioned it years back is still far off and might require several years of work to make IoT devices secure, trustable, and user-friendly. IoT security standards need to be devised and put in place as a strict requirement for IoT solution designers. Secure authentication and authorization frameworks should be used in all devices regardless of their nature.
Identifying the problems is only a first step. The real work, building secure IoT device design frameworks, still needs to be done. We can leverage new technologies like blockchain to make IoT Devices trustable and safe, and we can use cryptographic advancements like Zero Trust Authentication or Self Sovereign Identity etc. Only then can we foresee a future in which the IoT devices are natively secure, robust, user-friendly, and help make our day-to-day lives better and easier.