We Should Talk about IoT Security
Originally published on June 22, 2018 by Patrick Gebhardt
Last updated on February 10, 2020 • 8 minute read
The digitalization is progressing and with it the Internet of Things (IoT). Smart devices communicate with each other and network even the most sensitive areas to make life easier for users. We have recently written about LPWA and will continue to publish a lot about Smart Home and IoT on our blog. But let's talk today about something that is often forgotten. IoT also has a downside, as numerous cyber-attacks in recent months have shown the danger that can emanate from all-encompassing networking. But how easy is it really to hack an IoT device?
In short: It is comparatively simple. Once cybercriminals have discovered vulnerable IoT devices, they just need to know how to hack the device - and that's surprisingly lightweight. The easiest way to hack a smart device is to use the Brute-force method to determine the password or to use the factory default login data. Botnets that can be borrowed from the Darknet make it easy to infect thousands of devices in one go. Because it is clear that many manufacturers use the same standard log-in data for all their devices for cost reasons, instead of defining a separate password for each.
What Does the Past Teach Us?
That IoT devices have never really been safe. And it is obvious that certain risks will intensify. One of the worst threats on the Internet of Things in the last two years has been the Mirai Botnet, which infected thousands of smart devices by triggering massive DDoS attacks using standard logins. It has been shown that cheap Chinese products, such as webcams, were among the most vulnerable IoT devices. Most of these are products that should only be used at most in an isolated environment. Since the source code of Mirai was published, practically everyone can operate his own IoT botnet or rewrite the programming code arbitrarily - therefore numerous mutations of Mirai have emerged. Other ways to infect an IoT device are much more complex and only available for an expensive price - and therefore less common. The reverse engineering of firmware or an operating system requires profound technical knowledge and investments in time. However, this is exactly where security strategies can be applied.
So What Can Be Done about It?
A possible and effective solution to improve security in IoT would be to allow users to easily change the login data for their smart devices. This only helps with the cheapest methods used by cyber criminals, but these were and are precisely the most frequently used. For example, manufacturers could "force" their customers to change the login data of their devices by making the entry of a unique and "strong" password a mandatory step in the initial start-up of the device. In fact, changing the login data would significantly reduce the number of "vulnerable" devices and make it much more difficult for hackers and bots to enter IoT devices. Alternatively, IoT device manufacturers could assign a unique, randomly generated password to each device and send it to the customer along with the device.
The Problem with Keys
Integrating safety into the devices right from the start will prove to be more difficult and tedious than expected. This applies equally to IoT devices intended for end users and those used in companies. So it would be hypocritical, at least here, if all manufacturers of IoT devices were criticized. An example: encryption. You have the ability to encrypt data that an IoT device collects both while it is on the device and when it is sent to another device (or analyzed in the cloud). As far as encryption is concerned, there are many very good recommendations as to which algorithms are suitable and available with which key lengths. In addition, there are several open source encryption solutions. But it is much more difficult to protect and manage the keys associated with it - and insufficient key management invalidates the entire encryption process. A poorly managed key can render the encrypted data unusable, for example, if the key used to encrypt the data in question can not be made available within an authentication process. The sheer number of devices in IoT exponentially exacerbates the challenges of encryption and key management.
And the Bright Spot
In addition it must be said here that unfortunately still too many IoT devices are too weak for a powerful encryption. With little storage space, a good SSL implementation is usually not possible. It can also be assumed that manufacturers of IoT devices, especially for devices for end customers, will continue to bring devices to the market that are poorly or not at all secured. That's just the way it is - there's nothing we can do about it. However, consumer safety awareness is growing (although not yet strong enough to change purchasing behavior). Cool features and an affordable price are still the deciding factors here. For the first time, Amazon Echo and Google Home are at the top of the wish lists of technology-savvy consumers. On the other hand, there is a small but growing group of consumers who have serious concerns about the safety of these products. Especially with devices that overhear pretty much everything that is spoken within their range. The first major waves of attacks, such as the Mirai Botnet, have attracted the attention of security experts. The average consumer is not yet aware of the scope of these types of attacks. Nevertheless, the pressure on manufacturers is growing and with it the demand for better security and data protection measures.