Table of Content
The Internet of Things (IoT) has progressively become a disruptive technology in smart devices in recent years.
This technology can gather and transmit data from smart devices like sensors, expected to reach billions of connected devices by the end of 2022. However, the growth of this industry has also raised several security challenges to which experts have given little attention.
Over the last half-decade, we have seen plenty of security attacks and cases of compromised devices.
Therefore, the security of IoT devices has become a severe concern for researchers, governments, and the general public. In this context, experts have also proposed solutions to manage this security problem. However, most studies and proposals address a segment of this problem (IoT access management) rather than a complete solution.
IoT security is a complex issue because the applications, devices, and protocols used to connect devices vary. Security attacks against IoT devices have become more common and sophisticated, and their consequences have been increasingly severe.
The critical issue is to prevent cyberattacks and a unique point of failure within the system by solving IoT devices’ security challenges and ensuring their integrity.
IoT security has attracted significant interest from scholars, security experts, and researchers, and consequently, many initiatives, reports, and research proposals presented over the past few years.
Here, we identify some of the most representative issues and discuss how these incorporate into a coherent and robust global IoT security approach. We will address the following challenges:
The inherent nature of IoT devices (e.g., simplicity, low cost, small memory footprint) renders them vulnerable to cyber-attacks. Therefore, IoT security is not addressed by only using security solutions (i.e., software, policies, etc.).
Connecting IoT devices is the first step towards IoT security. The main concern is the connection method since it determines the type of device and its vulnerability. Several connection modes include but are not limited to wired/wireless, Bluetooth, Wi-Fi, ZigBee, and cellular technologies.
Devices & protocols
The wide use of IoT devices (as explained above) provides an opportunity for malicious actors to exploit the weaknesses of those devices to disrupt critical services. As for the protocols, it is crucial to know the vulnerabilities of protocols such as those used in the 4th/5th generation mobile networks and Wi-Fi.
Additionally, one of the solutions proposed to deal with mobile attacks was using a SIM card with additional restrictions that allow authentication, authorization, and tracking of the activities in the network as an alternative to a device-centric approach.
One of the challenges in the security of IoT devices is monitoring purposes. In some cases, they do not require authentication or encryption. IoT devices often use raw data to compute and store statistics. There is a need for data aggregations or transformations to improve accuracy, resulting in a new format of information.
For example, smart light bulbs could report their behavior in several ways, e.g., energy consumption. Light bulbs do not require authentication. However, the information does not aggregate. Therefore, using this type of light bulb could enable potential attackers to exploit the lack of security.
In-home automation systems are deployable without requiring any authentication or authorization, although an attacker could compromise it by exploiting the data and information.
One way is to build profiles about the customer and his habits—providing a gateway to the system that allows the attacker to manipulate the system’s internal configuration, detect the presence of the devices in the network, and launch the attack.
IoT devices typically collect data, such as network traffic, network status, and system logs. Many of these data points are sent directly from the device without any aggregation or transformation. This lack of accumulation means that the data harvested by an attacker can build accurate profiles of customers and their habits—using the number of requests sent to a device and the average response time, indicating the customer’s internet access and unusual activities.
Let’s consider for a moment that an attacker could use the information collected from a sensor in a refrigerator to identify when the consumer is using the device and detect any abnormal behavior.
Moreover, attackers could use the collected data to access and manipulate the device’s configuration. For instance, if a connected device sends its location or configuration settings back to the manufacturer’s cloud, an attacker could configure the device remotely to perform a denial-of-service attack, change the device’s IP address, or block the connection with the manufacturer’s cloud.
Furthermore, attackers could use the data sent by the device to see its presence in the network, even if it is off if the machine uses a cloud service for remote control.
Additionally, attackers could use the information gathered to detect the presence of a device in the network. If an attacker detects the device on the web, it can start the attack against the machine.
Lastly, it is possible to exploit the device for other reasons, such as triggering IoT attacks. Alternatively, to send phishing emails.
A common way to use the information to perform an attack is to extract details about the device’s location. For instance, an attacker can send fake emails to device users to lure them to visit a specific page in the web browser.
Common attack scenario
The typical way to exploit an IoT device is to send fake requests to extract the data. For example, an attacker could send fake push notifications to an iOS device to manipulate the machine.
An attacker could be in another network or even in the same network as the device. In other words, the attacker could have direct access to the device’s network (for example, the attacker could have control of the device and physically plug the device into a LAN port).
The attacker could also use an indirect way to access the device, for example, by hacking into another machine in the same network and using it to extract information—this is where the vulnerability comes in.
Another possibility is when an attacker has direct access to the device, it might expose it to remote code execution. In this case, the attacker can execute a code execution attack.
However, an indirect attack is possible by exploiting the access points that allow the attacker to connect to the network of the device and any vulnerabilities to intercept the data.
In both cases, the goal is the same: an attacker should obtain the details about the device, for instance, the model name.
In a subsequent article (IoT Devices Security: Overview of Common Attack Techniques & Vulnerabilities), we will dive further into various forms of attack mechanisms and their technicalities. Stay tuned.