IoT Security: Inherent Insecure Nature of IoT Devices

Dec 3, 2021 | #IoT

Table of Contents

  1. Connectivity
  2. Devices & protocols
  3. Data analysis
  4. Attack vectors
  5. Common attack scenario

The Internet of Things (IoT) has progressively become a disruptive technology in smart devices in recent years.

This technology gathers and transmits data from smart devices such as sensors, and the number of connected devices is expected to reach billions by the end of 2022. However, the growth of this industry has also raised several security challenges to which experts have given little attention.

Over the last half-decade, we have seen plenty of security attacks and cases of compromised devices.

Therefore, the security of IoT devices has become a severe concern for researchers, governments, and the general public. In this context, experts have also proposed solutions to manage this security problem. However, most studies and proposals address only a segment of this problem (IoT access management) rather than offering a complete solution.

IoT security is a complex issue because the applications, devices, and protocols used to connect devices vary. Security attacks against IoT devices have become more common and sophisticated, and their consequences have been increasingly severe.

The critical issue is to prevent cyberattacks and a single point of failure within the system by solving IoT devices’ security challenges and ensuring their integrity.

IoT security has attracted significant interest from scholars, security experts, and researchers, and consequently, many initiatives, reports, and research proposals have been presented over the past few years.

Here, we identify some of the most representative issues and discuss how they fit into a coherent and robust global IoT security approach. We will address the following challenges:

The inherent nature of IoT devices (e.g., simplicity, low cost, small memory footprint) renders them vulnerable to cyber-attacks. Therefore, IoT security cannot be addressed by security solutions alone (i.e., software, policies, etc.).

Connectivity

Connecting IoT devices is the first step towards IoT security. The main concern is the connection method since it determines the type of device and its vulnerability. Connection modes include, but are not limited to, wired/wireless, Bluetooth, Wi-Fi, ZigBee, and cellular technologies.

Devices & protocols

The wide use of IoT devices (as explained above) provides an opportunity for malicious actors to exploit the weaknesses of those devices to disrupt critical services. As for the protocols, it is crucial to know the vulnerabilities of protocols such as those used in the 4th/5th generation mobile networks and Wi-Fi.

Additionally, one of the solutions proposed to deal with mobile attacks was using a SIM card with additional restrictions that allow authentication, authorization, and tracking of the activities in the network as an alternative to a device-centric approach.

 

Data analysis

One of the challenges in securing IoT devices concerns devices used for monitoring purposes. In some cases, they do not require authentication or encryption. IoT devices often use raw data to compute and store statistics. There is a need for data aggregations or transformations to improve accuracy, resulting in a new format of information.

For example, smart light bulbs could report their behavior in several ways, e.g., energy consumption. Light bulbs do not require authentication. However, the information is not aggregated. Therefore, using this type of light bulb could enable potential attackers to exploit the lack of security.

In-home automation systems can be deployed without requiring any authentication or authorization, although an attacker could compromise them by exploiting the data and information.

One way is to build profiles about the customer and their habits, which provides a gateway to the system that allows the attacker to manipulate the system’s internal configuration, detect the presence of the devices in the network, and launch the attack.

 

Attack vectors

IoT devices typically collect data, such as network traffic, network status, and system logs. Many of these data points are sent directly from the device without any aggregation or transformation. Because of this lack of aggregation, an attacker who harvests the data can build accurate profiles of customers and their habits, for example from the number of requests sent to a device and the average response time, which indicate the customer’s internet access and unusual activities.

Let’s consider for a moment that an attacker could use the information collected from a sensor in a refrigerator to identify when the consumer is using the device and detect any abnormal behavior.
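The exposure described above, seen from the device designer's side, as an added example that is not part of the original article: it compares what per-event reports reveal about time of use with what remains after device-side aggregation. The sensor readings, the `ts`/`wh` field names and the function names are constructed assumptions for illustration.

```python
from collections import Counter
from datetime import datetime

# Constructed sample: per-event reports from a hypothetical refrigerator sensor.
# "ts" is the event time, "wh" the energy used (watt-hours).
RAW_EVENTS = [
    {"ts": "2021-12-01T07:02:00", "wh": 3}, {"ts": "2021-12-01T07:40:00", "wh": 2},
    {"ts": "2021-12-01T18:15:00", "wh": 4}, {"ts": "2021-12-01T18:55:00", "wh": 3},
    {"ts": "2021-12-02T07:05:00", "wh": 3}, {"ts": "2021-12-02T18:20:00", "wh": 4},
    {"ts": "2021-12-02T18:48:00", "wh": 2}, {"ts": "2021-12-03T07:10:00", "wh": 3},
    {"ts": "2021-12-03T18:30:00", "wh": 5},
]

def recoverable_hours(records):
    """Hours of day that anyone reading the reports can recover from 'ts'."""
    return sorted({datetime.fromisoformat(r["ts"]).hour
                   for r in records if "T" in r["ts"]})

def aggregate(records, window_hours=24):
    """Device-side aggregation: sum energy per window and drop event times.

    window_hours must divide 24; with 24 the label is a bare date, so the
    outgoing report carries no time-of-day information at all.
    """
    totals = Counter()
    for r in records:
        t = datetime.fromisoformat(r["ts"])
        start = t.replace(hour=t.hour - t.hour % window_hours, minute=0, second=0)
        label = start.date().isoformat() if window_hours == 24 else start.isoformat()
        totals[label] += r["wh"]
    return [{"ts": label, "wh": totals[label]} for label in sorted(totals)]

if __name__ == "__main__":
    print("raw reports reveal activity at hours:", recoverable_hours(RAW_EVENTS))
    for window in (12, 24):
        out = aggregate(RAW_EVENTS, window)
        print(f"{window}h windows reveal hours:", recoverable_hours(out), out)
```

The total energy figure the manufacturer needs survives aggregation, while the morning and evening usage pattern visible in the raw reports does not.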

Moreover, attackers could use the collected data to access and manipulate the device’s configuration. For instance, if a connected device sends its location or configuration settings back to the manufacturer’s cloud, an attacker could configure the device remotely to perform a denial-of-service attack, change the device’s IP address, or block the connection with the manufacturer’s cloud.

Furthermore, attackers could use the data sent by the device to see its presence in the network, even when it is off, if the machine uses a cloud service for remote control.

Additionally, attackers could use the information gathered to detect the presence of a device in the network. If an attacker detects the device on the web, it can start the attack against the machine.

Lastly, it is possible to exploit the device for other reasons, such as triggering IoT attacks or sending phishing emails.

A common way to use the information to perform an attack is to extract details about the device’s location. For instance, an attacker can send fake emails to device users to lure them to visit a specific page in the web browser.

 

Common attack scenario

The typical way to exploit an IoT device is to send fake requests to extract the data. For example, an attacker could send fake push notifications to an iOS device to manipulate the machine.

An attacker could be in another network or even in the same network as the device. In other words, the attacker could have direct access to the device’s network (for example, the attacker could have control of the device and physically plug the device into a LAN port).

The attacker could also use an indirect way to access the device, for example, by hacking into another machine in the same network and using it to extract information—this is where the vulnerability comes in.

Another possibility is that an attacker with direct access to the device exposes it to remote code execution. In this case, the attacker can carry out a code execution attack.

However, an indirect attack is also possible by exploiting the access points that allow the attacker to connect to the network of the device, along with any vulnerabilities, to intercept the data.

In both cases, the goal is the same: the attacker aims to obtain details about the device, for instance, the model name.

In a subsequent article (IoT Devices Security: Overview of Common Attack Techniques & Vulnerabilities), we will dive further into various forms of attack mechanisms and their technicalities. Stay tuned.

About Us: Krasamo is a mobile-first digital services and consulting company focused on the Internet-of-Things and Digital Transformation.
