As multiple technologies are converged to achieve greater efficiency in certain tasks, we often witness an emergence of new types of hardware and software.
In recent times, IoT (Internet of Things) devices have gradually become common in both individual consumer and institutional or industrial settings.
Whether it is lighting, and home security appliances controlled via a tablet screen, or sensors that contribute to the control of valves, pumps and other elements of manufacturing plants, the ability of these objects to connect and exchange data over the internet is becoming more vital.
However, due to factors such as limited computational power and an overall design approach that is consumer-focused and cost-stringent, these devices are massively constrained when it comes to implementing conventional security measures like firewalls, encryption, and patching systems.
In theory, how could these vulnerabilities be exploited?
These vulnerabilities may be exploited through:
· An external attack that targets an internet-facing device within the network and takes control of it.
· An attack that takes advantage of loopholes in the network’s software library to target particular devices.
· A broadcast attack that can compromise multiple devices on the network concurrently.
· A covert “occupation” of an affected device to maintain access to the wider network over a long period of time.
· A more complex attack on a device on the network from outside the boundaries of the network to circumvent NAT (Network Address Translation) settings.
· Responding to packets that travel outside the network’s boundaries, also as a way of dodging NAT configurations.
So, what does a real-life exploitation of these IoT vulnerabilities look like?
Manifestations of these attacks may range from data theft from a printer to malfunctioning control devices in industrial operations.
There are also scenarios in which IoT devices will be used to attack others such as the 2016 Mirai malware attack that compromised a major DNS provider and multiple websites associated with it.
This botnet infected at least 65,000 devices within the first 20 hours, with these infections eventually reaching 200,000. Some of the vendors with the most infected devices included Huawei, Cisco, ZTE, Dahua, MikroTik and ZyXEL.
Another example is in the set of vulnerabilities known as Ripple20. Ripple20 is particularly unique since the magnitude of exploitations made possible in this case is greatly amplified by the supply chain factor.
With a widely distributed software library in this case, the vulnerabilities associated with it end up spreading across devices in the fields of medicine, transportation, retail, aviation, government, home appliances, power grids, networking, manufacturing etc.
The prominent affected vendors here are Intel, Schneider Electric, Rockwell Automation, HP, Baxter, and Caterpillar among others.
Additionally, minimal market incentives along with the nature of numerous IoT development boards have led to situations where these devices succumb to MiTM attacks due to predictable keys and overall weak SSH implementation.
This has left many stakeholders pushing for better government regulation regarding the security of IoT devices and the broader internet.
What are some of the efforts being made to solve these problems?
On September 23rd, 2015, a group of technology providers and telecommunication company officials came together and founded the Internet of Things Security Foundation (IoTSF) in a bid to disseminate knowledge and best practices on how to secure the Internet of Things.
Furthermore, Mozilla launched Project Things in 2017, facilitating the routing of IoT devices through a secure Web of Things gateway.
KBV research also estimates a 27.9% growth rate in the general IoT security market between 2016 and 2022 in response to wider usage of the Internet of things.
Going forward, the extent to which IoT devices are interconnected and the resultant ripple effect of vulnerabilities in one area means that business heads and decision makers in various organizations relying on IoT devices should constantly pursue greater security.
Wondering what the best approach to IoT security is?
Let the experts at ASB Resources examine the scale of your organization’s IoT usage and recommend the appropriate measures for any vulnerabilities you might be exposed to. Schedule a call with one of our experts today!