SoS Musings #36 - Stop Attackers From Pulling the Strings on the Internet of Things
The Internet of Things (IoT) refers to the system or network made up of physical devices that are connected to the internet and are capable of sending and receiving data. The support provided by IoT devices for expanded internet connection extends beyond traditional devices such as laptop computers, desktops, smartphones, and tablets to various consumer devices embedded with technology that makes it possible for them to communicate or interact over the internet, such as smart appliances, wearables, toys, speakers, TVs, and more. According to a report released by Market Forecast in April 2019, titled "Global IoT Security- Market and Technology Forecast to 2027," the current market for IoT security spending is estimated at around $10 billion and is expected to reach $74 billion by 2027. The Statista Research Department had projected the number of IoT devices to hit 31 billion by 2020 and 75 billion by 2025. IoT offers a number of advantages for consumers, including support for efficiency through Machine-to-Machine (M2M) communication, automation, ease of control, information-sharing, and product monitoring. However, the amount of data being transmitted via IoT devices, as well as the insecurity in the design, development, configuration, and implementation of these devices, makes them more vulnerable to hacking. The exponential growth in the use of IoT devices by commercial entities and consumers, together with recent discoveries of vulnerabilities in IoT devices, calls on manufacturers, consumers, the security community, and government to increase efforts toward improving the security and privacy of these devices.
In recent years, there have been several discoveries of vulnerabilities in IoT devices and incidents involving the exploitation of these flaws that pose threats to the security and privacy of users. Paul Marrapese, a security engineer, discovered more than two million vulnerable IoT devices, including IP security cameras, baby monitors, and smart doorbells manufactured and distributed by vendors such as HiChip, TENVIS, SV3C, VStarcam, Wanscam, NEO Coolcam, Sricam, Eye Sight and HVCAM. According to Marrapese, the vulnerability of these devices to being hijacked by hackers derives from flaws in the Peer-to-Peer (P2P) communication technology, called iLinkP2P, which is a firmware component that enables the devices to talk to vendors' servers through the P2P protocol. Researchers at North Carolina State University discuss their findings of extensive design flaws in "smart home" IoT devices in a paper, titled "Blinded and Confused: Uncovering Systemic Flaws in Device Telemetry for Smart-Home Internet of Things." Such flaws could allow threat actors to execute remote suppression attacks in which security-related signals from IoT devices are blocked. For example, when a motion sensor is tripped by movement, the attack would prevent homeowners from being notified in the event that a break-in occurs. Security researchers at F-Secure disclosed flaws in the KeyWe Smart Lock IoT device designed to allow homeowners to lock and unlock their homes via an app. The vulnerabilities found in these smart locks could be exploited by attackers using inexpensive network-sniffing equipment to intercept traffic between the mobile app and the smart lock to recover the key required to unlock the device. The FBI issued a warning about cybercriminals' abuse of unsecured smart TVs to gain entry into homes and listen in on users via TV microphones and built-in cameras. Similarly, hackers can spy on users via IoT robot vacuums, as discovered by researchers at Checkmarx. The exploitation of vulnerabilities found in the internet-connected Trigo Ironpie M6 smart vacuum cleaner enables hackers to control the vacuum and monitor the video feeds recorded by the device's cameras. One incident that garnered major headlines is the access of an indoor Ring camera by a hacker to harass an 8-year-old girl in her bedroom. Ring claimed that the incident was not the result of a breach or compromise of Ring's security, but the result of a potential credential-stuffing attack, calling on users to stop reusing credentials across different services. Other major IoT security incidents include the leak of millions of voice recordings by an IoT Teddy Bear and the exposure of kids' GPS data by an IoT smartwatch.
The growth in botnets accompanies the increasing number of insecure IoT devices. An IoT botnet is a network of IoT devices infected with malware that allows malicious actors to gain control over them and perform different types of attacks such as Distributed-Denial-of-Service (DDoS) attacks to overwhelm targets, credential-stuffing attacks to take over accounts, web application attacks to steal data, and spamming. IoT botnets can have a wider impact than traditional botnets in that they can be composed of hundreds of thousands of devices. According to Radware, there are several reasons why IoT devices are attractive targets for attackers when building botnets. Cybercriminals perceive IoT as low-hanging fruit because of problems such as IoT devices shipping with default passwords and exposed services. Also, IoT devices are rarely monitored, inadequately maintained, poorly configured, and always functioning, allowing attackers to strike them at any time and exploit significantly large numbers of devices. In addition, the malware used to enslave IoT devices is often found to be capable of easily changing devices' factory-set (default) passwords in order to block users from logging into their devices. One IoT botnet that gained worldwide attention in 2016 is the infamous Mirai botnet that crippled Krebs on Security, the French cloud computing company OVH, and the Internet performance management and web application security company DYN, through the launch of massive DDoS attacks performed via more than 600,000 IoT devices such as air-quality monitors, personal surveillance cameras, routers, and digital video recorders (DVRs). Other notable large-scale IoT botnet attacks include Linux.Aidra, Bashlite, LuaBot, Remaiten, and Linux/IRCTelnet. In 2019, researchers at Imperva discovered a massive botnet attack, similar to that of a Mirai botnet, which used more than 400,000 IoT devices to perform DDoS attacks against an online streaming application. Researchers said this particular botnet produced more than 292,000 requests per minute. The recruitment of IoT devices by botnets can create a significant loss of operation and downtime for organizations.
Manufacturers, developers, and consumers must be aware of the security problems commonly found with IoT devices so that better choices can be made in the production, implementation, and management of such devices. The Open Web Application Security Project (OWASP), a nonprofit organization dedicated to improving software security, released a list of vulnerabilities commonly associated with IoT devices. Included on the list is the hardcoding of weak credentials into IoT devices that can be easily brute-forced by attackers. IoT devices often run insecure network services, leaving them vulnerable to attacks in which the data they store or transfer is stolen or the devices are remotely controlled by hackers. Insecure ecosystem interfaces resulting from a lack of authentication, encryption, and filtering contribute to the vulnerability of IoT devices to compromise. Many IoT applications lack mechanisms for security updates such as firmware validation since vendors and enterprises often do not consider the future of IoT devices and how they might be implemented. IoT devices also often use insecure third-party software or hardware components that leave them vulnerable to compromise. Other vulnerabilities highlighted by OWASP include inadequate privacy protection, lack of data encryption, poor security management, and insecure default settings. Increased understanding of these vulnerabilities can improve efforts to bolster IoT security.
Efforts are being made in the realms of academia and industry to improve IoT security. Researchers at the Massachusetts Institute of Technology (MIT) built a chip to efficiently execute public-key encryption at a significantly higher speed for IoT devices while also consuming less power and memory. MIT researchers also conducted research aimed at securing IoT devices in the coming era of quantum computers. They developed a novel circuit architecture capable of protecting low-power IoT devices from quantum computer attacks using lattice-based cryptography. Perry Alexander, director of the Information and Telecommunication Technology Center at the University of Kansas, and his multidisciplinary team of researchers, including computer engineers, psychologists, sociologists, and philosophers, received funding from the National Security Agency (NSA) to improve IoT cybersecurity. This team is working to develop technology to address IoT side-channel attacks, enhance IoT devices' resiliency against interruptions, and advance human behavior to improve secure interaction with such devices. A team of Penn State World Campus researchers developed a multi-pronged data analysis approach that combines different methods involving the use of statistical data, machine learning, intrusion detection tools, visualization tools, and more for strengthening security for IoT devices including smart TVs, home video cameras, baby monitors, and wearables. Innovators at Purdue University developed hardware technology that uses mixed-signal circuits to reduce electromagnetic and power information leakage that can be leveraged in side-channel attacks against IoT devices. Another hardware-based technique to increase IoT security has been developed by engineers at Rice University, which aims to defend against new types of attacks specifically designed to compromise IoT and mobile systems. The engineers' custom-built circuits are energy efficient and would make IoT systems 14,000 times stronger than existing protective technologies. Rapid7 IoT research lead Deral Heiland gave a talk in which he emphasized the importance of developing a comprehensive IoT security testing methodology that would help companies determine the traits of IoT to improve the detection and security of IoT devices. Heiland addressed the characteristics of IoT technology, which are based on four key areas, including management control, cloud service APIs and storage, the capability to be moved to the cloud, and embedded technology. According to Heiland, companies can improve the protection of their IoT ecosystem if they know the traits of this technology and apply a methodology in the development and testing of IoT. Teserakt, a Swiss firm specializing in cryptography, introduced a cryptographic implant called E4 that IoT manufacturers can integrate into their servers to ensure end-to-end encryption for IoT devices. In an effort to save IoT from botnets, researchers at the Department of Information Engineering at the University of L'Aquila, Italy, are developing an approach to detecting and stopping botnet attacks using deep learning techniques. Testing of their approach showed that it could detect botnet attacks on systems with an accuracy of 97%. Security experts call for continued collaboration and innovation in IoT security research and development.
The government is continuing efforts towards promoting and regulating IoT security. In 2019, the Internet of Things Cybersecurity Improvement Act was introduced to establish a vulnerability disclosure process for agencies to report the vulnerabilities they find in the IoT devices used by federal agencies. The bipartisan bill would prohibit U.S. government agencies from purchasing IoT devices from companies that fail to adopt the coordinated vulnerability disclosure policies. The bill would also require the National Institute of Standards and Technology (NIST) to provide guidance to federal agencies on how to manage IoT security risk and properly use such devices. Such legislative efforts push manufacturers of connected devices to consider security in the design and building of these devices.
As the number of IoT devices, as well as the frequency and sophistication of IoT attacks, continues to grow, research and development efforts surrounding IoT cybersecurity solutions must continue.