IoT Security – Subject of research and concern
In late 2019, security experts from CheckPoint uncovered a security flaw in Philips Hue smart light bulbs. Hackers could exploit this flaw to gain entry into the targeted Wi-Fi network.
The firm’s researchers identified vulnerabilities in the ZigBee low-power Wi-Fi protocol used by Philips and many other product vendors. CheckPoint researchers were able to install malicious firmware on the light bulb and take over the light bulb’s control bridge. Ultimately, hackers could create a backdoor from the target network back to themselves.
Before publicly releasing this report, CheckPoint worked with Philips to identify solutions to the vulnerabilities. Philips remediated the weakness, but several other vendors still use the vulnerable ZigBee protocol in many other IoT devices. This case study is an excellent example of the proliferation of IoT devices leading to a broader attack surface for commercial businesses and consumers.
IoT is the concept of connecting digital identity to physical objects and networking those identities and their data together. It is projected that there will be 64 billion IoT units in operation by the end of 2023. The goal of IoT is to improve our quality of life by improving efficiency, creating value and reducing costs. However, with all these advantages come governance, security and data concerns, along with new hurdles (and opportunities).
IoT security is critical, with attacks having already infiltrated networks via this attack surface. This being said, many insecure practices are still being followed by IoT users and equipment manufacturers. The reasons for this vary from budget restrictions to insufficient knowledge on how to protect their IoT ecosystems.
Even though securing IoT devices and platforms is quite complex, it does not require new ideas or principles.
Five major issues need to be covered to protect an IoT ecosystem: Vulnerabilities, Device Updates, Information Theft, Device Management and Physical Hardening.
- Vulnerabilities:
Strong authentication and authorisation mechanisms are required to mitigate insecure APIs, cloud and mobile interfaces in the IoT ecosystem. The use of an effective device identity mechanism helps differentiate between a valid endpoint and a rogue one by forcing the endpoint to authenticate itself.
Adversaries seek to exploit weaknesses in the services and communication protocol running on the IoT devices to compromise and breach sensitive or confidential information exchanged between the device and a server.
Weak or hardcoded passwords are the easiest route for attackers to compromise IoT devices. Managing passwords in a distributed IoT ecosystem is a time-consuming and challenging responsibility. Advanced privileged access management (PAM) solutions can be a good answer to this particular concern.
- Device Updates:
Recently it has been observed that unauthorised firmware updates are a significant threat for the IoT ecosystem. A corrupted update can significantly disrupt the operations of IoT devices and can result in major financial and operational losses, especially in sectors like energy and healthcare. IoT service providers need to ensure that access to the updates repository is secure and that the source of the updates is verified.
- Information Theft:
There are many IoT use cases where IoT devices need to collect personal data. This must be stored securely to comply with various privacy regulations such as CCPA and GDPR. Lack of appropriate controls can result in users’ privacy breaches and legal consequences.
- Device Management:
One of the most difficult yet essential aspects of protecting the IoT ecosystem is device management. All devices need to be managed closely throughout the IoT ecosystem’s lifecycle. Key areas that need to be covered include asset management, update management, system monitoring and response capabilities.
- Physical Hardening:
Physical device access may not be at the forefront of our minds when discussing IoT security, but this is an area of concern that shouldn’t be overlooked. Hackers can physically open an IoT device to reach its inner components, ports and pins, reprogram it and then access the network. IoT service providers must consider adding physical security options such as closing off unused ports to enhance the device security posture.
Security Best Practices to Secure IoT Ecosystem
Following security best practices may significantly reduce the risks and prevent threats to an IoT ecosystem. First and foremost is to ensure that the IoT service provider regularly checks for patches and updates. The Philips smart light bulb is a classic example where ZigBee’s vulnerability was patched, but many vendors kept using the unpatched version of the protocol.
Next in line is applying network segmentation. Users can minimise attacks by creating an independent network for IoT devices and keeping it segregated from guest connections. Network segmentation helps prevent the spread of attacks and isolates problematic devices if they cannot be taken offline immediately.
Thirdly, monitoring baseline network and device behaviour can help users watch for deviations that may hint at malware infections. This network monitoring is known as cyber security detection and is often combined with automated response capabilities. Organisations that leverage cyber security detection and response solutions detect cyber security threats using analytics to identify abnormal activities in their environment and respond quickly to defend against the attack.
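Baseline monitoring as described above can be reduced to two questions per device: is it talking to a destination it has never used, and is it sending far more than it ever has? The following Go code is an added example, not part of the original article; the record fields, device names, addresses and the 2x volume threshold are assumptions.

```go
package main

import "fmt"

// Flow is one per-interval traffic record for a device (hypothetical fields).
type Flow struct{ Device, Dest string; Bytes int }

// Baseline is what "normal" looked like for one device while learning.
type Baseline struct {
	Dests map[string]bool // destinations seen in the known-good window
	Peak  int             // largest per-interval byte count seen
}

// Learn builds per-device baselines from a known-good observation window.
func Learn(flows []Flow) map[string]*Baseline {
	base := map[string]*Baseline{}
	for _, f := range flows {
		b := base[f.Device]
		if b == nil {
			b = &Baseline{Dests: map[string]bool{}}
			base[f.Device] = b
		}
		b.Dests[f.Dest] = true
		if f.Bytes > b.Peak {
			b.Peak = f.Bytes
		}
	}
	return base
}

// Check lists the ways a new flow deviates from its device's baseline.
func Check(base map[string]*Baseline, f Flow) []string {
	b := base[f.Device]
	if b == nil {
		return []string{"unknown device"} // never seen while learning
	}
	var alerts []string
	if !b.Dests[f.Dest] {
		alerts = append(alerts, "new destination")
	}
	if f.Bytes > 2*b.Peak { // 2x headroom is an assumed tuning value
		alerts = append(alerts, "volume spike")
	}
	return alerts
}

func main() {
	base := Learn([]Flow{{"bulb-1", "bridge.lan", 900}, {"bulb-1", "bridge.lan", 1100}}) // constructed sample
	fmt.Println(Check(base, Flow{"bulb-1", "203.0.113.9", 500000}))
}
```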
Lastly, we must remember that IoT devices use not only internet protocols but also a set of IoT-specific protocols like LoRa, LoRaWAN and nRF24. Administrators must understand the whole set of protocols used in their IoT systems to reduce risks and prevent threats.
For small businesses, particularly those that are new to the core concepts of IoT, the overhead of avoiding IoT cybersecurity pitfalls can seem intimidating. As a whole, the complexity and lack of widespread, established best practices in the industry create unique challenges and opportunities where cybersecurity is concerned.
Interestingly, many of the exploited vulnerabilities in IoT devices could have been mitigated through basic security hygiene such as changing default passwords, updating the firmware and patching known vulnerabilities.
IoT is transforming how we live today and it will continue to do so for years to come. The threats and vulnerabilities mentioned above will also remain and will continue to grow. It is a challenge for IoT service providers to make sure that they are not only on top of these issues but are also able to deliver efficient IoT solutions which are safe and capable enough to protect their users’ data.
Written by: Arsalan Iqtidar Khan