The “Secure” Internet of Things

29th January 2017 | All

The Internet of Things (IoT) seems to be on-trend nowadays, and no hype cycle seems complete without it. Increasingly, everyday devices are being connected to networks to provide a range of different functionalities. Many have attempted to define The IoT; the most accurate, in many opinions, comes from the Oxford dictionary: “the interconnection via the internet of computing devices embedded in everyday objects, enabling them to send and receive data”.

All in all, what is The IoT actually used for?

With that said, some of you may be asking, “what is The IoT actually used for?” The IoT exists everywhere and can be used for anything, from a smart coffee machine to a household securely monitored by an alarm or IP camera. The IoT has assumed a place in our lives which, in theory, is great but in practice introduces a plethora of risks and vulnerabilities with which to contend.

In general, each device communicates differently with a cloud server or a mobile application depending on the device’s usage. In detail, a sensor or IoT device can communicate over wireless protocols such as Bluetooth or Z-Wave with a central IoT device, often known as ‘the hub’. This hub then sends messages through the router either directly to a mobile application or to a cloud server.

What are the potential risks and impact?

Even though The IoT has its benefits and has the potential to make our lives more convenient, the security risks behind The IoT might well have the opposite impact. The activities undertaken by malicious users when exploiting The IoT would frighten you, with some known examples including:

  • Monitoring fitness trackers to track the movement of users.
  • Taking control of garage doors or smart locks, providing access to homes or commercial property.
  • Spying on CCTV systems or home security cameras to gain information about the residents.
  • Arming or disarming home security alarms with the intent of breaking into a household undetected.

Penetration testing of a number of devices found several to be vulnerable due to poor implementations of the security protocols used for communication, for example a mobile application accepting a self-signed certificate. Such a weakness could potentially be exploited to allow a malicious party to become the ‘man in the middle’ and steal the credentials used to authenticate users with their IoT device.
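The certificate-validation weakness described above, shown as the weak client setting beside a corrected one. This is an added example, not code from the original article or from any tested device. The function names, the `connect_to_hub` client and the sample bytes are hypothetical, and the certificate pin check goes beyond the article as one way to handle hubs that ship self-signed certificates without switching validation off.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed bytes standing in for a DER-encoded certificate (not a real cert).
CONSTRUCTED_CERT_DER = b"constructed-sample-not-a-real-certificate"

def insecure_context():
    """Weak pattern: any certificate, self-signed included, is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # has to be off before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE  # no chain validation, so a MITM cert passes
    return ctx

def hardened_context():
    """Chain validation against the system trust store plus hostname check."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def audit_context(ctx):
    """Return the reasons a context would trust an attacker-supplied cert."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("hostname is not checked")
    return findings

def pin_matches(peer_cert_der, pinned_sha256_hex):
    """Compare the SHA-256 of the peer's DER certificate with a pinned value."""
    digest = hashlib.sha256(peer_cert_der).hexdigest()
    return hmac.compare_digest(digest, pinned_sha256_hex.lower())

def connect_to_hub(host, port, pinned_sha256_hex=None):
    """Hypothetical client: validated TLS, with an optional extra pin check."""
    with socket.create_connection((host, port), timeout=5) as raw:
        with hardened_context().wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if pinned_sha256_hex and not pin_matches(der, pinned_sha256_hex):
                raise ssl.SSLError("peer certificate does not match the pin")
            return tls.version()
```

Running `audit_context` over the TLS contexts an application builds is a quick review check for the weak pattern before the code ships.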

In one of the latest outbreaks, the Linux/IRCTelnet botnet infected 3,500 devices in a period of just 5 days. Devices were attacked by exploiting a vulnerability in an open Telnet port, creating a backdoor, and were then controlled by commands sent over Internet Relay Chat (IRC). The IoT devices were then used to perform Distributed Denial of Service (DDoS) attacks. Some say these attacks are only the beginning, and the future will present ever more lethal cyber-attacks from insecure implementations in The “secure” Internet of Things.

Author: Antonis Charalambous, Cyber Security Consultant, Unipart Cyber Security

Antonis Charalambous is the newest member of the team at Unipart Cyber Security, looking to secure the future for businesses and enable them through effective cyber security measures and implementations.