Forbes says that by the year 2025, around 75 billion IoT devices are going to give you a connected lifestyle. The growing number of IoT devices gives us an idea of how embedded systems are becoming a part of our lives. If you count the IoT devices you may have at home, you’ll be surprised. We have a smart TV, a smartwatch as an activity tracker, a voice assistant to control things by voice, a smart plug to connect all our gadgets, a smart lock for our doors, a smart lighting system for ambient lighting based on the environment, an IoT surveillance camera to keep track of movements, and so on. In the last few years, we have seen an increase in the penetration of IoT technology in our lives. At the same time, we have also seen security breaches on a big scale, violating and compromising user privacy. Are we competent enough to handle the vulnerabilities that these IoT devices expose us to?
The aim of developing these IoT devices is to create user convenience and adaptation. This rapid demand has made companies invent and develop more and more smart IoT devices. But in the rush to reach the market and the public quickly, developers give security the least priority, as it increases production time and cost. This has led to more IoT devices coming into the market without proper checks for security issues.
Some may argue about the significance of these vulnerabilities. To understand this, we need to look at some dangerous IoT attacks in the last few years. Naming a few, we have Mirai botnet, Brickerbot, Satori botnet, the Jeep hack, Stuxnet, Cloudbleed and so on. Many articles and resources clearly explain how intense and frightening these attacks are.
These smart IoT devices might have made our lives comfortable, but many of the devices in the market are not secure and put our privacy at stake. This does not mean that we should completely avoid using IoT devices. Prevention is better than cure; developers and users should take appropriate actions to minimize these risks.
As a developer, if I want to assess the security of IoT devices internally, I need to understand the architecture and the various components involved in IoT. Then I need to identify the security issues affecting each component. The IoT architecture is a combination of IoT devices, Firmware/Software/Cloud and Wireless/Radio Communications.
IoT devices include sensors along with the microcontroller. This is the key to any IoT architecture. These sensors collect information from the environment based on the application and send the data to the cloud for further analysis. Vulnerabilities in these IoT devices include root access through communication over serial ports such as UART, SPI, I2C, etc. This means the serial port is exposed and uses insecure authentication. Other vulnerabilities include extraction of the firmware from the ROM Flash using JTAG, and so on.
Once the IoT device vulnerabilities are fixed, we need to focus on the Firmware/Software/Cloud component, which includes the firmware, the mobile app, and the cloud dashboard. The firmware runs inside the device and controls its various components, the mobile app is used to configure and control the devices, and the cloud dashboard provides storage and visualization. Some of the vulnerabilities inside the firmware include the ability to modify the firmware, filesystem extraction through the firmware, and hardcoded sensitive values in the firmware such as keys, passwords and so on. The vulnerabilities of mobile apps could be easy reverse-engineering of the app, insecure authentication, easy dumping of mobile app source code, usage of insecure SDKs, etc. Finally, for the cloud-side web application, some of the vulnerabilities could be insecure authentication and authorization, sensitive data leakage, client-side injection, etc.
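A developer can check a build for the hardcoded keys and passwords mentioned above before it ships. The following is an added example, not code from the original article; the rule set and the sample bytes are constructed for illustration.

```python
import re

# Constructed bytes standing in for an extracted firmware image (not a real dump).
SAMPLE_FIRMWARE = (
    b"\x7fELF\x01\x01\x00\x00" + bytes(range(16))
    + b"admin_password=changeme123\x00"
    + b"\x00\xff\x10"
    + b"-----BEGIN RSA PRIVATE KEY-----\x00"
    + b"root:$1$abcdefgh$0123456789abcdefghijkl:0:0:root:/root:/bin/sh\x00"
    + b"mqtt_host=broker.example.invalid\x00"
)

# Runs of at least six printable ASCII bytes, the same idea as the `strings` tool.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{6,}")

# Illustrative rules (assumptions, not an exhaustive set).
RULES = [
    ("private-key",
     re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("credential-assignment",
     re.compile(r"(?i)\b\w*(?:passw(?:or)?d|secret|api_?key|token)\w*\s*[=:]\s*\S+")),
    ("password-hash",
     re.compile(r"\$(?:1|5|6|2[aby])\$[./A-Za-z0-9]+\$[./A-Za-z0-9]+")),
]


def redact(text, keep=12):
    """Shorten a match so the report does not reproduce the whole secret."""
    return text if len(text) <= keep else text[:keep] + "..."


def scan_firmware(blob):
    """Return (byte offset, rule name, redacted excerpt) for each suspicious string."""
    findings = []
    for run in PRINTABLE_RUN.finditer(blob):
        text = run.group().decode("ascii")
        for name, pattern in RULES:
            hit = pattern.search(text)
            if hit:
                findings.append((run.start() + hit.start(), name, redact(hit.group())))
    return findings


if __name__ == "__main__":
    for offset, rule, excerpt in scan_firmware(SAMPLE_FIRMWARE):
        print(f"0x{offset:04x}  {rule:<22} {excerpt}")
```

Running a check like this in the release pipeline catches secrets while they can still be moved out of the image, for example into per-device provisioned storage.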
Last but not least, the most important component of any IoT device is the way it forwards packets to the server/cloud, i.e., the radio communication. There are a lot of communication protocols available in the market for IoT devices. To recall a few, there are WPAN protocols such as Bluetooth Low Energy (BLE) and Zigbee, WLAN protocols such as WiFi, and LPWAN protocols such as LoRa, NB-IoT, RPMA, Sigfox, etc. The most common types of vulnerabilities these radio communications face are replay-based attacks, man-in-the-middle (MITM) attacks, extraction of sensitive information from radio packets, jamming-based attacks, etc.
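The usual defence against the replay attacks mentioned above is to authenticate every frame together with a counter that only ever increases, so a recorded frame is rejected when it is sent again. This is an added sketch, not code from the original article; the frame layout, key and device ID are assumptions and do not correspond to any of the protocols listed.

```python
import hashlib
import hmac
import struct

TAG_LEN = 16      # truncated HMAC-SHA256 tag (assumed length for this sketch)
HEADER_LEN = 12   # 4-byte device ID + 8-byte counter, big-endian
DEMO_KEY = b"constructed-demo-key-not-for-use"  # constructed sample value


def build_frame(key, device_id, counter, payload):
    """Sender side: header || payload || tag, with the tag covering header and payload."""
    header = struct.pack(">IQ", device_id, counter)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
    return header + payload + tag


class Receiver:
    def __init__(self, keys):
        self.keys = keys          # device_id -> shared key
        self.last_counter = {}    # device_id -> highest counter accepted so far

    def accept(self, frame):
        if len(frame) < HEADER_LEN + TAG_LEN:
            return "rejected: too short"
        header, payload, tag = frame[:HEADER_LEN], frame[HEADER_LEN:-TAG_LEN], frame[-TAG_LEN:]
        device_id, counter = struct.unpack(">IQ", header)
        key = self.keys.get(device_id)
        if key is None:
            return "rejected: unknown device"
        expected = hmac.new(key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
        # Verify the tag first so an unauthenticated frame cannot move the counter.
        if not hmac.compare_digest(tag, expected):
            return "rejected: bad tag"
        if counter <= self.last_counter.get(device_id, -1):
            return "rejected: replay"
        self.last_counter[device_id] = counter
        return "accepted"


def demo():
    rx = Receiver({7: DEMO_KEY})
    frame = build_frame(DEMO_KEY, 7, 1, b"unlock")
    bumped = struct.pack(">IQ", 7, 2) + frame[HEADER_LEN:]  # counter changed, old tag
    return [
        rx.accept(frame),                                   # first delivery
        rx.accept(frame),                                   # same bytes sent again
        rx.accept(bumped),                                  # counter edited in transit
        rx.accept(build_frame(DEMO_KEY, 7, 2, b"lock")),    # genuine next frame
    ]
```

This covers replay and in-transit modification only; keeping payload contents private needs encryption in addition, and jamming has to be handled at the radio layer.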
A developer should assess and check for the chance of exploitation of various components of an IoT device to make the device more secure from these vulnerabilities.
Every IoT device user can take some precautions to improve IoT security. Doing some small things can make our devices safe and prevent us from getting exposed to attacks. Some rules of thumb to follow to avoid exploitation are:
a) Always say no to default usernames and passwords, and change the default password immediately after the initial usage of any IoT device.
b) Regularly install security updates and always use the latest firmware, as it will safeguard your device from existing vulnerabilities.
c) Never connect to open networks; especially avoid connecting your device to unfamiliar wireless networks that are not password protected.
d) Always resist buying from unknown sources, and it’s always better to turn off your devices when not in use.
The IoT may enhance our convenience and simplify our living. Still, it is our role and responsibility to be aware of the potential risks and the consequences. Security is therefore a significant concern for any IoT device connected over the Internet. It is crucial for us to enhance or extend the security of our IoT devices to mitigate future attacks.