“Security by design is a mandatory prerequisite to securing the IoT macrocosm, the Dyn attack was just a practice run.”
-James Scott, Institute for Critical Infrastructure Technology
Introduction
With the advent of the Internet of Things in every facet of our existence, our lives have never been better. It has become an important hub, promising a “smarter life” by establishing communications between different embedded systems with people. The Internet of Things represents a system which consisting of many different kinds of sensors, used alone or combined together to establish connections between one’s self and the surrounding environment. This new technology is pushing the world towards a more connected state, however, we must not disregard the security hazards that come along. The incredible number of connected devices presents numerous points where a malicious attacker may enter one’s system. If compromised, we may see the greatest leakage of personal and private information in our existence. Although its purpose seems harmless enough, we must acknowledge the danger in the future that hackers have the ability to invade one’s private life through their expansive usage and dependence on the Internet of Things.
Background
Before delving into the dangers that come along with the dependence on the Internet of Things (IoT), one must first understand what they are and do for us.
Sometimes referred to as the Internet of Objects, IoTs promise to bring about a technological revolution to the entire world by connecting many objects together in a seamless experience. Clearly, the Internet has made a monumental impact on communications, business, science, education, and humanity as well, by connecting people from the farthest of places. With the IoTs, the Internet will be further utilized as a means of communications between numerous objects.
Each object should be able to recognize themselves and develop intelligence through the information communicated among themselves. This ideology will help create new technologies and applications to provide services for notifications and entertainment to automation and security. In fact, it is projected that by 2020, tens of billions of devices will be connected to the Internet and 50% of all new businesses will rely on IoTs.
With so many devices on the way, a clear outline was designed such that all devices should be able to communicate with one another. The protocol in which these devices will communicate with one another was established by IBM, known as the Open Systems Interconnection (OSI) model. This describes a stack of seven protocol layers, compared to the 4 used by the TCP/IP model. From the first layer to the last, the layers are represented as Physical, Data Link, Network, Transport, Session, Presentation, and Application. The first two, Physical and Data Link, is concerned with how each device is physically connected to the network via hardware. Network defines how routers deliver packets of data between source and destination hosts while transport focuses on end-to-end communication and provides features including reliability, congestion avoidance, and guarantees that packets will be delivered the same order they were sent. The remaining three layers cover the application-level messaging (ex. HTTP/S).
Furthermore, there are various methods of communication that the IoT network technologies utilize. Each technology has their own advantages and disadvantages, however, the most widely used approaches are also currently cellular, Wi-Fi, and Ethernet. These are mainly aimed at providing low-power, low-cost, and long-range connections (With the exception of Wi-Fi, however, it does provide that highest data throughput of all the current approaches). Additionally, they are often used in large-scale deployments in businesses or education. Other mechanisms include BLE (Bluetooth Low Energy) ZigBee, NFC, and RFID. As these newer designs are improved and optimized, they are planned to supersede the older methods as they will provide higher bandwidth while using significantly less power.
As simple as their purpose may be, there is much more complexity behind IoTs than what a normal consumer realizes. This complexity is important, however, because it is how malicious attackers will exploit security flaws.
Current Problems
With the heavy adoption of IoTs throughout all parts of life, hackers have found more and more loopholes to steal one’s information. The need to provide security for IOT infrastructure is of dire importance. A combination of security flaws, non-updateable software, and ignorant programming all lead to possibilities of huge breaches from the inside. Additionally, IOT devices are generally able to access multiple administrative domains, and access to that would allow attacks to become much more widespread and uncontainable. These devices are appealing as they essentially provide an unguarded entrance towards one’s private information without having to go through the front door.
Often times, corporate greed and ignorance are at fault for security breaches found within IOT appliances. For example, often times the micro-controller within the device will run on older or much simpler software. This is to keep profit margins as high as possible as the process to mass-produce becomes cheaper and less complex. For example, software in routers was found to be running on Linux operating systems, that, on average, were four years old from the time the product was initially released. Whether patches during that time were already incorporated is unknown, as well as if further flaws within that version of the operating system were be found post-release. Hackers can easily infiltrate one’s system because of an out-dated and unsafe operating system. Another problem is figuring out how to update products. A common question that we should be asking is how a computer-chip company such as Broadcom or Qualcomm plans on updating the billions of chips within the IOTs. Unfortunately, these companies have chosen to turn a blind eye begin working on the next updated model than keeping their older products usable. The problem with this process is that there is no incentive or ability to participate software once it’s been mass-produced and released to the public. It also leaves older devices more susceptible to attacks as attackers can target flaws not found before. Furthermore, to make matters worse, often times components will not use all of the source code and replace those holes with “binary blobs”, or indiscernible binary code. The result of this is that companies are shipping out half-baked devices to consumers that can do just what is advertised and that’s about it.
Additional means of exploitation include taking advantage of the risks and vulnerabilities of a certain language. For example, hackers may be able to take advantage of a C-based device via buffer overflow. This occurs as nothing in C is range-checked by default, so it becomes very easy to overflow a buffer. The result of “buffer overflows” is that it may change the address of a function is returned to. Another example is writing too few characters into a buffer. The problem here is that C will continue processing, possibly expecting another byte or null terminator. This could result in outputting more information or hitting protected memory for a DOS attack. Simple code reviews and analysis before shipping would easily solve these problems but companies often forego this in order to expedite the process.
Lastly, often times hackers are as good with social engineering as they are with computers. Hackers will rely on human interaction and trick people into breaking normal security procedures. The data is obtained from the interaction is then used to access private systems and or additional data.
Pressure must be put upon companies so as not to take the easy way out. Meanwhile, consumers should be informed and alerted when security flaws and patches are released. With the possibility of 20-50 billion IoTs expected to flood consumers homes and business by 2020, the need for security has never been greater.
Preventing future IOT attacks
Although the Internet of Things may promise of a life of ease, the increasing adoption and integration of these devices into our lives and infrastructure bring many vulnerabilities as well. Despite all the problems current IOTs face in terms of security, there are still some things that consumers can do to protect themselves. For instance, one can ensure that all their smart devices have all their security features enabled and using secure passwords on them as well. For those who are more technologically adept, they can also enable all security features on all devices, close unused ports on devices and routers, and utilize encryption for all networks.
Conclusion
As long as this problem is ignored, attacks are only going to become more dangerous and fixing devices will become more expensive. Paying this cost now, through better software engineering and facilitation, is much cheaper than paying the cost of a possible security disaster. Nevertheless, this rapid deployment and installation of IOTs will require much effort from both companies and consumers to tackle and create solutions for the dangers that come along with it.
References
- Eastwood, Gary. “5 Of the Biggest Cybersecurity Risks Surrounding IoT Development.” Network World, Network World, 27 June 2017, www.networkworld.com/article/3204007/internet-of-things/5-of-the-biggest-cybersecurity-risks-surrounding-iot-development.html.
- Farooq, M. U., et al. “A Review on Internet of Things.” A Review on Internet of Things, International Journal of Computer Applications, Mar. 2015, pdfs.semanticscholar.org/2006/d0fca0546bdeb7c3f0527ffd299cff7c7ea7.pdf.
- Gerber, Anna. “Connecting All the Things in the Internet of Things.” IBM – United States, IBM, 3 Jan. 2018, www.ibm.com/developerworks/library/iot-lp101-connectivity-network-protocols/index.html.
- Lucciano, Michael. “How Hackers Are Taking Advantage Of IoT Security Vulnerabilities.” Wireless Design and Development, Wireless, 5 Apr. 2017, www.wirelessdesignmag.com/blog/2017/04/how-hackers-are-taking-advantage-iot-security-vulnerabilities.