CICYBER
Monday, May 3, 2021
Earth [1]
Internet of Things (IoT) is a term that describes networks of physical objects that are integrated with technology, using sensors, mini processors, and machine learning, to connect and exchange data with various devices and multiple systems over the internet. Over time, they have been increasingly used in our daily lives. Some examples include wearable fitness trackers, voice assistants, healthcare applications, and smart cars. These devices contain and process large amounts of data and connect individuals to multiple devices, most of which share the same network connection. Being connected to the internet makes these devices vulnerable to multiple attacks. Based on the 2020 Unit 42 IoT Threat Report published by Palo Alto Networks, 98% of IoT device traffic is unencrypted, which makes IoT devices highly vulnerable to cyber attacks and leaves confidential data easy to exploit.[2] In addition to personal use, they are progressively used in healthcare industries. IoT is used to track patients’ medication and treatment plans and to monitor any critical medical conditions. Further, they are used in the economic development of nations. IoT devices integrate monitoring, service, and quality assurance of their products. The precision of manufacturing also improves significantly with the involvement of technology.
With the large dependency on technology and machines, people are encouraged to evolve their functionality and make these IoT devices more user-friendly. The Food and Agriculture Organization (FAO) reported that smartphones improved the lives of farmers by reducing their distance to markets and enabling them to perform most trading activities online. In Sri Lanka, FarmerNet allows farmers to trade via text messages and provides e-vouchers for customers.[3] Further, they are used in water management and energy storage industries. Sensors and additional protective measures integrated into water treatment or distribution facilities let us sense any potential leaks or risks. However, if these facilities or their networks were to be hacked, it would cause a significant amount of distress. Undetected attacks could cause immense suffering to the public, as hackers target and weaponize the Internet of Things for larger campaigns or use them to spread malware to a wider network, control device operations, or collect and alter data. Security is extremely vital to keep various public and private sectors in a region running efficiently. The initial step to security is identifying vulnerabilities in the system and understanding the ways perpetrators could exploit them. Vulnerabilities often stem from the limitations of devices’ software and communications as well as human error, which often contributes to the appearance of security breaches and loopholes. Incidents might be explained by a sum of non-technical factors, which include the need to reduce costs in the product (thus impacting the built-in security), a lack of sufficient experience given the recent nature of IoT devices, or an asymmetry of information on the user’s side.
How vulnerable are IoT devices?
As the IoT grows, so does the number of devices that are vulnerable to cyber attacks. As of Sunday, March 21, 2021, there are an estimated 21.5 billion interconnected devices in the world that make up the IoT[5]. Among that many devices, millions were manufactured without built-in security features, leaving them open to exploitation by cybercriminals. Many manufacturers focus solely on developing the product and mass-producing it to maximize revenue, but disregard the importance of effective security measures that are needed for the device to function safely in the IoT. The devices that are being pushed out to the public do not have the necessary built-in security that is needed to counter the large number of attacks that are launched on these devices daily. Security vulnerabilities in millions of IoT devices allow cybercriminals to put devices offline or take control of them remotely, in attacks that aim to gain wider access to affected networks.
Weak, guessable, or hard-coded passwords are one of the main reasons why IoT devices are so vulnerable. Weak passwords make it easier for cybercriminals to infiltrate devices and exploit them. A device’s password is one of the first lines of defense, so when it is a common or easily guessable password, it allows for a quick unauthorized entry into the device. Hackers will focus on devices with weak passwords and deploy large-scale botnets and other malware to gain access to IoT devices. There are many IoT devices, with millions being added daily, so managing device passwords at scale is quite a difficult task, especially since IoT devices do not have human operators to suggest a password change. A lack of security awareness among users and manufacturers could expose smart devices to vulnerabilities and attack openings, and only an increased focus on security among the masses will deter cybercriminals from attacking IoT devices.
The lack of a secure update mechanism adds to the list of IoT vulnerabilities, making devices more susceptible to cyber-attacks. When designing devices, manufacturers must think of implementing an update mechanism for timely updates. Many companies worldwide continue to struggle with keeping their IoT devices up to date, because updated security patches are rarely published. This traces back to manufacturers disregarding device longevity and focusing solely on designing and mass-producing the device to sell as much as possible. After they begin to accumulate revenue, some companies will forget about the integrity of their devices, and ignore the fact that cybercriminals will be trying to exploit their devices. Devices need to be able to receive Over-the-Air (OTA) updates to mitigate the risk from this vulnerability. This feature allows the user to update the device to the latest security patches to minimize the number of attack vectors in applications, firmware, and operating systems. An increase in secure update mechanisms across devices globally will enhance the security of IoT devices, by allowing them to update to security patches to counter new threats. A lack of device management, insecure data transfer and storage, insecure network services, insecure ecosystem interfaces, use of insecure or outdated components, insufficient privacy protection, insecure settings by default, and lack of physical hardening are some of the other factors that make IoT devices so vulnerable[6].
Attackers take advantage of these IoT vulnerabilities through malware and botnets. The Mirai malware, which is popular among cybercriminals focusing on IoT devices, creates a botnet largely consisting of IoT devices. It infects a device through brute-force password attempts, working through known default credentials that allow access to the device. Many cybercriminals will utilize a password list that was published in 2009 containing username and password information on more than 30 million accounts for brute-force password entry. Many hackers still use this list to this day, as it contains millions of passwords, with the majority of them being common reused passwords. Once the Mirai malware is inside the device, it forces the device to scan the internet for vulnerable devices, which tend to be IoT devices. Once a large enough botnet is made, it is used to launch a distributed denial of service (DDoS) attack on an organization. This commonly results in the organization’s network and the services it provides via the internet going down. This is why creating strong, unique passwords or passphrases and enabling two-factor authentication are of great importance when setting up IoT devices: not doing so leaves your devices even more vulnerable to cyber threats. IoT devices are quite vulnerable to cyber attacks, but if both manufacturers and users practice practical and effective cybersecurity methods, IoT devices will become less prone to cyber-attacks.
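The default-credential guessing described above leaves a recognizable trace in device login logs: one source fails against several account names in quick succession, and sometimes a guess then succeeds. The following Python code is an added example, not part of the original report; the log format, device names, addresses, and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed login-audit lines: "<ISO time> <device> <source IP> <user> <FAIL|OK>".
SAMPLE_LOG = """\
2021-05-03T10:00:01 cam-01 198.51.100.7 root FAIL
2021-05-03T10:00:02 cam-01 198.51.100.7 admin FAIL
2021-05-03T10:00:03 cam-01 198.51.100.7 support FAIL
2021-05-03T10:00:04 cam-01 198.51.100.7 admin OK
2021-05-03T10:00:05 dvr-02 198.51.100.7 root FAIL
2021-05-03T10:00:06 dvr-02 198.51.100.7 admin FAIL
2021-05-03T10:00:07 dvr-02 198.51.100.7 guest FAIL
2021-05-03T10:05:00 cam-01 192.0.2.10 alice FAIL
2021-05-03T10:05:20 cam-01 192.0.2.10 alice OK
not a log line
"""

WINDOW = timedelta(seconds=60)  # assumed burst window
MIN_FAILS = 3                   # assumed failures before a source counts as guessing
MIN_USERS = 2                   # several account names = credential-list behaviour

def parse(text):
    """Yield (time, device, source, user, ok) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[4] not in ("FAIL", "OK"):
            continue
        try:
            when = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield when, parts[1], parts[2], parts[3], parts[4] == "OK"

def detect(text):
    """Map (source, device) to GUESSING, or COMPROMISED if a guess succeeded."""
    recent = defaultdict(list)  # (source, device) -> recent failures as (time, user)
    alerts = {}
    for when, device, source, user, ok in sorted(parse(text)):
        key = (source, device)
        fails = [(t, u) for t, u in recent[key] if when - t <= WINDOW]
        if not ok:
            fails.append((when, user))
        burst = len(fails) >= MIN_FAILS and len({u for _, u in fails}) >= MIN_USERS
        if burst:  # a success straight after a burst means the device needs isolating
            alerts[key] = "COMPROMISED" if ok else alerts.get(key, "GUESSING")
        recent[key] = [] if ok else fails
    return alerts

print(detect(SAMPLE_LOG))
```

A single mistyped password followed by a successful login, as in the last two valid sample lines, produces no alert.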
Deterring and countering the threat
As observed in the examples above, safeguarding the Internet of Things is a complicated task given the scale and the scope of data that is being generated or collected daily. In addition to this, we must take into account the fact that much of this information is accessed by third parties. Therefore, awareness should be promoted for all links in the supply chain, from manufacturers to vendors and developers, who can eliminate vulnerabilities external to the product itself. Manufacturers particularly need to address known vulnerabilities, not only in recent and future products but also in existing ones through patching, as well as reporting the termination of support for the oldest of them. Security should be considered from the design phase and guaranteed after continuous penetration tests. Roles and privileges should be established in the development process, to prevent abuse of staff access to the technology altogether and to reduce the risk surface. It is advisable that companies as a whole “have a system in place for accepting vulnerability reports from outside entities on their deployed products”.[7]
Technology-wise, the improvement of encryption techniques and the adoption of multiple authentication mechanisms and secure web interfaces would greatly contribute to making IoT safer for users. In the medium to long term, it would perhaps be interesting to leverage existing resources like blockchain to help secure IoT devices through their decentralization. According to Deloitte, there are many benefits to be extracted from this connection: the distributed ledger in a blockchain system would be tamper-proof, removing the need for trust among the involved parties in the supply chain.[8] No single organization has control over the vast amount of data generated by IoT devices. Blockchain would also provide an even more robust level of encryption and ensure anonymity in information records. However, there are issues to overcome when choosing this option: one of them is that blockchain mining requires a large amount of processing power and many IoT devices lack the necessary power.[9] Undeniably, when writing about long-term solutions, there's no quick fix.
Concerning user-related vulnerabilities, CTG encourages the implementation of cybersecurity best practices within companies and organizations, which include using strong or hard-to-guess passwords and training on IoT-specific cyber threats. Likewise, relevant stakeholders should allocate the necessary resources for updates and prevention, despite the novelty of Internet of Things applications; prevention must include a strategy or incident management plan. IoT devices become exposed over time to hackers if bugs are not fixed regularly; therefore, California’s and Oregon’s IoT cybersecurity laws or the UK’s proposed law require all IoT devices sold in their respective territories to be equipped with security features “such as unique passwords, regular security updates, and vulnerability disclosures”.[10] Nonetheless, these are only some of the very few examples of Internet of Things security regulations, as many countries keep falling behind, disregarding the potential for misuse. In the US, local efforts seem to have taken the lead, as the Internet of Things Cybersecurity Improvement Act was only enacted in December 2020.[11] Far from promoting a uniform policy regarding IoT security within its territory, the document aims to establish minimum security standards for Internet of Things devices owned or controlled by the Federal Government.[12] It requires the National Institute of Standards and Technology (NIST) to publish guidelines and standards for the security of all connected devices that will be used and managed by federal agencies, with a positive implementation of policies for responsible disclosure of vulnerabilities. Finland, Singapore, and Japan are other examples of countries that have published specific laws regulating the security of these devices, while the UK still relies on voluntary standards, a much less reassuring measure.
The European Network and Information Security Agency (ENISA) too has recently issued Guidelines for Securing the Internet of Things or Good Practices for Security of IoT (addressing secure software development lifecycle). On the other hand, this last option might be the right step towards finding a balance between innovation and risk management[13], which implies working with the private sector and industries concerned, which would probably favor standards instead of new laws.
To conclude, discussions regarding IoT vulnerabilities and potential solutions should be encouraged at the international level, for example within the OECD Global Forum on Digital Security for Prosperity. As the organization describes, constructive debates “can lead to the development of analytical work, principles and (useful) international policy recommendations”.[14] Some of the latest OECD reports, dated 2021, include “Understanding the digital security of products: An in-depth analysis” and “Enhancing the digital security of products: A policy discussion”, summarized in the document “Smart policies for smart products: A policy maker’s guide to enhancing the digital security of products”. Policymakers can profit from other countries’ successes and challenges by putting into practice policies that have proved successful elsewhere, since, as the OECD explains, “some cutting edge policies developed nationally have formed the basis of emerging international norms”. Furthermore, international organizations and mediators aside, states could benefit from partnerships more focused on threat-monitoring and intelligence sharing with a variety of agencies and companies.
AOCs around the world have developed and implemented various policies to counter the ever-growing threat of IoT device and system vulnerabilities. Some are easily understood and followed by all employees, while others are more specific and innovative. With the ever-growing threats and vulnerabilities against IoT devices, they are encouraged to evolve security measures over time. Understanding various approaches that perpetrators take to attack the facilities and steal valuable information makes the evolution and execution of security measures more efficient. This report discusses the importance of IoT vulnerabilities and potential consequences in addition to measures that could be taken to protect against increasing cyber-attacks. This
The concerning and growing threats could be managed if they are addressed at an early stage and immediate action is taken.
________________________________________________________________________ The Counterterrorism Group (CTG)
[2] 2020 Unit 42 IoT Threat Report, Palo Alto Networks, March 2020, https://unit42.paloaltonetworks.com/iot-threat-report-2020/
[3] IoT can make a difference in the developing world, Open Access Government, June 2020, https://www.openaccessgovernment.org/iot-can-make-a-difference-in-the-developing-world/87666/
[4] How Many IoT Devices Are There in 2021? [All You Need To Know], Tech Jury, March 29, 2021, https://techjury.net/blog/how-many-iot-devices-are-there/#gref
[5] Top 10 IoT Vulnerabilities in Your Devices, Keyfactor, October 28, 2020, https://blog.keyfactor.com/top-iot-vulnerabilities#insecure-settings-by-default-9
[6] Smart Yet Flawed: IoT Device Vulnerabilities Explained, Trend Micro, May 2020, https://www.trendmicro.com/vinfo/us/security/news/internet-of-things/smart-yet-flawed-iot-device-vulnerabilities-explained
[7] Perspectives: Can blockchain accelerate Internet of Things (IoT) adoption?, Deloitte, https://www2.deloitte.com/ch/en/pages/innovation/articles/blockchain-accelerate-iot-adoption.html
[8] Is Blockchain the Solution to IoT Security?, IEEE Innovation at Work, 2018, https://innovationatwork.ieee.org/blockchain-iot-security/
[9] IOT SECURITY ISSUES IN 2021: A BUSINESS PERSPECTIVE, Thales Group, April 2021, http://www.thalesgroup.com/en/markets/digital-identity-and-security/iot/magazine/internet-threats
[10] Main Current Legal Requirements for IoT Security, Vaadata, January 2021, https://www.vaadata.com/blog/main-current-legal-requirements-iot-security/
[11] IoT Cybersecurity Improvement Act of 2020, H.R.1668, Public Law No: 116-207, (2020), https://www.congress.gov/bill/116th-congress/house-bill/1668/text
[12] Perspectives: Cyber risk in an Internet of Things world, Deloitte, https://www2.deloitte.com/us/en/pages/technology-media-and-telecommunications/articles/cyber-risk-in-an-internet-of-things-world-emerging-trends.html
[13] The Global Forum on Digital Security for Prosperity, OECD, https://www.oecd.org/digital/global-forum-digital-security/