Smart objects and smart homes are shifting from a fun project to be presented at tech shows to a more common reality, worldwide. At the same time, as we all know, malicious threats are becoming more advanced and harder to keep at bay through legacy security solutions like anti-virus software.
But while other pieces of technology are striving to keep up with the threatscape and strengthen their defenses, smart objects are notoriously lagging behind. While your desktops, laptops and networks have decent security measures installed, for better or for worse, the Internet of Things (IoT) is often laid bare. In this guide, we’ll explore the main risks of smart objects and the most serious IoT security risks which still need to be fixed.
Only by raising more awareness around the inherent flaws of smart objects security can we hope to become more accountable and proactive about it, at an industry-wide level. Better security for everything – smart objects included – begins with a more solid education regarding cybersecurity risks. Right now, the Internet of Things is the area which needs this the most.
Why Are There More Security Issues with IoT than with Computer Systems?
To put it bluntly, the industry experienced a development boom fueled solely by consumer enthusiasm and a rush for innovation. The security of all the beautiful new things invented was sadly an afterthought in most cases. Even if developers were very much aware that this would need to be addressed, the market mentality of big tech is ‘let’s see if this can sell first’.
Since smart objects were a whole new area of products altogether, there was always a chance that they wouldn’t catch on. There was no point investing a lot into creating a comprehensive layer of security around them until then, right? But since the public responded very enthusiastically to the new products, market logic dictated that they be made available for sale. That’s why, historically speaking, security of smart objects was pushed aside as a future-day priority, and hence why there are more security issues with IoT.
The rather unfriendly interface is also a contributing factor: how can you convince people to manage their smart objects security in the same way they do on a computer, if they can’t access it as conveniently? While the major cybersecurity companies have started developing some specific IoT protective solutions, the niche is still rather young and not widely adopted.
To be fair, there was also another factor to consider: initially, the stakes of IoT security were not actually that high. What could a hacker do with your smart bulb? Turn off the lights while you’re busy preparing dinner? The implications were laughable, compared to the huge potential for financial and data loss derived from a computer hack.
But that assumption, while true at some point, soon became ungrounded in reality. As IoT hacks and security incidents have shown, these smart objects are often just a gateway for hackers to gain access into your entire network. If the smart objects in your home don’t have that much security, but they are connected to the same Wi-Fi as the rest of your house, this is a great opportunity for serious threats.
Unfortunately, where there’s a lot of opportunity for hackers to find a vulnerability to exploit, there will be a lot of hacking activity, too. It’s like a game of supply and demand, and no one knows this better than us, the pentesters who have to deal with vulnerability management behind the scenes. To cut a long story short: if you build it (the vulnerability), they will come.
If breaking into smart things is much easier than breaking into laptops, computers or servers, then the opportunity will definitely be exploited. What was holding hackers back until recently was precisely the lack of something important enough to gain. But since this has started to change, more malicious actors are focusing their efforts on smart objects. Sadly, the cybersecurity of these objects is not yet up to the challenge.
10 Current Security Issues of Smart Objects and IoT
To give you a better grasp of the exact type of security vulnerabilities specific to smart objects and the Internet of Things, we’ve put together this brief list of the most common ones which are still unaddressed.
Some of them can be worked around, but only with a fair degree of technical know-how, which regular users don’t have and companies are failing to address in a systematic way. In any case, since the industry is still spitting out thousands of new smart gadget models every quarter, it’s maybe time to realize that the gadget craze comes with a cost.
There’s no way to properly test and secure all these different objects in such a short time. The issues described below are a direct consequence of this fast-tracked design and production model.
#1. Infrastructure smart objects are becoming targets
The terms IoT and smart objects don’t refer only to gadgets and lightbulbs. They can include high-profile, extremely important infrastructure systems, such as nuclear power plants or smart buildings.
As the recent ransomware attack on Baltimore has shown, the impact of attacks targeting a smart city can be severe. We don’t even want to imagine the harm which could be done if a hacking group managed to gain access to a national network of critical infrastructures.
#2. IoT provides a massive influx of new types of data
The data which can be gathered through IoT devices is more varied than computer-gathered data has tended to be so far, and that is a problem. Data wealth is a good thing only when it can be properly secured and stored.
But currently, most smart object producers do not collect data from their users safely, precisely because some types of data are new and a coherent storage system is yet to be developed. Unfortunately, some of this data can also be quite sensitive. Just think of medical data or biometrics, gathered by all the health and fitness IoT devices.
#3. IoT-driven financial crime is on the rise
Even though smart objects are not perceived as directly connected to internet banking, for example, a security breach in one of them is enough to compromise the entire network. As long as the smart object which was hacked is connected to the local Wi-Fi network, all the data from the other connected devices is exposed. Therefore, it’s not uncommon for hackers to use IoT vulnerabilities in order to achieve their financial crime goals.
#4. Machine phishing can disrupt operations
One of the constants of the hackers vs. defenders game is that hackers will constantly try to find new angles for exploiting vulnerabilities. The key to their success lies in people not being familiar with that type of attack yet. In the case of IoT related business attacks, this new angle is definitely machine phishing.
By targeting smart objects and machines with classic phishing attempts, the hackers can convince the machines to act differently than they should. For example, some devices might report a full battery when they are actually reaching the end of their life and so on. These challenges and false data provided by hacked IoT machines can lead managers to harmful decisions.
#5. Brute-forcing and credential stuffing are particularly easy in IoT
As mentioned above, it’s enough for a hacker to breach one smart object to gain access to your entire network. But while the rest of the endpoints in your network can be secured through protective software and through strong passwords, smart objects lack both.
More often than not, smart objects come with default passwords set by the manufacturer, like ‘admin’ or ‘1234’. It’s ridiculously easy for hackers to break into these considering the weak, mass-issued credentials they come with.
#6. Malware and ransomware are now targeting smart objects
Classic ransomware relied on encryption to lock users out, which means that it wasn’t easy to adapt it to target smart objects. But since there are so many smart objects and they are so poorly secured, hackers have started developing combined strains of malware and ransomware specially designed for IoT.
These strains can then be used both to limit the smart object’s functionality and steal data, or to bore more holes into the entire network.
#7. Smart objects can be hacked for cryptocurrency mining
Because smart objects are less secure and thus make easier targets, hackers turned to getting smart objects to mine cryptocurrency for them. This not only slows performance; the security breach also usually goes hand in hand with future diversified attacks, financial fraud and so on.
At first, they targeted just smartphones because they are more performant and thus able to mine faster, but soon no smart object was exempt. Not all cryptocurrencies can be mined by smart objects, but some, like Monero, are easily adaptable to them.
#8. Smart objects collect and process data which is then shared insecurely
Besides hacking into the data which smart objects were designed to collect (like in the case of health gadgets we discussed above), hackers have more disturbing goals. They can modify a smart object to start collecting a type of data it wasn’t designed to collect.
The user is obviously unaware of it and lies exposed in their most vulnerable moments. Just think of smart objects being used as secret cameras inside private homes. The data obtained through these means can then be used for blackmail and so on.
#9. Home invasions take the breach of privacy further
While a computer breach is definitely an upsetting incident, past breaches seemed way less personal than the IoT threatscape is turning out to be. By hacking into IoT devices, hackers now have the ability to collect data on you in the most private setting possible: your home.
Add to that the fact that many times, home security systems are part of the Internet of Things landscape as well. If a malicious actor wants to deactivate your home defenses in order to break in, this is now easy enough. You might argue that it’s just as easy as it was before security systems were invented, but it’s not quite so. At least people back then were putting more effort into more traditional defensive means. Whereas today, home security systems can lull users into a false sense of safety, which makes such attacks even more vicious afterwards.
In a particularly upsetting event, a hacker took over the baby monitor device which was left in a room with the infant. The parents discovered the intrusion and were chilled to hear various threats coming from the device, as well. This incident should be a wake-up call to everyone in the IoT industry and to users as well; it’s like we’re entering a whole new era of intrusion, in the worst way possible.
#10. Remote vehicle access is a particularly dangerous scenario
Self-driving automobiles are particularly vulnerable to hacker attacks, but any modern car can be taken over by a malicious hacker. Smart cars can be remotely accessed and are often less secure than your computer or your laptop. Even if we’re not talking about a driverless car and the driver is very much inside the vehicle, there’s little he or she can do to stop the hackers from threatening their life and the lives of those around them.
Tests conducted by ethical hackers proved that you can remotely stop a car’s engine or change its direction and speed, regardless of how the driver inside is trying to stop you. For now, this seems to be a limit which hackers are not willing to cross, but who knows for how long? State-sponsored attacks could target high-profile officials in another country with this, and all manner of unpleasantness can follow.
How Can You Mitigate the Risks of Smart Objects?
Don’t make purchasing decisions lightly when it comes to shiny new smart gadgets. Don’t sacrifice your security for the sake of convenience. Controlling your home thermostat from your mobile phone sounds very cool, indeed, but ask yourself: do you really need it?
Of course, we don’t mean to take an anti-technology stance or to discourage you from using IoT. All we are saying is that every addition of a new smart object to your home or work networks should be done only after proper research. Here are just a few ideas on how to do it.
See if there have been security incidents related to the smart object you’re considering.
See if the company that produces it is reputable.
See if you can easily modify your credentials or control any of its security settings.
See if the seller has a service and support line for reporting future issues or handling them.
See that the risks of the gadget are truly smaller than its benefits.
If your next tech crush scores highly on all these counts, it’s good to go. Then and only then, feel free to enjoy the wonders which the Internet of Things can bring.