Smart but not secure?

How secure are IoT devices? Can they be hacked? Avast Threat Labs takes a hard look.

In today’s digital world, we are literally surrounded by IoT (Internet of Things) devices. Manufacturers of toys, furniture, cars, and medical tools add appeal to their products by including “smart” features. (Even bottle manufacturers sell smart, connected water bottles!) Unfortunately, in this rush to get smart devices to market, there’s a critical component that is all too often an afterthought: security.

Why IoT devices lack security

With no regulations around smart-device security, manufacturers are left to create their own proprietary standards for communication. You can imagine the consequences. Consider a toaster manufacturer, now producing “smart toasters.” Beyond enabling your mobile device to fine-tune the browning levels, now the manufacturer also has to consider how to protect those toasters from hackers?! It’s easy to see how basic principles of modern security can be often neglected, causing unprotected products to get shipped out to consumers who are eagerly awaiting their next “connected” device.

How hackable are IoT devices?

Because smart devices lack security, they can be hacked using a wide range of existing methods, from bruteforcing login credentials to the more sophisticated exploiting techniques, which include reverse engineering firmware or operating systems to find zero-day vulnerabilities. Services and exploits used to hack IoT devices are sold on the darknet, easily accessible to cybercriminals. Hackers are always attempting to infiltrate new types of networks and communications used by IoT devices.

How difficult is it to hack an IoT device?

The simplest way to hack a smart device is to bruteforce passwords or use the device’s default login credentials to gain access. Botnets, which can be rented on the darknet, make it easy to infect thousands of devices at once with a “script kiddie” method, a novice technique of adopting someone else’s malware program for one’s own purposes.

And it gets even easier when you consider this unfortunate truth: rather than create unique passwords, many manufacturers save money by using the same default login credentials for every device they produce. Last year, one of the biggest IoT threats was the Mirai botnet, which infected thousands of smart devices by using default login credentials to perform massive DDoS (distributed denial-of-service) attacks. Since Mirai’s source code was published, almost anyone can now run their own IoT botnet or rewrite the code. As a result, many mutations of Mirai have appeared.

While there are other ways to infect an IoT device, because they are much more complex and expensive, they remain less common. Reverse-engineering firmware or an operating system, for example, requires advanced technical knowledge and takes time. Similarly, zero-day exploits that take advantage of vulnerabilities cost thousands of dollars.

What needs to be done to better secure IoT devices?

One possible and effective way to dramatically improve IoT security is to give consumers the option to easily change the login credentials of their smart devices. Better still, manufacturers could require that users create a unique, strong password when setting up a device for the first time. While this can’t be applied to all scenarios, changing default login credentials would dramatically reduce the number of “unsecured” devices, as well as make it harder for script kiddies, wannabe hackers, and simple search bots to gain access to IoT devices. Alternatively, IoT device manufacturers could give each device a unique and random password that only the customer would receive.

Regular software updates to patch vulnerabilities would help secure smart devices from exploits as well. Today, manufacturers often use outdated versions of various libraries and operating systems for which plenty of powerful exploits exist, leaving those devices vulnerable to attack. There are also many devices out on the market that can never have their firmware updated; so if a hacker were to exploit a vulnerability, there would be essentially no other option but to permanently disconnect the device from the network and replace it with a more secure device.

Securing smart devices will not only protect people’s privacy and help prevent DDoS attacks, but it can also prevent much worse. There have been proof-of-concept attacks that show how entire IoT networks can be infected by targeting a single device, such as a light bulb or traffic sensor. These proof-of-concept attacks demonstrate that vulnerable smart devices can be a massive problem causing tremendous damage if controlled by the wrong people. Imagine hackers controlling traffic flow or turning off lights in an entire city. Smart device manufacturers should collaborate with security experts to ensure a security layer is included in their devices. They should also pen-test their products on a regular basis.

And here’s the bottom line: In their race to hit the market with their latest products, manufacturers are leaving a lot on the table when it comes to security. Until we have more protection in place related to smart-device security, we need to ask ourselves before we buy, “Is the price of that shiny, new object really worth its potential—and perhaps insidious—cost?”  

Come see the live drone hack happening at the Avast booth N.658 at MCWA every hour demonstrating the vulnerabilities of IoT devices.

Author: Michal Salát, 7 September 2017


Posted in Uncategorised.