HardwareIoTApril 11, 2023Introduction to IoT Security

What is IoT?

The Internet of Things (IoT) is a network of physical devices, vehicles, home appliances, and other objects embedded with sensors, software, and connectivity. It allows them to exchange data and interact over the Internet. Therefore, the basic idea of IoT is to connect all these devices to the Internet, enabling them to share data, communicate, and perform automated tasks without human intervention. This technology is rapidly growing and transforming various industries, including manufacturing, healthcare, transportation, and smart cities.

Framework of IOT devices

IoT device protocols vary depending on the application, communication needs, and network infrastructure. Some of the commonly used protocols are:

  • Wi-Fi: People widely use Wi-Fi as a wireless protocol to transfer data at high speeds and simultaneously support multiple devices. It is a popular choice for smart homes, security systems, and other applications that require high bandwidth.
  • Bluetooth: It connects IoT devices to their smartphones, tablets, and other devices because it is a low-power, short-range wireless protocol.
  • Zigbee: Zigbee is a low-power wireless protocol. It uses mesh networking to support large-scale IoT deployments. Home automation, smart lighting, and industrial control applications commonly use it.
  • Z-Wave: Smart home devices such as door locks, thermostats, and lighting systems commonly use Z-Wave. It is a wireless protocol that connects IoT devices in a home automation network using low-power radio waves.
  • LoRaWAN: LoRaWAN protocol suits various applications, including agriculture, transportation, and smart cities. It is designed to provide long-range connectivity for IoT devices while consuming low power.
  • MQTT: IoT devices commonly use the messaging protocol MQTT to transmit small amounts of data over unreliable networks. Especially in industrial and machine-to-machine (M2M) applications

How IoT works?

The overview of how IOT works is quite simple and reliable. For example, you have installed an IOT device to predict today’s weather. The first thing that this IOT does is.

  • Sensors integrated into the IOT collect environmental data, such as humidity, atmospheric pressure, temperature, wind speed, etc.
  • The device then sends the collected data to the cloud or gatewayIt uses various protocols such as Bluetooth, Zigbee, LoRaWAN etc.
  • After that, the cloud takes the data for processing and analysis. Collectively studying it with data collected from previous scenarios using Machine Learning.
  • The IoT device receives an action from the cloud after the analysis. It includes displaying the predicted outcome or today’s weather to the user. The cloud instructs the device to execute the action.
  • The IoT device sends feedback to the cloud or gateway, such as the execution of an action or data status. For example, it may indicate whether the user viewed a notification about the predicted weather through the IoT application.

Security issues that can arise with IOT

The Internet of Things (IoT) has introduced a new set of security challenges due to IoT devices’ interconnected and heterogeneous nature. Some of the security issues that can arise with IoT include:

  • Weak authentication and authorization: Many IoT devices have weak or default passwords, making them vulnerable to brute-force attacks. In addition, many devices do not implement strong authentication and authorization mechanisms, which can lead to unauthorized access.
  • Vulnerable firmware and software: Attackers can exploit outdated or unpatched software and firmware used by many IoT devices to access the device or the network it’s connected to.
  • Lack of encryption: IoT devices often lack encryption, exposing data in transit or at rest to unauthorized access or interception.
  • Privacy concerns: Attackers can obtain sensitive data, such as personal or health data, through IoT devices that collect and transmit this information.
  • Distributed denial-of-service (DDoS) attacks: Attackers can compromise IoT devices and use them as part of a botnet to launch DDoS attacks, which can cause significant disruption to networks and systems.
  • Interoperability issues: IoT devices often use different communication protocols and standards, making it difficult to secure and manage the devices in a unified manner.

Why does security matter in IOT?

  • Data privacy: IoT devices collect and transmit a vast amount of personal and sensitive data, including personal information, financial data, and health information. This data must be protected to prevent unauthorized access or misuse.
  • Cyberattacks: IoT devices are vulnerable to cyberattacks, following the security compromise of the devices and the networks they are connected to. Attackers can use compromised IoT devices to attack other devices or networks.
  • Physical security: IoT devices can control critical infrastructure such as transportation systems, power grids, and water treatment plants. A security breach can lead to significant damage to the physical infrastructure.
  • Compliance: Many industries are subject to strict regulatory requirements for data protection, such as HIPAA for healthcare and GDPR for data privacy. IoT devices must comply with these regulations to avoid legal consequences.
  • Reputation: Security breaches can damage the reputation of businesses and individuals. It’s essential to ensure that IoT devices are secure to protect the reputation of the manufacturers and users.

Real-Life Vulnerabilities 

Western Digital My Cloud Pro Series PR4100 (Zero Day)

This zero-day vulnerability was discovered by Pedro Ribeiro and Radek Domanski in Pwn2Own Tokyo 2020 competition in November 2020. The vulnerability affected Western Digital My Cloud Pro Series PR4100 (PR4100) for firmware versions up to 2.40.157.

This vulnerability allowed unauthenticated attackers to access the API hosted on the remote-hosted web server on the device. Using the API allowed attackers to patch the firmware with their maliciously crafted firmware files into the device. The device does not check for the integrity of the firmware file and loads the file to memory during BOOT time. This allowed attackers to create backdoor software to access the device’s internal system whenever possible.

2014 Jeep Cherokee

In 2015, hackers Charlie Miller and Chris Valasek demonstrated at DEF CON 23 how they remotely took control of a 2014 Jeep Cherokee car by accessing its network using Wi-Fi. They cracked the easily-guessable 8-character Wi-Fi password and scanned the network with masscan, discovering that the Uconnect system used the vulnerable D-Bus protocol. As a result, this allowed them to execute commands to the V850 chipset that controlled critical systems like brakes and steering. Such attacks could be catastrophic, especially if autonomous vehicles are targeted.

Closing Thoughts

Thus, from this blog, we have learned that IoT is a new emerging technology in the market or plans to be fully implemented in large-scale areas or communities such as smart cities. Not to mention, IoT comes with some major security setbacks, such as data privacy, integrity, and software vulnerabilities that can greatly affect the fields which implement it, such as industrial, power plants, and even household. The most overlooked part about IoT devices is the least frequent firmware updates and easily accessible devices through the Internet, allowing attackers to easily exploit devices with known vulnerabilities even to a large-scale system such as industrial devices.

This blog has given a brief introduction to IoT Security. In the upcoming blogs, we will dive deeper into this space. Stay tuned for more on this.

By partnering with Redfox Security, you’ll get the best security and technical skills to execute a practical and thorough penetration test. Our offensive security experts have years of experience assisting organizations in protecting their digital assets through Penetration Testing Services. To schedule a call with one of our technical specialists, call 1-800-917-0850 now.

Redfox Security is a diverse network of expert security consultants with a global mindset and a collaborative culture. We proudly deliver robust security solutions with data-driven, research-based, and manual testing methodologies.

“Join us on our journey of growth and development by signing up for our comprehensive courses.”

Vivashu Rai

by Vivashu Rai

Security Consultant | Redfox Security