IoT Cybersecurity: 5 Major Vulnerabilities and How to Tackle Them

Pierluigi Paganini October 13, 2020

The number of sensors and smart devices connected to the internet is rising exponentially. Here are the 5 major vulnerabilities for IoT devices.

If you take a look at the global market for IoT, you can easily spot the trend. The market surpassed $100 billion in revenue, and projections for 2025 tell us that revenue will hit $1.5 trillion. While this means more convenience and improved services, it also creates more opportunities for cybercriminals.

IoT devices are exposed to cybersecurity vulnerabilities. They work without our intervention, making it even harder to identify a threat before it’s too late. However, if you know where the dangers lurk, there is a way to minimize the cybersecurity risks. Here are five significant cybersecurity vulnerabilities with IoT in 2020.

The Threat is Definitely Real

Before we dive into the specific cybersecurity concerns, let us remind you about the attack that took place in October 2016. A hacker managed to identify a weak spot in a security camera model. Unfortunately, at that moment, there were over 300,000 of those cameras connected to the internet. 

The hacker exploited the vulnerability and used these IoT devices to launch a massive attack on social media platforms. Some of the major social media platforms, including Twitter, were down for a couple of hours. This type of malware attack is called a botnet attack. It’s powered by hundreds of bots carrying malware and infecting thousands of IoT devices simultaneously. IoT devices are particularly vulnerable to these attacks for several reasons. Let’s take a look at each one of them.

Categorization of System Vulnerabilities 

For the most part, researchers focus on various types of vulnerabilities. The typical list of potential flaws consists of these entries:

  • Unpatched software. A straightforward vulnerability that many people disregard. If you are a regular netizen, you use a dozen applications. Most of them are being developed continuously. Developers adapt them to solve issues. In some cases, patches and updates address serious vulnerabilities. The threat arises when people refuse to update.
  • Misconfiguration. This concept relates to various alterations of the system. One of the examples relates to the default settings users get when starting to use a new service. Usually, the default settings are not focused on security. Your router is one of the gadgets that should not be kept with its default settings. Instead, you should change your credentials regularly. As a result, you will prevent unauthorized access or communication interception.
  • Poor credentials. Simple or reused passwords are still a problem. While the cybersecurity industry has presented options for every netizen, the recommendation to use original and complex passwords continues to be disregarded. Instead, people come up with passwords that are comfortable. What does this mean? Combinations that people can easily remember, and, sadly, which hackers can guess easily. Knowing the nature of credential stuffing attacks, you will need a highly complex password to stay safe. 
  • Malware, phishing, and web. Nowadays, malware is an indispensable part of the internet (even if we do not like it). Hackers spread sophisticated variants daily, and researchers do not always have the means to warn us about each one. Phishing is also one of the prominent threats relating to scams and fraudulent offers that arrive in users’ inboxes. 
  • Trust relationship. These vulnerabilities trigger a chain reaction. For instance, various systems could be linked with each other to permit access. If one network gets compromised, others might crumble, too. 
  • Compromised credentials. This threat refers to credentials that have been stolen and are later used to gain unauthorized access. As an example, consider communications between systems that are not properly encrypted. A hacker could intercept this exchange and retrieve passwords in plaintext form.
  • Vicious insider. Some actors in your system can take advantage of their privileges and perform malicious actions. 
  • Improper encryption. Hackers or other malicious sources can intercept poorly encrypted communications on the web. Due to such vulnerabilities, many devastating scenarios could follow. For instance, crooks can take confidential information or spread false information across departments. 
  • Zero-day vulnerabilities and other flaws. Such vulnerabilities are not solved, and they continue to haunt systems. Hackers will attempt to exploit such flaws and see which systems could be compromised. 

Inexperienced users: the greatest vulnerability

IoT is a complicated concept. Most people who use internet-connected devices are far from being tech-savvy experts. Nobody told them that their coffee machine could be hacked into or that their camera could be used to launch a DDoS attack. Cybersecurity experts have spent the last two decades emphasizing the importance of strong passwords and not clicking on malicious links in emails.

The cybersecurity issues related to IoT are a brand-new topic in the niche. It’s going to take some time and effort before end IoT users become aware that their smart devices can be used against them or against someone else. The only way to tackle this challenge is to educate the users about these threats and their potential implications. 

Furthermore, consumers believe that companies and services have the responsibility of keeping their data secure. They go as far as to suggest that enterprises should act beyond the law. What does this mean? Well, users hope that companies will look at their security not as compliance with the rules, but as natural responsibility. However, this attitude might lead to a very serious vulnerability. Users could leave all the responsibility to governments and other institutions. Without seeing themselves as important variables, they probably won’t implement the necessary cybersecurity steps. So, we believe that there needs to be a balance. Both companies and consumers need to work proactively to protect their integrity. 

The Flaws in Manufacturing Process

The IoT market exploded because IoT devices offer more convenience, are easy to use, and bring true value. However, there is yet another reason for the exponential growth of this market – IoT devices are affordable. You don’t need to be super rich anymore to turn your entire household into a smart home.

Manufacturers saw this as an opportunity and rushed in to grab their own piece of the IoT market. The results – unsupervised and cheap manufacturing processes and lack or complete absence of compliance. It’s a recipe for manufacturing IoT devices that are too easy to compromise, which is something only governments can solve with strict laws and regulations. So, faulty production could lead to a variety of issues, such as injection flaws. 

All programs and services must filter content before deeming it suitable. If such processes lack proper authentication steps, they could work as gateways for bigger problems. Another issue with input is cross-site scripting (XSS). To put it in simple terms, it refers to the process of providing a web application with JavaScript tags on input. The purpose of the questionable input might differ. It could be rather benign or perform malicious actions.
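The filtering described above, sketched for the web interface of an IoT device as an added example (not code from the article): a user-supplied device label is checked against an allow-list on input and HTML-encoded on output, next to the unfiltered form. The function names, the label rule and the sample inputs are assumptions made for illustration.

```python
import html
import re

# Assumed policy: a device label is 1-32 letters, digits, spaces, '_' or '-'.
LABEL_RE = re.compile(r"[A-Za-z0-9 _-]{1,32}")

def validate_label(raw):
    """Input filtering: return the label only if it matches the allow-list."""
    if not isinstance(raw, str) or LABEL_RE.fullmatch(raw) is None:
        raise ValueError("label rejected by allow-list")
    return raw

def render_row_unsafe(label):
    # 'Before' form: input is concatenated into markup unchanged, so any
    # tags it contains become part of the page served to the administrator.
    return "<td>" + label + "</td>"

def render_row_safe(label):
    # Output encoding: <, >, & and quotes become entities and are shown as text.
    return "<td>" + html.escape(label, quote=True) + "</td>"

def handle_submission(raw):
    """Validate on input, encode on output. Returns (accepted, markup)."""
    try:
        label = validate_label(raw)
    except ValueError:
        return False, render_row_safe("(invalid label)")
    return True, render_row_safe(label)

if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ["Kitchen Camera", "<script>alert(1)</script>", "A&B"]:
        print(repr(sample), handle_submission(sample))
        print("  unfiltered:", render_row_unsafe(sample))
        print("  encoded:   ", render_row_safe(sample))
```

The two layers are independent: the allow-list keeps unexpected characters out of stored configuration, and the encoding step keeps the page safe even for values that reached storage by another path.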

Irregular Updates

Most of the world-famous IoT brands continuously work on discovering vulnerabilities in their devices. Once they find backdoors, they release updates and patches to deliver the necessary security fixes. It’s up to the end-users to update their IoT devices, and that is a potential problem because people are still reluctant to update their smartphones and computers. Researchers published a list of the most devastating vulnerabilities. They included flaws that are still unpatched and continue to be a menace to users’ security. One of them allowed hackers to run malware through boobytrapped Microsoft Office documents. Another one reflects the critical nature of Drupal, permitting hackers to spread malware dubbed Kitty.

There are plenty of IoT devices with an auto-update feature, but there is a security issue with the process. Before the device applies the update, it sends a backup to the servers. Hackers can use this window of opportunity to steal the data. IoT devices on public Wi-Fi and encrypted networks are especially vulnerable to this type of attack. It can be prevented through the use of an online VPN. It encrypts the connection and masks the IP addresses of all devices on the network.

Shadow IoT Devices

Even if a local network is completely secured and all IoT devices on it have firmware and software updated to the last version, a shadow IoT device can wreak havoc. These devices, also known as rogue IoT devices, can perfectly replicate an IoT device they were built to replace.

With BYOD becoming a major trend across verticals, employees can bring their own infected IoT devices to work. Once connected to the network, a rogue IoT device can download and send or manipulate the data. The potential damage is incomprehensible. 
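One way a network owner can look for the rogue devices described above, as an added example that is not part of the original article: compare what is observed on the network with an approved asset inventory and flag unknown devices, devices that reuse an approved name, and approved MAC addresses that appear at more than one IP address. The inventory, the observations (in the shape of an exported DHCP lease list) and all names are constructed for illustration.

```python
from collections import defaultdict

# Constructed inventory (assumption): approved devices keyed by MAC address.
INVENTORY = {
    "02:00:00:00:00:01": "lobby-camera",
    "02:00:00:00:00:02": "hvac-sensor",
}

# Constructed observations: (mac, hostname, ip) as seen on the network.
OBSERVED = [
    ("02:00:00:00:00:01", "lobby-camera", "10.0.5.11"),
    ("02-00-00-00-00-02", "hvac-sensor", "10.0.5.12"),
    ("02:00:00:00:00:99", "lobby-camera", "10.0.5.40"),  # approved name, unknown MAC
    ("02:00:00:00:00:02", "hvac-sensor", "10.0.5.77"),   # approved MAC, second IP
    ("02:00:00:00:00:33", "smart-kettle", "10.0.5.90"),  # not in the inventory
]

def normalize(mac):
    """Lower-case the MAC and use ':' separators so comparisons are stable."""
    return mac.strip().lower().replace("-", ":")

def find_shadow_devices(inventory, observed):
    """Return a sorted list of (finding, mac, detail) tuples."""
    approved = {normalize(m): name for m, name in inventory.items()}
    approved_names = set(approved.values())
    ips_by_mac = defaultdict(set)
    findings = set()
    for mac, hostname, ip in observed:
        mac = normalize(mac)
        ips_by_mac[mac].add(ip)
        if mac not in approved:
            # A device presenting an approved name is imitating a known asset.
            kind = "name_clone" if hostname in approved_names else "unknown_device"
            findings.add((kind, mac, hostname))
        elif approved[mac] != hostname:
            findings.add(("name_mismatch", mac, hostname))
    for mac, ips in ips_by_mac.items():
        # One approved MAC at several IPs suggests a second device reusing it.
        if mac in approved and len(ips) > 1:
            findings.add(("mac_at_multiple_ips", mac, ",".join(sorted(ips))))
    return sorted(findings)

if __name__ == "__main__":
    for finding in find_shadow_devices(INVENTORY, OBSERVED):
        print(finding)
```

A MAC address and a hostname are both easy to copy, so a finding here is a prompt to inspect the device, and a clean result is not proof that no rogue device is present.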

The number of IoT devices online is increasing day by day. These cybersecurity issues with IoT should concern both individual and business users. Minimizing IoT-related security vulnerabilities must be a joint effort if we want to see results. With the current state of the IoT industry and end-users’ awareness, it’s safe to assume we will see at least a few more IoT-powered large-scale cyberattacks. If we want to change the course of history, we need to be more attentive to the way both consumers and companies treat vulnerabilities. Overall, cybersecurity will never be fully achieved. It is an ongoing process that we all need to contribute to.

Author Name: Anas Baig

Author Bio: With a passion for working on disruptive products, Anas Baig is currently working as a Product Lead at the Silicon Valley based company – SECURITI.ai. He holds a degree in Computer Science from Iqra University and specializes in Information Security & Data Privacy.


Pierluigi Paganini

(SecurityAffairs – hacking, IoT)
