If you take a look at the global market for IoT, you can easily spot the trend. The market has surpassed $100 billion in revenue, and projections for 2025 tell us that its revenue will hit $1.5 trillion. While this means more convenience and improved services, it also creates more opportunities for cybercriminals.
IoT devices are exposed to cybersecurity vulnerabilities. They work without our intervention, making it even harder to identify a threat before it’s too late. However, if you know where the dangers lurk, there is a way to minimize the cybersecurity risks. Here are five significant cybersecurity vulnerabilities with IoT in 2020.
Before we dive into the specific cybersecurity concerns, let us remind you about the attack that took place in October 2016. A hacker managed to identify a weak spot in a security camera model. Unfortunately, at that moment, there were over 300,000 of those cameras connected to the internet.
The hacker exploited the vulnerability and used these IoT devices to launch a massive attack on social media platforms. Some of the major social media platforms, including Twitter, were down for a couple of hours. This type of malware attack is called a botnet attack. It’s powered by hundreds of bots carrying malware and infecting thousands of IoT devices simultaneously. Apparently, IoT devices are particularly vulnerable to these attacks for several reasons. Let’s take a look at each one of them.
For the most part, researchers focus on various types of vulnerabilities. The typical list of potential flaws consists of these entries:
IoT is a complicated concept. Most people who use internet-connected devices are far from being tech-savvy experts. Nobody told them that their coffee machine could be hacked into or that their camera could be used to launch a DDoS attack. Cybersecurity experts have spent the last two decades emphasizing the importance of strong passwords and not clicking on malicious links in emails.
The cybersecurity issues related to IoT are a brand-new topic in the niche. It’s going to take some time and effort before IoT end users become aware that their smart devices can be used against them or against someone else. The only way to tackle this challenge is to educate the users about these threats and their potential implications.
Furthermore, consumers believe that companies and services have the responsibility of keeping their data secure. They go as far as to suggest that enterprises should act beyond the law. What does this mean? Well, users hope that companies will look at their security not as compliance with the rules, but as natural responsibility. However, this attitude might lead to a very serious vulnerability. Users could leave all the responsibility to governments and other institutions. Without seeing themselves as important variables, they probably won’t implement the necessary cybersecurity steps. So, we believe that there needs to be a balance. Both companies and consumers need to work proactively to protect their integrity.
The IoT market exploded because IoT devices offer more convenience, are easy to use, and bring true value. However, there is yet another reason for the exponential growth of this market: IoT devices are affordable. You don’t need to be super rich anymore to turn your entire household into a smart home.
Manufacturers saw this as an opportunity and rushed in to grab their own piece of the IoT market. The results are unsupervised and cheap manufacturing processes and a lack, or complete absence, of compliance. It’s a recipe for manufacturing IoT devices that are too easy to compromise, which is something only governments can solve with strict laws and regulations. So, faulty production could lead to a variety of issues, such as injection flaws.
All programs and services must filter content before deeming it suitable. If such processes lack proper authentication steps, they could work as gateways for bigger problems. Another issue with input is cross-site scripting (XSS). To put it in simple terms, it refers to the process of providing a web application with JavaScript tags on input. The purpose of the questionable input might differ: it could be rather benign, or it could perform malicious actions.
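The input filtering and XSS problem described above, shown as an added example that is not from the original article: a hypothetical IoT camera admin page that displays a user-supplied label, with the weak rendering beside a hardened one. The function names, the label rules and the sample inputs are assumptions made for illustration.

```javascript
// Added example; every name here is hypothetical.

// Filter on input: allow-list of letters, digits, space, dash and
// underscore, 1 to 32 characters. Anything else is rejected.
const LABEL_PATTERN = /^[A-Za-z0-9 _-]{1,32}$/;

function validateLabel(input) {
  return typeof input === "string" && LABEL_PATTERN.test(input);
}

// Encoding on output: characters with meaning in HTML become entities,
// so a stored value is displayed as text and never parsed as markup.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Weak version: the label is concatenated straight into the page.
function renderVulnerable(label) {
  return "<h1>Camera: " + label + "</h1>";
}

// Hardened version: the label is encoded before it reaches the page.
function renderSafe(label) {
  return "<h1>Camera: " + escapeHtml(label) + "</h1>";
}

// Constructed sample inputs: one ordinary label, one carrying a script tag.
const samples = ["Front door", "<script>alert(1)</script>"];

function report(inputs) {
  return inputs.map((s) => ({
    input: s,
    accepted: validateLabel(s),
    vulnerable: renderVulnerable(s),
    safe: renderSafe(s),
  }));
}

console.log(report(samples));
```

The two controls are independent: the filter rejects the second sample at submission time, and the encoder keeps the page safe even for values that were stored before the filter existed.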
Most of the world-famous IoT brands continuously work on discovering vulnerabilities in their devices. Once they find backdoors, they release updates and patches to deliver the necessary security fixes. It’s up to the end users to update their IoT devices, and that is a potential problem because people are still reluctant to update their smartphones and computers. Researchers published a list of the most devastating vulnerabilities. They included flaws that are still unpatched and continue to be a menace to users’ security. One of them allowed hackers to run malware through booby-trapped Microsoft Office documents. Another one reflects the critical nature of Drupal, permitting hackers to spread malware dubbed Kitty.
There are plenty of IoT devices with an auto-update feature, but there is a security issue with the process. Before the device applies the update, it sends a backup to the servers. Hackers can use this window of opportunity to steal the data. IoT devices on public Wi-Fi and encrypted networks are especially vulnerable to this type of attack. It can be prevented through the use of an online VPN. It encrypts the connection and masks the IP addresses of all devices on the network.
Even if a local network is completely secured and all IoT devices on it have firmware and software updated to the last version, a shadow IoT device can wreak havoc. These devices, also known as rogue IoT devices, can perfectly replicate an IoT device they were built to replace.
With BYOD becoming a major trend across verticals, employees can bring their own infected IoT devices to work. Once connected to the network, a rogue IoT device can download and send or manipulate the data. The potential damage is incomprehensible.
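One way to look for the rogue devices described above, as an added example that is not from the original article: compare what is seen on the network against an asset inventory, flagging devices missing from the inventory and known addresses that appear with a different model string or switch port. The inventory format, field names and observation records are assumptions, and the sample data is constructed.

```javascript
// Added example; the data model and all values are hypothetical.

// Asset inventory keyed by lower-case MAC address (constructed values).
const inventory = new Map([
  ["02:00:00:00:00:01", { model: "cam-v2", port: "sw1/3" }],
  ["02:00:00:00:00:02", { model: "thermostat-a", port: "sw1/7" }],
]);

// Constructed observations, standing in for records exported from
// DHCP or switch logs.
const observations = [
  { mac: "02:00:00:00:00:01", model: "cam-v2", port: "sw1/3" },
  // Known address, but attached somewhere the real device is not.
  { mac: "02:00:00:00:00:02", model: "thermostat-a", port: "sw2/9" },
  // Address that was never registered, such as a device brought from home.
  { mac: "02:00:00:00:00:10", model: "smart-plug", port: "sw1/5" },
];

// Classify one observation against the inventory.
function classify(obs, inv) {
  const known = inv.get(obs.mac.toLowerCase());
  if (!known) return "unknown-device";
  if (known.model !== obs.model || known.port !== obs.port) {
    return "identity-mismatch";
  }
  return "ok";
}

// Return only the observations that need a closer look.
function findSuspects(observed, inv) {
  return observed
    .map((o) => ({ mac: o.mac.toLowerCase(), finding: classify(o, inv) }))
    .filter((r) => r.finding !== "ok");
}

console.log(findSuspects(observations, inventory));
```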
The number of IoT devices online is increasing day by day. These cybersecurity issues with IoT should concern both individual and business users. Minimizing IoT-related security vulnerabilities must be a joint effort if we want to see results. With the current state of the IoT industry and end users’ awareness, it’s safe to assume we will see at least a few more IoT-powered large-scale cyberattacks. If we want to change the course of history, we need to be more attentive to the way both consumers and companies treat vulnerabilities. Overall, cybersecurity will never be fully achieved. It is an ongoing process that we all need to contribute to.
Author Name: Anas Baig
Author Bio: With a passion for working on disruptive products, Anas Baig is currently working as a Product Lead at the Silicon Valley based company SECURITI.ai. He holds a degree in Computer Science from Iqra University and specializes in Information Security & Data Privacy.
(SecurityAffairs – hacking, IoT)