IoT and Hacking – Why Code Auditing is a Must?
- April 26, 2016
Computing has been taking over the world for almost a century now. Computer systems have taken over critical tasks that were previously performed manually. But as those systems grew, so did the flaws in them, and new ways of exploiting those flaws were invented by some. The more computers became involved in performing our day-to-day tasks, the more the risk associated with computing grew. Major exploits of computer systems started to surface in the 1980s, and they were followed by major attacks such as Stuxnet.
In 2014, the latest trends in technology appeared, and one of the new concepts introduced was IoT (the Internet of Things). IoT is a concept where most, if not all, of the things we use in our daily lives, such as cars, TVs, ACs, watches, fridges and washing machines, are ‘smart’ and connected. Instructions to these smart, connected devices can be given from another device, such as a mobile phone, that is connected to the same network or reaches them over the internet. What IoT is doing is basically converting non-computing devices into computing devices. As these new small devices are not our main computing devices, people do not pay much attention to their security. This leaves the connected devices vulnerable and easy to exploit. Let’s look at some of the main reasons IoT devices get hacked.
IoT products are mass-market products. Users can range from tech experts to laymen. For this reason the usability and setup process of such products has to be very simple. Vendors face a trade-off here: keeping usability simple often means compromising security. A simple example of usability versus security is setting a password for a new account. If a user, especially a non-technical one, is forced to set a complex password, it may put them off. So, to keep the first impression of the product user-friendly, basic security is often compromised.
IoT products are small and are arriving at a rapid pace, ranging from bulbs to ACs to cars. Because most of the products are small, security is not considered an important issue. These small products are mostly controlled by web applications or mobile applications. These applications and web interfaces are weak in terms of security for multiple reasons. Some of the common issues found in them are:
- Users don’t get locked out of their accounts after a number of failed login attempts.
- They don’t offer protection against cross-site scripting attacks and SQL injections.
- Attackers simply need to trick a user behind the router and firewall into clicking a link.
- If the web interface is vulnerable, it will give the attacker access to the web management interface.
- These products are mostly connected to home Wi-Fi to work, and these Wi-Fi connections are often weak in terms of security and hence quite easy to hack.
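The first two issues in that list are the kind of thing a code audit of the device's companion web application should catch. The following is an added example, not code from the post or from any vendor: a minimal login handler for such an application, written against an in-memory SQLite store, that shows the string-spliced query an auditor should flag beside its parameterised replacement, and that locks an account after repeated failed logins. The lockout policy values (five attempts, fifteen minutes), the table layout and the helper names are assumptions made for the example.

```python
import hashlib
import hmac
import os
import sqlite3
import time

# Policy values are assumptions for this example, not figures from the post.
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60


def _hash_password(password, salt):
    """Salted PBKDF2-HMAC-SHA256; the plain password is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def create_store():
    """In-memory SQLite store standing in for the device's user database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users ("
        " username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB,"
        " failed INTEGER DEFAULT 0, locked_until REAL DEFAULT 0)"
    )
    return conn


def add_user(conn, username, password):
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
        (username, salt, _hash_password(password, salt)),
    )


def vulnerable_lookup(conn, username):
    """What an audit should flag: user input spliced into the SQL text,
    so a username containing a quote changes the meaning of the query."""
    query = "SELECT username FROM users WHERE username = '%s'" % username
    return [row[0] for row in conn.execute(query)]


def safe_lookup(conn, username):
    """The fix: a parameterised query, so the input is only ever data."""
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ?", (username,)
    )
    return [row[0] for row in rows]


def login(conn, username, password, now=None):
    """Returns 'ok', 'invalid' or 'locked'. `now` can be injected for tests."""
    now = time.time() if now is None else now
    row = conn.execute(
        "SELECT salt, pw_hash, failed, locked_until FROM users WHERE username = ?",
        (username,),
    ).fetchone()
    if row is None:
        return "invalid"
    salt, pw_hash, failed, locked_until = row
    if locked_until > now:
        return "locked"  # still inside the lockout window, even if the password is right
    if hmac.compare_digest(pw_hash, _hash_password(password, salt)):
        # successful login clears the failure counter
        conn.execute(
            "UPDATE users SET failed = 0, locked_until = 0 WHERE username = ?",
            (username,),
        )
        return "ok"
    failed += 1
    if failed >= MAX_FAILED_ATTEMPTS:
        locked_until = now + LOCKOUT_SECONDS
    conn.execute(
        "UPDATE users SET failed = ?, locked_until = ? WHERE username = ?",
        (failed, locked_until, username),
    )
    return "locked" if locked_until > now else "invalid"
```

The lockout is deliberately enforced before the password is checked, so once the window is open the correct password is refused too until it expires; a real deployment would also log the lockout event so that repeated lockouts on one account can be noticed.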
IoT Products and Security
IoT products are small products. The manufacturer’s ultimate goal is to mass-produce them and sell them for a profit. Security professionals are hard to come by. Security analysis is time-consuming and also costs money. This can be better understood with the example of a thermostat manufacturer. Let’s say a company has been manufacturing thermostats for over 50 years. These thermostats were never connected, and the user hardly ever interacted with them. Now the same manufacturer has started producing connected thermostats, and the user can interact with them through a mobile application over the home network, which is most likely connected to the internet as well. Now the same manufacturer has to look for ways to secure its products, and finding security professionals is also a difficult task.
Millions of software products have been made so far, and it would not be wrong to say that all of them have bugs. Be it an OS or a small application, they do have bugs in them. New software versions are released periodically; these new versions bring additional functionality along with bug fixes. Small vendors do not pay attention to the bugs that are left in existing products. There are various reasons for this. One is that most of them work on a sell-and-forget policy. Once they manufacture a batch of a product, the only goal is to sell that batch, and quality is often compromised in the process. Under the pressure of producing new models frequently, old products are forgotten very quickly, and updates for them are seldom provided.
Connected devices are mostly transmitting data to the vendor’s server. This includes sensitive user data, such as fitness and health data. These IoT devices are often found guilty of transmitting data to the cloud in plain text. At times these devices implement SSL incorrectly, exposing sensitive data such as login credentials, tokens and Wi-Fi passwords. When transmitting sensitive information from devices like smartphones to the cloud, end-to-end encryption must be implemented. This is an important step that is overlooked, and left unimplemented, many times.
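The "faulty SSL" the post describes is usually not a broken cipher but a client that skips verification, so that any server presenting any certificate is accepted and the credentials, tokens and Wi-Fi password in the session are exposed to whoever sits on the path. The following is an added example, not code from the post or from any vendor's firmware, using Python's standard `ssl` module: the weak client configuration beside the corrected one, plus a small audit helper (`audit_context`, a name assumed for this example) that reports what an auditor would flag on a given context. The hardened context verifies the chain and hostname against the system trust store, or against a vendor-pinned bundle if one is passed as `ca_bundle`, and refuses TLS versions below 1.2.

```python
import ssl


def shipped_context():
    """The pattern an audit should flag: verification switched off so the
    device 'just works' against the vendor's server. Any host presenting
    any certificate is accepted, so nothing in the session is protected
    from whoever sits between the device and the server."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(ca_bundle=None):
    """Chain and hostname are verified against the system trust store, or
    against a vendor-pinned CA bundle when ca_bundle is given; legacy TLS
    versions are refused."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx):
    """Hypothetical audit helper: lists the findings for an SSLContext.
    An empty list means the context verifies its peer as it should."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 accepted")
    return findings
```

Running `audit_context` over every context a code base builds is a cheap static-style check; the same three questions (is the chain verified, is the hostname checked, which protocol versions are allowed) apply whatever TLS library the device's firmware uses.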
Manufacturers developing IoT products are also under pressure to make them look good. The push for ever sleeker and better-looking devices often forces manufacturers to produce hardware that is buggy. Some manufacturers neglect hardware bugs. Those bugs can allow attackers to hard-reboot the devices and their corresponding hotspots. An attacker can then get in the middle and fool the mobile app that is trying to establish a connection. If the connection succeeds, the attacker can grab the username and password of the user’s Wi-Fi network.
In all IoT hacking stories there is a very important link that is often neglected in the discussion: the user, who can also be described as the weakest link in security. Users do not bother updating these IoT devices. Why bother updating a device when it is (apparently) working perfectly? Users often don’t bother changing the default passwords of administrator consoles. All the efforts of manufacturers and developers can go in vain in a moment if the user does not apply updates and patches.
Most IoT vulnerabilities are new to the cyber-security industry. So far we’ve seen experiments and proofs of concept, but it’s just a matter of time until attackers start mining crypto-currencies via connected refrigerators, or until smart TVs are locked by ransomware. That’s why, going forward, security must be the top priority of every IoT application.