Thought Leadership: IoT Security Issues and Countermeasures

Updated: May 14

Dr Biju Issac, Associate Professor and NEBRC Advisory Group member, Northumbria University, UK

Source: Team ARIN. Connected Devices Accelerate the Need for IPv6 in the Internet of Things (Accessed May 2021)

We are seeing an increasing number of Internet of Things (IoT) devices being deployed in computer networks around the world. Indeed, it is estimated that there could be over 30 billion IoT devices by 2025, with companies investing up to 10 trillion GBP in IoT by 2025 (Global IoT and non-IoT connections 2010-2025, Statista, 2021).

Any peripheral device with an IP address, such as IP cameras, network printers, smart TVs, IP sensors, Internet toasters, smart bulbs, Amazon Echo devices, etc., can be classified under the IoT family. These devices are all built to deliver specific services, for example the measurement of temperature or humidity, video surveillance, lighting, entertainment, etc., and as such it is difficult to harden the security on IoT devices without significant cost implications.

The paper 'Understanding the Mirai Botnet' by Antonakakis et al., presented at the USENIX 2017 conference, stated: "Starting in September 2016, a spree of massive, distributed denial-of-service (DDoS) attacks temporarily crippled companies like Krebs on Security, OVH, and Dyn. The initial attack on Krebs exceeded 600 Gbps in volume, among the largest on record. Remarkably, this overwhelming traffic was sourced from hundreds of thousands of some of the Internet’s least powerful hosts — Internet of Things (IoT) devices — under the control of a new botnet named Mirai".

This event was a turning point in IoT device history.

So, what happens when we add such insecure IoT devices into a computer network?

Put simply: it creates security loopholes. Shadow IoT devices are IoT devices such as mobile phones, tablets, fitness trackers or smart home gadgets that are being used in an organisation without its IT department’s knowledge. These shadow devices present a weak entry point into an organisation’s network.

There are many challenges to IoT security. IoT devices can be running outdated operating systems with publicly known vulnerabilities, which attackers can take advantage of. Because they lack security software, they can be infected with malware and then used in cyber-attacks or to collect sensitive data. Since the software in them is hard to update or patch, these devices are open to targeted cyber-attack. These devices also have problems with passwords, as they might use default or hard-coded passwords, which can be cracked through brute-force attacks. The physical installation of IoT devices can expose them to hackers, as in some cases they are deployed in public or remote places. Some of them use insecure protocols like telnet for remote login, which send login details as plain text, allowing transmissions to be eavesdropped.

There are different forms of attack against IoT devices. For example, in many organisations a network printer is assigned greater permissions than other devices and would not be blocked by a firewall. In this instance, hackers could use the network printer as a point of entry to gain access to the corporate network. We can think of IoT devices as internet-connected computers: if they are infected and become part of a botnet, they can be used to launch denial-of-service attacks or to spread malware or ransomware in a corporate network. If the IoT devices are processing sensitive data and are connected to cloud services, that makes them a hot target for hackers, which can lead to data breaches. Crypto mining with IoT bots is a type of attack in which infected IoT devices are used not to cause damage, but to mine cryptocurrency.

So what are the countermeasures against IoT-based attacks?

It is important to carry out a vulnerability assessment of all the IoT devices (local and remote) plugged into an enterprise network and to create an IoT cyber incident response plan. It is good practice to compartmentalise the IoT devices to reduce the attack surface. An effective network design, whether for a home network or a corporate network, in which IoT devices are placed behind firewalls for added protection is important. If these ‘smart’ devices are processing sensitive data, two-factor authentication should possibly be part of the IoT design. An intelligent network intrusion detection system would also be ideal for fighting IoT-based intrusions in a network.
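The assessment and compartmentalisation steps above can be run as a repeatable check. The following Python sketch is an added example, not part of the original article: it flags shadow devices, approved IoT devices sitting outside the IoT segment, and telnet exposure. The inventory, the observed hosts and the 10.20.0.0/24 IoT subnet are all constructed assumptions.

```python
import ipaddress

# Assumption: approved IoT devices are meant to live in this dedicated subnet.
IOT_SEGMENT = ipaddress.ip_network("10.20.0.0/24")
# Services that send login details as plain text (the article names telnet).
CLEARTEXT_LOGIN_PORTS = {23: "telnet"}

# Constructed approved inventory, keyed by MAC address.
INVENTORY = {
    "00:00:5e:00:53:01": "lobby-camera",
    "00:00:5e:00:53:02": "floor2-printer",
}

# Constructed observations, e.g. merged from a DHCP lease export and an
# authorised service audit of the organisation's own network.
OBSERVED = [
    {"mac": "00:00:5e:00:53:01", "ip": "10.20.0.11", "open_ports": [443, 554]},
    {"mac": "00:00:5e:00:53:02", "ip": "10.10.0.40", "open_ports": [23, 631]},
    {"mac": "00:00:5e:00:53:99", "ip": "10.10.0.77", "open_ports": [23, 80]},
]


def audit(observed, inventory=INVENTORY, segment=IOT_SEGMENT):
    """Return {mac: [findings]} for every host with at least one finding."""
    report = {}
    for host in observed:
        mac = host["mac"].lower()
        findings = []
        if mac not in inventory:
            # Connected without the IT department's knowledge.
            findings.append("shadow device: not in approved inventory")
        elif ipaddress.ip_address(host["ip"]) not in segment:
            # Approved, but not compartmentalised with the other IoT devices.
            findings.append(f"approved IoT device outside segment {segment}")
        for port in sorted({p for p in host["open_ports"] if p in CLEARTEXT_LOGIN_PORTS}):
            findings.append(f"cleartext login service: {CLEARTEXT_LOGIN_PORTS[port]}/{port}")
        if findings:
            report[mac] = findings
    return report


if __name__ == "__main__":
    for mac, findings in audit(OBSERVED).items():
        print(INVENTORY.get(mac, "UNKNOWN"), mac)
        for finding in findings:
            print("  -", finding)
```
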

For further information contact the team at the NEBRC.