Vladimir Dashchenko, security evangelist at Kaspersky, weighs up IoT cybersecurity, its challenges and if IoT can ever be secure.
The “IoT party” is believed to have started in 1990, when John Romkey, an American computer scientist, connected a toaster oven to the Internet for the first time. Since then, IoT has developed, and devices with built-in Wi-Fi and the ability to connect to 4G/5G networks have become small, powerful, and cheap to manufacture. But in 2016, when the first major cyber incident happened, the IoT party transformed into a terrible hangover.
Why Mirai became a no-return-point for IoT cybersecurity
Back then Mirai malware compromised hundreds of thousands of connected devices, such as smart cameras, routers, smart fridges, and so on. They were pulled into a botnet of almost a million devices [note: a botnet is a network of computers that have been intentionally infected by malware to carry out automated tasks on the internet without the permission or knowledge of the computers’ owners]. One such device could not do any harm, but when an attacker has thousands of these devices, it becomes a substantial threat.
Major services and websites fell victim to the Mirai attack. It knocked out Deutsche Telekom’s infrastructure with a DDoS attack; another DDoS attack against Dyn’s DNS (Domain Name System) servers caused major Internet platforms and services to be unavailable to large swathes of users in Europe and North America. This directly affected such companies as AirBnb, Amazon, BBC, GitHub, Netflix, Visa, and many others.
The infection vector was straightforward – default or simple credentials or a set of vulnerabilities that allowed remote access to devices. After that, the malware was downloaded and executed on the device, which allowed a remote attacker to operate the device however they wanted. This simple approach, combined with a low level of IoT cybersecurity, allowed attackers to perform an effective attack. After this, cybersecurity companies were not the only ones to realize they needed to be prepared for the next wave of IoT cybersecurity challenges, private businesses and governments understood it too.
IoT is not only a pandemic malware problem: what cybersecurity concerns are relevant now
A tiny little device as a starting point for a full-scale attack
In the film, “Ocean’s Eleven”, Daniel Ocean’s team managed to spoof a video on the casino’s security cameras resulting in a major heist. This is not just a director’s fantasy. Several years ago, we conducted security research on a smart camera designed for home usage or small and medium business as a part of surveillance or a security system. Combining some of the found vulnerabilities in cloud architecture and cameras themselves, we managed to pull the same trick as was seen in the film – change the video stream and show completely different footage from another camera. We could also replace the footage with a pre-recorded video.
This example vividly illustrates what gigantic security risks IoT creates for consumers as well as for businesses of any size if IoT infrastructure is not properly set up and secured. To begin with, a tiny little device can become an entry point for a cyber-attack of any scale. Following the previous example, an attacker could have also made use of different scenarios employing the same camera, but another set of vulnerabilities. For instance, hijack the whole cloud with all this vendor’s operating smart cameras.
Vulnerability patching and auto-updates
Another cybersecurity concern is vulnerability patching. Manufacturers of IoT devices are in such a hurry to bring their products to market that they consider security a secondary issue. During the development process, security threats to the device may not even be considered, while after the launch there may be no security updates. Yet even if all vulnerabilities were reported by independent white-hat security researchers, and then patched by vendors, many IoT devices still don’t have auto-update mechanisms. It poses more risks because average IoT users don’t receive automatic updates and have to keep an eye on new vulnerabilities and patches. Very few people do it, even when it comes to corporate cybersecurity, not to mention personal. Out-of-date devices proved to be one of the major reasons for incidents to happen, according to our experience at Kaspersky. This potentially also keeps a door open for a potential attacker to have a wider attack surface. Software developers and OS developers are trying to solve this issue with auto-updates, various notifications, and so on.
Home office vs smart home: remote work challenges
One more concern to consider is the rise of remote work. The security of the home office is directly interconnected with smart home systems. While IoT devices have helped many users to work from home, often these networks can lack security. When a person uses several IoT devices to control temperature, humidity level, control cameras, and other things in their home, these devices usually create some sort of an ecosystem, which collects, processes, and analyzes a vast array of user data. From the corporate cybersecurity point of view, especially attack modeling and loss prediction, this can be a big problem for an employer – his infrastructure can be compromised via an employee’s smart home. On the other hand, owners of smart homes can become a victim of a cyberattack themselves.
As a part of our ICS CERT activities, Kasperksy has rigorously tested smart home security in controlled ways, including hacking into a smart alarm clock owned by one of our team. By exploiting a specific vulnerability, we were able to access his home router, which like most homes around the world is now a hub for all smart devices; next we were able to create a password-protected PHP script that could execute any of our commands.
After sending our colleague a ‘friendly’ email and SMS politely asking him to update the router’s software from a cloud download, we could control any device inside the house. And while we are honest and responsible, only changing the melody on his alarm clock to some comforting drum and bass to indicate our presence, any real attacker could do more than fool around with an alarm clock and use the router as a gateway to access personal data, bank records, or more.
Our goal was to test the integrity of ‘smart’ devices people use and manage from their home center to the limit, and we’re not just talking about dimming a light bulb or switching on a kettle. In the wrong hands, anything from baby monitors and video-equipped doorbells to vital security elements such as windows, doors, and gates in a home or commercial premise can be accessed, turning a handy helper into something from a horror movie.
There is a bevy of threats. Can IoT ever be secure?
Of course, there are more challenges for IoT. They are closely interconnected with the escalated threat landscape and complex environments: worldwide research shows that in 2022, an average home has access to roughly seventeen connected devices and smart home appliances. Among these challenges, I would list default passwords leading to brute-forcing, IoT malware and ransomware, data privacy concerns, insecure interfaces, and others.
The Internet of Things has turned from a big idea into a reality much faster than we expected. Of course, there is huge value in this: the daily routine becomes much more pleasant and comfortable, we spend less time on repetitive tasks, make more efficient decisions, and create new habits and “life scenarios”. However, we have to adapt to this magical new reality at the speed of light, because it sets a blistering pace of IoT threat landscape development: emerging cyber threats are ready to destroy the ideal world of the Internet of Things at the click of a button. The good news is that we are in a perfect time right now – we do have a real chance to prepare ourselves for the Smart/IoT future without terrible cyber-madness coming from tiny little gadgets.
