The Internet of Things (IoT) is a growing industrial sector that is seeing a whole range of devices being made intelligent with the use of internet-enabled technologies such as AI. What started out as simple dataloggers has grown into devices that can make changes to an environment, monitor safety systems, provide security measures, and even cook a round of morning toast.
Bringing internet connectivity to a device drastically improves its capabilities, including the ability to be updated remotely with new firmware, provide access to remote locations, and perform monitoring operations. But one particularly world-changing feature has been the sheer amount of data provided by IoT systems and the resulting AI algorithms that have been generated. To be effective, AI algorithms require large amounts of data to learn from, which can actually be pretty tricky to get a hold of. However, the many billions of IoT devices around the world have allowed artificial intelligence (AI) programs access to large quantities of data from which they can improve themselves. The result has been highly effective speech-recognition systems such as those found on Amazon Alexa and Google Assist.
The Problems Begin
In the beginning, IoT devices gathered simple datasets such as temperature, humidity, and pressure, which made them novel in datalogging applications. The small number of devices on the market coupled with the relative insensitive nature of the data being gathered meant that designers had little interest in the security of their products. Typical practices that were not uncommon included unencrypted communication, default passwords, and off-the-shelf hardware with programming ports.
Designers were looking at their devices individually as opposed to their global nature, and this is where the problems began. On its own, an IoT device such as a temperature logger may seem insignificant and its internet capabilities limited. However, unlike large computational devices such as computers and laptops, IoT devices are designed with scale in mind, meaning that many thousands of the same device can exist with relative ease of production and distribution, as proven by the over 20 billion IoT devices currently estimated to exist globally. The result is many devices on the market that are not only prone to attack (assuming that security measures are lacking) but are all easily attackable, as they will suffer from the same flaws being identical.
But this is not the only problem — the nature of gathered data has since become more sensitive, at it now includes recorded speech, images from cameras, and bank details. As designers transitioned from simple IoT devices into more complex ones, not enough thought was given to the security of the devices or what they could potentially be used for. To make matters worse, even hardware security was virtually non-existent during the transition, which saw potentially sensitive devices being developed on insecure platforms.
How IoT Can Be Exploited
IoT devices can be exploited by attackers in a number of different ways. However, the three most common types of abuse are cryptocurrency mining, DDoS attacks, and network entry.
The growing interest in cryptocurrency has resulted in data centers performing hashing algorithms in an attempt to mine currencies such as Bitcoin. Processing this data can be very energy-intensive, which is why the majority of modern miners are now in data centers. However, while IoT devices on their own are ineffective at mining cryptocurrency, if a large collective is used (such as 10,000), then their combined computing power suddenly has the capability to start generating income. This in itself is not a malicious attack, as user data is not being stolen, nor are the devices being used to attack servers, but it is a nuisance. If lucky, a victim’s device may be dedicating only a portion of the computer power to the task, but an attacker could, in theory, upload their own mining firmware, rendering the device inoperable. The device may also be capable of performing the mining task simultaneously to the original function, but this would result in higher power consumption.
DDoS attacks are very malicious in nature and essentially overload a server with connection requests to the point at which the service provided by the server becomes inoperable. These attacks are hard to perform using a single machine, but when many hundreds of machines are coordinated together, it becomes far more effective. This is one of the biggest problems that IoT devices face, as individual clients of a DDoS attack do not need any real amount of data-processing capabilities; they merely need to be able to send out data over an internet connection. Therefore, the combination of many thousands of vulnerable IoT devices makes for a potentially formidable DDoS force.
Network entry attacks are not reliant on the capabilities of an IoT device but instead exploit their inherent weakness to gain access to a network. A network engineer can deploy incredibly strong security protocols on a network to prevent unauthorized access, but fundamentally, a network is as strong as its weakest link. IoT devices connected to a secure network will need to hold credentials for that network as well as IP address, usernames, and passwords if connecting to a local server. A poorly designed device can leave that network completely exposed, whereby an attacker can obtain this information to connect their own devices to the network or hijack the IoT device and use it as a gateway to the internet.
Example Attacks
Cyberattacks on IoT devices are far from just a theory and happen on a daily basis, and their growth is fueled by poor security implementation. Below are three examples of large-scale/dangerous attacks that demonstrate the current weakness of IoT designs.
Casino Thermometer
As stated previously, hackers can utilize an insecure device to gain network access, which is what happened to an unnamed casino. While the network itself was secure, an aquarium tank had an IoT thermometer to alert staff if the water temperature fluctuated (exotic fish often have strict environmental requirements). However, the thermometer itself was not properly secured and, as a result, was targeted by attackers. Once access to the device was gained, they were able to access the network as a whole, pull high-roller personal details from the database, and then reupload them to the cloud via the thermometer.
Mirai Malware
The Mirai malware is an IoT worm that scans the internet for other IoT devices and attempts to gain entry by using default passwords such as “admin” and “password.” Because many IoT devices on the market use the default credentials and rarely have them changed, the worm was able to replicate itself onto as many as 100,00 devices. Once the worm is installed onto the IoT device, it turns that device into a bot for use in DDoS attacks, which is exactly what happened in 2016 when two web services were attacked. The first to be targeted was a French-based hosting service called OVH, while the second was DynDNS. The resultant attacks had a power greater than 1 Tbps and disrupted both services for several hours.
Hacked Jeep SUV
While not a criminal attack (as it was done as a demonstration), a pair of security experts were able to hack an SUV and take control of the wheel during driving. The attack itself demonstrates how generating even so-called “random” passwords can sometimes be flawed and why security experts often recommend that engineers do not use an in-house solution for such generation of passwords. The multimedia center in the Jeep offers Wi-Fi capabilities as a separate subscription, but the password for this is generated at the factory of production. The password to the Wi-Fi system is auto-generated when the vehicle is first turned on at the factory and uses the time at which the car was produced and the multimedia system installed. From the surface, the number of combinations that this can produce is far more than what could ever be brute-force attacked, but the attackers were able to significantly reduce the number of combinations.
The first step to reducing the number of combinations is to figure out the year in which the vehicle was manufactured (which is reflected on the number plate). Knowing the year reduces the number of combinations to 15 million variations. The second step is to determine the time of day the car was produced, and if correctly determined, then there are only 7 million combinations that can be brute-force attacked in just an hour. The attackers, when gaining entry via Wi-Fi, had access to the CAN bus, which allowed them to interfere with brakes and the steering wheel.
Reactions
These continuing attacks and the lack of industrial change has resulted in negative backlash from governing bodies and the public alike. Regulations, as important as they are, can impede technological progress, as they restrict what designers can and cannot do, and the IoT industry is going to start seeing regulation soon. California is one example of this, whereby it is bringing in regulation to make sure that IoT devices released to the market do not have default usernames and passwords and that the device generates a new password when being used for the first time by the user. The United Kingdom is currently in the process of introducing a code of conduct for IoT devices to ensure that common passwords are used and that all connections are secured using an industry-accepted encryption method.
The public reaction to insecure IoT devices as well as the use of data gathering is generating increased pressure for privacy. While IoT devices can be useful for training AI systems and improving customer experience, there are many who feel uncomfortable with devices that can be attacked and used to gain unauthorized entry to networks, spy on occupants, and steal sensitive information. If data collection becomes more difficult, then AI technologies could take longer to develop, as the data needed to refine AI algorithms would be limited.
Moving Forward
Designers clearly must start to take IoT security seriously, as there are very serious threats to networks and the internet as a whole. Luckily for designers, there is a growing trend by semiconductor producers with hardware security features such as secure boot, which can prevent malicious code from being executed. But security can also be found in external sensors and memory ICs, which is why in many cases, designers can consult with component part suppliers such as Arrow, whose security solutions aim to create a safe IoT ecosystem for designers. Its framework includes identification of secure partners, what protocols to use, how to analyze data, and maintenance of deployed devices.
Conclusion
It is understandable that designers looked at the first IoT devices, which were simple in nature and collected insensitive data, and saw them as benign. However, they didn’t see the bigger picture and the world was not ready for such a large influx of insecure devices. And because engineers did not react fast enough, the responsibility has now fallen onto governing bodies that can not only impede technological advancement but also introduce bureaucracy, which can make compliance complicated and expensive.
Ignoring laws and regulations, engineers are morally obligated to ensure that anything they gather from customers without their knowledge is carefully protected. This is why using industrial partners and experts such as Arrow can dramatically improve products as well as ensure that those products conform to any requirements.
