Internet of Things is as enticing to hackers, as it is to consumers like you and me!
Let’s look under the hood of IoT from a security perspective, in order to see how we can reduce the risk of cyber threat.
IoT is the network of physical devices which are embedded with electronics, software, sensors, and network connectivity, and it enables these devices to collect and exchange data. IoT allows objects to be sensed and controlled remotely across existing network infrastructure, creating opportunities for closer integration between the physical world and computer-based systems, resulting in improved efficiency, accuracy and economic benefits; when IoT is augmented with sensors and actuators, the technology becomes an instance of the more general class of cyber-physical systems, which also encompasses technologies such as smart grids, smart homes, intelligent transportation and smart cities. Each thing is uniquely identifiable through its embedded computing system but is able to inter-operate within the existing Internet infrastructure.
As the Popularity of IoT devices increase, so does their vulnerabilities to attacks.
The above picture sums up the situation pretty well.
As per a study conducted by HP - 90% of devices collected at least one piece of personal information via the device/cloud/mobile application and 60% of devices that provide user interfaces were vulnerable to a range of issues such as persistent XSS, un-encrypted connections & weak credentials.
Let’s look at an example
If we consider a Home automation system which is controlled by a Mobile App built on Android or IOS platform using angular.js (which is mostly the case for most of the devices), each of them has more than 10-15 different vulnerabilities.
If you do a Threat Modeling Diagram of a Simple Home Automation system - a total of 22 vulnerabilities popped up !!
To make our lives easy - Open Web Application Security Project (OWASP) has classified these vulnerabilities into the following Top 10 categories.
- Insecure Web Interface
- Insufficient Authentication/Authorization
- Insecure Network Services
- Lack of Transport Encryption
- Privacy Concerns
- Insecure Cloud Interface
- Insecure Mobile Interface
- Insufficient Security Configurability
- Insecure Software/Firmware
- Poor Physical Security
(Source: OWASP 2016 Top10 for IoT)
If you look closely into this – You will notice that most of the vulnerabilities are very basic yet can give the bad guys an opportunity to own an entire database of PSI (Personal Sensitive information) and BSI (Business Sensitive information).
Going back to our example of home automation system - Most of them use Amazon or Azure Cloud web services for communication from Mobile to their servers. If you are intercepting the traffic between Mobile device app and device via web-services, it is very easy to get access to a lot of valuable data. You can try to get information from AWS token, JWT token, or any other tokens, most of them will give information in the form of Base 64 encoding which can be easily decoded using online resources like JWT.IO (https://jwt.io/) which will give you the decoded information in micro-seconds!
Also note that when it comes to IoT, Business logic vulnerabilities are more prevalent than technical ones because most of the IoT devices communicate using an identification number like device-id or username due to which it becomes very easy to gather a lot of information by just running a script containing numbers (sequential/random) to gather PSI or BSI related to the device. Most of the devices will also have CSRF or Session related vulnerabilities unless you address that in the configuration.
Coming to the Network part of IoT devices, needless to say IoT devices run with very low power and the communication between the IoT devices can happen over a wide variety of communication protocols like Zigbee, Bluetooth, Z wave, Wi-Fi, NFC, Neul Or BLE.
As with the rise of new protocols coming to light, the attack surface has also increased. As these communication mediums also possess risk to IoT devices. There is more to IoT devices than you can think. You can pass various sorts of commands to these devices for them to crash or cause a DOS (Denial of Service attack)
IoT devices have made our lives a lot richer in terms of consumer experience .However in terms of Privacy evasion it is going to be the next big thing given the number of vulnerabilities that keeps popping up. It is estimated that by 2019 a total of 15 million devices would be in use by users, consumers, industry and needless to say by hackers as well.
But don't panic. If you take care of the basics as covered above - you should be good. For most part of it !
Bonus: My personally recommended list of tools :-)
- Hardware Security module (HSM) - a security based hardware device which generates, stores and protects cryptographic keys.
- Bus pirate - an open source sniffer which supports various hardware protocols like I2C, SPI, JTAG, 1-Wire, etc
- Good FET - Open source tool for interfacing, hacking chips and target devices.
- There are various commercial sniffers available (eg. Beagle) which supports dissecting lower level protocols.
- Logic Analyzer - concurrent capturing, visualizing and decoding large quantities of digital data.
- Protocol Analyzer - Real time non intrusive device for monitoring, capturing and decoding of wired communication.
- Spectrum Analyzer - Visualizing RF or radio spectrum.
- Burp- For intercepting traffic between Mobile and device.
- Codenomicon /Achilles- For fuzzing protocols.
- IDA Pro/Fortify/Klocwork-Reverse Engineering and Firmware analysis