IoT Cybersecurity: Common Hacks and Effective Countermeasures

September 10, 2020 - 9 minutes read

The Internet of Things (IoT) is vast and constantly evolving. To secure such a complex system of devices, software, cloud platforms, and private customer information, businesses around the world spent $1.5 billion on IoT security in 2019 alone. This may sound like a lot, but for companies that have neglected to secure their systems and to keep strengthening that security, the risk of major reputation and revenue loss grows every day.

Not only does a security breach affect an organization, but it damages customers’ trust and personal security. When a hack occurs, any built-up client relationships can be shattered immediately, and companies can be left with little means to continue conducting business as usual. When hiring IoT vendors, ensure they are experienced and can demonstrate security concepts and implementations.

Here’s how to avoid the most common IoT hacks.

Why IoT Systems Are Easy Hacking Targets

In 2019, IoT attacks rose by 900%. Hackers are constantly attacking and specifically targeting IoT devices. To understand why, let’s examine how IoT applications and ecosystems are set up.

Several companies are utilizing IoT devices that were shipped without any security measures in place. When the company received the device, they didn’t bother securing it either. As a result, up to 90% of an IoT ecosystem could consist of devices that have little to no security measures installed. Even if a company did check the security of its devices, without continual security patches the devices go back to being unsecured and vulnerable to attacks. Unlike computers, IoT devices generally don’t have firewalls or virus scanners.

Many factories producing IoT devices aren’t experienced in information security; they don’t realize that IoT devices should be shipped with the most up-to-date safeguards and that devices should be made with the understanding that their security will be updated at some point. These companies usually come from the industry vertical, and they don’t have the expertise in IT security that server and computer manufacturers do.

When a company orders several copies of the same device from the same manufacturer, they’re exposing themselves to a mass attack. Because the devices all have the same security mechanisms, they’re all compromised as soon as one is hacked successfully.

IoT devices can be placed out of sight and reach in a real-world application. Thus, when the device is attacked and infiltrated, the hacker can remain hidden for days or even weeks. After all, the device is still online and working normally, so it looks normal to employees during routine check-ins. By then, however, it’s too late for a company to backtrack and make fixes. The damage is done.

The Most Common Culprits and Motives of IoT Attacks

There is a multitude of IoT attackers, and they all have their own reasons, motives, and justifications for attacking IoT systems. For example, amateur hackers and script kiddies are looking for fame among their peers. This group of attackers usually attempts to attack high-profile companies or tries to attack hundreds of devices in one go.

Governments and intelligence branches can attack IoT systems in the name of citizen safety. This group usually tries to secure important, confidential, and private information.

Political interest groups attack companies that they feel are morally corrupt or ethically unjust. On the other hand, there are services like webstresser.org, which was a pay-for-hire DDoS (distributed denial of service) attack platform. Webstresser allowed any person or company to submit a request to take down a website or person online, as long as the requester could pay for the request.

Lastly, there are criminal businesses; these companies make money for themselves by attacking vulnerable targets. Their goal is to successfully infiltrate hundreds of IoT-connected devices. These companies usually register as a normal business, but they are hacking devices to mine for Bitcoin or for blackmail and ransom.

A History of Infamous IoT Attacks

One of the best-known IoT attacks is the Mirai botnet malware. It originated in 2016, and it scans the public Internet for IoT devices. Once it finds one, it tries to establish a remote telnet connection by using username/password combinations from a list of common factory default combinations. When it succeeds in infecting the device, it continues its search for another IoT-connected device to infect. All of the devices infected by Mirai become part of the Mirai botnet, which is controlled by the attacker and their control center. The devices can then all be directed to launch a DDoS attack in tandem, taking down victims’ servers for hours. In October 2016, the botnet took down sites of companies based in San Francisco, like Reddit, Airbnb, Twitter, and Netflix, while targeting London-based DNS provider Dyn.

Stuxnet is malware found in 2010. It infiltrates Microsoft Windows machines by exploiting zero-day vulnerabilities or outdated operating system versions. At first, the worm spread via USB flash drives. It targets the Siemens Step7 software that controls the Siemens PLC (programmable logic controller). Using the Siemens software, it installs itself on the IoT device and takes control. This malware once infiltrated Iranian facilities and severely impacted the Iranian atomic program.

Silex and BrickerBot are two different pieces of malware, but they follow similar attack patterns. Like Mirai, the two scan the public Internet for IoT devices, attempting to log into the IoT device with a number of weak username/password combinations. After successfully infecting the device, the malware writes over all the data and deletes the network configuration. This makes the IoT device unusable until someone can physically retrieve and reset the device. Even then, the attack can happen again unless the device is continuously updated with the most secure protocols.

Countermeasures You Can Use to Protect Your IoT System

To avoid Mirai, Silex, and Brickerbot types of attacks, ensure each device has a random username/password combination. Another way to secure your devices is to remotely access them through IPSec or Intra-Cloud Connect, to avoid the device showing up on the public Internet.
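
The credential countermeasure above can be checked across a whole fleet. The following is an added example, not code from the original article: it audits a constructed device inventory for factory-default and shared logins (the mass-compromise case described earlier) and gives each flagged device its own random credential. The device names, the inventory layout and the short default list are assumptions made for illustration.

```python
import secrets
import string
from collections import defaultdict

# Constructed sample of factory-default pairs (illustrative, not exhaustive).
FACTORY_DEFAULTS = {("admin", "admin"), ("root", "root"), ("admin", "1234")}

# Constructed inventory: device id -> (username, password).
# In practice these values would be read from a secrets vault, not source code.
INVENTORY = {
    "cam-001": ("admin", "admin"),
    "cam-002": ("admin", "admin"),
    "sensor-17": ("ops", "Plant2020!"),
    "sensor-18": ("ops", "Plant2020!"),
    "gw-01": ("gw-7f3a", "q8RvT2mLx0ZpKe4WcA7d"),
}

ALPHABET = string.ascii_letters + string.digits


def audit(inventory):
    """Return (devices on a factory default, groups of devices sharing a login)."""
    by_cred = defaultdict(list)
    for device, cred in inventory.items():
        by_cred[cred].append(device)
    defaults = sorted(d for d, c in inventory.items() if c in FACTORY_DEFAULTS)
    shared = sorted(sorted(group) for group in by_cred.values() if len(group) > 1)
    return defaults, shared


def new_credential(device_id, length=24):
    """Build a per-device username and a random password from the OS CSPRNG."""
    username = f"{device_id}-{secrets.token_hex(3)}"
    password = "".join(secrets.choice(ALPHABET) for _ in range(length))
    return username, password


def rotate(inventory):
    """Give every flagged device a fresh credential; leave compliant ones alone."""
    defaults, shared = audit(inventory)
    flagged = set(defaults) | {d for group in shared for d in group}
    rotated = dict(inventory)
    for device in flagged:
        rotated[device] = new_credential(device)
    return rotated


if __name__ == "__main__":
    print("before:", audit(INVENTORY))
    print("after: ", audit(rotate(INVENTORY)))
```

Once rotated, a credential recovered from one device no longer opens any other device in the fleet.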

Because the Stuxnet attack seeks IoT devices connected to the same network, there are a few methods to prevent a Stuxnet-type attack. Use a dedicated network infrastructure instead of Wi-Fi or shared LAN networks. Another option is to use mobile communication to separate the communication of machines from each other.

One way to completely block attacks is to use a cellular firewall which only allows certain IP addresses to connect to it. The firewall isn’t located on the device: it’s on the connection itself, which makes it outside of a hacker’s domain.

Security First, IoT Second

Securing an IoT system can take weeks or months. To reduce that timeframe, continuously secure and update your devices, starting from the moment when they are received and activated. Overlooking IoT security can drive business away for good, but prioritizing it can set your company up for long-term success.

What has your experience been with IoT security? And what measures do you take to protect yourself? As always, let us know your thoughts in the comments below!
