In today's digital world, we are literally surrounded by "smart" devices, or Internet of Things (IoT) devices. Making devices smart is a trend to be applauded, but there is one very important thing that is frequently an afterthought: security.
Manufacturers of common things, like toys, furniture, cars and medical devices are "enhancing" their products by adding "smart" features to make them more attractive; even water bottle manufacturers are starting to produce connected bottles. Why does it seem so hard to make them secure -- and why does it even matter?
Why IoT devices are so unsecure
IoT device manufacturers are pressured to produce smart devices and deliver them to market quickly and at an affordable price. This causes them to often neglect security. For example, a toaster manufacturer who may now be producing smart toasters never had to think about securing toasters from hackers before, which is another reason why security is sometimes weak or incomplete.
Moreover, there are no industry requirements that manufacturers have to comply with when it comes to security of smart devices. Instead they are left to create their own proprietary standards for communication, where security is not always a top priority. Smart devices that don't include the basic principles of modern security are therefore shipped out to the world.
How hackable are IoT devices?
Since smart devices lack security, they can be hacked using a wide range of existing methods, from pretty easy ones -- like brute forcing login credentials -- to more sophisticated methods such as using various exploit techniques, or reverse-engineering firmware or operating systems and looking for zero-day vulnerabilities. Services and exploits that can be used to hack IoT devices are sold on the darknet, giving more and more people the power to take control of them.
Hackers are also constantly trying to infiltrate new types of networks and forms of communication used by IoT devices, in order to hack them.
How difficult is it to hack an IoT device?
The simplest way to hack a smart device is to brute-force passwords or try to gain access to a device by using the device's default login credentials. Botnets, which can be rented on the darknet, make this script kiddie-method easy to use to infect thousands of devices at once. Many manufacturers use the same default login credentials for all the devices they produce to save on costs, rather than creating a unique password for each device.
One of the biggest IoT threats of last year was the Mirai botnet, which infected thousands of smart devices, by using default login credentials, to perform massive DDoS attacks. Since Mirai's source code was published, pretty much anyone can run their own IoT botnet or rewrite the code and therefore, many mutations of Mirai have appeared.
Other ways to infect an IoT device are much more complex, expensive to purchase and therefore not as common. Reverse-engineering firmware or an operating system, for example, requires advanced technical knowledge and takes time. Zero-day exploits that take advantage of vulnerabilities cost thousands of dollars.
A recipe for better IoT security
A possible and effective way to dramatically improve IoT security is to give consumers the possibility to easily change the login credentials of their smart devices. To encourage consumers to change their IoT devices' login credentials, manufacturers can, for example, make creating a unique and strong password a mandatory requirement when setting up a device for the first time.
This, of course, cannot be applied to all scenarios, but simply changing default login credentials would greatly reduce the number of "unsecured" devices and make it harder for script kiddies, "wannabe" hackers, and simple search bots to gain access to IoT devices. Alternatively, IoT device manufacturers could give each device a unique and random password and send this along with the devices to their customers.
Issuing software updates to patch vulnerabilities, on the other hand, would help secure smart devices from exploits. Manufacturers currently often use outdated versions of various libraries and operating systems for which plenty of powerful exploits exist, leaving devices vulnerable to attack. There are many devices where it is impossible to update the device's firmware, so if a hacker were to exploit a vulnerability, there would essentially be no other option left than to disconnect the device from the network, permanently, and to replace it with a more secure device.
Securing smart devices will not only protect people's privacy and help prevent DDoS attacks, but can also prevent much worse things from happening. There have been proof-of-concept attacks that show how entire IoT networks can be infected by targeting a single device, such as a light bulb or traffic sensor.
These proof-of-concept attacks demonstrate what a massive problem vulnerable smart devices can be and the damage that can be caused if they are controlled by the wrong people. Imagine hackers controlling traffic flow or turning off lights in an entire city. Smart device manufacturers should collaborate with security experts to ensure a security layer is included in their devices and pen-test their products on a regular basis.
— Michal Salát is the threat intelligence director at Avast, driving research projects to discover security vulnerabilities in computer, mobile and IoT platforms.