It’s impossible to miss the proliferation of the Internet of Things (IoT) in our world today. Companies issue countless announcements of the newest devices that can be connected to the internet and the brave new world that will follow … if you just buy the latest gadget, that is.
Today, you would have difficulty finding a home without cameras, alarm systems, door locks, thermostats, baby monitors, garage doors, sprinklers, and other appliances jumping onto the internet. Of course, as with every disruptive new technology, there are downsides to the more apparent benefits. Unfortunately, manufacturers have been slow to build even basic security features into these devices.
Many homeowners believe the devices on their home networks are virtually invisible to the outside world. However, many of these devices have been programmed by manufacturers to “phone home”: they register an account with the vendor’s cloud service so that features can be enabled and the device reached from a smart phone. Some go further and ask the router to forward a port to them (often automatically, through UPnP), which puts the device’s own login page directly on the internet.
Other people believe in “security through obscurity.” After all, there are SO many devices out there; how would someone notice a few more? These people were actually correct … at first. Hackers used to have difficulty finding all of those devices. That is no longer the case.
IoT Search Engine
If you want to find something on the internet, you use a search engine. Now there are search engines specifically for IoT devices. A normal search engine works by “crawling” the web and indexing the pages it discovers. An IoT search engine does something similar, but instead of following links it connects to addresses and ports across the internet, records the “banner” each service sends back (the HTTP headers or a login prompt, for example), and indexes exposed devices by what those banners reveal. The best-known example in the security community is the Shodan search engine. If you haven’t heard of it, you should acquaint yourself with it, especially if you use IoT devices in your home or business.
With Shodan, users can enter search criteria (product name, port, country, and so on) or use one of the pre-built searches to find internet-connected items, like webcams. Each device has been cataloged so hackers (and testers) can find them.
IoT devices discovered by the search engine are sorted by various fields, and you can click down to individual devices. The system makes an educated guess at the location of the device from its IP address. With this information, an attacker can go after the device, and it’s not as difficult as it sounds. Manufacturers publish user guides on the internet, which typically include the default username and password, so these can be obtained with a simple online search. Unfortunately, many consumers never change those defaults, making access almost too easy.
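As an added illustration (not Shodan’s code, and not a description of how Shodan is implemented internally), here is a toy version of the indexing step described above: raw banners collected by a scanner are parsed into searchable device records, tagged with a guessed country, and queried with `field:value` filters. The banners, the IP addresses (drawn from the documented example ranges) and the prefix-to-country table are all constructed for the example.

```python
"""Toy IoT banner indexer: how a Shodan-style search engine turns raw
service banners into searchable device records.  Added illustration with
constructed data, not code from Shodan or any device vendor."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed banners (not real hosts): what a scanner records after
# connecting to each (ip, port) and reading the first bytes it gets back.
RAW_BANNERS = [
    ("203.0.113.10", 80,
     "HTTP/1.1 401 Unauthorized\r\nServer: CamHTTPD/1.3\r\n"
     'WWW-Authenticate: Basic realm="IP Camera"\r\nContent-Length: 0\r\n\r\n'),
    ("198.51.100.7", 8080,
     "HTTP/1.0 401 Unauthorized\r\nServer: CamHTTPD/1.1\r\n"
     'WWW-Authenticate: Basic realm="IP Camera"\r\n\r\n'),
    ("198.51.100.9", 80,
     "HTTP/1.1 200 OK\r\nServer: thermo-web/0.9\r\n"
     "Content-Type: text/html\r\n\r\n<html>Thermostat</html>"),
    ("192.0.2.44", 23,
     "\r\nBusyBox v1.22.1 built-in shell (ash)\r\n\r\n(none) login: "),
    ("192.0.2.45", 443,
     "HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\n\r\n"),
]

# Stand-in for a GeoIP database: address prefix -> country code (constructed).
GEO_PREFIXES = {"203.0.113.": "AU", "198.51.100.": "US", "192.0.2.": "DE"}


@dataclass
class DeviceRecord:
    ip: str
    port: int
    transport: str   # "http", "telnet" or "unknown"
    product: str     # taken from the Server header or the telnet greeting
    version: str
    realm: str       # HTTP auth realm; on IoT gear it often names the model
    country: str     # educated guess from the IP address


SERVER_RE = re.compile(r"^Server:\s*([^/\r\n]+)(?:/([^\s\r\n]+))?", re.M | re.I)
REALM_RE = re.compile(r'realm="([^"]*)"', re.I)
BUSYBOX_RE = re.compile(r"BusyBox v([\d.]+)")


def geolocate(ip: str) -> str:
    """Longest-prefix lookup against the constructed GeoIP table."""
    for prefix, cc in sorted(GEO_PREFIXES.items(), key=lambda kv: -len(kv[0])):
        if ip.startswith(prefix):
            return cc
    return "??"


def parse_banner(ip: str, port: int, banner: str) -> DeviceRecord:
    """Classify one banner: HTTP response headers, a telnet login prompt, or unknown."""
    if banner.startswith("HTTP/"):
        m = SERVER_RE.search(banner)
        product = m.group(1).strip() if m else "unknown-http"
        version = (m.group(2) or "") if m else ""
        r = REALM_RE.search(banner)
        return DeviceRecord(ip, port, "http", product, version,
                            r.group(1) if r else "", geolocate(ip))
    if "login:" in banner.lower():
        # A bare telnet login prompt: the service that Mirai-style worms
        # try factory-default passwords against.
        b = BUSYBOX_RE.search(banner)
        return DeviceRecord(ip, port, "telnet",
                            "busybox-telnetd" if b else "telnetd",
                            b.group(1) if b else "", "", geolocate(ip))
    return DeviceRecord(ip, port, "unknown", "unknown", "", "", geolocate(ip))


def build_index(raw):
    return [parse_banner(ip, port, banner) for ip, port, banner in raw]


# Query grammar: space-separated  field:value  or  field:"quoted value".
TERM_RE = re.compile(r'(\w+):(?:"([^"]*)"|(\S+))')


def search(index, query: str):
    """Return records matching every term: text fields match as
    case-insensitive substrings, the numeric port field matches exactly."""
    terms = [(k, quoted or bare) for k, quoted, bare in TERM_RE.findall(query)]
    hits = []
    for rec in index:
        for key, want in terms:
            have = getattr(rec, key, "")
            if isinstance(have, int):
                if not want.isdigit() or int(want) != have:
                    break
            elif want.lower() not in str(have).lower():
                break
        else:
            hits.append(rec)
    return hits


def count_by(index, fieldname: str) -> dict:
    """Facet counts, like the sidebar of an IoT search engine."""
    return dict(Counter(getattr(rec, fieldname) for rec in index))


INDEX = build_index(RAW_BANNERS)

if __name__ == "__main__":
    for rec in search(INDEX, 'product:camhttpd'):
        print(rec)
    print(count_by(INDEX, "country"))
```

The point to take from the toy: nothing here needed a password or an exploit. Every field the index is searched on (product, version, realm, port, country) came from what the device volunteered in its first response, which is exactly why a device that is reachable at all is also findable.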
This problem matters even more to commercial users, who rely on IoT devices to monitor and manage manufacturing lines, security cameras, and other applications. As bad as it is for a residential user to be hacked, it’s far worse for businesses and organizations. Once compromised, an IoT device can be used as a pivot point to scan and gain access to other devices and systems on the network, since it sits inside the firewall with everything else.
In addition, even if the devices aren’t used in a direct attack on the organization, they can be repurposed for other nefarious actions on behalf of the attacker. For example, the Distributed Denial of Service (DDoS) attack on the DNS provider Dyn in October 2016 was launched from roughly 100,000 compromised devices (webcams, DVRs, and home routers infected with the Mirai botnet malware, which spread by logging into devices over telnet with factory-default passwords).
The attackers pointed all of these devices at Dyn’s managed DNS service and simply overwhelmed it with traffic. Because Dyn resolved names for many major sites, the outage interrupted access to Amazon, Twitter, and others. What made the attack so damaging is that the owners of those devices probably never knew they had been compromised or that they had contributed to it.
How To Secure Your IoT Services
First, read the descriptions and labeling carefully when purchasing an IoT device. It should indicate that its communications are encrypted (TLS, which you will still see labeled “SSL,” for network connections; AES-256 for stored data).
Don’t purchase poorly-designed products. For example, if a device lets you configure it from a browser, does it use HTTPS? Does it support current Wi-Fi encryption (WPA2 at a minimum, WPA3 where available)? If it communicates with a cloud service, does that service require strong passwords and offer two-factor authentication? And does the manufacturer publish firmware updates, and for how long?
Next, when installing and setting up your devices, be sure to change the default passwords to something long, unique to that device, and difficult to guess. If you use “p@ssword,” you’re practically begging to have your IoT device hacked.
Make sure you observe the device over time. If it begins to act erratically (such as sending traffic when you are not using it, talking to addresses other than its vendor’s service, or slowing down at odd times), you might want to investigate. It might have been hacked.
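As an added example (not from the original article), here is the kind of check that turns “observe the device over time” into something concrete: learn what each device normally does from a few days of router flow logs, then flag flows to destinations it has never talked to, flows at hours when it is normally idle, and flows far larger than anything seen before. The flow records, device addresses and the threshold are constructed for the example and are not captured from a real network.

```python
"""Baseline-and-alert check for IoT devices on a home or office network.
Added example with constructed data; the log format mimics a router or
NetFlow export (timestamp src_ip dst_ip dst_port bytes)."""
from dataclasses import dataclass, field
from datetime import datetime

# Constructed "learning" window: two quiet days of traffic from a camera
# (192.168.1.50) and a thermostat (192.168.1.60).  Not a real capture.
BASELINE_LOG = """
2024-03-01T09:14:00Z 192.168.1.50 192.168.1.1   53   120
2024-03-01T09:15:00Z 192.168.1.50 203.0.113.5   443  18000
2024-03-01T12:30:00Z 192.168.1.50 203.0.113.5   443  21000
2024-03-01T18:45:00Z 192.168.1.50 203.0.113.5   443  19500
2024-03-02T09:15:00Z 192.168.1.50 203.0.113.5   443  17800
2024-03-02T12:31:00Z 192.168.1.50 203.0.113.5   443  22000
2024-03-02T18:45:00Z 192.168.1.50 192.168.1.1   53   120
2024-03-02T18:46:00Z 192.168.1.50 203.0.113.5   443  20100
2024-03-01T00:05:00Z 192.168.1.60 203.0.113.9   8883 600
2024-03-01T06:05:00Z 192.168.1.60 203.0.113.9   8883 640
2024-03-02T00:05:00Z 192.168.1.60 203.0.113.9   8883 610
"""

# Constructed "observation" window: the camera starts probing a stranger
# on the telnet port at 3 a.m. and pushing far more data than usual, and
# an address nobody profiled shows up.
OBSERVED_LOG = """
2024-03-03T09:15:00Z 192.168.1.50 203.0.113.5   443  18300
2024-03-03T03:12:00Z 192.168.1.50 198.51.100.77 23   900
2024-03-03T03:13:00Z 192.168.1.50 203.0.113.5   443  5000000
2024-03-03T06:05:00Z 192.168.1.60 203.0.113.9   8883 620
2024-03-03T06:06:00Z 192.168.1.77 198.51.100.77 23   300
"""

VOLUME_FACTOR = 10   # alert when one flow exceeds 10x the largest baseline flow


@dataclass
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int
    nbytes: int


@dataclass
class Profile:
    destinations: set = field(default_factory=set)   # (dst, dport) pairs seen
    active_hours: set = field(default_factory=set)   # UTC hours with any traffic
    max_bytes: int = 0                               # largest single flow seen


@dataclass
class Alert:
    ts: str
    device: str
    rule: str
    detail: str


def parse_flows(text: str):
    flows = []
    for line in text.strip().splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append(Flow(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                          src, dst, int(dport), int(nbytes)))
    return flows


def build_profiles(flows):
    """One Profile per source device, learned from the baseline window."""
    profiles = {}
    for f in flows:
        p = profiles.setdefault(f.src, Profile())
        p.destinations.add((f.dst, f.dport))
        p.active_hours.add(f.ts.hour)
        p.max_bytes = max(p.max_bytes, f.nbytes)
    return profiles


def detect(profiles, flows):
    """Compare each observed flow with its device's learned profile."""
    alerts = []
    for f in flows:
        when, where = f.ts.isoformat(), f"{f.dst}:{f.dport}"
        p = profiles.get(f.src)
        if p is None:
            alerts.append(Alert(when, f.src, "unknown_device", where))
            continue
        if (f.dst, f.dport) not in p.destinations:
            alerts.append(Alert(when, f.src, "new_destination", where))
        if f.ts.hour not in p.active_hours:
            alerts.append(Alert(when, f.src, "off_hours", f"hour {f.ts.hour:02d} UTC"))
        if f.nbytes > VOLUME_FACTOR * p.max_bytes:
            alerts.append(Alert(when, f.src, "volume_spike",
                                f"{f.nbytes} bytes vs baseline max {p.max_bytes}"))
    return alerts


PROFILES = build_profiles(parse_flows(BASELINE_LOG))
ALERTS = detect(PROFILES, parse_flows(OBSERVED_LOG))

if __name__ == "__main__":
    for a in ALERTS:
        print(f"{a.ts} {a.device} {a.rule}: {a.detail}")
```

Two caveats for real use: the baseline must be learned while you still trust the device (a profile learned after compromise would bless the attacker’s traffic), and a longer learning window than two days is needed before “off hours” means anything. The outbound connection to a stranger on port 23 is the one worth acting on immediately; a camera has no business speaking telnet to the internet.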
Finally, let friends and family know how important IoT security is so they can be careful as well.