By: Gabriel Schram
November 6, 2020
The Importance of Cybersecurity in IoT
By: Gabriel Schram
November 6, 2020
The all-encompassing internet of things (IoT) is expanding at a rate that correlates with the influx of newer technologies at our disposal. Interconnectivity between devices is at an all-time high with no peak in sight. Moreover, IoT devices are taking on increasingly vital roles in fields and industries across the spectrum. The prospect of worldwide connectivity in a diversity of modern IoT devices presents an opportunity for progress and poses a variety of threats. There is an important distinction between the growing threat and the objective reality of cyberspace related to IoT. However, IoT vulnerabilities have led to multiple exploits across a field of devices that have repeatedly violated a fundamental cybersecurity benchmark: the CIA triad. To explain the importance of cybersecurity in IoT, one should observe what IoT devices are used for, then closely examine the vulnerabilities within these IoT devices. This process will reveal the levity of keeping IoT secure.
What is IoT used for?
The internet of things includes any device that can connect to the internet and other connected devices; it is common for IoT devices to use sensors and store data based on its usage. IoT devices have made their way into nearly every industry and adapted to be used in extremely critical environments. IoT has expanded to affect and/or include medical devices, transportation, telecommunications, intelligence gathering, and critical national infrastructure. Sensitive uses aside, IoT has seeped into people's everyday lives on a global scale; "smart" devices flood our markets selling the convenience of connectivity. This pattern has led to the growth in data tracking among IoT users. The mass collection of user data has become a market in itself. Mobile devices, in particular such as smartphones and fitness trackers, have the ability to track a plethora of data from its user that can include:
- Location Data
- Web and Application Usage
- Usage Times and Patterns
- Online Spending Habits
- Call logs
- Texts and SMS Messages
- 3rd Party Application Data
Having a secure IoT environment is extremely critical due to the volume of connected devices and our critical infrastructure components that make use of these connected devices.
How is IoT Vulnerable?
IoT devices collect and share data with other devices or networks. A shared connection increases the attack surface for whatever data an IoT device holds or whatever network the IoT device is connected to. Thus IoT devices can be a vector of attack to a larger network. Specific top vulnerabilities in IoT include:
- Weak Passwords/Poor Authentication- The use of easily guessed or brute-forced passwords is still a common vulnerability among IoT devices. The level of authentication for applications or devices should reflect what is being protected. Often, these standards are not met.
- Poor Access Control- To put it simply, poor access control indicates that users cannot access something that they should not. This becomes a problem when malicious actors can gain access to something they should not have access to.
- Insecure Network Connections- Connections that IoT devices have to network services or the broader internet lack secure interfacing.
- Insecure Update Mechanisms- Out out of date software and insecure update delivery leave users more susceptible to man-in-the-middle attacks.
How has IoT Been Exploited?
The importance of cybersecurity in IoT can be seen in past exploits within the field. Vulnerable devices have left users exposed to malicious actors; these devices have been everything from insulin pumps, car entertainment systems, smart-home systems, and many others.
In 2016 a botnet consisting of millions of IP addresses from IoT devices was used to carry out a distributed denial-of-service on several US websites and some in Europe. This botnet was obtained by means of a malware called Mirai. Mirai targeted IP cameras, home routers, printers, baby monitors, and other related IoT devices. Once a machine was infected, it would search for other vulnerable devices that it could connect to and infect.
Certain insulin pumps were recalled in 2019 after the FDA warned the public of their cybersecurity vulnerabilities. The pumps were vulnerable while communicating with other medical devices such as glucose monitors and remote controllers. (Improper Access Control) This could allow hackers to adjust the setting on the pump or control the delivery of insulin.
A pair of security engineers in 2015 demonstrated that they could compromise the Controller Area Network (CAN) and Electronic Control Units (ECU) of a Jeep Cherokee while someone was driving it; this allowed them to adjust the air conditioning, radio, windshield wipers, and disengage the car's transmission. Even more alarming is the engineers' capability to access vehicles across the country as long as they were connected to the Uconnect Sprint cellular network.
In 2019, Def Con hosted a voting machine hacking challenge that discovered several vulnerabilities in a few different voting machines; some known vulnerabilities are years old. Other machines were connected to the internet when it was not necessary. IoT has reached as far as potentially affecting the state of our democracy.
All of these specified incidents occurred because cybersecurity was overlooked or ignored when developing newer interconnected technologies. These concrete examples highlight the correlation between the vast use of IoT, the vulnerabilities that exist within IoT devices, and the outcome of exploited IoT devices.
The Future of IoT & Final Thoughts
All of the described exploits have occurred within the last six years. The pace the internet of things is moving at exceeds the rate of policy change that should reflect the expansion. IoT has to offer convenience, and progress is taking precedence over the potential for danger that comes with it. The vulnerabilities of devices conflict with the confidentiality, integrity, and availability of their users and services. Although some small changes have improved the overall state of IoT within the last few years, it is not enough. Change starts at the lowest level in cyberspace: the end-users. If someone uses IoT devices daily, they should be aware of the risks, protect themselves, and stay updated on trends, developments, and threats in the field.
The future of IoT greatly depends on the daily cyber operations and habits that users carry out over a sustained period. Adding to that, it is significantly easier to implement cybersecurity at the start of something small when compared to the cybersecurity implementation of a larger entity. IoT's rapid expansion course has led to vulnerable devices seeping into nearly every sector of civil society. As demonstrated in the past, IoT devices can be exploited with malicious intentions. As such, cybersecurity is extremely important to the internet of things.
Blaze, M., Hursti, H., Macalpine, M., Hanley, M., Moss, J., Wehr, R., . . . Ferris, C. (2019). Def con voting machine hacking village. (). Retrieved from https://harris.uchicago.edu/files/def_con_27_voting_village_report.pdf CISA. (2019). ICS medical advisory (ICSMA-19-178-01). Retrieved from https://us-cert.cisa.gov/ics/advisories/icsma-19-178-01 Halahan, J., & Weifeng, C. (2017). Wireless security within new model vehicles - research library - ProQuest. Retrieved from https://search-proquest-com.ezproxy.utica.edu/pqrl/docview/1897672117/Record/7EE52988502E4388PQ/3?accountid=28902