How to stay secure as an IoT Device user – An actionable guide


If you are an IoT device user, chances are that your device is riddled with security issues. This post teaches you how to stay secure if you are an end consumer who loves Internet of Things devices, and how you can use them without compromising on security.

The Internet of Things, or so-called “Smart Devices”, is currently the talk of the tech town. Every single month, 100s of new devices are released with no security protections, or improper ones, in place.

Why is IoT security non-existent?

The primary reason for the insecurity of these IoT devices is a lack of awareness: developers and smart device manufacturers don’t know how to make devices secure from vulnerabilities. On top of that, manufacturers often lack the bigger picture that is required to understand the security issues in an IoT device.

Another common misconception, which we have seen through our interactions with IoT developers and manufacturers, is that IoT security is only about the security of devices. However, if you actually understand IoT, you will realize that an IoT ecosystem is a combination of several different components.

These IoT Components are:

- Hardware: the smart device or gateway
- Web apps, mobile apps, cloud assets
- Firmware
- Radio communication

So when you assess IoT security, ensure that you look at the entire ecosystem rather than just a single smart device. Let’s dig a bit deeper into each of the above components:

- Hardware: Numerous vulnerabilities including exposed serial ports, the ability to dump firmware, bypassing hardware protections and more.
- Web apps, mobile apps, cloud assets: All possible vulnerabilities which you could imagine, such as authorization and authentication flaws, insecure endpoints, insecure network communication, logic flaws and more.
- Firmware security issues: Hardcoded sensitive information, the ability to modify the firmware, no signature or integrity check etc.
- Radio communication: Capturing the authentication and pairing mechanism to obtain keys, plaintext communication, replay attacks, MITM attacks, jamming and more.

The above are just a few examples of the vulnerabilities and security issues you will find in Internet of Things devices. 360-degree Internet of Things security comes from each of these pieces being secure and from secure interaction between them. With this blog post, my aim is to give you an overall perspective on how you could start building more secure IoT devices, have a discussion with your team and revisit the insecure devices that you have built in the past. This will also serve as a guide for the end users or consumers who actually use these devices.

What to do for IoT Security as a consumer

Now, let’s pause for a moment and think about how we as consumers would decide, from a security perspective, between the various IoT solutions we want to buy. As consumers, we think of IoT devices from a mere functionality perspective and say: okay, this is a smart thermometer, or this is a smart bottle, and it will serve this purpose in my day-to-day life.

We fail to consider whether our data is going to be secure with this device. The question we need to ask ourselves is: can I actually trust this device with sensitive and confidential information such as personal medical information or family vacation habits?

True, a consumer’s understanding is limited, but applying what you do know to judge the security of the devices you are going to buy is critical. In case you have a bit of technical understanding, you can check out some of the other technical posts we have written on the topic of IoT Security:

- Firmware Analysis of IoT Devices
- Emulating and Exploiting firmware binaries
- Hacking IoT Hardware
- Exploiting IoT Enabled Smart Bulb Security
- and more.

Let’s now have a look at some actionable tactics and pointers which you can start using immediately in order to have a secure smart environment around you. Below are the 5 points which will ensure that your smart device is not easily vulnerable to malicious hacker attacks:

1. Strong password: Most IoT device users don’t change the default credentials the device is shipped with. Based on our analysis of numerous smart devices, an astonishing 75% of them are shipped with the same credentials for the entire product line, making them extremely easy for attackers to crack. Mirai, the most popular and widespread IoT botnet ever, relied on the fact that millions of IoT devices were using default credentials which were extremely easy to brute force and crack. This is why you should always change the password of any IoT device that you purchase and use.

2. Updating the firmware: Updates are the key to ensuring that your device is loaded with the most recent security patches and is secured from known threats. With every update, manufacturers patch identified and reported security bugs and take a step forward in hardening the security of the product. If you are still using an old firmware version, you are risking your own security and privacy and handing them over to malicious hackers who are constantly looking for vulnerable targets. Even in the cases where updating the firmware is a bit tricky, taking that extra effort would prevent your device from being compromised in the future.

3. Separate VLANs / removing from the network: If you are using an IoT device on your trusted home or corporate network, always ensure that the IoT devices are on a separate VLAN from your laptops and personal devices. This will add a layer of protection from typical network-based attacks.

4. Stay updated with the recent news and happenings in IoT security: Since IoT is evolving at such a fast pace, it is highly important that you stay updated with the recent news and the public vulnerabilities being disclosed or shared about IoT devices.

5. Do your homework before buying “another” IoT product: I can understand the excitement and the adrenaline rush that comes with getting a new IoT gadget for your home or workplace, using it, showing it off to your colleagues and so on, which is perfectly fine. Even I am a tech enthusiast and love to buy all the various kinds of IoT devices on the market. Just a word of caution here: do your research before you buy a new IoT device. Most of the devices launching these days are not vetted for security, and their makers don’t even have a security team that could help ensure the security of their users’ data. This is even more important if you are going to trust the device with personal and sensitive information. Look at the kind of PII they are asking you for (and the PII they are not asking for but still collecting).
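The first three points can be checked mechanically against a list of the devices you own. The following is an added example, not code from the original post: the networks, device names, firmware versions and the `password_changed` field are all constructed for illustration, and you would fill them in by hand from your router and each vendor's app.

```python
import ipaddress

# Constructed sample data: networks, devices and firmware versions are made up.
TRUSTED_NET = ipaddress.ip_network("192.168.10.0/24")   # laptops, phones
IOT_NET = ipaddress.ip_network("192.168.50.0/24")       # dedicated IoT VLAN

INVENTORY = [
    {"name": "smart-bulb", "ip": "192.168.50.21", "password_changed": True,
     "firmware": "2.4.1", "latest_firmware": "2.4.1"},
    {"name": "ip-camera", "ip": "192.168.10.77", "password_changed": False,
     "firmware": "1.0.9", "latest_firmware": "1.2.0"},
    {"name": "thermostat", "ip": "192.168.50.30", "password_changed": True,
     "firmware": "3.1", "latest_firmware": "3.10"},
]

def parse_version(text):
    """Turn '3.10' into (3, 10) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))

def audit_device(device):
    """Return the list of checklist findings for one device."""
    findings = []
    if not device["password_changed"]:
        findings.append("default credentials still in use")
    if parse_version(device["firmware"]) < parse_version(device["latest_firmware"]):
        findings.append("firmware update available")
    address = ipaddress.ip_address(device["ip"])
    if address in TRUSTED_NET:
        findings.append("shares a network with trusted devices")
    elif address not in IOT_NET:
        findings.append("not on the dedicated IoT VLAN")
    return findings

def audit(inventory):
    """Map each device name to its findings; an empty list means it passes."""
    return {device["name"]: audit_device(device) for device in inventory}

if __name__ == "__main__":
    for name, findings in audit(INVENTORY).items():
        print(f"{name}: {', '.join(findings) or 'ok'}")
```

The thermostat entry shows why versions are compared as numbers: as plain strings, "3.1" and "3.10" would sort the wrong way and the pending update would be missed.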

Overall, smart IoT devices are one of the biggest advancements in technology and are pushing the whole of humankind forward. At the same time, it is important that we don’t let these technical advancements and new IoT devices create an insecure future where our privacy is non-existent.

If you want to learn more about IoT Security and how to hack/defend these devices, you can join one of our upcoming trainings or get the learning kit to learn IoT Security all by yourself.

About Attify – IoT & Mobile Security
Founded in 2013, Attify has been a global leader in IoT, mobile, big data and infrastructure security. Attify's team includes security professionals with expertise in various fields including Reverse Engineering, Embedded Device security, Radio reversing, Web application pentesting and infrastructure security. Attify is also the creator of popular training courses such as "Offensive Internet of Things (IoT) Exploitation", "Advanced Android and iOS Hands-on Exploitation" and more. Attify members have also written books and papers such as "Learning Pentesting for Android Devices", "A Short Guide on ARM Exploitation" and many more. We have also presented our research at numerous conferences such as BlackHat (USA, Asia, EU, AbuDhabi), Defcon, OWASP AppSec USA, AppSec APAC, Nullcon, Toorcon, ClubHack, phDays, Syscan and more.