Internet of Things (IoT) device connects to internet automatically for sending or receiving data or to control some operations. The trend to use IoT is increasing very rapidly to enhance efficiency or convenience by business and home users, which is also increasing risk of cyber threats and gives opportunities to cyber criminals to enter into protected network or, still sensitive information or observer human lifestyle. Before using this new technology, it is significantly required to understand its vulnerabilities, risks and safeguards also user awareness on this is highly important to control the cyber-attacks.
Let us understand few examples of IoT devices. IoT device can be
- Automatic device which controls your electrical systems
- Automatic security systems like fire alarms , wifi cameras used for surveillance systems in offices or cameras used for home monitoring
- Medical equipment like wifi enabled heart monitors or insulin dispensers
- Process controls systems
- Smart watches or human wearable devices
- Automated lighting or air conditioning systems
- Smart refrigerators, TVs, Printers , scanners , physical access control systems
- Cell phone controls systems like music systems , microwaves , Air conditioners
- Utility monitoring systems like energy , water , food supply and Fuel systems
- Aviation monitoring systems
IoT device connects to internet automatically without requiring human intervention for exchange of data with service providers, businesses, manufactures and other connected devices.
Lack of patching capabilities of IoT devices and user awareness gives ample opportunities for attackers to take control of these devices or use them to launce larger attack on secure networks, send spam e-mails, steal sensitive data or modify operation of safety systems. Following are important risks to be considered in case of IoT usage
- Vulnerabity of Universal Plug and Play (UPnP) protocol.
UPnP protocol permits networked devices, such as personal computers, printers, Internet gateways, Wi-Fi access points and mobile devices to seamlessly discover each other's presence on the network and establish functional network services for data sharing, communications, and entertainment. UPnP works without authentication to connect the device and it is designed to self-configure when attached to network and this makes it vulnerable where attacker can change device configuration and gain control.
- Use of default vendor password by users which normally users do not change.
These default passwords are available on internet and attacker uses them to get access to IoT devices.
- Denial of service attack on these devices and making them in operable.
- Compromising IoT device to harm the user
- Compromising the integrity of business operational processes
Unsecured or unhardened IoT device will become gateway to secured network and attacker can get wide access to critical systems.
- Isolate IoT devices from secured network
- Disable UPnP on routers
- Choose appropriate IoT device based on its purpose
- Purchase IoT devices from well-known manufactures with their track record on security
- Keep the IoT devices patched up to date
- Change default passwords and have strong passwords
- Use current best practices while connecting IoT devices to wireless network and accessing it remotely
- User awareness on IoT devices and related threats
Finally use of IoT devices should be done with due care and understanding of above mentioned risks. IoT devices increase efficiency and convenience but they also bring these risks, so the usage should be balanced.
Authored by Satish Kulkarni