IoT Security, Threats and Challenges By V.P.Prabhakaran

Upload: koenig-solutions-ltd

Post on 10-Jan-2017



Introduction of IoT

The Internet of Things (IoT) is the network of physical objects or “things” embedded with electronics, software, sensors, and network connectivity, which enables these objects to collect and exchange data. It is a complete integration of physical objects with computer logical operations.


Things in IoT

• “Things, in the IoT, include vast collections of devices such as heart monitoring implants, biochip transponders on farm animals, automobiles with built-in sensors, or field operation devices that assist fire-fighters in search and rescue,” reads the definition provided by Wikipedia.


Associated Challenges

• IoT security is all about protecting or safeguarding. Nowadays, almost every object contains a small chip, which we usually ignore. Attackers try to compromise those chips by gaining logical access to devices remotely. All security and technical experts face the challenge of protecting that chip from attackers, because devices such as cars, industrial machines, and home appliances all have the same chip, running a specific program, which is easy to target.


Companies who Operate IoT

• Traditional Big Companies – Google, Microsoft, and Amazon are the big companies that are well versed in the latest security and threats associated with IoT, and they have experts who can protect it from attacks. The image below, which I would like to share, shows how Amazon is using IoT.


Companies who Operate IoT (contd…)

• Big Companies – Companies such as Honeywell and Ford are not as exposed in terms of threats associated with IoT.

• Kickstartup – New entrants who did research and developed a prototype; later on, big companies, like IFTTT (If This Then That) by Linden Tibbets and MuleSoft by Greg Schott, purchased these packages and used them. Currently, the industry is facing a shortage of IoT security experts and still struggles with IoT countermeasures, according to the report “ISACA Survey: UK Security Experts Sceptical of IoT Device Security; 3/4 Say Manufacturers are Not Implementing Sufficient Security Measures”.


Common Threats Associated with IoT

• Vulnerable IoT Perimeters: When IoT networks are designed, there is a lack of planning for good security implementation, which can allow an intruder to easily gain access to the network. Take the example of a smart meter: if a cyber criminal compromises this device, he can access a domestic network and also monitor the connections between objects in the IoT.

• Increase in Data Breaches: Data breaches are one of the biggest threats to IoT devices. Cyber attackers can try to spy on the communications between devices in an IoT network. Devices accessed through the Internet of Things may be used for cyber espionage by an intelligence agency, or by some companies for commercial purposes. The FBI’s chief information security officer warned that the impact of IoT data breaches could be much worse for end users than previous enterprise data breaches.


• Malware and Botnet Attacks: Malicious users design code to attack IoT networks. Cyber criminals can exploit vulnerabilities in the firmware running on the devices and run their arbitrary code, turning IoT components to unplanned uses. Malware used in IoT includes the Linux worm Linux.Darlloz. Graphics processing unit-based malware and ransomware attacks are growing rapidly, due to the increase in data, bigger networks, and the Internet of Things (IoT), according to Intel Security’s five-year retrospective threat report. The analysis found that ransomware continued to grow rapidly, with the number of new ransomware samples rising 58 percent in Q2. According to Intel Security, the total number of ransomware samples also grew by 127 percent year-on-year, with the company attributing the increase to fast-growing new families, such as CTB-Locker and CryptoWall. The release of the report marks the five-year anniversary of Intel Security’s purchase of McAfee for $7.7 billion.


OWASP Introduces Vulnerabilities in IoT

• The Open Web Application Security Project (OWASP) provides best practices to improve the security of IoT. It is natural that the project also analyzed the top 10 security issues related to the popular paradigm:

• Insecure Web Interface: An insecure web interface is a common vulnerability found in IoT. Tools such as OWASP ZAP and Shodan are available, and with them we can access these devices. The most famous example of this to date is the case of the web application on TRENDnet cameras that exposed a full video feed to anyone who accessed it.


OWASP Introduces Vulnerabilities in IoT (contd…)

• Insufficient Authentication/Authorization: Most IoT devices are protected with a weak password that is easily exploited through a brute force attack. The attack could come from external or internal users. Some IoT devices are configured with a base64 password encoding mechanism, and the encoded password is sent between devices in plain text, so an attacker can use an online website to convert the base64 code back to simple text. Many IoT devices are secured with “Spaceballs quality” passwords like “1234”, put their password checks in client-side Java code, send credentials without using HTTPS or other encrypted transports, or require no passwords at all.
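The checks an auditor would run against captured device traffic for the weaknesses listed above, as an added example that is not part of the original slides. The request samples, host names, helper names and the weak-password list (apart from “1234”) are assumptions constructed for illustration.

```python
import base64

# "1234" is the slide's example; the other entries are assumed for illustration.
WEAK_PASSWORDS = {"", "1234", "admin", "password", "12345678"}

def basic_header(user, password):
    # Builds an HTTP Basic Authorization header the way a device client would.
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Authorization: Basic {token}"

def parse_headers(raw_request):
    """Return the headers of a raw HTTP request head, names lower-cased."""
    headers = {}
    # Keep only the head, then skip the request line.
    for line in raw_request.split("\r\n\r\n", 1)[0].split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def audit_request(scheme, raw_request):
    """List the weaknesses named on the slide that this request exhibits."""
    auth = parse_headers(raw_request).get("authorization")
    if auth is None:
        # Assumption: no Authorization header means the endpoint asks for no password.
        return ["no-authentication"]
    kind, _, token = auth.partition(" ")
    if kind.lower() != "basic":
        return []
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return ["malformed-basic-credentials"]
    _user, _, password = decoded.partition(":")
    findings = []
    if scheme != "https":
        # base64 is an encoding, not encryption: anyone on the path can read the password.
        findings.append("base64-credentials-over-cleartext")
    if password in WEAK_PASSWORDS:
        findings.append("weak-password")
    return findings  # the recovered password itself is never reported

# Constructed sample requests (not real traffic); host names are placeholders.
SAMPLES = [
    ("http", "GET /status HTTP/1.1\r\nHost: camera.example\r\n" + basic_header("admin", "1234") + "\r\n\r\n"),
    ("https", "GET /status HTTP/1.1\r\nHost: meter.example\r\n" + basic_header("svc", "T7#qLw9!vRz2") + "\r\n\r\n"),
    ("http", "GET /feed HTTP/1.1\r\nHost: sensor.example\r\n\r\n"),
]

def audit_all(samples=SAMPLES):
    return [(parse_headers(raw).get("host"), audit_request(scheme, raw)) for scheme, raw in samples]
```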


OWASP Introduces Vulnerabilities in IoT (contd…)

• Insecure Network Services: Insecure network services may be vulnerable to buffer overflow attacks. Other attacks are also possible, like DoS and DDoS attacks, which leave systems inaccessible to clients or users. To find insecure network services, we use several tools, like Nmap and fuzzers. Examples of these types of services abound in IoT documentation and are regularly lit up by security researchers. In August 2014, a sweep of more than 32,000 devices found “at least 2000 devices with hard-coded Telnet logins.”


OWASP Introduces Vulnerabilities in IoT (contd…)

• Lack of Transport Encryption: IoT devices lack transport encryption, which is exploited by an attacker trying to intercept the information exchanged between IoT devices. This attack can be carried out by internal and external users.

• Privacy Concerns: An attacker uses different paths, like lack of authentication, lack of strong transport encryption, or other ports and network services, to gain access to personal data. One of the biggest vulnerabilities, as per the OWASP standard, is that home users may not understand computer security, but they do understand physical security (“is my door locked?”) and privacy (“is that camera watching me?”). Furthermore, their fears are widespread.


OWASP Introduces Vulnerabilities in IoT (contd…)

• Insecure Cloud Interface: We can identify an insecure cloud interface vulnerability by reviewing the connections to the cloud interface and analyzing whether SSL is secure. We also attempt a password reset on the portal to find a live user, which can lead to user enumeration. Since most security professionals already know how to evaluate systems for these types of vulnerabilities, we won’t spend much time on it in this article, except to remind you that you should get the permission of any remote cloud service before you attempt to perform any type of penetration test against it.


OWASP Introduces Vulnerabilities in IoT (contd…)

• Insecure Mobile Interface

• Insufficient Security Configurability

• Insecure Software/Firmware

• Poor Physical Security


About Author

• V.P.Prabhakaran is a highly experienced security professional, with more than 9 years of experience as Senior Information Security Consultant at Koenig Solutions.

Information Security Consultant

CISSP | CISA | CISM | COBIT 5 | TOGAF
