IoT : Internet of Things or the Insecurity of Things ?

. 4 min read

We at Attify work a lot on the security of IoT based devices and often do pentesting engagements to identify security issues in the vendor devices and the associated mobile applications.

With a total number of 4.9 Billion connected devices and an expected market size of over $19 trillion by 2020, IoT or the Internet of Things, is the discussion of the hour. From Bluetooth to RFID to Beacon, there is now a specific name for this next big thing, and it’s called the Internet of Things.

Simply put, the Internet of Things is a kind of network in which everything ranging from your toasters, cars and healthcare devices to energy grids will be connected through it. Information can also be exchanged as these devices can “talk” to each other. Just to provide readers with a familiarity of its exponential growth, IDC expects a total of 212 billion IoT devices by the end of 2020.

With so many huge companies actively participating in this revolution in order to be the leader of the upcoming IoT era, one would think that it would have excellent security. The truth is that no one to date has given the security of these devices and their exchange of information much thought.

Below is the google trend analysis to show how IoT security compares against IoT.

IoT Security Attify

Apart from consumers, enterprises are also investing heavily in getting their organisation IoT ready with different types of IoT devices handling various operations in the office. Very often, enterprises do not give any thought or attention to the security of these devices, and the nature of data that is put to risk by them. Often, there are also privacy issues with the amount of data these devices collect.

Thanks to the popular recent hacks of Fitbit and the Samsung Smart TV, the media is slowly starting to become aware of the importance of the security of IoT devices. Many organisations are starting to think about the possible IoT security concerns.

Having said all this, the Internet of Things is still in its Infancy period. Even though the popularity of all these devices has mushroomed, the level of security smartness is still in its early stage and hasn’t seen significant growth since its inception. There already exists a huge number of IoT devices, with many more being developed every single day. The ideal solution would be to create real smart devices, which are much more robust and capable of making real-time intelligent security decisions, thus preventing a security breach from occurring.

IoT is definitely an added luxury to our lifestyle, and helps us to perform tasks effectively and in some cases even do certain things which were not possible a few years ago. Based on its extremely fast adoption by consumers and enterprises, and given the previous trends of web and mobile security, it will definitely be a prime target for attackers.

When we speak of IoT security, it could be divided into three components:

  1. **Hardware Based Security: **Techniques exist that hackers can use to open up the device, connect it to other devices and then dump the firmware. During this extraction process, manufacturer’s secrets could be revealed. We cover this topic in some of our trainings.
  2. **Web Dashboard/Mobile Apps: **Often times, the web dashboards associated with the IoT device have web application security flaws. It is highly essential that the organisation check against security issues in the Web application which interact with the IoT device.The same problem exists for mobile applications as well. Most of the IoT devices will have a mobile app with which the device can communicate and look for certain commands that trigger actions on the device. Vulnerabilities in the mobile apps could lead to the compromise of security for the entire device network.
  3. **Communication****between the components: ** Considering this openness in the ecosystem where most of the IoT devices are built on top of readily available components such as Zigbee, it is required that all the components communicate over a secure channel. Techniques exist to sniff/intercept traffic flowing through channels such as Wireless, NFC, Bluetooth, RFID etc. It is highly essential that all the data going out from any of the devices be securely encrypted, so as to prevent considerable damage from eavesdropping.

Identifying security flaws in each of these three components requires a special skillset in order for the penetration testers to deal with such a diverse range of technologies. We at Attify, in our previous pen-testing engagements, have found developers making some very common and basic mistakes while designing and developing these architectures. These errors can lead to a compromise of the entire device, giving the attacker complete access to the system.

The current day IoT devices are inherently insecure and lack the practice of standard secure coding. In addition, developers are looking to build something better and out of the box. This has resulted in them creating new rules along the way, which often lead to numerous security issues.

Most of the IoT devices interact with very sensitive consumer or enterprise data. If this data falls into the wrong hands, it not only could, but will wreak havoc such as we’ve seen in the past with large retail security breaches. IoT device/service providers should raise the standard of their information security policies and provide better ways of protecting themselves from these vulnerabilities.

Attify specializes in security for IoT devices and mobile application security auditing. Apart from the security auditing and pen-testing of devices and applications, we also conduct training programs to educate developers and security engineers. We have put much thought into the future of IoT devices and we believe that our company can offer the high level of security necessary to keep your data safe from hackers and give consumers peace of mind.

Attify Team

IoT Security and Penetration Testing

Get IoT Security Training

IoT Pentesting Exploitation Training


analog modulation Android android application security android hands on security and exploitation training android security Apktool application auditing application security auditing appsec usa appwatch arduino nano arm ARM binaries ARM course ARM exploitation book ARM exploitation video training ARM gadgets ARM Training attify attify badge attify training best security practices biggest iot attacks of all time binwalk blackberry pentesting blackhat ble BLE attacks BLE dangers BLE hacking and exploitation BLE security issues BLE sniffing BLE vulnerabilities bleah bluetooth technology box brut Exception BtleJuice capture radio traffic career in cybersecurity CCTV cameras challenges in iot retail chroot cloud based mobile application security scanner consulting CTF cyber attacks cybersecurity Damn Vulnerable iOS App dangers of iot DDoS attacks devops digital modulation dumping memory embedded hacking expert Exploit ARM devices exploitation exploiting ble exploiting smart devices firmadyne firmware analysis toolkit firmware emulation Firmware hacking firmware reverse engineering Flare-on frida getting started with firmware hacking ghidra GSMA guide to ARM exploitation hacked security IP cameras hacked smart devices hackers hackfest hacking smart devices healthcare business protection against iot threats healthcare cyber security how can healthcare fight iot threats How Mirai botnet infects your device How Mirai works how retail can prevent cyber attacks how to exploit ble how to hack radio waves how to protect iot devices how to secure iot device IDA internet of things Internet of Things Security internet security ios application security ios security iot iot attacks iot bots, malwares iot device IoT Devices IoT Exploitation iot hacking iot hacks IoT hacks on ARM devices iot penetration testing iot pentest iot pentesting iot security IoT security guidelines iot security training iot threats iot threats to healthcare industry iotsecurity IP cameras jtag jtag debugging latest iot attacks learn ARM exploitation measures to prevent cyber attacks on healthcare organisations Mirai Botnet mirai history mobile app mobile application security mobile application security testing mobile security monitor iot devices Mozilla network security in retail ninja recon technique NIST offensive iot exploitation ola cabs owasp owasp appsec penetration testers penetration testing pentesting pentesting mobile apps phishing attacks powerofcommunity PrinterSecurity privacy protection profession professional qemu quizup radio communication protocol radio coomunication radio waves hacking recent ARM attacks recent cyber attacks recent iot attacks recent security camera attacks retail iot Reversing safety measures to protect privacy sdr secure coding guidelines security security cameras security challenges in retail IoT security in healthcare iot security issue security issues faced by e-retailers security services security training security vulnerability setup smart devices smart user security social networking spi steps to prevent iot attacks on healthcare surveillance cameras hijacked threat modeling tools to exploit ble training uart Understanding Mirai Botnet virus vulnerabilities discovered in popular IoT IP cameras vulnerabilities in internet connected cameras vulnerability vulnerable ARM devices What is mirai botnet? why choose career in cybersecurity writeups xposed hooking zigbee zigbee exploitation zigbee security zwave