According to Forbes, about 75 billion IoT devices are expected to be connected to the internet by 2025. But is the current IoT sector competent enough to tackle the vulnerabilities that these devices expose us to?
Over the last few years, as IoT technology has penetrated deeper into our lives, we have also seen a large number of large-scale security breaches compromising user privacy and, in certain cases, even lives.
Why is it that technologies designed with an emphasis on user satisfaction are so often a cause of distress as well?
IoT devices are developed mainly to maximise user convenience, and the massive rise in adoption clearly shows the demand for them. That demand pushes vendors to ship more devices faster, leaving them with a time crunch. Focused on meeting demand at a rapid pace, they leave behind weaknesses in the form of weak or default passwords, insecure default configurations and undocumented backdoors. As a result, an increasing number of IoT devices reach the market without ever being checked for security issues.
The IoT sector is expected to grow to an astounding 20.4 billion devices by 2020 (Gartner's estimate), and businesses are expected to spend $134 billion annually by 2022 just on cybersecurity for IoT devices, according to Juniper Research.
This sounds like great news, doesn't it? But what about the 8.4 billion IoT devices that are already out there today? How does one identify their vulnerabilities and prevent these devices from being compromised?
Let's look at some of the most frightening IoT attacks and vulnerabilities of the recent past; they are proof enough of the kind of risks we are exposed to.
Mirai Botnet
One of the most significant IoT attacks of 2016, the Mirai botnet took down giants such as Netflix, GitHub, Shopify, Twitter and SoundCloud. Mirai primarily infected older routers, IP cameras and DVRs and then used them to flood the DNS provider Dyn with a DDoS attack; with Dyn unable to answer DNS queries, its customers' sites became unreachable.
Systems infected with Mirai scan the internet for other devices with Telnet exposed and infect them by logging in with a built-in list of well-known factory-default usernames and passwords.
BrickerBot
BrickerBot works on a similar principle to Mirai, except that instead of enrolling the device in a botnet it simply destroys it: a permanent denial of service (PDoS) attack that corrupts the device's storage and configuration until it no longer boots. Like Mirai, it relies on users leaving default usernames and passwords in place. BrickerBot targets internet-connected Linux devices that run the BusyBox tool set and expose a Telnet interface to the public internet.
Satori Botnet
In December 2017, the Satori botnet infected roughly 280,000 IP addresses, mostly home routers, in just 12 hours. Satori is a variant of its predecessor, the Mirai botnet, and like Mirai it assembles the compromised devices into a botnet capable of large-scale DDoS attacks.
However, Satori displayed a threat that Mirai and its other variants did not. While Mirai relied on weak or default credentials, Satori also exploited firmware bugs, which are often left unpatched.
Once the malware finds a vulnerable device, it exploits the bug (or falls back to trying default passwords), gains complete control of the device and uses it to scan for further targets. This is how the botnet keeps growing, and once it is large enough it can take down large chunks of the internet.
The Satori Botnet targets routers by exploiting these two vulnerabilities:
CVE-2017-17215: a remote code execution vulnerability specific to Huawei HG532 home gateway routers, exploited over port 37215 (the router's UPnP service). Huawei published a fix in November 2017.
CVE-2014-8361: a command injection vulnerability in the Realtek SDK's miniigd Universal Plug and Play (UPnP) SOAP interface, exploited over port 52869. This one was patched back in May 2015.
As with Mirai, Satori's source code was later released publicly, but its developers continue to produce new variants.
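Both Mirai (Telnet logins with factory-default credentials) and Satori (exploits aimed at ports 37215 and 52869) leave a recognisable trace in perimeter logs. The following is an added detection example, not code from the original article or from either botnet: it runs two rules over constructed, syslog-style lines whose format is assumed for this example (a firewall "conn" line and a telnetd "failed login" line), flagging a source that uses a credential pair from Mirai's published default list, one that fails five Telnet logins inside a minute, and one that touches either Satori exploit port.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Subset of the factory-default credential list shipped in Mirai's
# published source code; an attempt with one of these pairs is a strong
# signal even before any rate threshold is crossed.
MIRAI_CREDS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"),
    ("admin", "admin"), ("root", "888888"), ("root", "xmhdipc"),
    ("root", "default"), ("root", "juantech"), ("support", "support"),
    ("admin", "password"), ("root", "root"), ("user", "user"),
}

# Ports hit by Satori's two exploits: 37215 (Huawei HG532, CVE-2017-17215)
# and 52869 (Realtek SDK miniigd UPnP, CVE-2014-8361). Neither service has
# any business being reachable from the internet.
SATORI_PORTS = {37215, 52869}

# Assumed log formats (constructed for this example, not a vendor's):
#   <iso-ts> fw: conn src=<ip> dport=<port> proto=tcp
#   <iso-ts> telnetd: failed login user=<u> pass=<p> from=<ip>
CONN_RE = re.compile(r"^(\S+) fw: conn src=(\S+) dport=(\d+)")
FAIL_RE = re.compile(r"^(\S+) telnetd: failed login user=(\S*) pass=(\S*) from=(\S+)")


def parse_line(line):
    """Turn one log line into an event dict, or None if it is not one we track."""
    m = CONN_RE.match(line)
    if m:
        return {"ts": datetime.fromisoformat(m.group(1)), "kind": "conn",
                "src": m.group(2), "dport": int(m.group(3))}
    m = FAIL_RE.match(line)
    if m:
        return {"ts": datetime.fromisoformat(m.group(1)), "kind": "fail",
                "src": m.group(4), "user": m.group(2), "pw": m.group(3)}
    return None


def analyze(lines, window_s=60, threshold=5):
    """Return {src_ip: sorted alert reasons} for every source matching a rule.

    Reasons:
      mirai-dictionary-credential  a failed login used a pair from MIRAI_CREDS
      telnet-bruteforce            >= threshold failed logins within window_s
      satori-exploit-port:<port>   a connection to one of SATORI_PORTS
    """
    alerts = defaultdict(set)
    recent = defaultdict(deque)  # src -> timestamps of recent failed logins
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        src = ev["src"]
        if ev["kind"] == "conn":
            if ev["dport"] in SATORI_PORTS:
                alerts[src].add("satori-exploit-port:%d" % ev["dport"])
            continue
        if (ev["user"], ev["pw"]) in MIRAI_CREDS:
            alerts[src].add("mirai-dictionary-credential")
        q = recent[src]
        q.append(ev["ts"])
        # Slide the window: drop failures older than window_s seconds.
        while q and ev["ts"] - q[0] > timedelta(seconds=window_s):
            q.popleft()
        if len(q) >= threshold:
            alerts[src].add("telnet-bruteforce")
    return {src: sorted(reasons) for src, reasons in alerts.items()}


# Constructed sample log lines (not real captures).
SAMPLE_LOGS = """\
2017-12-05T10:00:01 fw: conn src=203.0.113.5 dport=23 proto=tcp
2017-12-05T10:00:02 telnetd: failed login user=root pass=xc3511 from=203.0.113.5
2017-12-05T10:00:03 telnetd: failed login user=root pass=vizxv from=203.0.113.5
2017-12-05T10:00:04 telnetd: failed login user=admin pass=admin from=203.0.113.5
2017-12-05T10:00:05 telnetd: failed login user=root pass=888888 from=203.0.113.5
2017-12-05T10:00:06 telnetd: failed login user=root pass=xmhdipc from=203.0.113.5
2017-12-05T10:00:07 telnetd: failed login user=support pass=support from=203.0.113.5
2017-12-05T10:00:09 fw: conn src=198.51.100.7 dport=37215 proto=tcp
2017-12-05T10:00:10 fw: conn src=198.51.100.7 dport=52869 proto=tcp
2017-12-05T10:02:00 telnetd: failed login user=alice pass=wrongpw from=192.0.2.9
2017-12-05T10:02:01 fw: conn src=192.0.2.9 dport=443 proto=tcp
"""

if __name__ == "__main__":
    for src, reasons in analyze(SAMPLE_LOGS.splitlines()).items():
        print(src, ", ".join(reasons))
```

The dictionary rule fires on the first matching attempt, so it catches a slow scanner that stays under the rate threshold; the port rule needs no payload inspection at all, because nothing legitimate arrives from the internet on those two ports. Feed the real firewall and telnetd log formats into the two regular expressions and the rules carry over unchanged.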
D-Link DIR-850L Router
The D-Link DIR-850L Wireless AC1200 Dual Band Gigabit Cloud Router suffered from a number of security issues ranging from command injection to hard-coded encryption keys stored on the device.
When exploited, these vulnerabilities give an attacker complete control of the router, and with it the victim's entire network, including the ability to launch further attacks from inside it. At the time of disclosure, an estimated 94,155 DIR-850L routers were exposed to the public internet.
The vulnerabilities were identified by security researcher Pierre Kim, who disclosed them on his blog after D-Link had failed to patch security issues he had previously reported to them.
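Hard-coded keys of the kind found in the DIR-850L are usually easy to spot once the firmware's root filesystem has been unpacked. The following is an added example, not the researcher's or D-Link's code: it scans a blob of file contents for PEM private-key blocks and for long printable tokens whose per-byte entropy is too high to be a word, path or padding string. The sample blob, the key body and the secret in it are constructed for this example; in practice the scan is run over each file extracted from the image (for instance with binwalk), not over the compressed image itself.

```python
import math
import re

# Any "-----BEGIN ... PRIVATE KEY-----" block, label captured so it can be reported.
PEM_RE = re.compile(
    rb"-----BEGIN ([A-Z ]*PRIVATE KEY)-----.*?-----END \1-----", re.S)
# Runs of base64/hex-looking characters long enough to be a key or token.
TOKEN_RE = re.compile(rb"[A-Za-z0-9+/]{24,}")


def shannon_entropy(data):
    """Bits of entropy per byte of `data` (0.0 for a constant string)."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_pem_keys(blob):
    """Return the PEM label (e.g. 'RSA PRIVATE KEY') of every private key in blob."""
    return [m.group(1).decode("ascii") for m in PEM_RE.finditer(blob)]


def find_high_entropy_tokens(blob, min_entropy=3.5):
    """Return printable tokens whose per-byte entropy is at least min_entropy.

    Random hex tops out at 4.0 bits/byte and random base64 near 6.0, while
    words, version strings and repeated padding sit well below 3.5.
    """
    # Blank out PEM blocks first so their base64 body is not reported twice.
    stripped = PEM_RE.sub(lambda m: b" " * len(m.group(0)), blob)
    found = []
    for m in TOKEN_RE.finditer(stripped):
        tok = m.group(0)
        if shannon_entropy(tok) >= min_entropy:
            found.append(tok.decode("ascii"))
    return found


def scan_firmware(blob):
    """Summarise embedded private keys and likely secrets in one extracted file."""
    return {"pem_keys": find_pem_keys(blob),
            "secrets": find_high_entropy_tokens(blob)}


# Constructed stand-in for a file pulled out of an unpacked firmware root
# filesystem: a binary header, a (made-up) private key, and a few config lines.
SAMPLE_BLOB = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 16 +
    b"-----BEGIN RSA PRIVATE KEY-----\n"
    b"MIIBOgIBAAJBAKj34GkxFhD90vcNLYLInFEX6Ppy1tPf9Cnzj4p4WGeKLs1Pt8Qu\n"
    b"-----END RSA PRIVATE KEY-----\n"
    b"wifi_key=Hello\n"
    b"padding=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"
    b"cloud_secret=9f3b7c2e1a4d6085b2c7e9f1d3a5c7b9\n"
    b"firmware_version=1.14.B07\n"
)

if __name__ == "__main__":
    print(scan_firmware(SAMPLE_BLOB))
```

A private key that ships inside every unit of a product is effectively public: anyone who downloads the firmware image has it, so TLS sessions to the device can be decrypted or impersonated. The entropy heuristic is deliberately coarse; treat its hits as leads to confirm by hand rather than as findings.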
Vulnerable Medical Devices
While IoT has revolutionised the way healthcare is organised, it has also led to some life-threatening scenarios.
Medical devices that use wireless communications are often exposed to vulnerabilities with life-threatening consequences. Over the last decade, we have seen a surge in the number of vulnerabilities disclosed in devices such as heart implants and implantable cardioverter defibrillators (ICDs).
Let's look at a few instances of medical devices that were found to be vulnerable in the recent past.
Animas OneTouch Ping Insulin Pump
The OneTouch Ping insulin pump is a popular device for self-administering insulin. The system has two parts, the pump and a blood-glucose meter that doubles as a remote, which communicate in the 900 MHz band over a proprietary management protocol to deliver insulin.
In 2016, Rapid7 disclosed three flaws in the OneTouch Ping under advisory R7-2016-07.
R7-2016-07.1: The pump and remote talk in cleartext rather than over an encrypted channel in their proprietary management protocol. This lack of encryption is what lets an attacker eavesdrop on the exchange and then exploit the device to trigger unauthorised insulin doses and a hypoglycaemic reaction in the patient.
R7-2016-07.2: To stop the pump from taking commands from other remotes, setup involves a pairing process in which the remote and the pump exchange serial numbers and some header information. Pairing is a five-packet exchange, and the packets are identical every time the same remote and pump pair. Because pairing is unencrypted, an attacker who captures it learns the remote/pump key and can then spoof either device.
R7-2016-07.3: The communication between pump and remote is also highly susceptible to interception because it has little to no defence against replay attacks. An attacker can capture the remote's transmissions and replay them later, for example to trigger additional doses, which can cause major harm to the patient.
Another flaw is that the protocol used by the remote meter and the pump has no mechanism to guarantee delivery, so neither side can tell whether its packets were received. This lets an attacker mount a spoofed-remote attack from a distance using a more powerful transmitter, sending commands to the pump without needing to hear the acknowledgement packets.
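The three Rapid7 findings come down to one protocol design: commands are accepted on the strength of a sniffable serial number, with nothing that binds a packet to its sender or to a point in time. The following is an added example, not Animas' protocol or Rapid7's code: it models that weak design as a six-byte "serial || dose" packet, then a hardened alternative in which every command carries a strictly increasing counter and an HMAC-SHA256 tag under a pairing key, and replays and spoofs the same dose against both. The packet layout, serial number and the assumption that the pairing key was established out of band by an authenticated key agreement (rather than the cleartext serial exchange of R7-2016-07.2) are all assumptions of this example.

```python
import hashlib
import hmac
import os
import struct

SERIAL = 0x00A1B2C3   # illustrative pump serial number, assumed 32-bit
TAG_LEN = 32          # HMAC-SHA256 tag length in bytes


# --- 1. Model of the weak design: cleartext, no authentication, no replay defence.
def weak_remote_packet(serial, units):
    """Remote -> pump bolus command: serial (4 bytes) || dose units (2 bytes)."""
    return struct.pack(">IH", serial, units)


class WeakPump:
    def __init__(self, serial):
        self.serial = serial
        self.delivered = []   # doses the pump has acted on

    def receive(self, packet):
        serial, units = struct.unpack(">IH", packet)
        if serial != self.serial:   # the only check: a serial anyone can sniff
            return False
        self.delivered.append(units)
        return True


# --- 2. Hardened design: shared pairing key, HMAC tag, strictly increasing counter.
class SecureRemote:
    def __init__(self, serial, pairing_key):
        self.serial, self.key = serial, pairing_key
        self.counter = 0   # a real device must persist this across power cycles

    def bolus_packet(self, units):
        self.counter += 1
        body = struct.pack(">IQH", self.serial, self.counter, units)
        tag = hmac.new(self.key, body, hashlib.sha256).digest()
        return body + tag


class SecurePump:
    def __init__(self, serial, pairing_key):
        self.serial, self.key = serial, pairing_key
        self.last_counter = 0
        self.delivered = []

    def receive(self, packet):
        if len(packet) != 4 + 8 + 2 + TAG_LEN:
            return False
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # forged or tampered
            return False
        serial, counter, units = struct.unpack(">IQH", body)
        if serial != self.serial:
            return False
        if counter <= self.last_counter:   # replayed (or reordered) command
            return False
        self.last_counter = counter
        self.delivered.append(units)
        return True


def demo():
    """Replay and spoof one bolus against both designs; return what each delivered."""
    weak = WeakPump(SERIAL)
    sniffed = weak_remote_packet(SERIAL, 2)
    weak.receive(sniffed)                          # legitimate 2-unit dose
    weak.receive(sniffed)                          # replayed: accepted again
    weak.receive(weak_remote_packet(SERIAL, 25))   # forged from the serial: accepted

    key = os.urandom(32)   # pairing key, assumed established out of band
    remote, pump = SecureRemote(SERIAL, key), SecurePump(SERIAL, key)
    good = remote.bolus_packet(2)
    results = {
        "legit": pump.receive(good),
        "replay": pump.receive(good),
        # attacker knows the serial but not the key: wrong tag
        "forged": pump.receive(weak_remote_packet(SERIAL, 25) + b"\x00" * (8 + TAG_LEN)),
        # attacker rewrites the dose field of a captured packet: tag no longer matches
        "tampered": pump.receive(good[:12] + struct.pack(">H", 25) + good[14:]),
    }
    return weak.delivered, pump.delivered, results


if __name__ == "__main__":
    print(demo())
```

The HMAC addresses spoofing and tampering and the counter addresses replay; it does not address the cleartext finding itself, for which the body would be encrypted as well (an AEAD such as AES-GCM in place of the bare HMAC; left out here because Python's standard library has no AES). Note also that the counter rule rejects any packet that arrives out of order, which is the right call for a dosing command: a remote should resend with a fresh counter, never expect the pump to accept a stale one.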
Abbott Pacemakers & Defibrillators
Back in August 2016, the security firm MedSec, together with the investment firm Muddy Waters, publicly claimed remotely exploitable vulnerabilities in pacemakers and defibrillators made by St. Jude Medical (since acquired by Abbott Laboratories). St. Jude denied the vulnerabilities, and in October 2016 MedSec released four videos demonstrating the exploitation of the devices.
The case of the Abbott pacemakers and defibrillators is crucial with regard to security in healthcare IoT. The researchers found flaws that could have been fatal had they not been resolved in time: the devices could be reprogrammed to malfunction, made to deliver electric shocks to patients from a distance of up to 10 feet, and have their batteries drained prematurely.
After multiple demonstrations of the flaws were released, the FDA issued a safety communication and the Department of Homeland Security's ICS-CERT issued an advisory regarding the publicly disclosed issues. St. Jude eventually released a patch for the vulnerabilities it had previously denied.
The Jeep Hack
In 2015, Charlie Miller and Chris Valasek demonstrated to Wired that they could remotely take control of a Jeep Cherokee by exploiting software vulnerabilities in its Uconnect head unit, ultimately gaining access to the CAN bus.
The hack chained several weaknesses, including a network port exposed over the cellular network and a firmware update path with no signature verification, which let them reflash a component with their own code and ultimately control the vehicle's speed, steering, brakes and many other functions.
The situation only gets worse as more semi-autonomous and fully autonomous cars come onto the market, and more appalling still when one thinks of what a criminal could do with access to a car's more critical functions.
Stuxnet
One of the earliest examples of a cyber attack on critical infrastructure is the Stuxnet worm, which destroyed roughly one-fifth of Iran's nuclear centrifuges. According to credible sources, its impact was large enough to cause heavy delays to the country's nuclear programme.
The worm spread using, among other flaws, a vulnerability in the way Microsoft Windows processed shortcut (LNK) files (CVE-2010-2568), and is believed by many to be the first piece of malware to cause physical damage to high-value assets on such a scale. It is still ironic that even after such a warning, most governments across the globe aren't prepared for a similar attack.
Cloudbleed
Cloudbleed, a memory leak in Cloudflare's edge servers disclosed in February 2017, was triggered by around 3,400 websites. It was not malware but a bug in Cloudflare's HTML parser, which caused uninitialised memory, including other customers' session cookies, passwords and other sensitive data, to be returned in HTTP responses, some of which were then cached by search engines over a period of roughly six months.
The only good part of the whole scenario is that Cloudflare had the bug fully mitigated within about seven hours of learning of it. Although the Cloudflare team worked with the search engines to purge cached copies of leaked data, sensitive data may still be exposed, as the leak could have been running since as early as 22 September 2016.
Vault 7
According to the Vault 7 documents published by WikiLeaks in March 2017, the CIA developed malware to compromise various smart devices, including Samsung Smart TVs. The documents also describe Android, iOS and Windows vulnerabilities, tools for location tracking via Wi-Fi signals, and numerous tools used for spying: malware, trojans, viruses and weaponised zero-day exploits.
WikiLeaks claims the material is genuine, and if those claims are to be believed, it undoubtedly raises some major questions about the operational abilities of the CIA.
November 2016, Finland
Another major IoT attack of 2016 took place in November, when cybercriminals shut down the heating in two buildings in Lappeenranta, Finland. The incident highlights one of the most dangerous possibilities associated with IoT vulnerabilities: Finnish Novembers are exceedingly cold, and such an attack at a larger scale could have had far harsher consequences.
The attackers targeted the automation systems controlling central heating and hot water in both buildings. Under the attack, the controllers became stuck in an endless loop of reboots as they tried to cope, leaving the heating off. Thankfully, the situation was handled well by Valtia, the company responsible for managing the buildings, whose quick response in relocating the inhabitants and fixing the issue helped dodge what could have been a disaster. Some security experts attributed the attack to the Mirai botnet.
So how can these IoT devices or the IoT ecosystem be more secure?
It is clear by now that the smart devices we rely on may be convenient, but they are far from secure. That does not mean shunning IoT devices altogether. Taking our cue from the examples above, the risks can, if not eliminated, at least be minimised if both the user and the device developer take appropriate action.
Here are a few points that can help guard your security framework:
Always remember to change the default username and password of your IoT devices
Penetration testing is pivotal to ensuring the security of your Internet of Things devices and systems. Attify provides tailored penetration testing services for organisations all over the world and helps them achieve total security against potential cyber attacks. To find out how secure your security framework really is, get pentested today. Reach out to us here.
Keep an eye out for any suspicious network changes
Developers must ship an up-to-date kernel and firmware and provide regular updates as new vulnerabilities come to the fore.
Devices that communicate without strong encryption are an open door to attack.
Employees are often uncertain how to respond to attacks such as phishing emails. To avoid this, it is essential to provide frequent training sessions that prepare them for such scenarios; making them aware of imminent threats is the key to preventing internal attacks. Want to schedule a private IoT security training session at your organisation? Taught by best-in-class industry experts, Attify's training curriculum is focused on creating a real-world experience that helps employees not just be aware but proactive in preventing attacks by identifying threats immediately.
Schedule a private IoT Security Training session for your organisation today.
Attify provides tailored penetration testing services and complete security assessments of your IoT devices through a unique offering of attacker-simulated exploitation for IoT solutions.
Also, get started with our hands-on Offensive IoT Exploitation training, conducted by best-in-class experts. Learn firmware reverse engineering, embedded device hacking, binary exploitation, radio (BLE and ZigBee) exploitation and more.