IoT Security: 5 cyber-attacks caused by IoT security vulnerabilities
Date: 25 October 2022
The Internet of Things (IoT) is the networking of objects. It's comparable to a social network or email provider, but IoT links devices rather than people. According to Ericsson, 22 billion devices will be on the Internet of Things by the end of 2022.
Business Insider's experts expect the figure to grow to 30.9 billion by 2025. As IoT devices increase in number so is the attack surface of the cybersecurity vulnerabilities they present.
IoT devices are particularly vulnerable to network attacks such as data thefts, phishing attacks, spoofing and denial of service attacks (DDoS attacks). These can lead to other cyber security threats like ransomware attacks and serious data breaches that can take businesses a lot of money and effort to recover from.
In this blog, we discuss how to protect your IoT devices and networks from cyber-attacks. We also look into some major attacks targeted at IoT devices and how you can start securing IoT devices to prevent such cybersecurity compromises.
Among the devices that can connect to the IoT are voice controllers, smart locks, smoke alarms, lighting systems, fitness trackers, integrated body implants, vehicles, and many other types of gadgets.
Despite the benefits and bright prospects of the Internet of Things, there are some unresolved security issues as well as legal network and device security regulations that need attention. As IoT implies connecting multiple devices and storing lots of data, the system's failure can cause very significant problems to computer networks and sensitive data.
How Does IoT Work?
Gadgets and objects having built-in sensors are connected to an Internet of Things platform, which combines data from many devices and analyzes it.
One of the simplest examples is the sensors used in stores. They can detect how long the customers spend in different parts of the room, to which products they return more often, and what's the most frequent customer route around the store.
This data may be used to identify trends, provide suggestions, and detect potential issues before they arise.
What are some IoT Security Threats?
Despite the multiple opportunities that IoT opens to businesses, there are many factors that create security threats. For instance, with many open code sources, like Magento React, for example, the hackers are well aware of the code peculiarities. Here are some other threatening factors.
Use of Default Passwords: Most businesses deliver gadgets with default passwords and don't even advise you to change them. This often happens with security cameras, home routers, and light control systems, for instance. One of the most significant risks to IoT security is that default passwords are widely known, making it simple for thieves to compromise them.
Unsafe Communication: The messages sent over the network by IoT devices are often not encrypted, which creates IoT security issues. Using standards like Transport Layer Security (TLS) and transport encryption is the best way to guarantee a safe connection. Utilizing several networks to isolate devices also ensures secure and private communication, maintaining the confidentiality of data sent.
Personal Information Leaks: Skilled data thieves may do significant harm even by simply learning internet protocol (IP) addresses from unpatched IoT devices. These addresses can be used to determine a user's precise location and residential address. Many internet security professionals advise using a virtual private network (VPN) to hide your internet protocol address and protect the IoT connection.
Automation and AI: AI technologies are already in use on a global scale. But automation has a drawback: it only takes a single programming error or flawed algorithm to bring down the entire AI network and the infrastructure it was in charge of.
Automation and artificial intelligence are just pieces of code. So if cyber criminals gain access, they can take control of the automation and do anything they choose. Therefore, ensuring that the instruments are protected against such dangers and assaults is crucial.
Hackers have the power to launch assaults and enter thousands or millions of unprotected connected devices, destroying infrastructure, taking down networks, or accessing confidential data. Here are some of the most illustrative cyber attacks demonstrating IoT vulnerabilities:
- The Mirai Botnet
An IoT botnet (a network of computers, each of which runs bots) was used to execute the worst DDoS attack against Internet performance management services provider Dyn back in October 2016. As a result, several websites went offline, including majors like CNN, Netflix, and Twitter.
After becoming infected with Mirai malware, computers continuously search the web for susceptible IoT devices before infecting them with malware by logging in using well-known default usernames and passwords. These gadgets included digital cameras and DVR players, for example.
The Verkada hackVerkada, a cloud-based video surveillance service, was hacked in March 2021. The attackers could access private information belonging to Verkada software clients and access live feeds of over 150,000 cameras mounted in factories, hospitals, schools, prisons, and other sites using legitimate admin account credentials found on the internet.
Over 100 employees were later found to have "super admin" privileges, enabling them access to thousands of customer cameras, revealing the risks associated with over privileged users.
Cold in FinlandIn November 2016, cybercriminals turned off the heating in two buildings in the Finnish city of Lappeenranta. After that, another DDoS assault was launched, forcing the heating controllers to reboot the system repeatedly, preventing the heating from ever turning on. This was a severe attack since Finland experiences severely low temperatures at that time of year.
The Jeep HackIn July 2015, a group of researchers tested the security of the Jeep SUV. They managed to take control of the vehicle via the Sprint cellular network by taking advantage of a firmware update vulnerability. They could then control the vehicle’s speed and even steer it off the road.
StuxnetStuxnet is probably the most well-known IoT attack. Its target was a uranium enrichment plant in Natanz, Iran. During the attack, the Siemens Step7 software running on Windows was compromised, giving the worm access to the industrial program logic controllers. This allowed the worm's developers to control different machines at the industrial sites and get access to vital industrial information.
The first indications of a problem with the nuclear facility's computer system surfaced in 2010. When IAEA inspectors visited the Natanz plant, they saw that a strangely high percentage of uranium enrichment centrifuges were breaking. Multiple malicious files were later found on Iranian computer systems in 2010. It was discovered that the Stuxnet worm was included in these malicious files.
Iran hasn't provided detailed information on the attack's results, but the Stuxnet virus is believed to have damaged 984 uranium-enrichment centrifuges. According to estimates, this resulted in a 30% reduction in enrichment efficiency.
What can you do about IoT Vulnerabilities?
If you’re a business that relies heavily on IoT devices, it is important to evaluate the safety of your information systems and the data being processed by these devices. You need to consider effective security solutions that can protect your business from cyber attacks and ransomware attacks that could occur as a result of IoT security vulnerabilities.
Hiring a cybersecurity expert to advise and guide you is one of the best solutions if you’re concerned about IoT vulnerabilities. A flexible and cost-effective solution like Cyber Management Alliance’s Virtual Cyber Assistant service is ideal if you’re just starting on improving your cybersecurity maturity.
Our Virtual Cyber Assistants can help you protect against IoT vulnerabilities and malicious software in the following ways:
- Assessing your general business cyber health with a Cyber Health Check.
- Helping your create new or review and refresh your existing Cybersecurity Incident Response Plans.
- Help you test if these plans will be effective against a DDoS attack, phishing attack etc. caused by an IoT security loophole with Cyber Attack Tabletop Exercises.
- Get you started on your Ransomware Prevention and Protection journey.
- Assist you to get your business Cyber Essentials certified. You can then have some peace of mind that your IoT devices are at least protected against the most common internet-based attacks.
If the Internet of Things (IoT) gadgets lack adequate security, we can only speculate about how much valuable data hackers may take from them. According to Finances Online, 98% of IoT device traffic is unencrypted. It’s also stated that 83% of desktop devices have no support for threats to IoT devices.
With these figures in mind, it’s easy to assume that the IoT security risks and major attacks above are just the start. So it’s important to take good care of our IoT network security and undertake essential security measures, preferably under expert guidance.
About the Author: Alex Husar
Alex Husar is a chief technology officer at Onilab. Working at the company for almost a decade, Alex has gained proficiency in web development, creating progressive web apps (PWAs), and team management. Alex constantly deepens his knowledge in various technological areas and shares it in his articles. He helps programmers overcome common challenges and stay updated with the latest web development trends.