The first things that come to mind when discussing “interconnectivity” are PCs, tablets, smartphones and smart houses. IoT goes further and broader than that. The IoT environment allows for anything to be wired up and connected to communicate, thus creating a massive information system with the capacity to improve the quality of life and enable new business models.
Things are looking rather bright from this perspective. But where there are opportunities, matching obstacles lie ahead. With so much data stored in the cloud, one security chain flaw might give hackers access to virtually everything.
Mario Dicu, R&D Development Manager – IoT Security, and Bogdan Glazov, Senior Security Researcher – IoT Security from Keysight Technologies Romania are here to share their knowledge and experience in the field and assure you that there are many strategies and tools to keep your IoT ecosystem safe and secure.
Spoiler alert: you’ll get to hear more about this topic at DefCamp as well, so join us so you don’t miss all the fun!
But what exactly does the IoT ecosystem look like?
IoT comes in many shapes and forms:
The most important industry verticals with currently more than 100 million connected IoT devices are electricity, gas, steam & A/C, water supply & waste management, retail & wholesale, transportation & storage, and government. For example, we have seen an increase in IoT usage in smart home appliances, like a smart light bulb, which can be tracked as electricity, or other devices like temperature sensors to control the gas central heating system, AC, etc.
“Targets, targets everywhere!” – an attacker might think.
Naturally, possibilities are endless. There’s always an industry that is the most vulnerable and a device that poses the greatest risk. Add the human factor and you’ve got yourself the perfect recipe for an exposed interconnected world. Despite repeated warnings from information security specialists to the public about the IoT threat landscape, old habits die hard.
Hint: it’s always the passwords…
Technology, manufacturing, retail, and healthcare industries accounted for 98 percent of IoT malware attack victims. The most vulnerable devices in a network are the entertainment and home automation devices, including virtual assistants.
From our research, the most common vulnerabilities we found in IoT devices are weak, guessable or hard-coded credentials, which can be found in the source code of the app, in the firmware, etc. Another troubling discovery was that most users do not change their default credentials once they plug in their devices; for example, most users do not change the default password of the admin account on their Wi-Fi routers. Other frequent faults we are seeing are insecure network services and the lack of encryption.
It may sound gloomy, but we know for a fact that the infosec community has always found a way to have the users’ back in the darkest of times. On a quest to secure the IoT environment, the community has constantly developed guides and projects to ensure proper IoT security standards. For example:
IoT security assessment is here to help!
A comprehensive, automated security testing solution has been developed by the Keysight Technologies team for IoT Devices.
Keysight IoT Security Assessment supports the most common technologies we can find in an IoT ecosystem: Wi-Fi, Bluetooth, Web apps, Mobile apps and CAN bus for our Automotive market. Fuzzing is also included in the framework and addresses the following technologies: Wi-Fi, Bluetooth, Bluetooth Low Energy, IPv4/v6 stack. The framework is built using a modular architecture where our customers can also add their own content and execute it. This is very helpful for having a single UI/REST API interface and running the audits. The product is in continuous development and we’re adding new audits on a monthly basis. Continuing the exploration of Bluetooth/Wi-Fi, our plan is to discover new vulnerabilities that can also be integrated in our product and bring more value to our customers. We want to be able to provide a detailed picture of the security assessment for the components of an IoT ecosystem.
IoT Security is not applicable only for large companies or manufacturers. There are a lot of smart homes and other IoT devices enthusiasts that may be really keen on keeping their fitness trackers, smart thermostats or doorbells safe and preventing security breaches. Fortunately, there are some tips and tricks that might help. Another (familiar) hint: it’s the passwords again…
The most important best practice for smart homes and smart home enthusiasts is: make sure to change the default credentials for every device plugged into the home/office network. Other best practices include: use strong, non-guessable passwords and PINs (not easily guessable ones like 1234), use HTTPS instead of HTTP, disconnect IoT devices when not needed, and keep your software/firmware updated. If possible, all the IoT devices should be installed in a separate VLAN and not in the default home network/corporate production network.
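The checklist above can be run mechanically over a device inventory. The following is an added example, not code from Keysight or from the original article: the inventory, the default-credential list, the `192.168.50.0/24` IoT VLAN and the 12-character password threshold are all constructed assumptions.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed sample data: not real device defaults or a real network plan.
DEFAULT_CREDS = {("admin", "admin"), ("admin", "password"), ("root", "root")}
IOT_VLAN = ipaddress.ip_network("192.168.50.0/24")  # assumed dedicated IoT VLAN
MIN_PASSWORD_LEN = 12  # assumed threshold; the article only says "strong"

INVENTORY = [
    {"name": "router", "ip": "192.168.1.1", "user": "admin", "password": "admin",
     "pin": None, "admin_url": "http://192.168.1.1/", "iot": False},
    {"name": "doorbell", "ip": "192.168.1.40", "user": "owner", "password": "T9!vq-Lm2#xR",
     "pin": "1234", "admin_url": "https://192.168.1.40/", "iot": True},
    {"name": "thermostat", "ip": "192.168.50.12", "user": "owner", "password": "c7$Wz_pQ81!k",
     "pin": "8305", "admin_url": "https://192.168.50.12/", "iot": True},
]

def guessable_pin(pin):
    """True for short PINs, repeated digits (0000) or digit runs (1234, 4321)."""
    if pin is None:
        return False
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return len(pin) < 4 or steps in ({0}, {1}, {-1})

def audit(device):
    """Return the list of best-practice violations for one inventory entry."""
    findings = []
    if (device["user"], device["password"]) in DEFAULT_CREDS:
        findings.append("default credentials")
    if len(device["password"]) < MIN_PASSWORD_LEN:
        findings.append("short password")
    if guessable_pin(device["pin"]):
        findings.append("guessable PIN")
    if urlparse(device["admin_url"]).scheme != "https":
        findings.append("admin interface over http")
    if device["iot"] and ipaddress.ip_address(device["ip"]) not in IOT_VLAN:
        findings.append("IoT device outside dedicated VLAN")
    return findings

def audit_all(inventory=INVENTORY):
    return {d["name"]: audit(d) for d in inventory}

if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(f"{name}: {', '.join(findings) or 'ok'}")
```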
More about IoT security, at DefCamp 2022
Although the term IoT actually dates back to the 70s, it has gained increased popularity in the last 10-15 years. IoT has grown as newer gadgets and technologies emerged quickly and became easily available to the general public due to their indisputable benefits in terms of effectiveness, maintenance and communication. To protect these benefits, it comes as no surprise that cybersecurity is becoming more and more important as IoT technology is integrated into everyday systems, lifestyles, and businesses.
And this was a good enough reason for the Keysight Technologies team to be back again at DefCamp this year – and we are thrilled to have them!
For this year, our goal is to raise awareness about the threats IoT devices could potentially bring into our life. We have the skills, and we have a great product, but we want our message to reach beyond the cybersecurity community; reach the end user who is most exposed. For this, we have armed ourselves with examples, use cases, and best practices from the wild. We’re really looking forward to seeing everyone again! We’ve been DefCamp partners for a really long time now, and year after year, we see the community growing, security products getting more and more complex, and hackers getting more skilled. We feel very fortunate to be part of and to grow together with this community and raise the standards together.
The power of the community is strong. Join us on November 10-11 to connect with Mario & Bogdan – and with many others from the Keysight Technologies team!