• United States



by David Geer

The Internet of Things: Top five threats to IoT devices

Jan 09, 20146 mins
CybercrimeData and Information SecurityInternet of Things

Though having so many devices interconnected can be convenient, it also comes a bevy of new threats. Where do we need to be cautious?

The Internet of Things (IoT) is a mass of billions of connected devices from cars to wireless wearable products. Cisco’s Internet Business Solutions Group estimated 12.5 billion connected devices in existence globally as of 2010 with that number doubling to 25 billion by 2015.

[What the Internet of Things means for security]

In light of this burgeoning market, CSO identifies five categories of IoT devices at risk in the coming year. CSOs who are aware of the threats and potential damage to their organizations can prepare accordingly.

In-Car WiFi

Once tallied, 2013 connected car revenues should reach $21.7 billion, according to analysts from Visiongain, LTD, with 2014 revenues climbing even further. As of the New Year, Ford and GM will increasingly offer in-car WiFi, turning cars into mobile hotspots and connecting passengers’ smartphones, tablets and other devices to the Internet, according to John Pescatore, Director of Emerging Trends, the SANS Institute.

But, in-car WiFi has the same security vulnerabilities as traditional WiFi hotspots. Without the firewalls present in conjunction with small business WiFi installations, in-car devices and data will be at risk. Once inside the network, an attacker can spoof (pose as) the car, connect to outside data sources such as OnStar servers and collect the owner’s PII such as credit card data, explains Pescatore. That is just one example. Only the imagination can limit the kinds of attacks that become possible when a hacker owns in-car Wi-Fi, passengers’ devices and the car’s identity (via spoofing).

“CISOs and CSOs at organizations with people who travel the country should be worried about these vulnerabilities since hackers can use these attacks to access company information,” says Jerry Irvine, CIO, Prescient Solutions.

mHealth Applications / Mobile Medical Devices

“The market for wearable wireless devices across sports, fitness and mHealth will grow from 42 million devices in 2013 to 171 million in 2018,” says Jonathan Collins, Lead Analyst, ABI Research. As of 2014, hackers will increasingly attack mobile medical devices running Windows, including pacemakers, according to Rodney Joffe, Senior Technologist, Neustar. Traditional manufacturers use proprietary embedded systems that are hard to hack due to their closed source code and restrictions. But, non-traditional device manufacturers often use a form of Windows.

[Smart devices get smarter, but still lack security]

“Windows is very popular for those devices because it is cheap, ubiquitous and well-known among programmers,” explains Joffe. But, unlike Windows on a desktop computer, there is no patching mechanism for Windows on these devices, according to Joffe. The more these devices connect to the Internet through wireless frequencies such as WiFi, the more viruses will spread among them.

CSOs should be concerned about remote access for these devices due to the potential for malicious attacks on employees, health information leaks, and attacks on key executives in order to influence or control the financial stability of the organization, according to Irvine.

Wearable Devices, Google Glass

The global wearable technology market will reach $4.6 billion in value in 2013, according to Visiongain, LTD, and continue to rise in 2014. In that market, devices such as Google Glass are a major attack vector because they automatically connect to the Internet. And, these devices have very few if any security solutions on them.

Hacking Google Glass provides attackers with confidential corporate information and intellectual property. An organization may not know what kinds of data or how much a wearer absorbs using Google Glass as they move through offices and other environments in the enterprise. A hacker could copy that audio and video.

“Every organization should write policies for wearable devices that limit where these things can be used, when they can be used, and what their acceptable use is,” Irvine says.

Retail Inventory Monitoring and Control, M2M

Global wireless M2M revenues will have reached $50.1billion in 2013, according to Visiongain, LTD. As of 2014, inventory management technologies will increasingly include inexpensive 3G cellular data transmitters on packages. These transmitters will connect to the Internet, making these applications vulnerable to Internet-based attacks, according to Pescatore.

[Revolutionary evolution: The Internet of Things and things to come]

“These rudimentary devices enable detection, statistical information gathering, remote management and very little else,” says Irvine. There are few if any security solutions to protect the devices or limit device snooping.

The purpose of the new 3G transmitters is constant, real-time position reporting. But, hacktivists who would normally bombard websites with denial of service attacks could instead intercept these transmissions and tell servers that WalMart, for example, is continually selling out its supply of soccer balls, leading to massive soccer ball shipments bombarding WalMart stores, according to Pescatore. “Or, hacktivists or opportunists could influence the stock price of Kellogg’s for example by over or under shipping Corn Flakes,” Pescatore says.

Enterprises must securely configure these inventory control systems and M2M technologies and segment them onto secure, inaccessible, encrypted frequencies. That does not happen today. “I can go in with a wireless frequency scanner and see communications occurring. Once I detect it, I can see what it the frequency and signal are. And once I see that, I can affect its communications,” Irvine explains.

Drones (unmanned aircraft) for domestic (non-military) use

In February of 2012, the Congress established the FAA Modernization and Reform Act with numerous provisions for unmanned aircraft with the general thrust that the FAA will speed the inclusion of UAVs/drones in the national airspace system in three years’ time (by 2015). “Drones will be prevalent across the country five years from now,” says Erik Cabetas, Managing Partner, Include Security, LLC. CSOs should start to plan for drone security measures now.

“Because drones rely on vulnerable telemetry signals, attackers can leverage them using any of the classic attacks including buffer overruns, format strings, SQL injections and authentication bypasses that exist in drone firmware,” explains Cabetas.

Examples of successful attacks on drones are already on record. In 2009, insurgents in the Middle East intercepted Predator drone signals due to a failure to use secure protocols, according to Cabetas. This enabled the insurgents to spy on what the Predators were spying on (via airborne video). Without secure protocols, similar attacks are possible with domestic UAVs.

[Critical infrastructure risks still high]

And, in a 2012 case, Texas A&M college students, by invitation of Homeland Security spoofed the University drone’s GPS signals, insinuating the errant location data into navigation computers, resulting in the drone’s untimely collision, Cabetas notes.

“But, the scariest thing we’ve seen so far was accomplished by the winner of the 2012 DroneGames, a Drone programming contest. The winner created a virus that took over any Drone that came close to the infected Drone,” says Cabetas. Using a single vulnerability in the homogenous firmware of the drones, an attacker could fill the skies with UAVs ready to follow his every command.

And, in a couple of years, drones will be standard components of physical penetration testing, corporate espionage and hacker attacks, according to Cabetas. “Attackers could take high resolution photos and videos in windows (looking for passwords on sticky notes and other sensitive data). They’ll be able to plant high fidelity microphones for eavesdropping on the outside of sensitive rooms (conference rooms, CEO offices),” Cabetas asserts.

CSOs should investigate appropriate physical security counter measures for attacks by drones they do not own or control while requiring secure protocols for any UAVs they do deploy.