Does IoT Need Security?


The number of IoT (Internet of Things) connecting to the Internet is growing rapidly. IT advisory company Gartner had projected a 30% increase in the number of IoT devices used worldwide from 2015 to 2016. That’s around 6.4 billion. Gartner predicts that the number will exceed 20.8 billion by 2020, just in time for the Tokyo Olympics.

Source: Gartner Press Release “Gartner Says 6.4 Billion Connected “Things” Will Be in Use in 2016, Up 30 Percent From 2015” November 10, 2015 http://www.gartner.com/newsroom/id/3165317

So what exactly does everything being connected to the Internet mean?
Think of it this way: normal appliances like refrigerators become IoT devices once they gain the capability of communicating with other devices and connecting to the Internet. In a sense, IoT devices are no longer mere appliances but rather functioning computers. These newfound capabilities add value to these devices and make life much easier for IoT users. Smart refrigerators, for example, help their owners gauge whether or not they’re low on supplies.

Current IoT security concerns

As convenient as IoT devices are, though, their ability to connect opens them up to many dangers. When computing devices like these are connected to the Internet, they are exposed to malware or attackers that may want to control them remotely. Various IoT device risks are already on the rise.

Case 1: IoT device as a stepping stone for illicit activity

As was shown with hard disk recorders in 2004 and smart TVs and fridges in 2014, various cases of IoT devices being used as stepping stones by attackers have been reported when networked household appliances fitted with HTTP proxy functionality and email features were remotely operated while directly accessible from the Internet.The misuse is caused by a failure to configure password authentication or by devices being operated under their default settings. As well as resulting in illicit activity, device misuse also exposes users to damage when the device temporarily stops working due to the load imposed on it when it is taken over.

Case 2: Privacy concerns raised by hacked webcams

Footage from a camera connected to the Internet with inappropriate settings such as the usage of default credentials, authentication not being configured, or vulnerabilities not being patched, etc.) can be intercepted by third parties.

Since 2014, unauthorized sites that stream footage from network cameras have attracted a lot of attention. However, particularly malicious cases include threats based on images stolen used for sextortion and blackmail. Another example came in the form of a hacker screaming obscenities at a sleeping baby after hacking a baby monitor.

Case 3: The danger of cars being controlled remotely

Several remote control tests on commercially available connected cars have already been conducted in the past. The most widely reported test was one conducted in 2015. The test showed how a connected car driving through a city was made to stop after its accelerator was disabled. This was done after its air-conditioning, radio, wipers, etc. were remotely controlled via the Internet. In another test, it was reported that the PIN code authentication required for remote control was breached by a brute-force attack.

Case 4: Infection of IoT devices by malware

When things become computers, it seems that they are often fitted with existing operating systems (OS), such as Linux and Android. And if an existing OS is used, the device also inherits the risk of the threat of existing malware.

Examples of damages to IoT devices include the infection of Android-based smart TV boxes caused by backdoors and ransomware. In the future, we expect that not only will this sort of damage caused by existing malware continue. We also anticipate malware that specifically targets IoT devices to appear.

In 2016, Android-based smart TV boxes were attacked by known malware. In one case, a backdoor was employed, and in another, ransomware was used. We expect to see more malware targeting specific IoT devices in the future.

Case 5: The compromise of home routers

The household router plays an important role in safely connecting home IoT devices to the Internet. Cybercriminals have already tried various attacks on the household router.DNS changers have already caused widespread damage. A DNS changer is a malicious program that looks for routers on the same network and changes their DNS settings. It does so by breaking through password authentication or exploiting their vulnerabilities. Once a router’s DNS settings have been changed, users of all devices that are connected to the Internet via a router whose DNS settings have been changed face the risk of being misdirected to malicious sites when accessing legitimate sites.

We know that actual cases involving DNS changers include users being misdirected to malicious sites that end up infecting their PCs with malware such as fake security software and clickers. Other risks include misdirection to phishing sites, changing the ads displayed on legitimate sites, preventing users from obtaining information by blocking their access to legitimate sites, and intercepting communications using man-in-the-middle attacks.

Security measures that IoT users should be aware of

In all these cases, attacks are mainly caused by three factors. They are the breaking of authentication and exploitation of vulnerabilities, as seen in cases 1, 2, 3 and 5, and malware attacks against users as shown in case 4.

Removing factors that cause attacks is in itself a challenge in security. In other words, in terms of security measures for IoT devices, it is important to be wary of these three factors and to think of ways to eliminate them.

If you want to use an IoT device at home, you must first consider whether or not it needs to be directly connected to the Internet. If not, you should prevent direct access of the device from the Internet by using a router or some other solution. Furthermore, as well as always enabling password-based authentication for connections to devices, you need to avoid using the default password or passwords that are easy to guess. If you have the option of automating device updates, you should enable that as much as possible and strive to always use the latest version.

The more popular and common IoT devices become, the greater the possibility of scenarios involving social engineering against users. For example, in the same way that they attack PC users, attackers will probably try to trick IoT device users into installing malware by pretending that they are useful tools, security measures, or update programs.

In order to prevent security breaches in IoT devices, developers need to produce more secure systems and formulate stricter standards. Users also need to be aware of security issues.

The current level of awareness about security of IoT devices is indicated by the fact that there are many devices that are directly connected to the Internet without any authentication set up. This can be seen in the unauthorized sites streaming footage from network cameras mentioned earlier in Case 2. It also seems that users have not fully appreciated the need to update these devices, including routers.

Maybe users are completely unaware of the possibility of malware running on IoT devices. They also need to recognize the sort of security risks in IoT devices and routers that we have described, as well as the need for security measures against them.The fact that everything is connected to the Internet means that everything has become a computer. Having the same security awareness that you currently have about your PCs is the first step to protecting your IoT devices.

Katsuyuki Okamoto
Katsuyuki Okamoto

Trend Micro Inc. Security Evangelist

Katsuyuki joined the Trend Lab Japan Virus Team in 1999 and did extensive product technical support work for many years. He now mainly deals with general network threats as a senior anti-threat analyst in Regional TrendLabs, a domestic specialized research institute established in 2007. As a security evangelist, he constantly strives to raise awareness of security issues and technology.

Recommended Video

Cybersecurity Risks in Complex IoT Environments

Company Information

Security Blog