IoT Security
IoT Practical Examples
Smart Screens
Smart Traffic
Smart Lights
Smart Robots
Smart Glasses
Smart Copiers
Security Cams
Smart Printer
Risks To Industries
Jamming of sensors
Industrial espionage
Corruption of data from sensors
Loss of data from sensors
Device hijacking
Alteration of data to cause disruption of services (machinery or production plants)
Alteration of data to cause financial losses
Risks to Smart houses
Devices can be used as botnets to launch distributed denial of service (DDoS) attacks.
Remote access/control of devices
Disclosure of personal or sensitive data.
Disabling or bypassing of security systems
Network intrusion
Privacy issues (cameras, microphones, and so on).
Vulnerabilities in IoT
Weak or predictable hardcoded (admin) password
Vulnerable network services enabled
Insecure interfaces (API, backends, etc.)
Lack of security updates
Use of insecure or outdated components
Lack of privacy protection mechanisms
Unencrypted data storage and transmission
Poor device management settings
Insecure default settings
Lack of physical hardening
IoT Network Technologies
LoRaWAN
Uses low-power wide area networks (LPWANs)
Vulnerabilities
Some devices may come with hard-coded encryption keys.
Vulnerable to denial-of-service attacks.
Vulnerable to ACK spoofing attacks.
Vulnerable to replay attacks.
Zigbee
Uses personal area networks (PANs)
Vulnerabilities
They are susceptible to availability attacks through signal jamming (this can be easily achieved due to the band used).
The security is based on the secrecy of the key exchange; therefore, they are susceptible to attacks that sniff the network during the re-pairing of the keys.
Some systems do not support the changing of compromised keys, so once a key is compromised you cannot change the keys to lock the intruder out.
Sigfox
Used to send messages
Vulnerabilities
Due to the low bandwidth, some communication may be sent unencrypted. This presents a risk to the data being transferred.
They are susceptible to availability attacks through signal jamming (this can be easily achieved due to the band used).
Bluetooth
Uses Bluetooth Low Energy (BLE)
Vulnerabilities
Devices are vulnerable to several attacks when in discoverable mode; therefore, this should only be used during setup and turned off after that. However, some devices come with the discoverable option on by default, and do not give you the option to change it. Such devices (normally very low-cost IoT devices) should be avoided.
Security Considerations for IoT
Always research an IoT device before purchasing it, as it may have poor security implementation or an outdated version of the protocol.
Be aware of low-cost devices and sensors, as they may lack encryption or other security mechanisms (to reduce cost).
Make sure that all implementations are carried out by an expert to avoid security holes.
Perform a feature analysis to determine which is the best option for you in terms of speed, bandwidth, and distance.
Isolate the IoT network from your corporate network to avoid additional risks to your main infrastructure.
Improving IoT security
Default passwords
Change all the default passwords of all IoT devices upon installation.
Default users
Default users like Admin are easy to guess for attackers, so changing them will make it
harder for an attacker.
Disable unnecessary features
If an IoT device has options, such as remote connections to the admin panel or vulnerable
services such as Telnet, enabled, then you must disable them.
Insecure systems
Before purchasing any IoT devices, you must check for known vulnerabilities on the web
(for example, at the following URL: https://cve.mitre.org/).
Separate networks
It is always good practice to keep your IoT devices in a private network. This ensures that
the IoT devices are not accessing any sensitive files.
Enabled services and ports
IoT devices may come with several services and ports enabled by default. Therefore, you
must define which services should have internet access and which services should be
intranet only.
Data storage
Check what kind of data is saved on the device and what type of security is applied to that
data. If the data is not securely encrypted when stored, then either disable the saving of
data or create a process to delete all data continuously.
Secure setup
As mentioned, avoid adding a device to the network with the default settings, as that could
be an easy target for attackers.
Physical setup
Make sure that those devices are not accessible by unauthorized people, as an attacker can
press the reset button to enable default login and access the system.
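The items under "Improving IoT security" can be checked mechanically against a device inventory. The following is an added example, not part of the original notes; the subnet, the default user names, the service names, the exposure policy and the inventory are all constructed assumptions.

```python
# Added example: audit a constructed IoT inventory against the hardening checklist.
import ipaddress

IOT_NET = ipaddress.ip_network("10.20.0.0/24")   # assumed isolated IoT segment
DEFAULT_USERS = {"admin", "root", "user"}         # assumed default account names
# Assumed exposure policy per service: "internet", "intranet" or "disabled".
POLICY = {"telnet": "disabled", "http-admin": "intranet", "mqtt-tls": "internet"}

# Constructed sample inventory (not real devices).
INVENTORY = [
    {"name": "cam-lobby", "ip": "10.20.0.15", "user": "admin", "default_password": True,
     "services": {"telnet": "internet", "http-admin": "internet"},
     "storage_encrypted": False},
    {"name": "printer-2f", "ip": "192.168.1.40", "user": "prt-ops", "default_password": False,
     "services": {"http-admin": "intranet"}, "storage_encrypted": True},
    {"name": "sensor-hvac", "ip": "10.20.0.31", "user": "hvac-svc", "default_password": False,
     "services": {"mqtt-tls": "internet"}, "storage_encrypted": True},
]

def audit(device):
    """Return the list of checklist items this device fails."""
    findings = []
    if device["default_password"]:
        findings.append("default password not changed")
    if device["user"].lower() in DEFAULT_USERS:
        findings.append("default user name in use")
    if ipaddress.ip_address(device["ip"]) not in IOT_NET:
        findings.append("not on the isolated IoT network")
    for service, exposure in sorted(device["services"].items()):
        allowed = POLICY.get(service, "disabled")  # unknown services default to disabled
        if allowed == "disabled":
            findings.append(f"{service}: must be disabled")
        elif allowed == "intranet" and exposure == "internet":
            findings.append(f"{service}: exposed to internet, policy is intranet only")
    if not device["storage_encrypted"]:
        findings.append("stored data not encrypted: disable storage or purge regularly")
    return findings

def audit_all(inventory):
    """Map each device name to its list of findings."""
    return {d["name"]: audit(d) for d in inventory}

if __name__ == "__main__":
    for name, findings in audit_all(INVENTORY).items():
        print(name, "OK" if not findings else findings)
```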