DZone
Thanks for visiting DZone today,
Edit Profile
  • Manage Email Subscriptions
  • How to Post to DZone
  • Article Submission Guidelines
Sign Out View Profile
  • Post an Article
  • Manage My Drafts
Over 2 million developers have joined DZone.
Log In / Join
Refcards Trend Reports Events Over 2 million developers have joined DZone. Join Today! Thanks for visiting DZone today,
Edit Profile Manage Email Subscriptions Moderation Admin Console How to Post to DZone Article Submission Guidelines
View Profile
Sign Out
Refcards
Trend Reports
Events
Zones
Culture and Methodologies Agile Career Development Methodologies Team Management
Data Engineering AI/ML Big Data Data Databases IoT
Software Design and Architecture Cloud Architecture Containers Integration Microservices Performance Security
Coding Frameworks Java JavaScript Languages Tools
Testing, Deployment, and Maintenance Deployment DevOps and CI/CD Maintenance Monitoring and Observability Testing, Tools, and Frameworks
Culture and Methodologies
Agile Career Development Methodologies Team Management
Data Engineering
AI/ML Big Data Data Databases IoT
Software Design and Architecture
Cloud Architecture Containers Integration Microservices Performance Security
Coding
Frameworks Java JavaScript Languages Tools
Testing, Deployment, and Maintenance
Deployment DevOps and CI/CD Maintenance Monitoring and Observability Testing, Tools, and Frameworks
  1. DZone
  2. Data Engineering
  3. Data
  4. Securing IoT From Attack Vectors Security Innovation

Securing IoT From Attack Vectors Security Innovation

Want to learn more about securing your IoT devices? Click here to learn more about securing your IoT device from attack vectors.

Dinesh Shetty user avatar by
Dinesh Shetty
·
Jul. 09, 18 · Analysis
Like (1)
Save
Tweet
Share
5.56K Views

Join the DZone community and get the full member experience.

Join For Free

What You Should Know —Now

According to a recent Gartner report, it is estimated that 20.4 billion connected “things” will be in use worldwide by 2020. There are already twice as many devices connected to the internet than there are people on our planet.

The concept of IoT and IoT security is no longer new. I am sure, terms like "Hardware Security," "Machine-to-Machine Security," "Connected Device Security," and "Embedded Device Security" ring a bell. While they all have slightly different connotations, these terms all refer to the same concept of an embedded device that is network enabled and part of the growing Internet of things, connected world. IoT forms the basis for some of the most prevalent devices we use in our day-to-day life — smart watches, virtual assistant services, smart home devices, and many more.

There are 2 primary components of any IoT system:

  • Hardware Devices that users use (the "Things"). The main purpose of the device is to provide the user with an interface that they can interact with.
  • Back-End Components that the devices communicate with and perform the lionshare of data aggregation and processes.

There are various attack vectors that can be used to compromise an IoT device:

Firmware Running on The Device

As device manufacturers grapple with time to market pressures, vulnerabilities will not be discovered until after release. Most organizations do not have a proper patch management process in place. If the firmware updates are not cryptographically signed and sent over a secure channel, there is no way of identifying if the firmware was modified before being flashed on to the device. Similar attacks would be valid for an insecurely configured boot loader or if the checks are not performed at every stage of the boot sequence.

Device Hardware

IoT hardware components need to communicate with each other and other devices over standard protocols like I2C or SPI.

Leveraging tools like Bus Pirate (http://dangerousprototypes.com/docs/Bus_Pirate), Shikra (https://int3.cc/products/the-shikra), or Logic Analyzers (https://www.saleae.com/), an attacker with physical access to the device can sniff the data sent over the communication channel and dump the contents of the chips that are storing the data.

In addition to the communication protocol, the physical boards normally have ports like JTAG and UART that are used for debugging purposes. The JTAG port also allows for reading/writing to the firmware post production. If these ports are active in production devices, an attacker can use tools like Jtagulator (https://www.grandideastudio.com/jtagulator/) to extract the existing firmware, reverse engineer its functionality, or to flash a newly modified firmware.

Device Radio and Network Communication

Wi-Fi and Bluetooth configurations present major security challenge when trying to secure IoT devices. The attacks could be based off weak configurations or discovery modes. Lack of Transport Encryption exposes data in transit to tampering by parties that can execute Man-in-the- Middle (MitM) attacks.

For IoT systems, such data, they can include authentication credentials, session identifiers, and private user information. The attacker might also be able to tamper with unencrypted communications in order to alter device behavior, for example, changing the temperature on a networked thermostat.

Radio interface has also become an increasingly common attack surface on many IoTdevices. NFC, RFID, Zigbee, and Z-Wave are some well-known examples. Though relatively newer, an attacker can use a variety of tools to sniff, intercept, and modify these radio protocols.

Mobile, Web, and Other Back-End Interfaces

The back-end interface is often the most exposed and vulnerable component of an IoT solution. Attackers can use the same tools and techniques to attack them as they have been using to attack other web applications. Weak local encryption, hardcoding of passwords, and a lack of secure password policy is far too common and a very lucrative attack vector.

Authentication/Authorization

Strong authentication and authorization are absolute essentials for securing an application domain, especially the Internet of Things. It is a common authorization error to assume that methods on the IoT devices that do not have a calling UI element will not be accessible by that user. Under this false assumption, users may be able to access sensitive information or secure functionality once it is discovered. This can be done by means of tools like Burp Suite (https://portswigger.net/burp) or Mallory (https://github.com/intrepidusgroup/mallory).

The IoT device is only as secure as the hardware and software components that it is made up of. We hope this post will help enterprises secure against the known and the unknown IoT attack vectors out there.

IoT security Data structure

Published at DZone with permission of Dinesh Shetty, DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.

Popular on DZone

  • How to Quickly Build an Audio Editor With UI
  • DevOps Roadmap for 2022
  • PostgreSQL: Bulk Loading Data With Node.js and Sequelize
  • Secrets Management

Comments

Partner Resources

X

ABOUT US

  • About DZone
  • Send feedback
  • Careers
  • Sitemap

ADVERTISE

  • Advertise with DZone

CONTRIBUTE ON DZONE

  • Article Submission Guidelines
  • Become a Contributor
  • Visit the Writers' Zone

LEGAL

  • Terms of Service
  • Privacy Policy

CONTACT US

  • 600 Park Offices Drive
  • Suite 300
  • Durham, NC 27709
  • support@dzone.com
  • +1 (919) 678-0300

Let's be friends: