Product Security Glossary

IoT Attacks

What are IoT Attacks? 

IoT attacks happen when bad actors try to compromise the security of an Internet of Things (IoT) device or network.  When devices are compromised, attackers can steal or manipulate sensitive data, join IoT devices to a botnet, or take control of a system. 

Why are IoT Attacks Bad? 

There are billions of IoT devices in the world, which all collect loads of data in real-time.  These data, if intercepted, could supply an attacker with information about the environment in which the devices operate, about the user’s interaction with the devices, and even information about the user.  Login credentials, health data, location data, and other sensitive personal data can be used for nefarious purposes by bad actors, and all of it could be obtained through IoT attacks. 

IoT attacks can help facilitate physical types of crime.  Recently, some IoT-connected surveillance cameras came with a software bug that allowed attackers to replace the cameras’ legitimate video footage with their own.  This allowed the attackers to delete any footage of themselves or their gang members committing burglary, murder, assault, or whatever else. 

In addition to privacy concerns, IoT attacks also come with safety concerns.  When attackers compromise industrial controllers that are connected to the IoT, they could cause severe damage or destruction to either manufacturing equipment or personnel.  Several years ago, a pair of security researchers demonstrated to a very scared journalist that they could find his IoT-connected car while he was driving, and take complete control of it. 

If this weren’t bad enough, attackers can also penetrate an entire corporate LAN through poorly-configured IoT devices.  One of the more common techniques is to break into an IoT-connected printer, and use it as the pivot point. 

What are the Attack Vectors for IoT Attacks? 

There are three main attack vectors for IoT attacks. 

The first one is the devices themselves.  Devices with either a flawed or outdated design can present rich targets for attackers.  In the past, device security was often an afterthought, so proper security didn’t get designed into the product.  Newer devices with a proper security design can still have security bugs in their firmware, which requires that they be updated whenever these bugs are found. 

Communications channels present another vector for IoT attacks.  Devices communicate with each other, with a local base station, or even with a cloud-based service over various IoT communications protocols.  These protocols must be secured to prevent compromise of either the device or the network. 

Applications and software present the third vector for IoT attacks.  For example, if a device has a web-based front-end, flaws in the web application could allow an attacker to steal the user’s credentials, and break into the device. 

Can We Prevent IoT Attacks? 

To prevent IoT attacks, several things must happen.   

First, device manufacturers need to include security as part of the entire design process, not just as something to be added on to the finished product. Devices must have proper access controls on critical configuration files, limit to minimum potential attack surfaces, and use up to date software components with no known vulnerabilities. Also, device manufacturers should stay on alert and quickly patch new vulnerabilities that are discovered before they are weaponized. 

Users need to ensure that the devices are properly configured, and that all data that the devices gather are properly secured and accounted for. 

Organizations that use IoT devices need to assume that their devices can be compromised and develop mitigation strategies to contain the damage.  Incident response teams should also be on hand in case of any security breaches. Organization should use tamper-proof enclosures for devices that can’t be kept in a restricted area. Organizations should also purchase only from device manufacturers the implement security by design, and if in doubt, test devices as part of purchasing process.  

IoT attacks can be bad, but the threat can be mitigated with proper device design and security procedures.