ECE3501: IOT FUNDAMENTALS

MODULE 3 - IOT SECURITY AND

PRIVACY

Security and privacy risks, analyze security

risks, Technologies and methods that
mitigate security,
Privacy standards and regulations, Social
and privacy impacts

1 06.08.2020-G2
It’s not just PCs and smartphones we should worry about anymore, but
a wide range of Internet-connected devices such as thermostats, smart
meters, self-driving cars and even voice assistant devices such as
Amazon’s Alexa.

Risk by Internet
(e.g. public)
Risk by IoT Devices

Risk by Cloud
(e.g. open source)

WHAT DO WE DO WHEN THE TECHNOLOGY

AROUND US MALFUNCTIONS???? 2
AN MALICIOUS HACKER CAN OBTAIN
FROM AN IOT DEVICE ______________??

Information

3
WHY IS IOT / INTERNET OF THINGS
SECURITY IMPORTANT?

 In 2016, the Mirai botnet launched one of the

biggest DDoS attacks ever recorded. More than 1
terabyte per second flooded the network of Dyn, a
major DNS provider, and brought down sites such as
Reddit and Airnbnb.
 But what made this attack so special was that it
was the first to be carried out with IoT
devices. Nearly 150,000 compromised smart
cameras, routers and other devices all enslaved into
a single botnet, focused on a single target.
 The Mirai botnet however is much bigger! By some
estimates, it contains millions of enslaved devices.
And it wasn’t even that hard to create in the first 4
place.
CONTD..
 Manufacturers use a handful of default password and
usernames to protect an IoT device.
 Had a few hundreds/ thousands of password combinations
to protect tens of millions of smart devices.
 All it took were a few simple lines of code, designed to
test each of those default passwords. A device could
be hacked and enslaved within a few seconds, so
long as the user didn’t change the standard login
information.
 But IoT botnets aren’t the only type of threat.
 Researchers have proven more than once that it’s
possible to physically take control of a car by breaking
into apps that control onboard software. For now,
this has only been done in experimental situations,
but as Internet-connected cars gain ground, it’s only a
matter of time until it happens to someone,
somewhere. 5
FOR EXAMPLE
 Researchers from the Russian cybersecurity firm
Kaspersky for instance, managed to open up car
locks, simply by hacking into an app.

6
INTERNET OF THINGS
---SECURITY VULNERABILITIES
 Simplicity and ease of use are crucial
principles in the IT and electronics industry.
Every software and device out there is designed
to be as easy to use as possible, so as to not
confuse consumers and discourage them from
using the product.
 Unfortunately, this often means that some
products cut corners, and don’t implement
security features consumers might find “too
clunky”.

7
INTERNET OF THINGS
---SECURITY VULNERABILITIES
 The process of identifying assets and threats in
an organization is known as “Threat
Modeling”

 Insecure default login credentials

 Poor software updates

 The communication isn’t encrypted

 Insecure user interface

 Poor privacy protection

8
INSECURE DEFAULT LOGIN
CREDENTIALS

 In practice, they might hide the “Change

password/ Username” options deep in the UI, out
of sight for most users. No wonder so many
people kept their default user names and
passwords.
 If each Internet of Things device had a
randomized username and password, Mirai
might not have happened in the first place. But
that is too expensive a process in competitive
industries with razor-thin profit margins.

9
POOR SOFTWARE UPDATES

 What’s more, many Internet of Things

creators don’t even patch or update the
software that came on their devices. If your
device has a software vulnerability (nearly 100%
chance that it does), there’s little you can do to
prevent an attacker from exploiting it without
help from the manufacturer.

10
THE COMMUNICATION ISN’T ENCRYPTED
 Other IoT devices lack basic encryption to hide the
data sent between the device and the central server.
This can potentially expose the user’s personal
information, if a malicious hacker can snoop in on his
personal information.
 Another thing that Internet of Things devices do, is that
some of them ask for more permissions than they need
to.
 One time, numerous Amazon Echo users were surprised
to see their device ordering dollhouses after a TV
anchor said the phrase “Alexa ordered me a dollhouse”.
 In that case, the device had permission to do a purchase
all by itself. Each extra permission in an IoT device
adds another vulnerability layer which can be 11
exploited. The fewer permissions, the more secure your
device is.
INSECURE USER INTERFACE

 A device’s user interface is usually the first thing a

malicious hacker will look into for any vulnerabilities.
For instance, he might try to manipulate the “I forgot
my password”, in order to reset it or at least find out
your username or email.
 A properly designed device should also lock out a user
from attempting to login too many times. This
stops dictionary and brute force attacks that
target passwords, and greatly secures your device
credentials.
 In other cases, the password might be sent from the
device to the central server in plain text, meaning it
isn’t encrypted. Pretty bad if someone is listening in
on the device and reading all of your data. 12
POOR PRIVACY PROTECTION

 Internet connected devices are data-hungry

beasts, but some of them have a greater appetite
than others. The less information they have
on you, the better, since it limits how much a
cybercriminal can learn about you if he hacks the
device.
 As a rule, try to look into what type of data a
device will store about you. Be critical of
those that harvest data they don’t need, such as
coffee machines storing your location
information.
13
THE MAIN TYPES OF ATTACKS AGAINST
IOT DEVICES
 Smart devices can be hacked in a number of
ways, depending on the type of vulnerability the
attacker decides to exploit.

14
ATTACKS AGAINST IOT DEVICES

15
RECOMMENDATIONS TO IMPROVE IOT SECURITY

 The ability of IoT readily adapt with the ever

changing environments and build up
trustworthy redundancy is labeled as “Fault
Tolerance”

16
RECOMMENDATIONS TO IMPROVE IOT SECURITY

To avoid software
To improve data
attacks
privacy i.e to
avoid Man in the
middle, sniffer

To avoid Denial of
17
Service attacks
To avoid physical attacks
VULNERABILITY EXPLOITATION
 Every software has its vulnerabilities. It’s nearly impossible
not to. Even Google, with all its resources, hasn’t been able to
stamp them out from Chrome.
 Depending on the type of vulnerability, you can use them in
multiple ways.
 Buffer overflows. This happens when a device tries to store
too much data into a temporary storage space. This excess
data then spills over into other parts of the memory space,
overwriting it. If malware is hidden in that data, it can end
rewriting the code of the device itself.
 Code injection. By exploiting a vulnerability in the
software, the attacker is able to inject code into the device.
Most often, this code is malicious in nature, and it can do a
multitude of tasks, such as shutting down or taking control of
the device.
 Cross Site Scripting. These work with IoT devices that
interact with a web-based interface. Basically, the attacker
infects the legitimate page with malware or malicious code, 18
and then the page itself will infect the IoT device.
IOT VULNERABILITY EXPLOIT

19
MALWARE ATTACKS

 The most frequent and well known malware

attacks on PCs target a device’s login credentials.
But recently, other types of malware such
as ransomware have made their way onto IoT
devices.
 For one, many base their operating system on
Android, so the malware is mostly interoperable,
requiring only minor modifications.
 Smart TVs and other similar gizmos are most
exposed to this kind of threat, since users might
accidentally click on malicious links or download
infected apps. 20
21
PASSWORD ATTACKS

 Password attacks such as dictionary or brute

force target a device’s login information by
bombarding it with countless password and
username variations until it finds the right one.
 Since most people use a simple password these
attacks are fairly successful. Not only that, but
according to one study, nearly 60% of users
reuse the same password. So if an attacker
gets access to one device, they get access to all
devices.

22
23
SNIFFING / MAN-IN-THE-MIDDLE
ATTACKS

 In this attack, a malicious hacker intercepts the

Internet traffic that goes into and out of a smart
device.
 The preferred target is a Wi-Fi router, since it
contains all the of the traffic data sent of the
network, and can then be used to control each device
connected to it, even PCs or smartphones.

24
25
SPOOFING

 Spoofing works by disguising device A to look like

device B. If device B has access to a wireless
network, then a disguised device A will trick the
router into allowing it on the network. Now that
the disguised device A can communicate with the
router, it can inject malware into. This malware
then spreads to all other devices on the network.

26
27
BOTNET ENSLAVING

 Internet of Things devices are prime candidates

for a botnet. They are both easier to hack, and
harder to diagnose if they’re compromised.
 Once your device is enslaved, it can be used for a
wide variety of cybercriminal activities, such as
DDoS attacks, sending spam emails, performing
click fraud (basically using the enslaved device to
click an ad), and Bitcoin mining.
 Mirai is the biggest IoT botnet we know about,
and it was built on the backs of default
passwords and usernames.
28
29
REMOTE ACCESS

 Taking control of an IoT device doesn’t sound so menacing

at first glance. After all, it’s not as if a malicious hacker
could poison you if he hacked your coffee maker.
 But things will quickly get serious if the attacker takes
control of your car as you’re driving it. This isn’t even
hypothetical situation, it’s actually been done, albeit by
cybersecurity researchers. In that example, the whitehat
hackers were able to hack into the car’s braking
system and acceleration.
 Some people now use smart locks to secure their homes,
but ultimately they’re just software on hardware. At DEF
CON 2016 (the biggest hacker conference in the
world), researchers tested out 16 smart locks, and
proved how many of them used very simple security
features such as plain text passwords. Others were
vulnerable to device spoofing or replay attacks. 30
31
DATA LEAKAGE

 Smart devices process a lot of personal information, such as:

 medical data
 location data
 usage patterns
 search history
 financial information, etc.
 Whitehat researchers proved it was able to hack into a smart
speaker and analyze data from its sensors to figure out if you are
home or not. This would be extremely useful for a burglar seeking
empty homes to steal from.
 In a fairly high profile case, the German government banned a
children’s doll because it recorded so much information, it was
labeled as a “spying tool”.
 Devices which leak information from inside the privacy of
your own house are dangerous for a wide variety of reasons.
Recordings of sensitive conversations and intimate acts can then be
used as blackmail tools against a person or outright publicized to
damage a person’s image.
32
33
 A more worrying scenario is the possibility of hacking IoT
devices used in the healthcare industry. In theory, a
cybercriminal could hack a pacemaker or an insulin pump,
and then demand a ransom from the victim in order to keep
the devices working properly.
 But sometimes it’s the central server that leaks
information.
 Sometimes, companies are the ones that leak information, and
not the devices. Such was the case of a teddy bear that spilled
recordings from nearly 2 million kids and parents.
 This kind of information goes into the company’s cloud. If
that’s compromised, chances are each one of its consumers are
also hacked.
 One major weakness of Internet of Things devices is that is
that many of them send data over unsecured ports. In other
words, you can actually see the data live, without requiring a
password and username. All it takes to view this data is a paid
account at Shodan, and you’re set. 34
WHY THERE ISN’T A WIDELY AGREED UPON
SOLUTION TO TRAFFIC FILTERING

 Another possible way to limit the damage caused by

Internet of Things devices is to filter out some of the
bad traffic sent over the wider Internet.
 ISPs could theoretically identify and filter out any
malicious traffic they see on their network. But the
process wouldn’t be foolproof, and false positives
would be a likely possibility.
 Another possibility would be for traffic filtering to be
applied at a user level. Smart and secure traffic
filtering hardware such as Bitdefender Box or Luma
Wi-Fi System are making their way onto the market,
with more to come. Unfortunately, they are expensive
and it remains to be seen if users will consider them
as worthwhile investments. 35
HOW TO IMPROVE YOUR INTERNET OF
THINGS SECURITY

36
CHANGE YOUR DEFAULT PASSWORDS AND
USERNAMES

 The Mirai malware is still out there, actively seeking

out more IoT devices to enslave into the botnet.
Fortunately, it’s a fairly simple malware, and can be
easily countered by setting up a strong and secure
password and changing your default username.
 For the best results, we recommend you make the
password at least 10 characters long, and use at least
1 capitalized letter, 1 normalized one, 1 number and 1
special character, such as an * or a &.
 Here’s a website you can use to figure out how
strong your passwords are.
 Also, try to have a different password for each
device. That way, if one device gets hacked, then you
can rely on the other ones. 37
AS MUCH AS POSSIBLE, UPDATE TO THE
LATEST SOFTWARE

 The manufacturers of the best IoT devices release

frequent updates to improve functionality and also
patch security vulnerabilities. For this reason, try to
make sure your device receives these
updates whenever they are available.
 Unfortunately, not all manufacturers release updates
on a regular basis. Many don’t even bother to update
them at all, and effectively abandon the customer to
his own devices (pun intended).
 When you’re in the research phase of a
purchase, look into the update cycle of the
product. If you can’t find one, and reviewers are
openly lamenting the non-existent software updates,
then chances are that company wants to cut costs.
And frequently, that means cutting costs from
customer support as well. 38
This is the update policy for a software called Open Nebula. Not all
developers are this thorough in their patching policy, but it should give you
an idea as to what constitutes good practice.
On a more similar note, here’s a small sample of Microsoft’s update
policy for various Windows software versions.
39
40
LOGIN LOCK SETTINGS
 Even strong passwords and custom usernames
can be vulnerable to a dictionary or brute force
attack. These will bombard a login page with
countless password combinations, until it hits the
right one.
 iPhones for instance, have a setting which locks
the PIN authentication after too many attempts.
At the 10th attempt, it completely wipes the
device.
 IoT devices with good built-in security should
have a similar option you can use to ensure their
login integrity. 41
TWO-FACTOR AUTHENTICATION

 The Internet of Things has lagged behind other

services in implementing two-factor
authentication, but recently Nest announced it
will roll out two-factor authentication to
secure it’s thermostats and smart cameras.
 For the time being, most devices don’t have two-
factor authentication, but as the industry
matures, the feature will become more and more
prevalent.
 In the meantime, be sure to activate it whenever
your devices support it.
42
PHYSICAL WEAKNESSES IN IOT DEVICES

 Sometimes, all it takes to infect a PC is to

introduce a USB stick in it and let Windows
autorun the USB, and by implication the
malware.
 The same principles apply to smart devices. If it
has a USB in it, then all a malicious hacker has
to do is to plug it in, wait a bit, and that’s it.
 If you can, try to place your device in such a way
so that sticking a USB stick in it isn’t a straight
forward process.

43
ENCRYPTION

 Most smart devices work by communicating with

a central server, Internet network or
smartphone. Unfortunately, the information isn’t
properly encrypted in most cases. Either the
devices are too small to carry a strong processor,
or the manufacturer decided to cut costs
(including security features).
 Whenever available, we strongly recommend you
activate the option to encrypt the data it sends
and receives.

44
CREATE A SECOND NETWORK FOR YOUR IOT
DEVICES

 A good way to secure your smart devices is to

create a separate network for them to
communicate in. This network isn’t connected to
the Internet, and so there is minimal chance for
malware to make its way on your devices.
 This system does come with a set of drawbacks
however. If you want to control your smart
devices from your phone, you’ll need to switch
between Wi-Fi’s to control your IoT network. In
this case, you either have to learn to how
automate everything, or use Z Wave switches to
go between networks. 45
SECURE YOUR HOME WI-FI

 Your Wi-Fi router is one of the first attack points for a malicious
hacker. To make sure it is secure, we suggest you do the following:
 Use a strong and secure password.
 Change your username, and make it non-recognizable. Don’t make it
easy for an attacker to identify which Wi-Fi is yours.
 Set up a firewall to protect your Wi-Fi. In most cases, the firewall will
be software based, but some routers come with a hardware one
preinstalled.
 Disable guest network access for your wireless network. Here’s a
guide to disable this for Linksys routers.
 A guest network is a second Wi-Fi created from your router, which
limits access to your “core” network. In theory, it should offer extra
security, by isolating guests on the separate network. However, most
Wi-Fi routers set up an insecure guest network, which can act as a
window to your core Wi-Fi.
 Here’s a more in-depth guide on how to protect your wireless
network from outside intrusion that you might find useful.

46
DISCONNECT THE DEVICE FROM THE
INTERNET WHEN YOU DON’T USE IT

 Devices such as Smart TVs don’t need to be

permanently connected to the Internet. By
keeping them off the Internet, you limit the time
interval in which a cybercriminal could attempt
to break its security.

47
READ THE DEVICE MANUAL FOR ANY
SECURITY TIP YOU MIGHT FIND

 Most people only use a device’s manual during

installation and to figure out how to use it. But
manuals often contain a lot of useful tips and
tricks that can improve the performance of a
device and make it more secure. Take your time
and go through the manual to see if there’s
anything you might find useful in it.

48
DOWNLOAD SECURITY APPLICATIONS

 Some smart devices such as TV’s are powerful

enough to run apps. Even simple, free versions of
antivirus apps can significantly boost your
security.
 For the best results, we recommend you use the
paid version of an antivirus app, since it will
unlock its full functionality.

49
USE A HARDWARE SOLUTION TO SECURE
YOUR IOT NETWORK FROM OUTSIDE
ATTACKS

 A dedicated security solution for your IoT network

can make all the difference between an infected or
clean device. There are quite a few security solutions
available, even if the market isn’t as developed as it is
for desktop or mobile.
 Here are some viable software/hardware products you
can use, with a link explaining how they work.
 Bitdefender Box.
 Luma Home WiFi System.
 F-Secure Sense (not yet available, but you can
preorder it).
 Norton Core (also not available, but up for
preorder).
50
 Dojo (up for preorder).
51
 IoT is one of the biggest technological trends
since the smartphone, and promises to be just as
impactful. Unfortunately, the promise and
opportunity they offer are just as tempting for
cybercriminals as they are for regular customers.
 On the bright side however, the IoT industry
knows its shortcomings, and together with
cybersecurity experts and companies are moving
forward to improve on their track record.

52
IOT SECURITY ISSUES

 Public Perception: If the IoT is ever going to truly take off, this needs to be
the first problem that manufacturers address. The 2015 Icontrol State of the
Smart Home study found that 44% of all Americans were "very concerned"
about the possibility of their information getting stolen from their smart home,
and 27% were "somewhat concerned." With that level of worry, consumers
would hesitate to purchase connected devices.
 Vulnerability to Hacking: Researchers have been able to hack into real, on-
the-market devices with enough time and energy, which means hackers would
likely be able to replicate their efforts. For example, a team of researchers at
Microsoft and the University of Michigan found a plethora of holes in the
security of Samsung's SmartThings smart home platform, and the methods
were far from complex.
 Are Companies Ready?: AT&T's Cybersecurity Insights Report surveyed
more than 5,000 enterprises around the world and found that 85% of
enterprises are in the process of or intend to deploy IoT devices. Yet a mere
10% of those surveyed feel confident that they could secure those devices
against hackers.
 True Security: Jason Porter, AT&T's VP of security solutions, told Insider
Intelligence that securing IoT devices means more than simply securing the
actual devices themselves. Companies also need to build security into software
applications and network connections that link to those devices.

53
IOT PRIVACY ISSUES

 Too Much Data: The sheer amount of data that IoT devices can generate is
staggering. A Federal Trade Commission report entitled "Internet of Things:
Privacy & Security in a Connected World" found that fewer than 10,000
households can generate 150 million discrete data points every day. This
creates more entry points for hackers and leaves sensitive information
vulnerable.
 Unwanted Public Profile: You've undoubtedly agreed to terms of service at
some point, but have you ever actually read through an entire document? The
aforementioned FTC report found that companies could use collected data that
consumers willingly offer to make employment decisions. For example, an
insurance company might gather information from you about your driving
habits through a connected car when calculating your insurance rate. The same
could occur for health or life insurance thanks to fitness trackers.
 Eavesdropping: Manufacturers or hackers could actually use a connected
device to virtually invade a person's home. German researchers accomplished
this by intercepting unencrypted data from a smart meter device to determine
what television show someone was watching at that moment.
 Consumer Confidence: Each of these problems could put a dent in
consumers' desire to purchase connected products, which would prevent the IoT
from fulfilling its true potential.

54
SECURITY RISKS
 IoT devices are connected to your desktop or
laptop. Lack of security increases the risk of your
personal information leaking while the data is
collected and transmitted to the IoT device.
 IoT devices are connected with a consumer
network. This network is also connected with
other systems. So if the IoT device contains any
security vulnerabilities, it can be harmful to the
consumer’s network. This vulnerability can
attack other systems and damage them.
 Sometimes unauthorized people might exploit the
security vulnerabilities to create risks to physical
safety. 55
PRIVACY RISKS
 In IoT, devices are interconnected with various
hardware and software, so there are obvious
chances of sensitive information leaking through
unauthorized manipulation.
 All the devices are transmitting the user’s
personal information such as name, address, date
of birth, health card information, credit card
detail and much more without encryption.

56
CONTD.,

57
CONTD.,

58
IOT SYSTEM FUNCTIONALITIES- FROM
SECURITY PERSPECTIVE

59
CONTD.,

60
SECURITY ARCHITECTURE

61
SECURITY ARCHITECTURE

62
SECURITY ARCHITECTURE

63
SECURITY ARCHITECTURE

64
CHALLENGES IN IOT SECURITIES

65
CONTD.,

66
CONTD.,

67
CONTD.,

68
69