Blake Larner and Joshua MacDonald delve into the Internet of Things, what makes IoT devices so vulnerable and why consumers should care about IoT security. This blog is a companion piece to a recent Kivu Coffee Break video, which you can watch here.
What is IoT?
Let’s start with the basics. IoT, or Internet of Things, is an incredibly broad term. At a basic level, IoT is essentially any object with the capability to connect online or communicate information wirelessly. Popular brand examples of IoT devices include iPhones, FitBit smart watches, Ring doorbells, Nest climate control systems and even certain models of fish tanks. From simple sensors to wearables and large appliances, IoT can cover it all.
What type of data is being collected?
Depending on the type of IoT device and its purpose, different types of data can be collected, including user statistics and location history.
If the device is medical in nature hackers may be able to see configuration information and potentially alter it. For example, an insulin pump could be adjusted remotely which could then affect the patient’s blood sugar levels.
Wearable smart devices such as a Fitbit, depending on the model, track step count and heart rate. A particularly dedicated attacker could use statistics generated by smart devices to form a timeline of user activity. Predictions could then be used to determine when you might arrive at certain places or simply not be home.
More precise location data can be gained from devices such as Apple Watch, which communicates with the iPhone, which in turn can store important locations in the privacy settings. Other popular wearable smart devices such as Wear OS by Google are also capable of tracking location history.
Why does a breach matter?
You may think that medical information or step count are of little interest to hackers. However, personally identifiable information, or PPI, is valuable to attackers as it can be sold on the dark web. An attacker might not be able to do much knowing your historical heart rate, but using step count and location history allows someone to learn your habits.
There are other ways attackers can benefit from unsecured IoT devices. Devices such as the Nest Thermostat, for example, could be exposed directly to the internet and become access points for an attacker. Once the connection to the device is established, they can then gain entry to a home network and move laterally to other devices, including those with more valuable information than your preferred living room temperature on them.
Baby monitors are another popular IoT device that may have internet connectivity. In particularly lurid cases hackers have been known to access baby monitors and speak to the baby or threaten the parents. Even some vehicles now contain internet connectivity and have the potential to be exploited by attackers.
Examples of Real Life IoT hacks
A July 21, 2017 article in The Washington Post details a scenario in which hackers accessed a casino’s internet-connected fish tank which allowed them to move laterally across the network and eventually exfiltrate 10 GB of data. A more recent January 31, 2020 WTOP news article recounts a case in which a hacker gained access to a Ring camera account and spoke to an 8-year girl pretending to be Santa Claus. And a February 11, 2020 article on Hackernoon tells of a hacker leaking emails and passwords of 1,999,999 Fitbit users, which would have given anyone access to personal information stored on user accounts, as well as allowed them to extrapolate log-ins for other accounts (this is exactly why re-using passwords is a bad idea).
How are threat actors locating these device?
Because IoT devices are generally connected to other devices, there are a number of ways to locate these. One popular tool is Shodan.io. Shodan is essentially a search engine for internet-connected devices that scours the internet and parses the banners returned by them. Using this information Shodan can then provide details such as open ports, running services, and even known vulnerabilities that could lead to a potential compromise.
Shodan itself is not illegal. In fact, anyone can access Shodan and browse for devices with open ports. In some cases, an individual can directly connect to devices such as webcams or routers and then, using the default password if it has not been changed by the owner, gain access to that device.
Another popular method of locating IoT devices is so-called wardriving. Wardriving is the act of using a laptop or smartphone to search for networks, usually while on the move (hence the “driving”). Wardriving tools such as WiGLE will take user collected data of nearby hotspots (GPS, SSID, MAC Address, Encryption Type) and upload it to the WiGLE map. Using this map, potential threat actors can conduct high level recon of a target to gain details of what may be available at a location as well as specific hardware details and network addresses.
How to secure your IoT devices
There is no way to be 100% safe with any device. However, steps that can be taken to improve security posture are as follows:
- Keep all your smart devices up to date with software or firmware updates from the manufacturer
- Make sure your home router has a built-in firewall
- Ensure that none of your home devices are directly exposed to the internet
- Set unique passwords for the consoles that access these smart devices so that attackers have a harder time accessing them