IoT is said to have improved the convenience of many people and developed many industries. However, there are significant security risks behind its convenience. We will clarify the contents of the risk and introduce what measures can be taken.
IoT security risks are just around the corner
Security risks related to IoT are familiar to us. Let’s take a look at a concrete example of the security risks and back-to-back of IoT, which has made life easier and has greatly developed the industry.
IoT is back-to-back convenience and risk
Today is the time when things are connected to the Internet by the IoT. This means that features will be added to various things and their properties will change.
For example, the refrigerator in every assumption. Until now, it has been used as a single-item home appliance that cools and stores food. However, when this is combined with IoT, it becomes a smart home appliance. Refrigerators, which have become smart home appliances, will be connected to the Internet and have a connection with the outside world. What used to be completed only inside the house will become related to the outside of the house.
Similarly, the equipment used in the field of manufacturing is undergoing major changes due to the IoT. What used to be used only in the field has the potential to connect to any location.
The convenience of home appliances and industrial equipment has been greatly improved by the IoT. On the other hand, having an external relationship means that you can be the target of an external attack. In today’s world of IoT, convenience and security risks are always back-to-back.
What are the possible IoT security risks?
So what are the specific risks of the IoT? The risks lurking in the IoT can be divided into the following three patterns.
- The physical accident was caused by control of equipment
If IoT is installed in the control system, the control system may be subject to cyber-attacks. This can lead to loss of control of industrial equipment, robots, and self-driving cars, leading to physical accidents.
- Information theft by hijacking the interface
By hijacking sensors, interactive speakers, and input/output interfaces, there is a risk that important personal information and corporate management information will be stolen.
- Fear of becoming a contributor to malicious attacks by being used as a stepping stone
A springboard attack is used as a relay point for attacks on other sites and systems. It can be a source of mass spam emails or a relay point for unauthorized access. It also helped make it difficult to identify the source of the attack.
Cases of actual IoT attacks
Unfortunately, not only is it “risk”, but attacks targeting IoT devices are actually happening. Let’s look at a concrete example.
Attack by malware “Mirai”
Increasingly, embedded products such as Internet routers that connect to the Internet, network cameras, and digital video recorders are targeted by attacks. A malware called “Mirai” is used as a means of attack. “Mirai” attacks the vulnerabilities of these IoT devices and enables remote control by downloading bots.
There were two factors behind the spread of damage to “Mirai”.
One of them is that “Mirai” is infectious. “Mirai” searches the network from the infected device once, and when it finds a terminal that can be accessed via telnet, it tries to log in, downloads the bot again, and spreads the infection.
“Mirai” has the ability to spread the damage in this way, but the spread of the infection is also due to the user side of the device. That is the second factor. The easiest target is if the device is open-accessible on the Internet and has an even easier ID and password. In some cases, the password set by the manufacturer at the time of shipment was disclosed, and in many cases, it was not changed as it was. When “Mirai” found an accessible device, it brute-forced easy IDs and passwords such as “admin”, “password”, and “123456” to spread the infection.
Subspecies of “Mirai” have been created one after another, and the spread of damage has not diminished. Recognizing the importance of IDs and passwords and keeping security awareness for both manufacturers and users is an important first step in preventing malware attacks.
Take over IoT products and use them as a springboard for external attacks
A springboard attack is one in which IoT products are hijacked and used to attack the outside world. The means of this hijacking are the malware “Mirai” and a security hole called “BlueBorne” that was discovered as a vulnerability in Bluetooth.
A DDoS attack is known as a typical example of a bastion attack. It is an attack that punctures the processing power of the server and stops the service by sending a large number of processing requests from the hijacked device to the target server.
In addition to this, there are cases where unsolicited e-mails are delivered or operations aimed at information leakage are performed. In Japan, the PC remote control incident that occurred in 2012 is famous, and the fact that a crime was announced by remotely controlling another person’s PC impressed many people with the fear of a stepping stone attack.
The real fear of these bastion attacks is that the owners of the bastion equipment are often unaware that they have been basted. The possibility of being a contributor to the attack without your knowledge is just around the corner.
Information leak from webcam
There are sites that can be accessed from the Internet and can see the images projected by an unprotected webcam. A lot of information is leaked from such images.
For many webcams, the ID and password for network connection are left at the factory, so they are easily accessed and the video is played. This includes security cameras in the facility and surveillance cameras in the factory.
If such video leaks are abused, important corporate information may also be leaked.
What should I do for IoT security measures?
So what kind of measures should be taken against these IoT security risks?
In the “Information Security 10 Major Threats 2019” announced by IPA (Information-technology Promotion Agency), the security risks that occurred in 2018 with the greatest social impact are ranked and announced. Among them, the ranking is divided according to the use by individuals and organizations, but in both cases, “inappropriate management of IoT devices” was ranked the 10th place.
Compared to the previous year, the ranking as a threat to personal use has increased, but the ranking for organizational use has decreased. This means that IoT security measures are in progress at the organizational level. From what point are measures being taken at the organizational level?
From the point of re-recognizing the nature of IoT
In order to deal with the security risks of IoT, management and managers must be reminded of the nature of IoT. The following three properties are important.
- Recognize that you are “connected”
It is true that many people are aware of the usefulness of the IoT, but many do not realize or deeply understand the meaning of being connected to the Internet. We must reaffirm that we are connected to the outside world through IoT and that we can access it from the outside.
- Recognizing the importance of IoT systems as information assets
What is connected by the IoT is an information asset in itself by constantly generating and transmitting and receiving information. It is important to recognize that IoT systems are an important information asset for enterprises and that leakage of this information is a loss of assets.
- Recognizing the importance of security
Recognizing that you are connected to the outside world and that important information is being exchanged will naturally make you feel the importance of security. Let’s reaffirm that risks are back-to-back in the operation of IoT, and security is very important as a risk countermeasure.
Specific IoT security measures
So what are the specific measures to deal with these risks?
- Limited network
The most effective way to prevent attacks from the outside is to block communication with the outside, but that goes against the usefulness of IoT. Therefore, it is necessary to have a system configuration that limits the network and communicates only when and where it is needed.
Let’s take an inventory of communication routes and create a mechanism that can visualize the network configuration. In addition, we will take measures such as not leaving the open port of telnet, which is easy to be targeted, and blocking IoT devices that do not need to be connected.
In addition, the introduction of edge computing, which processes on-site, is also effective as a security measure due to network limitations.
- Do not use the default password
Many malware attempts to invade by brute force ID and password attacks. As a countermeasure, avoid using the default ID and password as they are and use the changed one that is difficult to decipher.
Using IDs and passwords that are difficult to break through is the first step in security measures and the best defense.
- Update to the latest firmware
The means of attacking the IoT are constantly evolving and security holes are constantly being sought. To counter this, the firmware of the application that operates the IoT must be kept up to date.
- Avoid indistinct / unnecessary equipment use / connection
Avoid using equipment that is unclear by the manufacturer or has questionable support. Even if the device is not malicious, it can be a source of vulnerable vulnerabilities. Also, turn off the power of devices with IoT functions that you are not using or do not need to communicate with, or cut off the connection to the network.
The importance of security increases with the spread of IoT
With the spread of IoT, the manufacturing industry has achieved innovative development that is said to be the Fourth Industrial Revolution. On the other hand, it is also a fact that security risks are increasing as all devices are connected to the Internet. Awareness and countermeasures for security are also indispensable for the effective use of IoT.