IoT: Internet of Things or Intrusion optimising Technology?
Developing on episode 3 of our podcast, security in terms of the Internet of things(IoT) is probably the vice of modern computer applications. It is the least discussed and hence least prepared for while being the most dangerous. We at BugBase believe that IoT security should be considered from the design phase itself and our BugBounties would play a major role in this regard.
But why you may ask? Here’s a breakdown of why:
What is IoT?
The Internet of Things, or IoT, refers to the billions of physical devices around the world that are now connected to the internet, all collecting and sharing data. Increasingly, IoT devices are using AI and machine learning to bring intelligence and autonomy to systems and processes, such as autonomous driving, industrial smart manufacturing, medical equipment, and home automation. Many of these devices are small, power- and cost-constrained microcontroller-based systems
Connecting up all these different objects and adding sensors to them adds a level of digital intelligence to devices that would be otherwise dumb, enabling them to communicate real-time data without involving a human being. The Internet of Things is making the fabric of the world around us smarter and more responsive, merging the digital and physical universes.
History of IoT
Kevin Ashton coined the phrase ‘Internet of Things’ in 1999, although it took at least another decade for the technology to catch up with its full potential. However, apart from some early projects — including an internet-connected vending machine — progress was slow simply because the technology wasn’t ready. However, increased use of RFID tags and the adoption of IPv6 helped scale up its usage.
Hacking into IoT for Noobs
The issue with IoT is, in its essence every component of the entire system architecture is hackable.
Security is one of the biggest issues with the IoT. These sensors are collecting in many cases extremely sensitive data — what you say and do in your own home, for example. Keeping that security is vital to consumer trust. But so far, the IoT’s security track record has been extremely poor. IoT devices give little thought to the basics of security, like encrypting data in transit and at rest.
When the cost of making smart objects becomes negligible, these problems will only become more widespread and intractable. Flaws in software — even old and well-used code — are discovered on a regular basis, but many IoT devices lack the capability to be patched, which means they are permanently at risk. Hackers are now actively targeting IoT devices such as routers and webcams because their inherent lack of security makes them easy to compromise and roll up into giant botnets.
Hacking IoT: What it really is
Hacking IoT can be broadly classified into surface-level(Software) and component attacks which employ starkly different methods of penetration.
Surface level penetration involves manipulating or modifying the memory management or how the device recognises the individual pins via its firmware to either carry out extensive phishing attacks or just fry the device itself. Components such as JTag(Which essentially provides debugging tools) can be manipulated to repack or modify the firmware to suit a malicious intent.
For example, on a simpler embedded device (for example, a “smart” lock/smart safe), leveraging on JTAG can be fairly straightforward:
- Dump the bare metal firmware via JTAG,
- Reverse engineer it to determine the details of its operation (such as the function which performs validation on the entered PIN code).
- Either use the JTAG interface to re-write the firmware in flash or flip some bits in memory (in this example, to trick the PIN code check logic into accepting an invalid PIN code).
Firmware can contain sensitive information, such as encryption keys, API keys, and other
hardcoded secrets. Rogue code can either be used to infiltrate and gain control of the code execution, target sections of the OS or modify and sabotage the firmware and hence the functioning of the device itself.
However, surface-level attacks are just the trailer to forms of component-specific attacks aimed at destroying the functionality or components of the device. Communication protocols heavily rely on electronic switching mechanisms and short bursts of directed electromagnetic(e-m) pulses to disrupt their functionality. It also generates electromagnetic (EM) fields surrounding them, which have the potential to leak data.
This threat in my opinion has far-reaching consequences with potential applications with terrorists, criminals and non-state actors to disrupt critical infrastructures such as telecommunications, power networks, financial systems, medical care, broadcast media, industrial plants, traffic control systems, food and water supply, critical manufacturing, mass transit, and others.
Some of the common facts about component-specific attacks:
- Products like ESD guns, speed guns and LiDAR’s which you can walk into any supermarket and buy, could potentially be used as ray guns for em disruption mechanisms
- The vast range of sizes that these emitters make them virtually impossible to detect
- In most IEMI attacks, the purpose is to deliver sharp high-voltage pulses that can
- momentarily disable digital devices
From the above analysis, the conclusion is obvious. all of the major components of IoT systems can be exploited in dangerous ways. Thus the only way one can ensure a fool-proof method of resistance is to secure every node in a server independently invariably boosting the stability of the server itself.
Conclusion
We at BugBase believe that regardless of the scale or the type of environment an IoT system is built into, security should be considered from the design phase to better integrate it in every aspect of the system — it should not be a mere accessory and thus BugBounty platforms like ours play a major role with this regard
BugBase is India’s first consolidated platform for companies to host crowdsourced bug bounty programs that can be reached out to by ethical hackers and develop a security enthusiasts community all over the country.
Our website: https://bugbase.in/