Before I move on to security proper, let’s sort out what the the internet of things actually means.
There are several definitions at this point, but I think definitions can limit the potential of the IoT technology so memorising them all is a waste of time. But let’s analyse one of the common definitions:
The internet of things is a network of devices embedded with connectivity features and controlled via the internet, which enables them to exchange data with each other.
In the author’s opinion, if a device can only function within a local network, then it’s not an IoT device. I can prove this wrong. Even if it’s not connected to the open internet, it can still be in a group of smart things, such as a portable Bluetooth speaker that allows you to save music to the device’s memory. There are lots of misconceptions like that online. Think broader.
However, thinking globally is too broad a scope for a single article, so let’s set some restrictions. Let’s consider smart things as objects around us equipped with hi-tech stuffing (small microcontroller boards) that have additional features which can be leveraged by regular users to perform routine tasks at home, at work or outdoors.
Let’s get back to security. Considering this domain covers numerous protocols, programming languages and hardware components, what kind of knowledge do you need to assess IoT protection?
The right answer is: there is no answer. You’ll spend a month looking into a certain technology, then all of a sudden the manufacturers start using something new. The only reasonable approach is to study the ins and outs of smart devices, including:
Expertise in the above technologies, even superficially, is a great starting point for mastering IoT security – but knowledge alone may not be enough. Fully-fledged security analysis needs additional equipment and gear that includes:
Watch the video below – a DEF CON 25 presentation by Elvis Collado called Reversing and Exploiting Embedded Devices – for more information on the necessary gear.
Now we have the right equipment to hand, let’s see what the main testing stages are.
The first stage comes down to searching for device information without interacting with it physically. You can obtain this data from publicly available sources most of the time.
Also, devices often have FCC (Federal Communications Commission) ID that allows you to easily find documentation about it and the list of supported frequencies. For a start, try to find the details about some smart device you often use.
Next, you need to figure out what things may interact with the device and which communication channels they may use. It can be a mobile app communicating over a local wireless network, a remote control device with infrared port, an online-accessible cloud, sensors functioning via a radio channel (such as Zigbee), and the like.
The next thing on your to-do list is to determine what threats you need to check every device for. For example, you can check communication over a local network for protection against man-in-the-middle attacks. You might also want to check whether or not a control web interface uses a default password.
Meanwhile, let’s not forget that we should separately analyse the device itself as a physical entity – due to hardware security for the most part. This will allow us to see whether it’s possible to interact with the embedded board directly, all the way to extracting the microcontroller and accessing the console.
Simply put, the IoT security scheme boils down to the following:
Let’s now create a roadmap for a specific device.
Suppose we purchased a Chinese IP camera X. We’ll start the analysis with scrutinising the packaging. The manufacturer promises the following:
Having examined the documentation, we find out that the camera works within local network only but, most likely, allows firmware updates over the internet.
First, we should check connections over local and external networks for the possibility of a man-in-the-middle attack. For both mobile and stationary devices, we need to analyse the communication protocol first and only then move on with the protection scheme.
The next thing is to check the web interface for encrypted connection (https) and common web application exploits from the OWASP Top 10 list.
As I have mentioned above, we will analyse the camera itself separately. In most cases, the task boils down to extracting the firmware, which enables us to update the scheme with new details and proceed to white-box testing.
As a quick disclaimer, it’s worth mentioning that testing devices without approval from the vendor isn’t always welcome. At the same time, it’s noteworthy that this practice became legal in the US after the adoption of the Digital Millennium Copyright Act (DMCA).
The basic security steps for IoT devices include:
I have setup a router modem in my home and I manually do all the settings in it to make sure security of my devices. It also helps me monitor which device is connecting to what. I have PureVPN service installed because they have IDS/IPS technology installed on server levels that blocks any malware from connecting to command & center (C&C) servers.
You might be hacked, someone you know, someone you are close to, maybe your spouse has all your devices bugged, or that workmate that seems to be one step ahead of you might be using that spyware trojan on you. its possible you don’t even know this because there a spyware that would just sync with your phone even though you might be losing battery, files, speed and data on your device. Be sure today by contacting the username by mail..They also provide counter measures