IOT Devices and Security
IOT Devices... What are they?
IOT stands for “Internet Of Things”, which, in simple terms, means a network of things, objects or smart devices that are all capable of communicating among themselves. These devices work day and night to collect and maintain data and transmit it over the internet to secured databases, and they are intelligent enough to work out what is happening around them and respond accordingly to keep your life quick, easy, simple and sorted. The data from these devices is also analyzed to provide better solutions for an easier life, to alert the customer to any specific pattern observed and simplify rules accordingly, to notify them if anything needs attention, and to provide more customer-centric options that simplify the usage of such devices and get better results from them.
A very common example is a smart thermostat, which is capable of gathering ambient temperature data and turning on the air conditioner if it’s too hot outside. Now, here’s how you are the boss of this smart thermostat: you can define what is “too hot” for you by setting the desired temperature, and the thermostat will respond accordingly to environmental changes.
Similarly, we have another set of such smart devices known as smart cameras, which not only monitor the movements outside your house but also send you notifications when someone suspicious is spotted outside your home or if someone is trespassing at odd hours. These smart cameras work 24/7 to make sure you stay safe and connected to your house no matter where you are!
In a nutshell, IOT devices are devices that are intelligent enough to communicate with each other over the internet to make your life easier and more comfortable. The best thing about these devices is that you needn’t be physically present to control or operate them.
I am sure we all know about thieves in the real world, those people who attack us or get into our physical space, like our home, office or shop, to steal our money or other valuables. Similarly, we also have cyber thieves, who attack us digitally or try to get into our system or digital space, or hack it (take access of it), to steal our valuables (data, money, information etc.) over the internet with an intent to harm us or to benefit themselves. Such attacks are also called cyber attacks, and the people carrying them out with wrong intentions are called by various names like attackers, intruders, hackers, etc.
So, to keep our digital valuables safe and secure, we need to have some security system in place. The most common security mechanism is one that almost everyone is aware of today: passwords. I am sure almost everyone in this world is using some social account or other, and that account is password protected. Passwords are nothing but a way to prevent anyone else from getting access to our account or data. Now you know why we are always told not to share our passwords with anyone and to have strong passwords? Sharing passwords with people is like making a hole in your security system yourself. Passwords are one of the simplest and most common ways to protect data. Similarly, we have OTPs (One Time Passwords), which provide an extra level of security and help us keep our data safe and secure. Now that we understand what security is and why it is required, let’s dive a little deeper to understand some common cyber attacks.
Never feel you are safe on the internet. Anyone who is connected to the internet is equally vulnerable to cyber attacks. To be safe, we just need to be aware of the ways in which we can be attacked and their corresponding
Now that we understand what a cyber attack really is and who the attackers are, let’s understand a few ways in which we can be targeted by these attackers. Following are the 5 most common types of attacks that can hit us at any time over the internet:
Since passwords are the most common form of digital security, attacking a password is also very common. In this type of attack, the attacker tries every possible way to crack your password and gain full access to it. This may include:
1. Trying to reach you directly or indirectly to learn the password
2. Constantly monitoring your network to steal the password from data in transit (eavesdropping)
3. Using special software to crack the encrypted password
4. Changing the password once it is cracked. Watch out for this if your password suddenly becomes invalid.
Some ways to prevent this attack & be safe are:
1. Never write passwords anywhere, be it physical or digital.
2. Never share your passwords with anyone.
3. Always change any default passwords.
4. Always set long and strong passwords that are difficult to crack.
5. Try using a combination of upper case letters, lower case letters, numbers and special characters.
6. Open password protected accounts only on secured and trusted devices.
7. In the worst case, if you ever have to open an account on an insecure system for an unavoidable reason, change the password immediately once your work is done.
8. Always use “https” URLs for websites that require passwords to be entered, to make sure the site is secured against eavesdropping.
This attack is very similar to fishing in general. Just as in fishing, where people put fish food on the hook and the fish is fooled by the food and gets caught on the hook, here the attacker fools us by appearing to be a genuine sender and tries to get information from us, the target (the person who is being attacked), mostly by means of emails. To the target, at first look, the sender may appear to be a genuine friend, family member, boss or colleague, but actually they are NOT. We are being attacked to extract some important or sensitive information from us.
2. Preventive measures
Be very CAUTIOUS about these types of attacks, as at times you might not even know whom you are talking to until you observe the details carefully. This attack is also very common in today’s world. Keep the following things in mind while reading or replying to an email or a message, especially when it comes to sharing some information over email with someone.
1. Is the sender’s email address completely correct?
2. Is the sender asking for some confidential data, or creating a sense of urgency when asking for some confidential data? In such cases, never reply with the information directly over email. Reach out to the sender first by calling them or meeting them personally, and confirm whether they have really asked for that information.
3. Always observe the emails carefully and do not respond if something looks fishy.
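The first two checks in the list above, written out as an added example that is not part of the original article. The address book, keyword lists, sample messages and function names are assumptions made for illustration.

```python
import re
from email.utils import parseaddr

# Constructed address book: the addresses you really correspond with.
KNOWN_CONTACTS = {"boss@example.com": "Priya Sharma"}
# Assumed keyword lists; whole-word matches only, so "pin" does not hit "shipping".
CONFIDENTIAL = re.compile(r"\b(password|otp|pin|card number)\b")
URGENT = re.compile(r"\b(urgent|urgently|immediately|right now|asap)\b")


def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def review_email(from_header, body):
    """Return a list of warning codes for one message."""
    name, addr = parseaddr(from_header)
    addr, warnings = addr.lower(), []
    if addr not in KNOWN_CONTACTS:
        for known, known_name in KNOWN_CONTACTS.items():
            if edit_distance(addr, known) <= 2:
                # Check 1: the address is almost, but not completely, correct.
                warnings.append("lookalike-address")
            elif name.strip().lower() == known_name.lower():
                # A familiar display name sitting on an unfamiliar address.
                warnings.append("name-address-mismatch")
    text = body.lower()
    if CONFIDENTIAL.search(text):
        # Check 2: confirm by call or in person before sharing anything.
        urgent = URGENT.search(text) is not None
        warnings.append("urgent-confidential-request" if urgent else "confidential-request")
    return warnings


if __name__ == "__main__":
    # Constructed message: one character of the domain has been swapped.
    print(review_email("Priya Sharma <boss@examp1e.com>", "I need the OTP immediately."))
```
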
In this kind of attack, the attacker keeps a system busy by continuously sending multiple fake requests, so that when a genuine request reaches the system, the system is not able to respond to it because no resources are available. In other words, the attacker exhausts the system’s resources so that genuine requests are rejected. In such cases, the system appears to be unavailable to a genuine user trying to make a request. For example, a website can handle 100 requests per minute, but the attacker uses a script to send 500 requests per minute to the site to create a flood of requests and keep the site busy all the time. Since the site is capable of handling only 100 requests per minute, it denies service to the other 400 requests, and also to any genuine requests that arrive in between, as it’s already working at full capacity and handling the maximum number of requests it can.
2. Preventive measures
As a layman, there’s not much that we can do to prevent a DoS attack. The preventive measures for this attack need to be taken by the serving organizations, like the company creating the website or providing access to a server. Usually, to detect this kind of attack, the following is checked:
1. Are there more requests than the system can handle?
2. Is this increase in requests continuous or frequent?
3. Are the requests continuously coming from the same IP addresses?
To prevent this kind of attack, companies adopt firewalls, VPNs and other security measures, and the network traffic is also monitored continuously to see whether multiple requests are frequently coming from the same addresses. If so, those addresses are blocked for some amount of time or permanently, as the case may be.
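The detection checks and temporary blocking described above, as an added example that is not part of the original article. The per-address limit, the block duration, the class and function names and the traffic (documentation-range addresses) are assumptions; only the 100 and 500 requests-per-minute figures come from the text.

```python
from collections import defaultdict, deque

SITE_CAPACITY = 100                 # requests per minute the site can serve (article's figure)
PER_IP_LIMIT = SITE_CAPACITY // 5   # assumed: one address may use a fifth of that
WINDOW = 60.0                       # seconds
BLOCK_FOR = 300.0                   # assumed temporary block, in seconds


class FloodDetector:
    """Sliding-window request counter per source IP with temporary blocking."""

    def __init__(self, limit=PER_IP_LIMIT, window=WINDOW, block_for=BLOCK_FOR):
        self.limit, self.window, self.block_for = limit, window, block_for
        self.recent = defaultdict(deque)   # ip -> timestamps inside the window
        self.blocked_until = {}            # ip -> time at which the block expires

    def allow(self, ip, now):
        if self.blocked_until.get(ip, 0.0) > now:
            return False                   # address is still blocked
        stamps = self.recent[ip]
        while stamps and stamps[0] <= now - self.window:
            stamps.popleft()               # forget requests older than the window
        stamps.append(now)
        if len(stamps) > self.limit:       # same address keeps exceeding its share
            self.blocked_until[ip] = now + self.block_for
            stamps.clear()
            return False
        return True


def replay(events, detector=None):
    """Feed (time, ip) pairs through the detector; return {ip: [served, rejected]}."""
    detector = detector or FloodDetector()
    summary = defaultdict(lambda: [0, 0])
    for now, ip in sorted(events):
        summary[ip][0 if detector.allow(ip, now) else 1] += 1
    return dict(summary)


# Constructed traffic: one address sends 500 requests in a minute (the flood
# from the article's example) while a genuine user sends 5.
FLOOD = [(i * 0.12, "203.0.113.7") for i in range(500)]
GENUINE = [(1 + 12 * j, "198.51.100.20") for j in range(5)]

if __name__ == "__main__":
    for ip, (served, rejected) in replay(FLOOD + GENUINE).items():
        print(f"{ip}: served={served} rejected={rejected}")
```

With the flooding address cut off after its first 20 requests, the site stays well under its capacity and the genuine user is served every time.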
4. Man In The Middle Attack
1. About the attack
As the name suggests, in this attack, the attacker places himself in the middle, between the sender and the receiver of information, accesses the entire communication from both sides and edits it as per his/her wish. This person acts like the sender towards the receiver and like the receiver towards the sender. Both sender and receiver think that they are talking to each other, not knowing that someone in the middle is reading their communication and also changing the data as per his/her wish. This way the attacker gets all the information of both sender and receiver.
2. Preventive measures
Encrypting the data to be sent over the network, using the best encryption techniques, is the best way to protect oneself from this attack. Other good preventive measures are using VPNs, having strong and secured wifi networks, and not sharing your secured wifi router passwords with anyone.
5. DNS Spoofing
1. About the attack
The Domain Name Server (DNS) keeps track of the devices/systems connected to the internet along with their details like URL, name, IP address etc. Basically, a DNS contains address information about a system in that network, that is, where that system can be reached if any requests come for it. In a DNS spoofing attack, the attacker tends to change the details in the DNS server to redirect traffic from a genuine website to a forged one.
For example, say you want to open gmail.com. The attacker will make changes in the DNS such that the DNS now returns an incorrect address and maps gmail.com requests to a fake gmail site instead of the original gmail server. This is done in order to get all your sensitive data. Unknowingly, we enter the id and password on that fake site and voila… the attacker now has your credentials, which they can use, or rather misuse, to fetch all your other sensitive information as well.
2. Preventive measures
To make sure we are safe and secure, always check for the lock symbol at the start of the address bar and also check that the URL starts with “https”, which indicates the site is safe and secure. A site with no lock symbol or with an http URL may be an infected one, so why take a chance? Some preventive measures for this attack need to be taken by the organizations hosting the DNS, by adding extra security to their Domain Name Servers so that it becomes hard to attack a server and, even if someone manages to get into it, they are caught at the earliest.
4. IOT devices and Security… The LINK!
I hope we now have a good understanding of what IOT devices are and of some of the ways in which they can be attacked. As I said earlier, all devices connected to the internet are equally exposed to attacks, and that includes IOT devices, as they are also connected to the internet.
For example, if you are trying to live stream or play music from your IOT device and there’s a DoS attack on that device, then the device might never respond to you, as it’s busy serving the forged requests. Another example: if you store your device’s password on the device and the device shares that password in an unencrypted form while talking to the backend, then the password can easily be captured by a Man-in-the-Middle (attacking your device), and once he gets the password, the entire device, its security, your data security and even your own security (as the case may be) are at risk.
Yet another case could be a DNS spoofing attack on the device or on the backend to which it’s connected, in which case you may end up entering all your private and confidential data on the forged server.
IOT devices are already smart devices, and we are working round the clock to make them secure as well. To save all our IOT devices from such attacks and to keep them and our data safe, we all need to make sure that proper preventive measures are followed to keep attackers at bay. Some care is also required from the user’s end to make sure they do not fall for attacks and that they keep their information safe and secure.