Internet of Things (IoT) cyber-attacks have been around for a very long time. However, what has accelerated is the scale and evolution of these attacks. At its core, IoT is all about connecting and networking devices. This means that all ‘smart’ devices, ranging from connected refrigerators, to connected vehicles, through to connected IoT medical devices, create a new entry point to the network and pose increasing levels of security and privacy risk.
In addition, we also need to think on a larger scale about how connected IoT devices have evolved across industries - where they are prevalent in every area of day-to-day lives, from manufacturing, to supply networks, and why a ‘security by design’ approach should be applied - that any single component can be compromised and to prevent the whole ecosystem from being abused.
The impact of each attack can vary dramatically, depending on the ecosystem, the device and environment, and the existing levels of protection.
Brute Force
A brute force attack is a hacking technique that uses trial and error to break encryption keys, passwords, and login credentials. It is a straightforward but effective strategy for getting unauthorized access to user accounts, company systems, and networks.
The term "brute force" refers to attacks that utilize excessive force in an effort to obtain user accounts. Despite being a tried-and-true type of hacking, brute force attacks continue to be a favorite among hackers.
Physical Security and Tampering
IoT devices can be accessed from the outside when there’s no control in an open environment. They fall under the category of physical attacks where the attacker can modify the memory or computation and then acquire additional information by interacting with the faulty device in an attempt to break security.
In order to launch large-scale operations, hackers are increasingly turning to physical tampering attacks due to the value of the assets at stake and the abundance of physical devices. Companies that have substantially engaged in the Internet of Things (IoT) should make investing in physical security a priority.
Cloud-related Challenges
IoT creates smart objects through the integration of sensors and objects that communicate directly with one another without the need for human involvement. Organizations can outsource their processes and other IT obligations using cloud computing. Cloud computing enables companies to focus on their core competencies, boosting productivity, better leveraging hardware resources, and lowering storage costs associated with IT infrastructure.
However, as more and more organizations rely on cloud-based technology, it’s critical to ensure that systems are secure and confidential data remains protected.
Botnets
A botnet is a network of systems combined together with the purpose of remotely taking control and distributing malware. Controlled by botnet operators via Command-and-Control-Servers (C&C Server), they are used by criminals on a grand scale for many things: stealing private information, exploiting online-banking data, DDos-attacks, or for spam and phishing emails.
With the rise of the IoT, many objects and devices are in danger of or are already being part of, so-called thingbots – a botnet that incorporates independent connected objects.
Botnets, as well as thingbots consist of many different devices, all connected to each other – from computers, laptops, smartphones and tablets and now to “smart” devices. These bots have two main characteristics in common: they are internet enabled and they are able to transfer data automatically via a network. Anti-spam technology can spot pretty reliably if one machine sends thousands of similar emails, but it’s a lot harder to spot if those emails are being sent from various devices that are part of a botnet. They all have one goal: sending thousands of email requests to a target in hopes that the platform crashes while struggling to cope with the enormous number of requests.
Man-In-The-Middle Concept
The man-in-the-middle concept is where a malicious actor is looking to interrupt and breach communications between two separate systems. It can be a dangerous attack because it is one where the attacker secretly intercepts and transmits messages between two parties when they are under the belief that they are communicating directly with each other. As the attacker has the original communication, they can trick the recipient into thinking they are still getting a legitimate message. Many cases have already been reported within this threat area, cases of hacked vehicles and hacked "smart refrigerators".
These attacks can be extremely dangerous in the IoT, because of the nature of the "things" being hacked. For example, these devices can be anything from industrial tools, machinery, or vehicles to innocuous connected "things" such as smart TV's or garage door openers.
Each device in an IoT ecosystem needs its own unique device identity. It is an essential component of IoT security. ‘Things’ can authenticate when they connect to the internet and ensure secure and encrypted communication with other devices, services, and users if they have a unique, strong device identity.
Data & Identity Theft
While the news is full of scary and unpredictable hackers accessing data and money with all types of impressive hacks, we are often also our own biggest security enemy. Careless safekeeping of internet-connected devices are playing into the hands of malicious thieves and opportunistic cybercriminals.
The main strategy of identity theft is to amass credentials and data – and with a little bit of patience, there is a lot to find. General data available on the internet, combined with social media information, plus data from connected devices give a great all-round idea of your personal identity. The more details can be found about a user, the easier and the more sophisticated a targeted attack aimed at identity theft can be.
Identity theft is a huge issue worldwide and instances have continued to rise sharply. The most common types of identity theft are financial, medical, criminal (when someone uses your identity when arrested), synthetic (creating an identity using someone’s real information), and child identity theft (using a minor’s information to commit bank fraud, for example)
Social Engineering
Social engineering is the act of manipulating people through human interaction, so that they expose confidential information. Social engineering attacks are carried out in one or more steps. A perpetrator initially analyzes the target victim to obtain background information needed to carry out the attack, such as potential points of entry and weak security protocols. The attacker then attempts to acquire the victim's trust and create stimuli for later acts that violate security norms, such as disclosing sensitive information or granting access to key resources.
In addition, the attacker could be trying to access a computer in order to secretly install malicious software that will then give them access to personal information, as well as to give them control over the computer.
Typically, social engineering hacks are done in the form of phishing emails, which seek to have you divulge your information, or redirects to websites like banking or shopping sites that look legitimate, enticing you to enter your details.
Denial of Service
A denial of service (DoS) attack happens when a service that would usually work is unavailable. There can be many reasons for unavailability, but it usually refers to infrastructure that cannot cope due to capacity overload. In a Distributed Denial of Service (DDoS) attack, a large number of systems maliciously attack one target. This is often done through a botnet, where many devices are programmed (often unbeknownst to the owner) to request a service at the same time.
In comparison to hacking attacks like phishing or brute-force attacks, DoS doesn’t usually try to steal information or lead to security loss, but the loss of reputation for the affected company can still cost a lot of time and money. Often customers also decide to switch to a competitor, as they fear security issues or simply can’t afford to have an unavailable service. Often a DoS attack lends itself to activists and blackmailers.
Concerns
Mismanagement of IoT connectivity renders the entire infrastructure vulnerable to cyber attacks.
A major concern in the IoT is the assurance of privacy. Companies will have to evaluate the policies for privacy and data security to up their game and ensure collected data is safeguarded and kept private. A risk mitigation measure is to ensure that any IoT vendor you engage with is in full control of their data transmission and processing to prevent ‘man in the middle’ attacks and to ensure that end-to-end commercial liabilities are in place.