ECE3501: IOT FUNDAMENTALS

MODULE 3 - IOT SECURITY AND PRIVACY

Security and privacy risks, analyze security

risks, Technologies and methods that
mitigate security,
Privacy standards and regulations, Social
and privacy impacts

1 06.08.2020-G2
It’s not just PCs and smartphones we should worry about anymore, but a wide
range of Internet-connected devices such as thermostats, smart meters, self-driving
cars and even voice assistant devices such as Amazon’s Alexa.

Risk by Internet
(e.g. public)
Risk by IoT Devices

Risk by Cloud
(e.g. open source)

WHAT DO WE DO WHEN THE TECHNOLOGY

2
AROUND US MALFUNCTIONS????
AN MALICIOUS HACKER CAN OBTAIN
FROM AN IOT DEVICE
______________??

Information

3
WHY IS IOT / INTERNET OF THINGS
SECURITY IMPORTANT?
 In 2016, the Mirai botnet launched one of the biggest DDoS
attacks ever recorded. More than 1 terabyte per second
flooded the network of Dyn, a major DNS provider, and
brought down sites such as Reddit and Airnbnb.
 But what made this attack so special was that it was the first
to be carried out with IoT devices. Nearly 150,000
compromised smart cameras, routers and other devices all
enslaved into a single botnet, focused on a single target.
 The Mirai botnet however is much bigger! By some
estimates, it contains millions of enslaved devices. And it
wasn’t even that hard to create in the first place.
4
CONTD..
 Manufacturers use a handful of default password and usernames to
protect an IoT device.
 Had a few hundreds/ thousands of password combinations to protect tens
of millions of smart devices.
 All it took were a few simple lines of code, designed to test each of
those default passwords. A device could be hacked and
enslaved within a few seconds, so long as the user didn’t change
the standard login information.
 But IoT botnets aren’t the only type of threat.

 Researchers have proven more than once that it’s possible to

physically take control of a car by breaking into apps that 
control onboard software. For now, this has only been done in
experimental situations, but as Internet-connected cars gain ground,
it’s only a matter of time until it happens to someone, somewhere.
5
FOR EXAMPLE
 Researchers from the Russian cybersecurity firm
Kaspersky for instance, managed to open up car locks,
simply by hacking into an app.

6
INTERNET OF THINGS
---SECURITY VULNERABILITIES
 Simplicity and ease of use are crucial principles in the
IT and electronics industry. Every software and device
out there is designed to be as easy to use as possible, so
as to not confuse consumers and discourage them from
using the product.
 Unfortunately, this often means that some products cut
corners, and don’t implement security features
consumers might find “too clunky”.

7
INTERNET OF THINGS
---SECURITY VULNERABILITIES
 The process of identifying assets and threats in an
organization is known as “Threat Modeling”

 Insecure default login credentials

 Poor software updates

 The communication isn’t encrypted

 Insecure  user interface

 Poor privacy protection

8
INSECURE DEFAULT LOGIN
CREDENTIALS
 In practice, they might hide the “Change password/
Username” options deep in the UI, out of sight for most
users. No wonder so many people kept their default user
names and passwords.
 If each Internet of Things device had a randomized
username and password, Mirai might not have happened
in the first place. But that is too expensive a process in
competitive industries with razor-thin profit margins.

9
POOR SOFTWARE UPDATES

 What’s more, many Internet of Things creators 

don’t even patch or update the software that came on
their devices. If your device has a software vulnerability
(nearly 100% chance that it does), there’s little you can
do to prevent an attacker from exploiting it without help
from the manufacturer.

10
THE COMMUNICATION ISN’T
ENCRYPTED
 Other IoT devices lack basic encryption to hide the data sent
between the device and the central server. This can potentially
expose the user’s personal information, if a malicious hacker can
snoop in on his personal information.
 Another thing that Internet of Things devices do, is that some of
them ask for more permissions than they need to.
 One time, numerous Amazon Echo users were surprised to see
their device ordering dollhouses after a TV anchor said the
phrase “Alexa ordered me a dollhouse”.
 In that case, the device had permission to do a purchase all by
itself. Each extra permission in an IoT device adds another
vulnerability layer which can be exploited. The fewer
permissions, the more secure your device is.
11
INSECURE  USER INTERFACE

 A device’s user interface is usually the first thing a

malicious hacker will look into for any vulnerabilities. For
instance, he might try to manipulate the “I forgot my
password”, in order to reset it or at least find out your
username or email.
 A properly designed device should also lock out a user
from attempting to login too many times. This stops 
dictionary and brute force attacks that target passwords,
and greatly secures your device credentials.
 In other cases, the password might be sent from the device
to the central server in plain text, meaning it isn’t
encrypted. Pretty bad if someone is listening in on the 12
device and reading all of your data.
POOR PRIVACY PROTECTION

 Internet connected devices are data-hungry beasts, but

some of them have a greater appetite than others. The
less information they have on you, the better, since it
limits how much a cybercriminal can learn about you if
he hacks the device.
 As a rule, try to look into what type of data a device
will store about you. Be critical of those that harvest
data they don’t need, such as coffee machines storing
your location information.

13
THE MAIN TYPES OF ATTACKS
AGAINST IOT DEVICES
 Smart devices can be hacked in a number of ways,
depending on the type of vulnerability the attacker
decides to exploit.

14
ATTACKS AGAINST IOT DEVICES

15
RECOMMENDATIONS TO IMPROVE IOT SECURITY

 The ability of IoT readily adapt with the ever changing

environments and build up trustworthy redundancy is
labeled as “Fault Tolerance”

16
RECOMMENDATIONS TO IMPROVE IOT SECURITY

To avoid software attacks

To improve data
privacy i.e to avoid
Man in the middle,
sniffer

To avoid Denial of Service

17
attacks
To avoid physical attacks
VULNERABILITY EXPLOITATION
 Every software has its vulnerabilities. It’s nearly impossible not to. Even
Google, with all its resources, hasn’t been able to stamp them out from
Chrome.
 Depending on the type of vulnerability, you can use them in multiple ways.

 Buffer overflows. This happens when a device tries to store too much data
into a temporary storage space. This excess data then spills over into other
parts of the memory space, overwriting it. If malware is hidden in that data,
it can end rewriting the code of the device itself.
 Code injection. By exploiting a vulnerability in the software, the attacker is
able to inject code into the device. Most often, this code is malicious in
nature, and it can do a multitude of tasks, such as shutting down or taking
control of the device.
 Cross Site Scripting. These work with IoT devices that interact with a
web-based interface. Basically, the attacker infects the legitimate page with
malware or malicious code, and then the page itself will infect the IoT
18
device.
IOT VULNERABILITY EXPLOIT

19
MALWARE ATTACKS

 The most frequent and well known malware attacks on

PCs target a device’s login credentials. But recently,
other types of malware such as ransomware have made
their way onto IoT devices.
 For one, many base their operating system on Android,
so the malware is mostly interoperable, requiring only
minor modifications.
 Smart TVs and other similar gizmos are most exposed to
this kind of threat, since users might accidentally click
on malicious links or download infected apps.

20
21
PASSWORD ATTACKS

 Password attacks such as dictionary or brute force target

a device’s login information by bombarding it with
countless password and username variations until it finds
the right one.
 Since most people use a simple password these attacks
are fairly successful. Not only that, but according to one
study, nearly 60% of users reuse the same password.
So if an attacker gets access to one device, they get
access to all devices.

22
23
SNIFFING / MAN-IN-THE-MIDDLE
ATTACKS

 In this attack, a malicious hacker intercepts the Internet

traffic that goes into and out of a smart device.
 The preferred target is a Wi-Fi router, since it contains all the
of the traffic data sent of the network, and can then be used to
control each device connected to it, even PCs or
smartphones.

24
25
SPOOFING

 Spoofing works by disguising device A to look like

device B. If device B has access to a wireless network,
then a disguised device A will trick the router into
allowing it on the network. Now that the disguised
device A can communicate with the router, it can inject
malware into. This malware then spreads to all other
devices on the network.

26
27
BOTNET ENSLAVING

 Internet of Things devices are prime candidates for a 

botnet. They are both easier to hack, and harder to
diagnose if they’re compromised.
 Once your device is enslaved, it can be used for a wide
variety of cybercriminal activities, such as DDoS
attacks, sending spam emails, performing click fraud
(basically using the enslaved device to click an ad), and
Bitcoin mining.
 Mirai is the biggest IoT botnet we know about, and it
was built on the backs of default passwords and
usernames.
28
29
REMOTE ACCESS

 Taking control of an IoT device doesn’t sound so menacing at first

glance. After all, it’s not as if a malicious hacker could poison you if
he hacked your coffee maker.
 But things will quickly get serious if the attacker takes control of
your car as you’re driving it. This isn’t even hypothetical situation,
it’s actually been done, albeit by cybersecurity researchers. In that
example, the whitehat hackers were able to 
hack into the car’s braking system and acceleration.
 Some people now use smart locks to secure their homes, but
ultimately they’re just software on hardware. At DEF CON  2016
(the biggest hacker conference in the world), 
researchers tested out 16 smart locks, and proved how many of
them used very simple security features such as plain text
passwords. Others were vulnerable to device spoofing or  30
replay attacks.
31
DATA LEAKAGE

 Smart devices process a lot of personal information, such as:

  medical data

 location data

 usage patterns

 search history

 financial information, etc.

 Whitehat researchers proved it was able to hack into a smart speaker and

analyze data from its sensors to figure out if you are home or not. This would
be extremely useful for a burglar seeking empty homes to steal from.
 In a fairly high profile case, the German government 
banned a children’s doll because it recorded so much information, it was
labeled as a “spying tool”.
 Devices which leak information from inside the privacy of your own
house are dangerous for a wide variety of reasons. Recordings of sensitive
conversations and intimate acts can then be used as blackmail tools against a 32
person or outright publicized to damage a person’s image.
33
 A more worrying scenario is the possibility of hacking IoT devices
used in the healthcare industry. In theory, a cybercriminal could hack
a pacemaker or an insulin pump, and then demand a ransom from the
victim in order to keep the devices working properly.
 But sometimes it’s the central server that leaks information.

 Sometimes, companies are the ones that leak information, and not the
devices. Such was the case of a teddy bear that spilled recordings from 
nearly 2 million kids and parents.
 This kind of information goes into the company’s cloud. If that’s
compromised, chances are each one of its consumers are also hacked.
 One major weakness of Internet of Things devices is that is that many
of them send data over unsecured ports. In other words, you can
actually see the data live, without requiring a password and username.
All it takes to view this data is a paid account at Shodan, and you’re 34
set.
WHY THERE ISN’T A WIDELY AGREED UPON
SOLUTION TO TRAFFIC FILTERING

 Another possible way to limit the damage caused by

Internet of Things devices is to filter out some of the bad
traffic sent over the wider Internet.
 ISPs could theoretically 
identify and filter out any malicious traffic they see on
their network. But the process wouldn’t be foolproof, and
false positives would be a likely possibility.
 Another possibility would be for traffic filtering to be
applied at a user level. Smart and secure traffic filtering
hardware such as Bitdefender Box or Luma Wi-Fi System
are making their way onto the market, with more to come.
Unfortunately, they are expensive and it remains to be seen 35
if users will consider them as worthwhile investments.
HOW TO IMPROVE YOUR INTERNET OF THINGS
SECURITY

36
CHANGE YOUR DEFAULT PASSWORDS AND
USERNAMES

 The Mirai malware is still out there, actively seeking out more
IoT devices to enslave into the botnet. Fortunately, it’s a fairly
simple malware, and can be easily countered by setting up a
strong and secure password and changing your default
username.
 For the best results, we recommend you make the password at
least 10 characters long, and use at least 1 capitalized letter, 1
normalized one, 1 number and 1 special character, such as an *
or a &.
 Here’s a website you can use to 
figure out how strong your passwords are.
 Also, try to have a different password for each device. That
way, if one device gets hacked, then you can rely on the other 37
ones.
AS MUCH AS POSSIBLE, UPDATE TO THE LATEST
SOFTWARE

 The manufacturers of the best IoT devices release frequent

updates to improve functionality and also patch security
vulnerabilities. For this reason, try to make sure your 
device receives these updates whenever they are available.
 Unfortunately, not all manufacturers release updates on a
regular basis. Many don’t even bother to update them at all, and
effectively abandon the customer to his own devices (pun
intended).
 When you’re in the research phase of a purchase, look into the
update cycle of the product. If you can’t find one, and
reviewers are openly lamenting the non-existent software
updates, then chances are that company wants to cut costs. And
frequently, that means cutting costs from customer support as 38
well.
This is the update policy for a software called Open Nebula. Not all developers are this
thorough in their patching policy, but it should give you an idea as to what constitutes
good practice.
On a more similar note, here’s a small sample of Microsoft’s update policy for various
Windows software versions.
39
40
LOGIN LOCK SETTINGS
 Even strong passwords and custom usernames can be
vulnerable to a dictionary or brute force attack. These
will bombard a login page with countless password
combinations, until it hits the right one.
 iPhones for instance, have a setting which locks the PIN
authentication after too many attempts. At the
10th attempt, it completely wipes the device.
 IoT devices with good built-in security should have a
similar option you can use to ensure their login integrity.

41
TWO-FACTOR AUTHENTICATION

 The Internet of Things has lagged behind other services

in implementing two-factor authentication, but recently
Nest announced 
it will roll out two-factor authentication to secure it’s
thermostats and smart cameras.
 For the time being, most devices don’t have two-factor
authentication, but as the industry matures, the feature
will become more and more prevalent.
 In the meantime, be sure to activate it whenever your
devices support it.

42
PHYSICAL WEAKNESSES IN IOT
DEVICES

 Sometimes, all it takes to infect a PC is to introduce a

USB stick in it and let Windows autorun the USB, and
by implication the malware.
 The same principles apply to smart devices. If it has a
USB in it, then all a malicious hacker has to do is to plug
it in, wait a bit, and that’s it.
 If you can, try to place your device in such a way so that
sticking a USB stick in it isn’t a straight forward process.

43
ENCRYPTION

 Most smart devices work by communicating with a

central server, Internet network or smartphone.
Unfortunately, the information isn’t properly encrypted
in most cases. Either the devices are too small to carry a
strong processor, or the manufacturer decided to cut
costs (including security features).
 Whenever available, we strongly recommend you
activate the option to encrypt the data it sends and
receives.

44
CREATE A SECOND NETWORK FOR YOUR IOT
DEVICES

 A good way to secure your smart devices is to create a

separate network for them to communicate in. This
network isn’t connected to the Internet, and so there is
minimal chance for malware to make its way on your
devices.
 This system does come with a set of drawbacks however.
If you want to control your smart devices from your
phone, you’ll need to switch between Wi-Fi’s to control
your IoT network. In this case, you either have to learn
to how automate everything, or use Z Wave switches to
go between networks.
45
SECURE YOUR HOME WI-FI

 Your Wi-Fi router is one of the first attack points for a malicious hacker. To
make sure it is secure, we suggest you do the following:
 Use a strong and secure password.

 Change your username, and make it non-recognizable. Don’t make it easy

for an attacker to identify which Wi-Fi is yours.
 Set up a firewall to protect your Wi-Fi. In most cases, the firewall will be
software based, but some routers come with a hardware one preinstalled.
 Disable guest network access for your wireless network. Here’s a guide to 
disable this for Linksys routers.
 A guest network is a second Wi-Fi created from your router, which limits
access to your “core” network. In theory, it should offer extra security, by
isolating guests on the separate network. However, most Wi-Fi routers set up
an insecure guest network, which can act as a window to your core Wi-Fi.
 Here’s a more in-depth guide on how to protect your wireless network
 from outside intrusion that you might find useful. 46
DISCONNECT THE DEVICE FROM THE INTERNET
WHEN YOU DON’T USE IT

 Devices such as Smart TVs don’t need to be permanently

connected to the Internet. By keeping them off the
Internet, you limit the time interval in which a
cybercriminal could attempt to break its security.

47
READ THE DEVICE MANUAL FOR ANY SECURITY
TIP YOU MIGHT FIND

 Most people only use a device’s manual during

installation and to figure out how to use it. But manuals
often contain a lot of useful tips and tricks that can
improve the performance of a device and make it more
secure. Take your time and go through the manual to see
if there’s anything you might find useful in it.

48
DOWNLOAD SECURITY
APPLICATIONS

 Some smart devices such as TV’s are powerful enough to

run apps. Even simple, free versions of antivirus apps
can significantly boost your security.
 For the best results, we recommend you use the paid
version of an antivirus app, since it will unlock its full
functionality.

49
USE A HARDWARE SOLUTION TO SECURE YOUR
IOT NETWORK FROM OUTSIDE ATTACKS

 A dedicated security solution for your IoT network can

make all the difference between an infected or clean device.
There are quite a few security solutions available, even if
the market isn’t as developed as it is for desktop or mobile.
 Here are some viable software/hardware products you can
use, with a link explaining how they work.
 Bitdefender Box.

 Luma Home WiFi System.

  F-Secure Sense (not yet available, but you can preorder it).

 Norton Core (also not available, but up for preorder).

  Dojo (up for preorder).

50
51
 IoT is one of the biggest technological trends since the
smartphone, and promises to be just as impactful.
Unfortunately, the promise and opportunity they offer
are just as tempting for cybercriminals as they are for
regular customers.
 On the bright side however, the IoT industry knows its
shortcomings, and together with cybersecurity experts
and companies are moving forward to improve on their
track record.

52
IOT SECURITY ISSUES

 Public Perception: If the IoT is ever going to truly take off, this needs to be the first
problem that manufacturers address. The 2015 Icontrol State of the Smart Home study
found that 44% of all Americans were "very concerned" about the possibility of their
information getting stolen from their smart home, and 27% were "somewhat
concerned." With that level of worry, consumers would hesitate to purchase connected
devices.
 Vulnerability to Hacking: Researchers have been able to hack into real, on-the-market
devices with enough time and energy, which means hackers would likely be able to
replicate their efforts. For example, a team of researchers at Microsoft and the
University of Michigan found a plethora of holes in the security of Samsung's
SmartThings smart home platform, and the methods were far from complex.
 Are Companies Ready?: AT&T's Cybersecurity Insights Report surveyed more than
5,000 enterprises around the world and found that 85% of enterprises are in the process
of or intend to deploy IoT devices. Yet a mere 10% of those surveyed feel confident that
they could secure those devices against hackers.
 True Security: Jason Porter, AT&T's VP of security solutions, told Insider Intelligence
that securing IoT devices means more than simply securing the actual devices
themselves. Companies also need to build security into software applications and 53
network connections that link to those devices.
IOT PRIVACY ISSUES

 Too Much Data: The sheer amount of data that IoT devices can generate is
staggering. A Federal Trade Commission report entitled "Internet of Things: Privacy &
Security in a Connected World" found that fewer than 10,000 households can generate
150 million discrete data points every day. This creates more entry points for hackers
and leaves sensitive information vulnerable.
 Unwanted Public Profile: You've undoubtedly agreed to terms of service at some
point, but have you ever actually read through an entire document? The aforementioned
FTC report found that companies could use collected data that consumers willingly
offer to make employment decisions. For example, an insurance company might gather
information from you about your driving habits through a connected car when
calculating your insurance rate. The same could occur for health or life insurance
thanks to fitness trackers.
 Eavesdropping: Manufacturers or hackers could actually use a connected device to
virtually invade a person's home. German researchers accomplished this by intercepting
unencrypted data from a smart meter device to determine what television show
someone was watching at that moment.
 Consumer Confidence: Each of these problems could put a dent in consumers' desire
to purchase connected products, which would prevent the IoT from fulfilling its true 54
potential.
SECURITY RISKS
 IoT devices are connected to your desktop or laptop.
Lack of security increases the risk of your personal
information leaking while the data is collected and
transmitted to the IoT device.
 IoT devices are connected with a consumer network.
This network is also connected with other systems. So if
the IoT device contains any security vulnerabilities, it
can be harmful to the consumer’s network. This
vulnerability can attack other systems and damage them.
 Sometimes unauthorized people might exploit the
security vulnerabilities to create risks to physical safety.
55
PRIVACY RISKS
 In IoT, devices are interconnected with various hardware
and software, so there are obvious chances of sensitive
information leaking through unauthorized manipulation.
 All the devices are transmitting the user’s personal
information such as name, address, date of birth, health
card information, credit card detail and much more
without encryption.

56
CONTD.,

57
CONTD.,

58
IOT SYSTEM FUNCTIONALITIES-
FROM SECURITY PERSPECTIVE

59
CONTD.,

60
SECURITY ARCHITECTURE

61
SECURITY ARCHITECTURE

62
SECURITY ARCHITECTURE

63
SECURITY ARCHITECTURE

64
CHALLENGES IN IOT SECURITIES

65
CONTD.,

66
CONTD.,

67
CONTD.,

68
69