The Internet of Things (IoT) trend is a major talking point these days.
The opportunities offered by the sheer volume of connected data points, providing never-before-seen insights and groundbreaking solutions, are changing the world as we know it.
But, as it continues to enter into nearly every aspect of consumer and business life, are we overlooking the risks?
According to computer scientists from the US and Brazil, about half of IoT apps are potentially exploitable through protocol analysis: between 40% and 60% of the apps use local communication or local broadcast communication, which provides a potential attack path.
Five computer scientists – Davino Mauro Junior, Luis Melo, Harvey Lu, Marcelo d’Amorim, and Atul Prakash – put the research together. They analysed smartphone apps for 96 IoT devices.
According to their paper, 31% of the apps used no encryption whatsoever; 19% used hardcoded keys that are easy to discover.
The paper proposes an indirect and simpler way of assessing the security of IoT devices by analysing their companion apps and the interaction with the device’s firmware.
The paper says: “Our intuition is that if this interaction between the companion app and device firmware is not implemented with good security principles, the device’s firmware is potentially insecure and vulnerable to attacks. In our experience, most IoT devices on the market today are released with companion apps for both Android and iOS so that users could control these devices directly from their smartphone, thus permitting such analysis.”
The findings were published in a paper distributed last week by ArXiv, the e-print specialists.
Dunstan Power, Director at ByteSnap Design, said: “It is true that IoT security has had a poor record. Five years ago there was very little regard paid to the security aspects of many IoT devices, which were manufactured to a low cost and not seen as vulnerable.
“The thinking was ‘what does it matter if someone can turn my lights on and off?’, missing the fact that the IoT device could be used as a vector into the system as a whole.
“Penetration testers have raised the profile greatly, though all publicised attacks are not equal, with at one end of the scale attacks that can be done remotely and can allow a critical system to be hacked, through to very convoluted attacks that require a high degree of local access and at the end of it only allow a light to be turned on or off. Quite often the hype around these is a bit hysterical and doesn’t really look at the real probability and outcome of attack classes.”