Pen Testing IoT Devices: How to Manage & Secure Smart Devices?

Look around you, and you’ll find at least 4 objects in your house with the word ‘smart’. Your TV, your phone, maybe even your fridge. All of our appliances are increasingly being connected to the internet.

This interconnection of ‘smart’ objects is referred to as the Internet of Things (IoT). In less than a decade, we’ve pushed communication technology to its limits.

Now you can talk to your microwave from your phone. With over 20 billion devices part of the IoT phenomenon, our lives are more connected than ever before. But, there's a flip side to this technological revolution.

There are a lot of IoT security risks that arise from the vulnerabilities of the devices. Over 200 million individual IoT attacks were tracked in 2020 alone.

Hackers can take advantage of vulnerabilities to steal your data, or to use your devices to conduct attacks. This blog will take you through the procedures you can adopt to secure your life from cybercriminals.

Overview of IoT

Internet Protocol Version 4 (IPv4) is the protocol through which our devices connect to the internet.

When the internet is accessed, a unique identity protocol is generated. Recently, however, IPv4 has been running out of physical addresses. To fix this, IPv6 was introduced, which has the capacity for trillions of trillions of physical addresses. It also offers improvements to connectivity, performance, and security.

IoT has already been used extensively to provide ease to human life, with some of the many applications being innocuous.

  • Home Automation - Phones are now being used in most homes to connect to your electric circuits, your TV, AC, fridge, and more. This has simplified lives while improving productivity and efficiency. Many of these devices also optimise themselves, for instance, an AC that adjusts temperature itself based on the environment.
  • Smart Cities - By far the most awaited feature of IoT. Smart Cities promise to revolutionize the way you live. Not only will they reduce costs, but they would also improve efficiency. Road signals would be able to manage traffic congestions, and parking sensors would inform you of empty spots.
  • Drones - Drones are increasingly being used to simplify our lives. Right from being used by Amazon as delivery agents, to being used by government bodies for firefighting activities, drones are revolutionizing the tech space.
  • Medical Applications - Smartwatches monitor a person’s health and can call them an ambulance when at risk. Ambulances can connect to the road signals and clear a path.
  • Smart Phones - Your phone will most likely be the key to controlling the IoT. Already many appliances connect to your phone, and many more may soon follow. VR and AR have made great leaps forward, allowing people to do much more than simply call people with their phones.

Threats of IoT


IoT suffers from similar vulnerabilities that hackers attempt to use to their advantage. They use these devices to either steal personal data or to connect them to a botnet. According to Symantec, IoT attacks have increased by 1000% since 2016, with routers and security cameras being the most attacked.

  • Botnet - A botnet is essentially a large collection of IoT devices that hackers can use to make large coordinated attacks on other services. Botnets are easy to create, with IoT being a favored target due to their weaker security.
  • Shadow IoT - Losing control of your devices can be terrifying. Researchers have already proved it possible to stall the engines of smart cars too. Many industries use SCADA systems, a massive computer overseer. Were this to be compromised, it could lead to catastrophe, including nuclear meltdowns in the worst case.
  • Data Theft - The most common threat. Data can be extracted not only from the compromised device but from all devices on the network. This can be catastrophic for your business. Losing the data of millions of users can erode their trust in your services.

Applying Penetration Testing to circumvent IoT Attacks


Thankfully, there are ways in which firms can protect themselves from IoT security risks. Using penetration testing (pen testing), a simulated attack on your device, you can identify vulnerabilities and fix them before an actual attack hits. Pen testing searches for a range of vulnerabilities, including but not limited to:

  1. Weak passwords: passwords that can be guessed or opened through trial and error.
  2. Hardcoded passwords: Public passwords that cannot be changed, such as firmware backdoors and client software.  
  3. Network services: This helps the devices on the network to communicate and share information. 
  4. Ecosystem Interfaces: Authentication, encryption issues, and input/output filtering problems arising from the device’s connections. These could be the internet, the backend API, the cloud, or other devices.
  5. Updates: The ability to receive and apply updates to firmware, security, and provide warnings for security changes. 
  6. Components: Insecure or outdated components such as software, libraries, customization, third-party apps, etc.  
  7. Privacy: Data that can be leaked due to a device on the network not being configured with the proper controls.
  8. Data Security: Data encryption and access control during storage, transit, and processing to prevent hijacks between connections. 
  9. Default Settings: Insecure default settings that might still be on the device.
  10. Physical Hardening: Physical hardening measures to prevent hackers from scoping devices or taking local control of devices. 

Your business must be secure, and pen testing is a great way of identifying these vulnerabilities, which you can then rectify.

Here's how firms can go about it. 

  • Identify Devices on The Network - The first step to protecting yourself is to identify which devices are actually on the network. As the network gets bigger, it can be harder to keep track of the devices. Don’t hesitate to pull back, take stock, and remove devices you don’t think need to be on the network.
  • Implement Strong Passwords - It goes without saying that this is the single most important tip. Always ensure your password is not something related to your personal information, such as your full name. Vary your password with numbers and symbols. And don’t use the same password everywhere!
  • Download The Latest Security Updates - As attacks increase, so does the defence. Many manufacturers release new updates that patch IoT vulnerabilities. Staying up to date can prevent older attacks from getting through.
  • Install Firewalls - Firewalls will prevent unauthorized access through the network. Intrusion detection systems/intrusion prevention systems (IDS/IPS) should be run to monitor and analyse network traffic. Firewalls also have the added benefit of warning you of unauthorized access. This can be the first sign of a breach in security.
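
The first three steps above, together with the weak-password and update items from the earlier checklist, can be combined into one inventory audit. This is an added example, not code from the original article; the lease lines, inventory fields, 12-character minimum and personal-term list are constructed assumptions.

```python
import re
from collections import Counter

MAC_RE = re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}", re.I)

# Constructed sample in the style of a router's DHCP lease table:
# expiry, MAC, IP, hostname ("*" when the client sent none).
LEASES = """\
1700000000 a4:11:22:33:44:01 192.168.1.10 living-room-tv
1700000050 A4:11:22:33:44:02 192.168.1.11 thermostat
1700000100 de:ad:be:ef:00:99 192.168.1.57 *
"""

# Constructed inventory with hypothetical fields. In practice the passwords
# would be read from a password manager, not kept in a plaintext file.
INVENTORY = {
    "a4:11:22:33:44:01": {"firmware": "2.1.0", "latest": "2.1.0", "password": "Tv!9rQ#4xLm2"},
    "a4:11:22:33:44:02": {"firmware": "1.0.3", "latest": "1.2.0", "password": "admin"},
    "a4:11:22:33:44:03": {"firmware": "0.9", "latest": "0.9", "password": "Tv!9rQ#4xLm2"},
}

def parse_leases(text):
    """Return {mac: ip} for each well-formed lease line, MACs lower-cased."""
    rows = (line.split() for line in text.splitlines())
    return {r[1].lower(): r[2] for r in rows if len(r) >= 3 and MAC_RE.fullmatch(r[1])}

def weak_password(pw, personal_terms=()):
    """True if shorter than 12 chars (assumed minimum), missing a digit or a
    symbol, or containing any of the owner's personal terms."""
    return (len(pw) < 12 or not re.search(r"\d", pw) or not re.search(r"[^A-Za-z0-9]", pw)
            or any(t.lower() in pw.lower() for t in personal_terms))

def version(v):
    """Turn '1.2.0' into (1, 2, 0) so versions compare numerically."""
    return tuple(int(x) for x in v.split("."))

def audit(seen, inventory, personal_terms=()):
    """Return sorted (mac, finding) pairs for devices, passwords and firmware."""
    findings = [(m, "unknown device on network") for m in seen.keys() - inventory.keys()]
    findings += [(m, "in inventory but not seen") for m in inventory.keys() - seen.keys()]
    reuse = Counter(d["password"] for d in inventory.values())
    for mac, d in inventory.items():
        checks = {
            "firmware out of date": version(d["firmware"]) < version(d["latest"]),
            "weak password": weak_password(d["password"], personal_terms),
            "password reused": reuse[d["password"]] > 1,
        }
        findings += [(mac, name) for name, hit in checks.items() if hit]
    return sorted(findings)
```

Calling `audit(parse_leases(LEASES), INVENTORY, personal_terms=["alex"])` on the sample data flags the unlisted MAC address, the camera that is still in the inventory but no longer on the network, the thermostat's old firmware and default-style password, and the password shared by two devices.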

IoT has a lot of potential for making human life convenient and efficient. However, it is advisable to take your time when implementing new technologies and to make sure you have all the risks covered.

Rigorous testing should be your motto before introducing anything new to your business. Security should be your main priority. 

Cyril has a solid foundation in the Information Technology and Communication industry with over 13 years of experience. His expertise lies in Information Security, specialising in network, web and mobile applications, and cloud penetration testing across various industry domains like banking, insurance, energy, telecom, IT products and services, and others. He is well-versed in penetration testing methodologies including OWASP, OSSTMM and PTES. He has a solid understanding of the technical concepts of cloud computing, machine learning, and various programming languages. Cyril is a visionary and strategy-builder, has good communication skills, and is great with managing teams. He has founded and currently leads Secure Triad, a penetration testing services business.
