Internet of Things (IoT) – Global attacks from a lightbulb?

What is Internet of Things (IoT)?

OK, let’s start by saying marketing departments worldwide will tell you all sorts of meanings for IoT, but in essence think of it as any device you may have traditionally used that is now connected to a network, usually the internet. This gives the device potential features such as being operated via an app on your smartphone, or accessed via a web browser over the internet.

A few examples of devices which are available as “IoT” devices:

  • Central Heating / Air conditioning
  • Lightbulbs
  • Kettles
  • Washing Machines
  • TVs and other home entertainment devices
  • CCTV (IP Cameras) / Burglar Alarms
  • Children’s Toys (even Teddies)

That list is by no means exhaustive, and with the IoT buzz happening right now we are going to see a boom in devices over the coming years.

What sort of attacks are possible?

The idea behind IoT is excellent, and it further integrates our world together over the internet, but it does so at a cost: security.

Although some manufacturers are taking security seriously, many don’t, mainly due to a lack of skills or tight budgets and timeframes. I am going to give an overview of some of the possible attacks.

Address Resolution Protocol (ARP) Spoofing Attacks

ARP is a protocol that allows networked devices to find other network devices to “talk” to. Normally a device sends an ARP request for the IP of the default gateway (normally your router) and the default gateway replies, in effect, “I am the default gateway, transmit me the data”.

An attacker who has compromised a device on your network can conduct a Man-in-the-Middle (MitM) attack by spoofing the ARP address of the default gateway so the device sends all network traffic to the attacker’s machine. The attacker then manipulates or views the data and sends it on to the real device, in my example the default gateway.

The attack is dangerous because if the IoT device transmits insecure network traffic, such as usernames and passwords, the attacker can capture these for later use.

Unencrypted communications

As in my ARP example above, insecure traffic can be sniffed and captured. If an IoT device transmits information to a cloud service on the internet via an insecure connection such as HTTP or FTP, anyone sniffing that traffic can see the data. Do you really want the live video of your baby being watched by anyone?

Unauthenticated connections (man in the middle, altering data etc)

Something that is unauthenticated cannot prove it is what it claims to be. Even if the IoT device is sending encrypted data out of your network to a web server online, if the connection to the web server is not authenticated then an attacker may have redirected the traffic to her server. This may or may not be useful if the data is encrypted, but at the very least it may cause denial of service to the IoT device.

Many security professionals believe that you need both authentication and secrecy together. Protocols such as SSL/TLS offer this.

Manufacturers and their cloud providers

Your IoT device may well be “phoning home” to its manufacturer’s cloud service for updates or file transfers; this is common with hosted IP cameras, for example. The security of these services now relies not only on the IoT device itself, but also on the cloud provider the IoT device is talking to. Compromising the cloud provider may well compromise all connected IoT devices and their connected networks.

So how do we mitigate these issues?

It’s difficult, if not impossible, to protect against bad cloud provider setups or poor firmware coding in the IoT devices themselves, but protecting your network from them is a little easier.

The simplest solution is network segregation. You want to keep your trusted devices, such as your computer and maybe your phone, on a separate network from the IoT devices such as your kettle and boiler.

A good networking architecture solution would be as so:

This works because the two main networks are physically separated from one another, so devices within each network cannot “talk” to devices in the other. This does potentially cause some issues if the “trusted” devices need to communicate directly with the IoT devices, although commonly the IoT device is accessed over the internet via its cloud network and will therefore still work. For devices that do not work like this, suitable firewall and routing configurations would need to be put in place.

So is World War 3 going to involve your lightbulbs?

Possibly. After looking at the attack vectors that we know of today, many options are available for your lightbulb to become a bot within a nation state’s botnet. Next time you are watching TV and the lightbulb flickers, maybe it’s taking down a government server somewhere in the world.