What are the security issues of IoT? Explaining actual examples of cyber attacks on issues/devices

"We are considering introducing IoT, but we have concerns about security."
"I want to know about IoT security issues and countermeasures."

Some readers may share the concerns above. IoT has security issues, and cyber attacks targeting IoT are increasing. There have been cases of information leaks and of devices being used as a springboard for DDoS attacks (a type of cyber attack carried out to stop internet services; details are discussed later), so security measures to prevent cyber attacks are essential.

In this article, we explain IoT security issues, examples of cyber attacks, and IoT security measures. We also answer frequently asked questions about IoT security issues, so use this article as a reference if you want to know about IoT security issues and specific countermeasures.

Many challenges: IoT security issues

There are six main IoT security issues:

  • Personal information may be leaked
  • Confidential company information may be leaked
  • May be used as a stepping stone for DDoS attacks
  • It may be difficult to implement countermeasures for all the huge number of IoT products.
  • It may be difficult to implement security measures directly inside IoT devices
  • It may be difficult to completely dispose of all IoT devices that have reached the end of their maintenance period.

Personal information may be leaked

One of the security issues with IoT is that personal information may be leaked. IoT is used in a variety of places, including home appliances used in households and surveillance cameras installed in cities. If these products are subjected to cyber attacks such as malware infection, the personal and private information they collect may be leaked.

For example, if a smart speaker falls victim to a cyber attack, personal information registered on the device and audio and video data collected by the device may be leaked. It is also possible that linked credit card information may be stolen.

Additionally, in the case of companies, customer information managed through IoT may be leaked. As long as you are connected to the Internet, the risk of cyber attacks is unavoidable. Please refer to the main security measures listed below.

Confidential company information may be leaked

In addition to personal information, there is also a risk that confidential company information may be leaked through IoT. For example, if IoT is used for new product development, information about the product under development may be stolen if the IoT system is subject to a cyber attack. If customer and employee information is centrally managed using IoT, not only confidential information but also various other information may be leaked. If such damage occurs, the company may lose public trust by being seen as lacking in safety management.

The following are some of the routes that a cyber attack can take:

  • Files attached to emails
  • Websites
  • Apps
  • File sharing software

Regardless of the method, if a company computer becomes infected with malware, it can allow intrusion into systems, including IoT, which could result in the extraction of confidential information. In order to prevent cyber attacks on in-house IoT, it is also necessary to take measures to prevent malware infection.

May be used as a springboard for DDoS attacks

A typical issue with IoT security is that devices can be used as a stepping stone for DDoS attacks. A DDoS attack is a method of attack in which a specific website is accessed from a large number of devices, causing the server to be overloaded and taken down. When a server is subjected to a DDoS attack and is unable to withstand the data processing load, it is no longer able to process data normally, making it difficult to use the web services provided through the server.

Here is one example:

[OVH (France)]
  • The company's own servers were hit by the world's largest DDoS attack, with a maximum of 1.5 Tbps, from more than 140,000 IoT devices that were allegedly infected with Mirai.
  • Delays in accessing services using OVH servers from southern European countries

Source: Ministry of Internal Affairs and Communications | Current status and issues related to cyber security, etc. | Page 2 (as of February 5, 2024)

Mirai is a well-known malware used for DDoS attacks that use IoT as a stepping stone, as in this case. It hijacks infected devices so that they can be controlled remotely, and mainly targets IoT devices with weak security. There is a risk that IoT devices may be infected with malware without the owner's knowledge and used as a springboard for DDoS attacks.

It may be difficult to implement countermeasures for all the huge number of IoT products.

It may be difficult to implement security measures for all of a huge number of IoT products. Implementing countermeasures for a large number of IoT products imposes a significant burden in terms of cost and management.

When multiple IoT products are deployed, security measures tailored to the characteristics of each product are necessary. However, implementing security measures incurs a corresponding cost. The more devices that require security measures, the higher the costs of the measures.

Furthermore, even if security measures are taken for IoT products, it is essential to check whether any problems have occurred. If the number of products is small, you can check them one by one, but the more products there are, the more time it takes to check them and the more complicated they are to manage.

In this way, the greater the number of products introduced, the greater the burden of management. This burden is not a temporary burden, but a burden that will continue to be incurred while using IoT. Considering these burdens, it may be difficult to implement thorough security measures for all IoT products. To reduce the burden, consider introducing devices with security measures or a system that can centrally manage a large number of IoT devices.

It may be difficult to implement security measures directly inside IoT devices

Another security issue with IoT is that it may be difficult to implement security measures directly inside IoT devices. Due to the nature of IoT products, they may not be designed in a way that allows security measures to be added retroactively.

By comparison, on a general-purpose device such as a computer or smartphone, security measures can be taken by installing dedicated software later or by updating the system. You can also fine-tune settings while viewing the device screen.

However, the systems of IoT products are often packaged and have specifications that cannot be changed later. Unlike computers, there is often no screen where you can check the settings, and changing the internal settings of the device may require specialized knowledge. In this case, it is difficult to increase the security of the device itself after installation, as one can with computers. It is important to choose a product that has sufficient security measures in place before installation.

Note that some products have built-in systems that detect equipment abnormalities and unauthorized access. Specific examples are as follows.

  • Multi-factor authentication
  • Unauthorized access detection
  • Device anomaly detection
  • Program tamper detection
  • Network automatic shutdown function in case of abnormality

Some IoT devices are equipped with functions that not only prevent cyber attacks, but also quickly detect attacks by attackers and prevent damage from spreading to other devices and linked systems. When introducing a device, be sure to check whether the device is equipped with security measures and, if so, what they are.

It may be difficult to completely dispose of all IoT devices that have reached the end of their maintenance period.

It may be difficult to completely dispose of all IoT devices that have reached the end of their maintenance period. When disposing of equipment that has completed its useful life, the data must be properly erased. However, this data erasure process may not be perfect. Please keep this in mind.

First, IoT devices may store data not only in their internal memory, but also in the cloud or other connected devices. Completely and securely erasing stored data from all data storage locations can be a technically complex task. If you need to distinguish between areas that will not be erased and areas that will be erased, and you are concerned about a lack of knowledge or resources, it will be difficult for your company to handle this perfectly.

Countermeasures include resetting IoT devices to their factory settings following the manufacturer's instructions, using specialized data erasure tools, or asking a specialized company to do the work before disposing of the device. If the device is connected to a cloud service, it is also necessary to delete or disconnect any related accounts. If you have any concerns about handling the issue yourself, you should consult a trusted company before disposing of the device.

IoT devices are being targeted! Explaining examples of cyber attacks

We will explain the following three examples from among the actual cases where IoT devices were targeted.

  • Case where multiple IoT devices with vulnerabilities were targeted
  • Cases of unauthorized access to security cameras
  • Cases of voyeurism, virus spread, and being used as a springboard for attacks on other companies

Case where multiple IoT devices with vulnerabilities were targeted

In some cases where IoT devices have fallen victim to cyber attacks, multiple IoT devices with vulnerabilities have been targeted. The details of the case are as follows:

During the National Police Agency's Internet fixed-point observation, we observed an increase in accesses targeting multiple IoT devices.
We observed an increase in accesses to destination port 37215/TCP from around late November 2020, and to destination port 52869/TCP from around mid-December of the same year. These accesses have the characteristics of Mirai bots, where the destination IP address and initial TCP sequence number match.

Source: National Police Agency | Increase in access targeting multiple IoT devices with vulnerabilities | Page 1 (as of February 5, 2024)

In this case, the National Police Agency observed changes in the number of accesses targeting IoT devices. The observed accesses had characteristics of the Mirai malware, which indicates that it was a cyber attack targeting IoT devices.

The purpose of the access, as determined by the analysis, was to download and execute malicious programs. Vulnerabilities in certain products are exploited so that malicious programs are downloaded without the user's intent, and there is a risk that these programs are then executed. If multiple vulnerable products are used, the infection may spread from one device infected with a malicious program to other devices.
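
The fingerprint in the observation quoted above (an initial TCP sequence number equal to the destination IP address, on ports 37215/TCP and 52869/TCP) can be checked against captured traffic. The following is an added example, not code from the National Police Agency or from this article; the function names are illustrative and the sample packets are constructed using documentation address ranges.

```python
import socket
import struct
from collections import Counter

# Destination ports named in the National Police Agency observation.
WATCHED_PORTS = {37215, 52869}

def ip_to_int(addr):
    """Dotted-quad IPv4 address as a 32-bit integer (network byte order)."""
    return struct.unpack("!I", socket.inet_aton(addr))[0]

def build_packet(src, dst, dport, seq, flags=0x02):
    """Build a minimal IPv4+TCP header pair (checksums zero) for the constructed samples."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, seq, 0, 5 << 4, flags, 5840, 0, 0)
    return ip + tcp

def parse_syn(packet):
    """Return (src, dst_as_int, dport, seq) for an initial TCP SYN, or None."""
    if len(packet) < 20 or (packet[0] >> 4) != 4 or packet[9] != 6:
        return None                      # not IPv4 carrying TCP
    ihl = (packet[0] & 0x0F) * 4
    frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    if ihl < 20 or frag_offset or len(packet) < ihl + 14:
        return None                      # bad header, later fragment, or truncated capture
    _sport, dport, seq, _ack, _off, flags = struct.unpack("!HHIIBB", packet[ihl:ihl + 14])
    if (flags & 0x12) != 0x02:
        return None                      # only a SYN without ACK opens a connection
    dst_as_int = struct.unpack("!I", packet[16:20])[0]
    return socket.inet_ntoa(packet[12:16]), dst_as_int, dport, seq

def count_mirai_style_probes(packets):
    """Count SYNs per (source, port) whose sequence number equals the destination IP."""
    hits = Counter()
    for packet in packets:
        parsed = parse_syn(packet)
        if parsed is None:
            continue
        src, dst_as_int, dport, seq = parsed
        if seq == dst_as_int and dport in WATCHED_PORTS:
            hits[(src, dport)] += 1
    return hits

# Constructed sample traffic (documentation address ranges, not real observations).
TARGET = "198.51.100.7"
SAMPLE_PACKETS = [
    build_packet("203.0.113.10", TARGET, 37215, ip_to_int(TARGET)),
    build_packet("203.0.113.10", "198.51.100.8", 37215, ip_to_int("198.51.100.8")),
    build_packet("203.0.113.10", TARGET, 52869, ip_to_int(TARGET)),
    build_packet("192.0.2.50", TARGET, 37215, 0x12345678),                # ordinary ISN
    build_packet("192.0.2.51", TARGET, 37215, ip_to_int(TARGET), 0x12),   # SYN-ACK, ignored
    build_packet("192.0.2.52", TARGET, 37215, ip_to_int(TARGET))[:30],    # truncated capture
]

if __name__ == "__main__":
    for (src, port), n in sorted(count_mirai_style_probes(SAMPLE_PACKETS).items()):
        print(f"{src} -> port {port}/TCP: {n} probe(s) with seq == destination IP")
```

A uniformly random sequence number matches the destination address by chance only about once in 2^32 packets, so repeated hits from one source are a strong signal rather than noise.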

Cases of unauthorized access to security cameras

There is a case in which unauthorized access occurred to a security camera that was managed using IoT. The details of the case are as follows.

① Install a network security camera
② Use the default ID and password
③ Unable to connect to the network
④ Unauthorized access discovered

Reference source: Fukuoka Prefectural Police | Damages caused by unauthorized access to security cameras (IoT devices) in the prefecture and elsewhere (as of February 5, 2024)

One possible cause of unauthorized access is the use of default IDs and passwords. Pre-set IDs and passwords are often simple combinations. Therefore, if default IDs and passwords continue to be used, they tend to be easily guessed in a brute force attack. When introducing IoT devices, IDs and passwords should be changed from their default settings.

Also, some devices are equipped with multiple functions and may be configured to use functions that are not necessary. If multiple functions are used, the frequency of communication and operating time will increase, which may increase the risk of being attacked. It is important to identify the functions that are necessary and disable the functions that are not necessary.

Cases of voyeurism, virus spread, and being used as a springboard for attacks on other companies

There are also cases where IoT devices are hijacked and used as a springboard for voyeur photography, virus spread, and attacks on other companies. The details of the case are as follows:

Security and commercial network cameras can suffer from problems such as "becoming inoperable," "images being illegally viewed," and "recorded data and settings being tampered with."
A remote connection is made to a fax machine or multifunction device (printer) and copied or printed files are stolen.
They are infected with viruses or malicious programs aimed at remote control and used as stepping stones for cyber attacks.
IoT devices such as air conditioners can be remotely controlled, causing disruption to daily life.

Source: Ehime Prefectural Police | For customers purchasing IoT devices (as of February 5, 2024)

If an IoT device is hijacked, there is a risk that not only information will be stolen, but also that the information and settings within the system will be tampered with. In particular, if the settings are tampered with, operations may become impossible and the system may become unusable. There is also a risk that an attacker may be able to take control of the device.

Additionally, once an IoT device is infected with malware, it may be used as a stepping stone for a DDoS attack. Users must be careful because they may become complicit in cyberattacks and become perpetrators without their knowledge.

Avoid problems! Explaining IoT security measures

We will explain three IoT security measures to avoid problems occurring.

  • Update your password regularly
  • Create a strong security environment
  • Update firmware regularly

Update your password regularly

Be sure to update your IoT passwords as necessary, not just during initial setup. You can reduce the possibility of unauthorized access by changing your password at the time of installation and changing it as appropriate during use.

However, do not reuse passwords that you use for other services, or use passwords that are easy to guess. If you reuse passwords, there is a risk that the password may be leaked from another service rather than from IoT. Attackers will consider the possibility that stolen passwords are being reused. Of course, we cannot deny the possibility that they may be used in attacks on IoT.

Additionally, if you use a password that is easy to guess, the risk of unauthorized access increases. It is important to avoid including information that can be easily guessed, such as your personal name or birthday, in your password.

When setting a password, use a random mix of the following elements:

  • Uppercase letters
  • Lowercase letters
  • Special characters
  • Numbers
  • Symbols

In IoT, security can be increased by setting a password that is difficult to guess and changing it regularly.

Additionally, we recommend using two-factor authentication. Two-factor authentication is a mechanism that, when access is requested, authenticates using a factor in addition to the password. One example is combining a password with biometrics (such as a fingerprint or iris). This makes it possible to prevent, to some extent, unauthorized access by someone impersonating the user.

Create a strong security environment

Creating a highly secure environment is also an effective IoT security measure. Even if it is not possible to implement security measures for IoT devices themselves, there is a high possibility of preventing cyber attacks by strengthening the environment surrounding IoT devices.

A specific method is VPN, which uses a virtual dedicated line. A VPN is a method of communication that uses a dedicated line that only specific users can use, rather than a shared line that anyone can access. To understand this dedicated line, it may be easier to imagine it as a tunnel. The communication exit and entrance are paired and the route is kept secret. This will prevent attackers from gaining access or stealing data.

However, implementing multiple security measures may increase costs and management effort. If you implement security measures that require complex management, there is a risk that they will not be able to be managed properly and human error will occur. Let's take appropriate measures while reducing the burden of security measures as much as possible.

Update your firmware regularly

Regularly updating firmware is also one way to ensure IoT security. Firmware is software that runs the hardware built into electronic devices.

It controls the operation of the hardware and is built into products when they are made. However, if firmware is not updated, the device may be subject to cyber attacks that exploit vulnerabilities.

Product manufacturers provide new firmware to fix vulnerabilities and improve functions, and replacing a device's program with the newly provided one is called an update. Since fixes for device defects and vulnerabilities are applied, risks can be reduced to some extent by making a point of updating devices every time an updated version of firmware is provided.

When the latest version of firmware is released, you will usually receive an update notification from the manufacturer. When you receive the notification, update it so that you always use the latest firmware.

Please note that if a firmware failure occurs due to a failed update, the device system may stop working. When updating firmware, be sure to follow the instructions and rules specified by the manufacturer and pay close attention.

Frequently asked questions regarding IoT security issues

We will explain the following two frequently asked questions regarding IoT security issues.

  • What exactly is IoT?
  • Are there that many attacks targeting IoT devices?

What exactly is IoT?

IoT is a technology that connects things to the Internet. In Japanese, it is translated as "Internet of Things."

Traditionally, the things that connected to the Internet were generally computers such as PCs and smartphones. As computers and communication devices have become smaller, various things that were not previously connected to the Internet can now be connected to the Internet.

IoT mainly enables the following:

  • Remote monitoring
  • Remote control
  • Communication between things

It is possible to monitor the status of things using sensors attached to IoT devices, and to issue instructions to things via the Internet to operate them, etc. Furthermore, by communicating with other things connected to the Internet, devices can be operated automatically.

IoT is used in a wide variety of products in our daily lives, such as smart home appliances and self-driving cars. Its use is expanding to fields such as manufacturing and medicine, and it is a technology that is expected to be used in even more diverse situations in the future.

For more information on IoT, please refer to the following article.

IoT is the Internet of Things! Explaining the mechanism, what can be achieved, and implementation examples

Are there that many attacks targeting IoT devices?

Attacks targeting IoT devices are on the rise. According to documents released by the Ministry of Internal Affairs and Communications, the percentage of cyber attacks observed in 2019 by target is as follows:

| Target of attack | Ratio |
| --- | --- |
| IoT devices (web cameras, routers, etc.) | 48.8% |
| Windows | 9% |
| Cryptocurrency | 2% |
| Database | 1% |
| Others | 37.4% |

Reference source: Ministry of Internal Affairs and Communications | Recent trends in cyber attacks, etc. December 3, 2020 | Page 4 (as of February 5, 2024)

The same document also reports that cyber attacks observed in 2019 totaled 327.9 billion packets. Half of these attacks were aimed at IoT devices, which shows how easily IoT devices are targeted.

As mentioned above, IoT devices are difficult to secure and prone to vulnerabilities. When introducing IoT, it is important to plan security measures with the possibility of attacks from malicious third parties in mind. Do not be complacent and assume that your company's IoT system is safe; take appropriate security measures on the assumption that various attacks will occur.

Summary

So far, we have explained the security issues surrounding IoT. In the event of a cyber attack, there is not only the risk of information leakage and hijacking of IoT devices, but also the risk of being used as a springboard for attacks on servers and other companies. In some cases, IoT may become unusable or the user may unknowingly become a perpetrator.

To prevent cyber attacks, effective measures include updating passwords and keeping firmware up to date. Understand the importance of security measures and take proper measures to enjoy the benefits of IoT with peace of mind. If you run into difficulties, please feel free to contact us.
