In this post I will introduce the beginner to a high-level overview of the most common IoT attacks performed by hackers and crackers.
By the end of reading this post you should have a good understanding of where vulnerabilities exist in these systems and how you can mitigate these threats.
Where possible I will also point out where you can go to gain more experience in this fascinating field of network security/cyber-security.
The “Internet of Things” may be a relatively new concept today but the underlying networking technology is what we use for the internet.
So whether you’re learning IoT security or network/cyber security in general, it’s basically the same thing.
What are some of the most common attacks on IoT systems? Let’s find out!
Throughout this post I may refer to hackers and crackers as attackers as it’s important to note that these two terms are not the same.
A hacker is someone who is creative with technology, making it do things that it wasn’t initially intended to do.
A cracker bypasses security mechanisms such as passwords. Unless the cracker has explicit permission to do so, this is illegal in most cases.
Thus a cracker may perform hacks and a hacker may perform cracks.
Can IoT Be Hacked?
“Internet of Things” devices and servers are susceptible to hacking just as much as any other computer connected to the internet.
Steps can be taken to reduce the risk of hackers taking over these systems; however, not everything can be made 100% “hack-proof”.
In my post: “Are smart homes dangerous?” I explain the risk to your personal security from hackers who could theoretically gather your sensor data through surveillance of your own systems.
How Are IoT Devices Hacked?
There is a multitude of methods for hacking “Internet of Things” devices.
Many of these methods are well-known in the information technology industry, and we call them attack vectors.
In this post I will take you through some common IoT attacks and give a brief explanation of how each of these attack vectors is used by hackers.
Why Are IoT Devices Vulnerable And What Makes IoT Devices Vulnerable To Cyber-Attacks?
IoT devices are vulnerable to cyber-attacks simply because there is no way of fully securing them.
The first step to protecting our “Internet of Things” devices is for us, the humans, to acquire the knowledge needed to protect our systems.
Hackers will compromise IoT systems for many reasons.
These reasons can include financial gain or bragging rights among the hacker community to display how clever they are.
How Do I Learn IoT Security?
Reading and acquiring theoretical knowledge is important to learning anything, let alone information technology.
But it’s only when you actually put this knowledge into practice that you truly begin to master the subject.
Linux is the hacker’s operating system of choice.
I for one can’t recommend it enough, for reasons I won’t go into right now.
Kali Linux is arguably the biggest network security distribution available today and is an excellent environment to learn in.
However, before we can run we need to walk.
Before we can learn the specifics of Kali Linux we need to know the basics of Linux itself.
My LPIC1 (Linux Professional Institute 1) certification posts cover in detail the foundational skills of using and administering the system.
Although still in development by me, it’s designed to educate the absolute beginner into becoming a Linux Admin professional.
Besides Linux, we’re going to need to know the basics of networking too!
It’s only when we put these two subjects together that we can begin to understand security in the “Internet of Things”.
The ‘Certified Internet of Things Practitioner’ Certification provided by CertNexus is an excellent blueprint to begin learning IoT.
Common "Internet of Things" (IoT) Attacks
Installing malware (malicious software) is a common IoT attack used by hackers to run undesirable programs on a victim’s system.
Malware exists in many different forms and can be executed in many different ways.
Here are some of the most common forms of malicious software that we need to prevent from running on our “Internet of Things” systems:
1.1 Trojan Horse
A trojan horse is a software program that looks like a legitimate and trustworthy application in order to get the victim to install it.
The main goal here is to avoid arousing the victim’s suspicion so that they run the program.
Usually a trojan horse is made up of two programs: one is the malicious program and the other is a perfectly legitimate program.
This way, the victim will run the application and it will perform as expected, without alerting him/her to the fact that they have just compromised their own system.
When an attacker has gained access to an IoT device or system it’s not uncommon for them to then create what is known as a backdoor.
This is essentially the process of creating another weak point in the system in case he/she gets locked out of their initial entry point.
For example, if the owner of the IoT system updates software and the update patches a vulnerability, it could lock out the attacker.
A keylogger records a victim’s keystrokes from a computer and can be implemented in either hardware or software form.
A software keylogger is installed as an application, whereas a hardware keylogger is a physical device that is plugged into a device on the IoT system.
Once an attacker has successfully installed a keylogger on a victim’s device he/she can then gain access to the victim’s data and passwords, for example.
Ransomware is software installed by an attacker that encrypts the victim’s personal data and then asks the victim to pay a ransom fee in order to recover the data.
This attack seems to be emerging more frequently lately and it’s not uncommon to see these attacks against hospitals and education departments.
Spyware is a software program that, once installed, records a victim’s information before sending it remotely back to the attacker.
Spyware could consist of a keylogger, screen snapshots, and camera and microphone recordings, for example.
Many people believe that closed-source home automation equipment designed by manufacturers could be using spyware on its customers.
Amazon Alexa for example could be recording, storing and further processing our information that was gained through unethical practices.
A worm is another form of malicious software that could potentially be a common IoT attack.
Its job is to stay as hidden as possible on a victim’s system and spread itself to other connected devices.
A virus is a malicious software program designed to cause harm to a computer system.
When we talk about malware we are usually referring to a virus.
Viruses are common IoT attacks that could cause very significant damage to our systems.
Imagine a virus that could take control of medical equipment or smart traffic lights for example.
1.8 Hacked Firmware Updates
Firmware is software that is installed on embedded devices such as microcontrollers.
Vulnerabilities in this firmware pose a security risk and it’s down to the device manufacturers to create updated software that patches these issues.
Sometimes hackers can change the firmware files directly at the manufacturer’s source.
This means that anyone who downloads and installs the updated firmware version may be installing dangerous hacked firmware.
Manufacturers publish checksums for their firmware files, and the user should always check that these match before installing firmware.
How To Mitigate IoT Malware Risks
- Keeping software up-to-date can patch vulnerabilities
- Using an operating system built around security such as Linux
- Physically locking away and monitoring IoT nodes
- Install software from trustworthy vendors/repositories only
- Verify integrity of software using hash sum checks before installing
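The checksum check recommended above and in section 1.8 can be scripted as follows. This is an added example, not code from the original post; the file name `sensor-fw-1.2.bin` and the checksum list (in `sha256sum` output format) are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import tempfile


def sha256_file(path, chunk_size=65536):
    """Hash a file in chunks so large firmware images do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_checksum_list(text):
    """Parse 'HEXDIGEST  filename' lines into {filename: digest}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue                      # malformed line: ignore it
        digest, name = parts
        entries[name.lstrip("*")] = digest.lower()
    return entries


def verify_firmware(path, checksum_text):
    """Return (ok, reason). Only install the image when ok is True."""
    expected = parse_checksum_list(checksum_text).get(os.path.basename(path))
    if expected is None:
        return False, "no published checksum for this file"
    if not hmac.compare_digest(sha256_file(path), expected):
        return False, "checksum mismatch"
    return True, "checksum matches"


def demo():
    """Constructed sample: a fake image, its checksum, then a modified copy."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "sensor-fw-1.2.bin")
        with open(image, "wb") as fh:
            fh.write(b"constructed firmware image\n")
        published = sha256_file(image) + "  sensor-fw-1.2.bin\n"
        good = verify_firmware(image, published)
        with open(image, "ab") as fh:     # simulate a changed download
            fh.write(b"\x00")
        tampered = verify_firmware(image, published)
        unknown = verify_firmware(image, "")
    return good, tampered, unknown


if __name__ == "__main__":
    for result in demo():
        print(result)
```

A checksum downloaded from the same server as the firmware only catches corruption: if the manufacturer's source itself has been changed, the checksum can be changed with it, so obtain it over a separate channel or rely on a vendor signature where one is offered.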
2. Network Attacks
Many common IoT attacks happen over a network such as the internet or a local network.
Because there are so many parts that make up a network, it also introduces many weaknesses that an attacker can exploit.
A (Distributed) Denial of Service attack happens when multiple computers try to make a connection to the same host at the same time.
A host can usually only handle so many requests until it becomes overwhelmed and eventually becomes inoperable.
Attackers can take control of multiple systems around the world and use these systems to attack a common host/victim to create a DDoS.
This network of “robots” is what we call a botnet.
2.2 MITM (Man-In-The-Middle) Attacks
TCP/IP is the de facto protocol suite used around the world to network computers and IoT devices together.
One of the protocols in this suite is called ARP (Address Resolution Protocol).
ARP can be attacked in a way that goes undetected unless a specific system is actively monitoring its activity for anything suspicious.
This attack vector is usually referred to as “poisoning the ARP cache” or simply “ARP poisoning”.
An attacker can perform a man-in-the-middle attack which essentially places his/her computer in between a gateway and a victim computer or IoT device.
Once this attack is taking place the attacker can then execute further attacks or gather information (eavesdrop) that is passed between the gateway and the victim device.
Examples of eavesdropped data could be video streams, voice conversations, password logins and images.
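The kind of ARP monitoring mentioned above can be as simple as comparing the ARP table against a known-good baseline. This is an added example, not from the original post; the snapshots use the Linux `/proc/net/arp` layout, and every address in them is constructed.

```python
# Constructed snapshots in /proc/net/arp format; all addresses are made up.
BASELINE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         02:00:00:00:00:01     *        wlan0
192.168.1.20     0x1         0x2         02:00:00:00:00:20     *        wlan0
192.168.1.50     0x1         0x2         02:00:00:00:00:50     *        wlan0
"""
CURRENT = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         02:00:00:00:00:50     *        wlan0
192.168.1.20     0x1         0x2         02:00:00:00:00:20     *        wlan0
192.168.1.50     0x1         0x2         02:00:00:00:00:50     *        wlan0
192.168.1.60     0x1         0x0         00:00:00:00:00:00     *        wlan0
"""


def parse_proc_net_arp(text):
    """Return {ip: mac}, skipping the header and incomplete entries."""
    table = {}
    for line in text.strip().splitlines()[1:]:
        fields = line.split()
        if len(fields) < 6:
            continue
        ip, mac = fields[0], fields[3].lower()
        if mac == "00:00:00:00:00:00":        # unresolved entry
            continue
        table[ip] = mac
    return table


def arp_alerts(baseline, current, gateway_ip):
    """Compare two ARP tables and return a list of (severity, message)."""
    alerts = []
    # 1. An IP whose MAC differs from the baseline (worst for the gateway).
    for ip, mac in sorted(current.items()):
        known = baseline.get(ip)
        if known and known != mac:
            severity = "HIGH" if ip == gateway_ip else "MEDIUM"
            alerts.append((severity, f"{ip} changed from {known} to {mac}"))
    # 2. One MAC answering for several IPs at once.
    owners = {}
    for ip, mac in current.items():
        owners.setdefault(mac, []).append(ip)
    for mac, ips in sorted(owners.items()):
        if len(ips) > 1:
            alerts.append(("MEDIUM", f"{mac} answers for {', '.join(sorted(ips))}"))
    return alerts


def check_snapshots():
    return arp_alerts(parse_proc_net_arp(BASELINE),
                      parse_proc_net_arp(CURRENT), "192.168.1.1")


if __name__ == "__main__":
    for severity, message in check_snapshots():
        print(severity, message)
```

A changed mapping is a prompt to investigate rather than proof of an attack, since replaced hardware or a reassigned DHCP lease produces the same signal.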
2.3 Wireless Attacks
Wifi encryption standards have certainly been improving since Wifi was first introduced.
However cracking Wifi encryption is not the only means of gaining unauthorised access to a wireless network.
Not only that but Wifi is not the only wireless technology used in IoT.
Wireless standards such as LoRa/LoRaWAN, Bluetooth, Zigbee and Z-wave are common to see in Internet of Things networks too.
Once an attacker has gained access to an IoT network via wireless communication he/she could then proceed to perform many other attack vectors including a MITM attack as mentioned above.
Attackers can make various identifying aspects of computers look like something else.
A MAC address for example is unique to every device connected to the internet.
However an attacker can temporarily change (spoof) this address to make it appear as something different.
I’ve seen Wifi networks that rely on MAC addresses as part of their identity system.
This is not a safe method by any means as an attacker can simply spoof his/her own MAC address to one that is already authorised on the network.
There are many other spoofing attacks that can be achieved including:
- Bluetooth MAC address spoofing
- DNS spoofing (which I cover in the next section)
- GPS spoofing on mobile devices
- Text Message (SMS) spoofing. An attacker can make a text message look like it’s from anyone he/she wants.
- Email spoofing
Rogue wireless access points (APs) can be configured and deployed near a victim’s network by an attacker to entice victims to connect.
The attacker can send “disconnect” network packets to the victim’s computer, which will in turn force it to reconnect.
Except it’s very possible for the victim’s computer to then “reconnect” to the attacker’s rogue access point instead.
This all takes place without the victim being aware of anything happening.
Pharming is the term used for redirecting a victim to a dangerous website whenever the victim attempts to connect to a legitimate website.
Domain Name System (DNS) is part of TCP/IP.
When we want to visit a website, for example, we usually type the domain name into the address bar of a web browser.
To connect to this website, the DNS system must resolve this name to its IP address.
An attacker can re-route a victim’s traffic to send them to a website that looks very similar to what the victim was expecting. Here the attacker can steal personal information.
This is why we always look for the padlock in the address bar of a web browser whenever we need to enter personal information into a website, such as login or credit card details.
Without this SSL (Secure Sockets Layer) connection we could potentially be connecting to an attacker’s website.
How To Mitigate Network Attacks
- Use strong Wifi encryption
- Configure and utilise a guest connection
3. Password Attacks
Next on this list of common IoT attacks is targeting passwords.
Because passwords are the single most common form of authenticating a user it’s no surprise that an attacker will want your password.
But how does an attacker find your password?
3.1 Password Cracking
Password cracking is usually performed either by brute force or with wordlists.
The brute-force method tries every possible combination of characters in an attempt to guess a password.
The wordlist method tries every word in a list of common passwords, or the wordlist could even be tailored to a particular victim.
If you would like further information on how hackers use text manipulation to create these password list files I have a post here.
3.2 Password Sniffing
Password sniffing is the term used for listening on a computer network for password data.
The Man-in-the-Middle attack mentioned above could be performed before running a tool such as Wireshark to record data packets sent between a victim and a gateway.
How To Mitigate Risk From Password Attacks
- Change default usernames and passwords
- Use long, strong passwords comprising random uppercase, lowercase and special characters
- Lock out the user after a number of failed login attempts
- Never store passwords in clear-text
- Never use the same password for different accounts
- Change passwords regularly
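Two of the mitigations above, never storing passwords in clear-text and locking out the user after a number of failed attempts, can be combined in a few lines. This is an added example, not from the original post; the `LoginGuard` class, the account name, the thresholds and the PBKDF2 iteration count are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000        # assumed work factor for PBKDF2-HMAC-SHA256
MAX_FAILURES = 3            # assumed lockout threshold
LOCKOUT_SECONDS = 300       # assumed lockout duration


def hash_password(password, salt=None):
    """Derive a slow, salted hash; only (salt, key) is ever stored."""
    salt = salt or os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, key


class LoginGuard:
    """Hypothetical login backend for a device's admin interface."""

    def __init__(self):
        self.users = {}       # name -> (salt, key), never the password
        self.failures = {}    # name -> (failed_count, locked_until)

    def register(self, name, password):
        self.users[name] = hash_password(password)

    def login(self, name, password, now):
        count, locked_until = self.failures.get(name, (0, 0.0))
        if now < locked_until:
            return "locked"                   # refuse without checking
        # Unknown users get a dummy salt so the same work is done.
        salt, key = self.users.get(name, (b"\x00" * 16, b""))
        _, candidate = hash_password(password, salt)
        if name in self.users and hmac.compare_digest(candidate, key):
            self.failures.pop(name, None)     # success resets the counter
            return "ok"
        count += 1
        until = now + LOCKOUT_SECONDS if count >= MAX_FAILURES else 0.0
        self.failures[name] = (count, until)
        return "locked" if until else "denied"


def demo():
    """Constructed scenario: three bad guesses, then the right password."""
    guard = LoginGuard()
    guard.register("admin", "constructed-Passphrase-42!")
    results = [guard.login("admin", "admin", now=float(t)) for t in range(3)]
    # Correct password during the lockout window is still refused.
    results.append(guard.login("admin", "constructed-Passphrase-42!", now=10.0))
    # After the window has passed, the correct password works again.
    results.append(guard.login("admin", "constructed-Passphrase-42!", now=400.0))
    return guard, results


if __name__ == "__main__":
    print(demo()[1])
```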
4. Social Engineering
One of the most effective and common IoT attacks that an attacker can perform is social engineering.
The reason why SE works so well for an attacker is due to the fact that they are targeting the weakest part of any network… the human.
People can be duped into giving away information such as passwords without even knowing they have been a target of a social engineering attack.
Let’s explore some of these common IoT attacks using various methods of social engineering:
An attacker performs a phishing attack by reaching out to an unsuspecting victim via electronic communication such as Email or SMS text message.
An SMS phishing attack is known as Smishing.
This Email or text message is designed to look like a legitimate message from a company or individual who you trust.
The goal for the attacker here is to entice the victim to respond to the message, such as by clicking a link.
Even though the link may look like it’s taking you to a trustworthy site, and the destination website may look legitimate, it is in fact a trap to steal your personal information.
This is one of the reasons why an SSL certificate (a padlock in the address bar of the web browser) is important, as its job here is to identify a trustworthy source.
If your “Internet of Things” or home automation setup includes commercial products from companies such as Amazon or Google then you may be targeted with a phishing attack using these big tech companies as the bait.
4.2 Spear Phishing
A spear phishing attack is essentially a phishing attack as mentioned above, but the attacker is targeting a specific individual.
Usually phishing attacks are conducted on a mass scale so as to capture as many victims as possible.
However a spear phishing attack has been engineered in a way that targets someone in particular.
The Email/SMS etc. may look like it’s from your boss or friend for example.
4.3 Shoulder Surfing/Dumpster Diving
Shoulder surfing and dumpster diving attacks are nothing new and go back as far as the dawn of the computer age.
Shoulder surfing is the term used to describe someone who watches over someone’s shoulder while they are typing personal information into a computer such as a password.
Dumpster diving is the term used to describe an attacker who physically rummages through dumpsters looking for personal information that’s been thrown away.
Mitigating this risk involves destroying any paperwork to make it illegible before an attacker has a chance to steal this information from your trash.
One of the most common IoT attacks involving social engineering is impersonation.
An attacker could trick a victim into giving away the information he/she wants by pretending to be someone trustworthy, as in the phishing attack I mentioned above.
Not only will an attacker try to use SMS or Email to entice a victim to perform the action the attacker wants, but some are even bold enough to make telephone calls to a victim.
An attacker ringing a desk clerk at an office and pretending to work in the IT department to gain company information is a good example of impersonation.
How To Mitigate Risk From Social Engineering Attacks
- Be vigilant when giving personal information over electronic communication
- Double-check destination Email addresses
- Directly type in website addresses rather than clicking through links
- Use screen shields in areas where shoulder surfing is possible
5. Elevation of Privilege
A common IoT attack known as ‘elevation of privilege’ requires an attacker to first gain unauthorised access to a computer system.
Usually the attacker gains access by using a regular user account.
Once he/she is inside the system they will try to gain access to an Administrator account.
This gives them more access to the system as a whole and ultimately lets them cause more harm than can be done with a regular user account.
The average user needs to be made aware of points 6, 7, 8 and 9 below. However, these subjects will require further network security knowledge in order to mitigate risks.
A fuzzing attack is the process of sending random data to computer software in an attempt to break the system or cause it to malfunction in some way.
Common IoT attacks such as this require in-depth network security knowledge, as fuzzing attacks are not generally dealt with by the average user.
More information on fuzzing can be found on the Wikipedia page.
7. Cross-site Scripting
Cross-site scripting (or XSS) is another common IoT attack that we need to be aware of.
An XSS attack is carried out by an attacker who sends malicious code to a legitimate and trusted website.
XSS is yet another IoT attack that the average user won’t deal with.
This is a network security topic and out of scope of this post.
More information on cross-site scripting can be found on the Wikipedia page.
8. Code Injection
Computer programs usually need data entered into them by humans.
But sometimes these software programs have vulnerabilities which could cause code to be executed when it is entered in place of the expected data.
An attacker could enter small snippets of code instead of this expected data, which could cause the program to run in unexpected ways.
By injecting code into a program, an attacker could perform many attacks on an IoT system such as:
- Installing malware
- Manipulating database entries
- Elevation of privilege
- Denial of access
9. Buffer Overflow
Most of us know by now that computers use memory to store data.
But what happens when a computer program tries to store more data than is expected?
A buffer overflow occurs when software “overflows” this data and leaks it into other parts of memory.
This can cause serious problems for the system as a whole and introduces some major security issues.
If an attacker can get his/her malicious code into memory that a program is executing then a successful hack can be achieved.
Unfortunately buffer overflows can be quite common and this is one huge reason to keep software programs updated.
Software developers can apply updates when these vulnerabilities are discovered, and this helps reduce the chances of our IoT systems being hacked.
More information on buffer overflows can be found on the Wikipedia page.
9.1 SQL injection
SQL injection is another form of code injection, which I mentioned in the previous section above.
As the name suggests, SQL (Structured Query Language) is a common language used around the world to query databases.
This is another one of those common IoT attacks that happen all too often, used by hackers to manipulate database data on a computer system they are not authorised to use.
Once an SQL injection attack has been successfully executed, it’s possible for a hacker to steal data from the database.
Again, this vulnerability is due to software that is expecting data from a user but instead receives a code snippet which would then be executed by the program.
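The difference between input treated as code and input treated as data, which is the root of both code injection (section 8) and SQL injection, is shown below with a vulnerable query beside its parameterised fix. This is an added example, not from the original post; the `readings` table, its rows and the input string are constructed.

```python
import sqlite3

# Constructed input: a value that is not a plain owner name.
CONSTRUCTED_INPUT = "alice' OR '1'='1"


def make_db():
    """Build an in-memory database of constructed sensor readings."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE readings (device TEXT, owner TEXT, value REAL)")
    db.executemany(
        "INSERT INTO readings VALUES (?, ?, ?)",
        [("thermostat", "alice", 21.5), ("door-lock", "bob", 1.0)],
    )
    return db


def readings_vulnerable(db, owner):
    """BEFORE: user input is pasted into the SQL text and parsed as SQL."""
    query = (
        "SELECT device, value FROM readings WHERE owner = '"
        + owner
        + "' ORDER BY device"
    )
    return db.execute(query).fetchall()


def readings_safe(db, owner):
    """AFTER: the '?' placeholder sends the input as data, never as SQL."""
    query = "SELECT device, value FROM readings WHERE owner = ? ORDER BY device"
    return db.execute(query, (owner,)).fetchall()


def compare():
    """Run the same input through both functions."""
    db = make_db()
    return {
        "vulnerable": readings_vulnerable(db, CONSTRUCTED_INPUT),
        "safe": readings_safe(db, CONSTRUCTED_INPUT),
        "normal": readings_safe(db, "alice"),
    }


if __name__ == "__main__":
    for name, rows in compare().items():
        print(name, rows)
```

The vulnerable version returns every owner's rows for the constructed input, while the parameterised version looks for an owner literally named that string and returns nothing.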
10. Malicious Node Injection
Not only is virtually securing “Internet of Things” devices important, but physical security plays an equal part in keeping the bad guys out too.
IoT devices that are not kept under lock and key are just inviting an attacker to access your devices and the network as a whole.
Open source developer boards such as Raspberry Pi can be configured by an attacker to break in.
All he/she would need to do is physically plug it into your “Internet of Things” system to open up a wide range of security problems.
An attacker could, for example, configure a Wifi access point on the Raspberry Pi to connect into your IoT network from across the street.
This post covered some of the most common IoT attacks and threats that exist today.
My goal here was to introduce the beginner to these security concepts and to encourage learning more about these threats.
As the “Internet of Things” becomes more common in our daily lives, such as through the implementation of home automation, it’s important to understand and mitigate risks.
Regular users can take action on most of the topics in this list. However, other subjects will require more in-depth knowledge of network security.
owasp.org focuses on web application security and is a great source of information for further reading on this subject.
Don’t get caught off-guard. Thanks for reading.