Security Issues with IoT Devices
Security
May 16, 2024
As more Internet of Things (IoT) devices become prominent in our daily lives, concerns about their security shortcomings also increase. These devices—such as smart thermostats, smart appliances, and internet-connected security cameras and systems—add a layer of convenience and ease of access to many technologies we use regularly. While they have many advantages, they also have the disadvantage of being more vulnerable to cyberattacks.
Researchers recently identified vulnerabilities in Telit Cinterion cellular modems that leave millions of IoT devices at risk. The most severe vulnerability could allow arbitrary code to be executed remotely on the modem without prior authentication. Telit Cinterion cellular modems are widely used in the automotive, industrial, financial, healthcare, and telecommunication sectors. Researchers recommend disabling nonessential SMS capabilities for vulnerable IoT devices and employing private Access Point Names (APNs) with strict security settings.
Vulnerabilities were also previously discovered in the popular internet-connected treadmill, Peloton. While these vulnerabilities could allow threat actors to gain access to the network, they would also require threat actors to have physical access to the treadmill. Using social engineering, a determined threat actor could compromise the smart home device.
Additionally, smart home security systems are vulnerable to compromise. Earlier this year, Wyze cameras had a security incident in which 13,000 accounts were compromised, and approximately 1,500 users were able to view the feed of other Wyze cameras. Wyze had a similar incident in September 2023.
IoT devices are often used to build botnets, as their usually lax security measures make them ideal targets for threat actors. Many IoT devices still use default login account credentials and often go unpatched. Once compromised, threat actors can remotely control these devices. Botnets are frequently used in distributed denial-of-service (DDOS) attacks, and can also be used for credential stuffing, cryptojacking attacks, phishing, and infecting more devices with botnet malware.
In March, the Connectivity Standards Alliance (CSA) Product Security Working Group released its IoT Device Security Specification 1.0 to upgrade IoT security measures.
Highlights of these requirements include:
- Factory resets must return the device to a secure default.
- No hardcoded default passwords.
- Secure storage of sensitive data.
- Data must be stored and transmitted securely.
- Secure software updates to patch security issues.
- Secure development process.
- Known vulnerabilities must be identified, disclosed, and mitigated.
Recommendations
- Keep all devices patched with the latest security updates after appropriate testing.
- Change the default password for accounts and devices.
- Use strong, complex passwords and multi-factor authentication (MFA) wherever possible, choosing authentication apps or hardware tokens over SMS text-based codes.
- Read more about IoT Devices and best practices in the IoT Device Security and Privacy NJCCIC product.