IoT Security Fundamentals: Intercepting and Manipulating Wireless Communications
Introduction: IoT Manufacturers Favor Convenience over Security
Because IoT security is still an afterthought, cybercriminals in general consider smart devices a “low-hanging fruit” – a target easy to compromise and manipulate.
Security (and privacy) by design is key for IoT, and probably the only effective way for a smart gadget to protect its communications is to encrypt them. Unfortunately, it is still not easy to reconcile convenience with security when it comes to low-resource apparatuses. For that reason alone, many IoT products come with either ineffective features that encrypt communications and stored data or none at all.
According to a 2020 report by a threat intelligence team called Unit 42, 98% of the 1.2 million IoT devices on corporate networks they analyzed had no capability to encrypt traffic. As a result, 57% of these IoT devices were susceptible to traffic interception and manipulation, among other things. The same report further showed that mixing IoT and IT assets on VLAN may be dangerous, as compromised employee IoT devices could spread malware onto corporate networks.
Aamir Lakhani, cybersecurity researcher and practitioner at FortiGuard Labs, explains the whole production conundrum surrounding smart things before Dark Reading:
“Designing a device that is easy to set up and also secure is difficult because manufacturers need to contend with a large variety of home networks, routers, access points, and other devices. Therefore, manufacturers make their devices accessible for ‘the least common denominator,’ which usually means using security protocols that are not always the most secure for every environment.”
Threats to IoT that Lurk in Unprotected Wi-Fi Networks
Harvesting public Wi-Fi traffic is more popular than ever, and unsecured IoT devices certainly contribute to the fact that this method is relatively easy to apply. Every attacker can perform the following on public networks with:
- An off-the-shelf wireless network adapter and a software-defined radio. Software-defined radios (SDRs) are important equipment that allow cybercriminals to receive, transmit and analyze wireless signals across a wide range of frequency. HackRF One is a popular example of such an SDR-based tool.
- Freely available software, such as Wireshark and Bettercap, which require no extra hardware. The hacker could make a connection to an unsecured public network and acquire network packets from unprotected devices hooked to this network. An open source tool called IoT Inspector detected that a Chromecast device was constantly contacting Google’s servers even when it was supposed to remain idle. Unlike WireShark, strong technical expertise is not required to use this tool.
- A dedicated hardware tool called Wi-Fi Pineapple with which the attacker can broadcast a new Wi-Fi network and eventually actively intercept packets. This collection of attack tools equipped with user-friendly graphical web interface is designed to execute man-in-the-middle (MiTM) attacks – the biggest threat as far as Wi-Fi security is concerned.
A real-life example of manipulating radio communications in the realm of IoT can be seen in the Medtronic heart defibrillators where a critical flaw allowed a nearby hacker to alter settings of this device. All communications between the defibrillator and the control devices were exposed to interception within 20 feet range from the former, since the Conexus radio-frequency wireless telemetry protocol lacks any form of authentication. Through this protocol, control devices can remotely read and write memory to the heart implants; however, any attacker in close proximity to the defibrillator could also intercept, modify, inject and replay the telemetry data with the help of a software-defined radio. That is of course provided that the cardiac device radio communication functionality is being enabled.
Gaining unauthorized access to personal medical equipment is not a new thing, at least at a pen-test level. A couple of years ago, security researchers were able to demonstrate how to hack an Internet-connected insulin pump remotely.
Attacks on Other IoT Communication Protocols
When we discuss IoT, we should also consider the fact that, except for Wi-Fi, they tend to utilize other protocols for wireless communication, such as Bluetooth, Zigbee and Sigfox.
- Some Bluetooth-enabled devices are cars, medical devices, connected cars, mobile phones, keyboards, etc. Armis Labs discovered an attack vector dubbed BlueBorne that might have given cybercriminals control over devices and networks, and the option to plant malware on devices at close distance.
In the area of connected cars, a theft is possible through the interception of communications between a smartphone/wireless key fob and the targeted automobile. To execute this attack, hackers can use a tool that extends the range of the wireless signal to emulate the wireless key accessing the car when the owner is near it and uses his/her own wireless key fob.
Rolling codes – a security technique designed to prevent hackers from recording and replaying the fob signal – are typically found in car fobs and garage doors. Despite the good intent behind the implementation of this security feature in some IoT machines, it can be brute force penetrated within seconds.
- One can come across Zigbee in smart lighting controls and smart alarm systems. Tutorials are to be found online in which hackers show how to use SDRs to intercept Zigbee communications and replay them to the IoT devices so that an attacker can gain physical or remote access. On top of that, a GUI-equipped wrapper known as Attify ZigBee Framework could also sniff and capture packets from Zigbee devices to replay them, seeking to seize devices and steal sensitive data.
- SigFox is common among M2M networks that encompass a wide range of IoT devices (e.g., electronic healthcare products, smart electricity and water meters). All these gadgets are under a threat of having their wireless communications attacked by some malicious actor wielding a SDR attack tool. Note that it is indispensable for some smart devices to have the capability to trust other IoT machines, especially in the context of M2M communications (for example, end-point sensors used in the ICS/SCADA environment).
Sometimes having encryption is meaningless if the overall cyber hygiene practices are not up to par. By way of illustration, a cybersecurity company BitDefender detailed in a 2019 report how an IoT product called August Smart Lock came with encrypted communication capabilities between the device and the smartphone app, but the fact that the encryption key was hardcoded into the app could have given cybercriminals nearby an access point and opportunity to eavesdrop and intercept the Wi-Fi password.
At other times, security issues are in the design itself. A vulnerability in a communications module made by Thales for smart products could allow attackers with access to the targeted IoT device to retrieve sensitive information such as passwords, encryption keys and certificates from the Java code. It was found, for instance, in another case that an inherent flaw in Wi-Fi chips made by Cypress and Broadcom led to the encryption key for secure communicating being disabled. Everything from iPhones to Amazon’s Echo – one billion devices approximately – was exposed to this vulnerability.
Maybe customers often assume when in public that there are some Wi-Fi security measures in place, while there are none. That is why businesses entrusted with providing connectivity or design of IoT devices must implement somehow strong wireless encryption such as WPA2. It is very important to be done properly, because even though a measure like HTTPS can be great security-wise, it is often implemented ineffectively even by major websites.
In August 2018, a groundbreaking IoT law was passed in California. It obligates IoT manufacturers to be able to prove that they implemented, to the best of their abilities, into their products security measures that prevent “unauthorized access, destruction, use, modification, or unauthorized disclosure”. This concerns all functionalities of the device – that is, its capability to collect, store and transmit data. In addition, the IoT bill requires manufacturers of smart objects to introduce more security measures, such as unique passwords for each device or prompt users to create one.
Obviously, companies that produce IoT objects have stronger obligations now to give better security safeguards to their clients and that is unquestionably a step in the right direction.
- A hacker intercepted your WiFi traffic, stole your contacts, passwords, & financial data, Hacker Noon
- California’s New Cybersecurity Regulations: Internet Of Things Law, RSI Security
- FDA warning: Scores of heart implants can be hacked from 20ft away, ZDNet
- Four wireless standards hackers will target after Wi-Fi, Help Net Security
- How to Hack Nearly Any Wireless Device, Tom’s Guide
- IoT device vulnerabilities are on the rise, EDN
- IoT Security in 2020: Security Orchestration will Simplify Protection of IoT Applications, Sierra Wireless
- Nearly all IoT traffic is unencrypted, ITProPortal
- New Wi-Fi chip bug affects everything from Amazon’s Echo to home routers, Cyberscoop
- Over 90% of data transactions on IoT devices are unencrypted, CSO
- Spy on your smart home with this open source research tool, TechCrunch
- The Worst and Weirdest IoT Hacks of All Times, Finance Monthly
- Top Ten Security Challenges for Connected Cars, IoT.Business.News
- Vulnerability in Thales Product Could Expose Millions of IoT Devices to Attacks, Security Week
- What is a man-in-the-middle attack? How MitM attacks work and how to prevent them, CSO