By: Avishay Shraga, Head of Security Technologies, Altair Semiconductor
Almost everyone owns a “smart” or “connected” IoT device nowadays, and recent estimates forecast that the number of IoT devices will reach a staggering 55 billion in the next 5 years. Smart cities are poised to contribute to this explosive growth, with an expected investment of $189.5 billion in smart technologies in 2023, many of which involve large-scale IoT device deployments.
While these devices vary greatly in function, there are some common elements that define them as connected devices which bridge the physical and virtual worlds:
- Connected – obviously, every connected device has to support (at least) one type of connectivity – be it through traditional communication protocols such as Wi-Fi, Bluetooth and 4G, or IoT- specific communication protocols such as Zigbee.
- Purposely built – a “true” IoT device is not just any device that is now being connected as an afterthought. IoT devices are built to perform a specific task and as such are designed for maximum efficiency and reduced cost.
- Perform a specific function – each IoT device exists for a specific purpose, be it to monitor its environment or to regulate the temperature in a room.
These unique traits are what make IoT devices so appealing and have significantly contributed to their wide adoption by consumers and corporates alike. But in parallel, these are exactly the same characteristics that make IoT devices vulnerable to security risks.
A study published by the Weizmann Institute’s Prof. Adi Shamir (a world-renowned expert in encryption, and one of the founders of the security company RSA) demonstrated how a flaw in wireless technology makes it easy to use malicious radio signals to hack into consumer IoT devices – and to infect them with malware capable of spreading through the IoT network.
The study was published back on 2017, but a recent study has confirmed that some of the vulnerabilities have endured, and its findings are certainly relevant for other IoT vendors, as both the vulnerabilities and methods of operations remain true to this day.
The researchers have reviewed the published incidents and academic research on hacking IoT devices and have introduced a new taxonomy of attacks, which is based on how the attacker deviates from their “official” functionality:
- Ignoring the functionality
- Reducing the functionality
- Misusing the functionality
- Extending the functionality
Prof. Shamir and his colleagues opted to explore the last type of attacks, in which the attacker extends the designed functionality of the IoT device, and uses it in order to achieve a completely different and unexpected physical effect. They chose a rather benign looking IoT device to test their proof-of-concept, “smart” lightbulbs – bulbs with the built-in capability to send and receive data.
Connected LEDs are smart light bulbs that are connected (directly or with the aid of a light controller) to a local LAN, allowing the user to control brightness and sometimes color remotely. Using a simple radio transceiver, costing just a few hundred dollars, the team performed an over-the-air hack of the smart lightbulbs. This hack enabled them to manipulate the devices’ software and hijack an entire smart lamp network. The attacks used (or more correctly – abused) a communication protocol called Zigbee– a wireless standard, invented in the 90’s that is widely used in home consumer devices. While it is supposed to be secure, it hasn’t been held up to the scrutiny of other security methods used around the internet. The team discovered that in a specific implementation of Zigbee there is a bug in the code that makes it possible to infect lightbulbs with malicious code. This is what enabled the attackers (researchers) to manipulate the activation of the bulbs and cause them to change brightness levels or flicker. This was performed from a distance of up to 100 meters, proving that this attack could also breach isolated (“air-gapped”) networks. Even worse, the team had shown that a malware (“worm”) uploaded to a single bulb has the potential of spreading quickly over large areas, provided that the density of compatible IoT devices exceeds a certain critical mass. This could potentially enable attackers to control an entire IoT deployment (for instance – to control all the smart lighting within a city).
It is important to note that prior to publishing the findings, the researchers informed bulb manufacturers, and delayed publication of their findings until the vulnerability was fixed.
Other vendors should assume that similar vulnerabilities might be present in their products, and act to identify and eliminate these by incorporating components made by security-minded manufacturers.
Research clearly shows that IoT devices today are not designed to be secured. Given the manufacturers’ (and consumers’) motivation to keep prices down, it is unlikely that major improvements in devices’ security will be made voluntarily. IoT security standardization and regulation is being introduced, but it will take some time to make an impact on the security levels offered by device makers. With this in mind, we should ask ourselves if the risk exposed by Prof. Shamir and his team is theoretical or applicable to our own lives and devices. Given that the research has shown at least one potential method of attacking devices (giving us the “how?”), we should ask ourselves why anyone would attack connected devices and what the potential impact would be. Hackers have demonstrated their interest in connected devices, in a series of proof of concept hacks and real-life cybercrime incidents (like the Mirai botnet). At this point in time, it seems that IoT devices are hacked in order to “recruit” them into powerful botnets or to use their computing power to mine cryptocurrency. As IoT devices will proliferate, hackers will find additional nefarious uses – like holding devices for ransom (think of a smart thermostat set to “cold” on a freezing winter’s day) or stealing sensitive data stored/measured by the devices. As for the potential damage, it is likely that hijacked IoT devices will suffer from greater wear and tear (and even more frequent battery replacement) and that infected IoT networks will consume greater bandwidth and offer a reduced quality of service – all of which are important factors that affect IoT’s profitability/ business model.
The adoption of IoT devices is a fact of life, and a life-saver for many organizations and individuals. But, as demonstrated by the studies discussed in this post, proper security is paramount to the successful operation of IoT deployment. A security mechanism has to be introduced during the design and manufacturing phases. It cannot be added later as an afterthought or patch.
Altair Semiconductor’s technology answers these security concerns. Designed with security in mind, Altair’s cellular IoT technology is manufactured in secured environments, undergoes rigorous testing and validation and is made to counter a large array of security threats. The chip design process ensures that security is “baked in” and therefore does not interfere with other critical parameters of the chip, such as power consumption and performance.
To conclude, I believe that this study is still very relevant today. It demonstrates that even a well-respected company such as Phillips can release products which have security flaws. If it happened to them, it could happen to anybody – as the entire industry is using the same (often flawed) protocols, open source code and operating systems. The only way to overcome this is to work with security-minded IoT vendors like Altair and its ecosystem partners, who focus on making your product safe and secure.
For the complete research paper please see: “Extended Functionality Attacks on IoT Devices: The Case of Smart Lights”.