Security Concerns

The document discusses various security and privacy concerns related to the Internet of Things (IoT), highlighting issues such as insufficient testing, default passwords, and the rise of IoT malware and botnets. It emphasizes the growing number of connected devices and the lack of adequate security measures by manufacturers, leading to vulnerabilities that can be exploited by hackers. Additionally, it calls for better compliance and privacy regulations to protect user data in an increasingly interconnected world.

Security and Privacy Concerns In IoT

Devices are collecting large amounts of data that can capture your actions and location throughout the day. Often we don't know exactly what is being collected or how this information is being used.
SECURITY ISSUES IN IoT
• As per reports of OWASP (Open Web Application Security Project), IoT security is challenged by:
– Constrained resources
– Limited computational power
– Usage of insecure operating systems
– Insufficient authentication and authorization
– Lack of transport encryption, etc.
12/29/2023 NITTTR CHANDIGARH 5
1. Insufficient testing and updating
2. Brute-forcing and the issue of default passwords
3. IoT malware and ransomware
4. IoT botnets aiming at cryptocurrency
5. Data security and privacy concerns (mobile, web, cloud)
6. Small IoT attacks that evade detection
7. AI and automation
8. Home Invasions
9. Remote vehicle access
10. Untrustworthy communication

1. Insufficient testing and updating
• Currently, there are over 23 billion IoT connected devices worldwide. This number will rise further to reach 30 billion by 2020 and over 60 billion by the end of 2025.
• In fact, one of the main problems with tech companies building these devices is that they are too careless when it comes to handling device-related security risks.
• Most of these devices and IoT products don't get enough updates, while some don't get updates at all.
• This means that a device that was once thought of as secure when the customer first bought it becomes insecure and eventually prone to hackers and other security issues.
• IoT manufacturers, however, are more eager to produce and deliver their devices as fast as they can, without giving security too much thought.
• Unfortunately, most manufacturers offer firmware updates only for a short period of time, only to stop the moment they start working on the next headline-grabbing gadget. Even worse, they use unsupported legacy Linux kernels.
2. Brute-forcing and the issue of default passwords
• The Mirai botnet, used in some of the largest and most disruptive DDoS attacks, is perhaps one of the best examples of the issues that come with shipping devices with default passwords and not telling consumers to change them as soon as they receive them.
• There are some government reports that advise manufacturers against selling IoT devices that come with default (read: hackable) credentials, such as using "admin" as the username and/or password.
• These are nothing more than guidelines now, and there aren't any legal repercussions to incentivize manufacturers to abandon this dangerous practice.
• Weak credentials and login details leave nearly all IoT devices vulnerable to password hacking, and brute-forcing in particular.
• The only reason why the Mirai malware was so successful is that it identified vulnerable IoT devices and used default usernames and passwords to log in and infect them.
• Therefore, any company that uses factory default credentials on its devices is placing both its business and assets and its customers and their valuable information at risk of a brute-force attack.
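The slides above describe the problem (devices shipped with "admin"/"admin" that nobody rotates) but not what a defender can build against it. The following Python example is an addition to these notes, not code from the slides: it models a device's local admin account with salted PBKDF2 password hashing, refuses to accept a factory-default or short value as the new password, and applies an onboarding gate that quarantines any device still answering to a known default or never rotated by its owner. The `FACTORY_DEFAULTS` set, the `Device` class and the serial numbers are constructed placeholders, not taken from any real product.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample of factory-default credential pairs of the kind the slides describe.
# Placeholder values, not taken from any real product.
FACTORY_DEFAULTS = {
    ("admin", "admin"),
    ("admin", "1234"),
    ("root", "root"),
    ("user", "user"),
}

MIN_PASSWORD_LENGTH = 12


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; the clear-text password is never kept on the device."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


class Device:
    """Minimal model of an IoT device's local admin account (hypothetical, for illustration)."""

    def __init__(self, serial: str, username: str, initial_password: str) -> None:
        self.serial = serial
        self.username = username
        self.salt, self.pw_hash = hash_password(initial_password)
        self.credentials_rotated = False  # flips when the owner sets a password of their own

    def verify(self, username: str, password: str) -> bool:
        if username != self.username:
            return False
        _, candidate = hash_password(password, self.salt)
        return hmac.compare_digest(candidate, self.pw_hash)

    def is_on_factory_default(self) -> bool:
        """True if the account still answers to any known shipped credential pair."""
        return any(self.verify(user, pw) for user, pw in FACTORY_DEFAULTS)

    def set_password(self, new_password: str) -> None:
        """Owner-driven rotation; refuses short values and known factory defaults."""
        if len(new_password) < MIN_PASSWORD_LENGTH:
            raise ValueError("password too short")
        if any(new_password == pw for _, pw in FACTORY_DEFAULTS):
            raise ValueError("password is a known factory default")
        self.salt, self.pw_hash = hash_password(new_password)
        self.credentials_rotated = True


def admit_to_network(device: Device) -> Tuple[bool, str]:
    """Onboarding gate: a device still on factory defaults is quarantined, not admitted."""
    if device.is_on_factory_default():
        return False, "quarantine: factory default credentials still active"
    if not device.credentials_rotated:
        return False, "quarantine: credentials never rotated by owner"
    return True, "admitted"


if __name__ == "__main__":
    cam = Device("CAM-0001", "admin", "admin")  # constructed serial and shipped default
    print(admit_to_network(cam))
    cam.set_password("correct-horse-battery-staple")
    print(admit_to_network(cam))
```

The gate deliberately treats "never rotated" as a separate failure from "still on a default": a vendor that prints a unique password on each device's label still leaves the owner with a credential written on a sticker, so the device is only admitted once the owner has chosen one.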
3. IoT malware and ransomware
• As the number of IoT connected devices continues to rise in the following years, so will the amount of malware and ransomware used to exploit them.
• While traditional ransomware relies on encryption to completely lock users out of different devices and platforms, there's an ongoing hybridization of malware and ransomware strains that aims to merge the different types of attack.
• The ransomware attacks could potentially focus on limiting and/or disabling device functionality and stealing user data at the same time.
• For example, a simple IP camera is ideal for capturing sensitive information from a wide range of locations, including your home, work office or even the local gas station.
• The webcam can then be locked and its footage funneled to an infected web address, which could extract sensitive data using the malware access point and demand a ransom to unlock the device and return the data.
• The ever-increasing number of IoT devices will give birth to unpredictability in regards to future attack permutations.
4. IoT botnets aiming at cryptocurrency
• The heated mining competition, coupled with the recent rise of cryptocurrency valuations, is proving too enticing for hackers trying to cash in on the crypto-craze.
• While most find blockchain resistant to hacking, the number of attacks in the blockchain sector seems to be increasing.
• The main vulnerability isn't the blockchain itself, but rather the blockchain applications running on it.
• Social engineering is already being used to extract usernames, passwords and private keys, and we'll see it being used more often in the future to hack blockchain-based apps.
• The open-source cryptocurrency Monero is one of the many digital currencies currently being mined with IoT devices. Some hackers have even repurposed IP and video cameras to mine crypto.
• Blockchain breaches, IoT botnet miners and manipulation of data integrity pose a huge risk of flooding the open crypto-market and disrupting the already volatile value and structure of cryptocurrencies.
• IoT applications, structures and platforms relying on blockchain technology need to become regulated and constantly monitored and updated if they are to prevent future cryptocurrency exploits.
5. Data security and privacy concerns (mobile, web, cloud)
• Data privacy and security continue to be the single largest issue in today's interconnected world.
• Data is constantly being harnessed, transmitted, stored and processed by large companies using a wide array of IoT devices, such as smart TVs, speakers and lighting systems, connected printers, HVAC systems and smart thermostats.
• Commonly, all this user data is shared between or even sold to various companies, violating our rights to privacy and data security and further driving public distrust.
• We need to set dedicated compliance and privacy rules that redact and anonymize sensitive data before storing it, and that disassociate IoT data payloads from information that can be used to personally identify us.
• Cached and no longer needed data should then be disposed of securely.
• If the data is stored, then the largest challenge is compliance with various legal and regulatory structures.
6. Small IoT attacks that evade detection
• The largest IoT-based botnet two years ago was the Mirai botnet. In 2017, it was the Reaper, a significantly more dangerous botnet than the famed Mirai.
• As important as large-scale attacks can be, what we should be fearing in 2018 are the small-scale attacks that evade our detection.
• We are guaranteed to see more and more micro-breaches slipping through the security net in the next couple of years.
• Instead of using the big guns, hackers will most likely be using subtle attacks small enough to let the information leak out instead of just grabbing millions and millions of records at once.
7. AI and automation
• As IoT devices continue to invade our everyday lives, enterprises will eventually have to deal with hundreds of thousands, if not millions, of IoT devices.
• This amount of user data can be quite difficult to manage from a data collection and networking perspective.
• AI tools and automation are already being used to sift through massive amounts of data and could one day help IoT administrators and network security officers enforce data-specific rules and detect anomalous data and traffic patterns.
• However, using autonomous systems to make autonomous decisions that affect millions of functions across large infrastructures such as healthcare, power and transportation might be too risky, especially once you consider that it only takes a single error in the code or a misbehaving algorithm to bring down the entire infrastructure.
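Two slides above make related points: section 6 warns that small, slow leaks slip past detection tuned for big events, and section 7 says automated analysis of traffic patterns is how a fleet of thousands of devices gets watched at all. The Python example below is added here to show both in one place; it is not code from the slides. It learns a per-hour-of-day and per-day baseline of outbound bytes from constructed "known-good" device-days (a fixed-seed generator stands in for real telemetry), then runs two checks over three constructed devices: a single-hour z-score that catches a burst, and a daily-total z-score that catches a trickle which never exceeds the hourly threshold in any one hour. The thresholds and the traffic shape are assumptions chosen for the demonstration.

```python
import random
from statistics import mean, pstdev
from typing import Dict, List, NamedTuple, Optional, Set, Tuple

HOURS = 24
HOURLY_Z = 4.0  # single-hour burst threshold
DAILY_Z = 3.0   # daily-total drift threshold; the aggregate has less variance, so it can be tighter

Stats = Tuple[float, float]  # (mean, population stdev)


class Baseline(NamedTuple):
    hourly: List[Stats]  # one entry per hour of day
    daily: Stats         # for the 24-hour total


def hourly_profile(rng: random.Random, extra_per_hour: int = 0,
                   burst_hour: Optional[int] = None) -> List[int]:
    """Constructed outbound byte counts for one device-day: quiet at night, busier by day,
    plus an optional steady trickle (low-and-slow leak) or a single burst."""
    profile = []
    for hour in range(HOURS):
        base = 900 if hour < 7 else 1500
        value = base + rng.randint(-40, 40) + extra_per_hour
        if hour == burst_hour:
            value += 20000
        profile.append(value)
    return profile


def learn_baseline(training_days: List[List[int]]) -> Baseline:
    """Mean/stdev per hour of day and for the daily total, from known-good device-days."""
    hourly: List[Stats] = []
    for hour in range(HOURS):
        column = [day[hour] for day in training_days]
        hourly.append((mean(column), pstdev(column)))
    totals = [sum(day) for day in training_days]
    return Baseline(hourly=hourly, daily=(mean(totals), pstdev(totals)))


def zscore(value: float, stats: Stats) -> float:
    m, sd = stats
    if sd == 0:
        return 0.0 if value == m else float("inf")
    return (value - m) / sd


def detect(day: List[int], baseline: Baseline) -> Set[str]:
    """Alerts for one device-day. The hourly check catches bursts; the daily check catches a
    leak that stays under the hourly threshold every single hour but adds up over the day."""
    alerts: Set[str] = set()
    if any(zscore(v, baseline.hourly[h]) > HOURLY_Z for h, v in enumerate(day)):
        alerts.add("hourly_spike")
    if zscore(sum(day), baseline.daily) > DAILY_Z:
        alerts.add("daily_volume_drift")
    return alerts


def run_demo(seed: int = 7) -> Dict[str, Set[str]]:
    """Train on 200 constructed clean device-days, then score three constructed devices."""
    rng = random.Random(seed)  # fixed seed: the constructed data is reproducible
    baseline = learn_baseline([hourly_profile(rng) for _ in range(200)])
    devices = {
        "camera-clean": hourly_profile(rng),
        "camera-trickle": hourly_profile(rng, extra_per_hour=30),   # +30 bytes every hour
        "camera-burst": hourly_profile(rng, burst_hour=14),         # one 20 kB burst at 14:00
    }
    return {name: detect(day, baseline) for name, day in devices.items()}


if __name__ == "__main__":
    for name, alerts in run_demo().items():
        print(f"{name}: {sorted(alerts) or 'no alerts'}")
```

The trickle device adds only about a standard deviation per hour, so no single hour looks unusual; summed over the day it is several standard deviations above the baseline total, which is exactly the "small enough to let the information leak out" case from section 6. The burst device trips both checks. In a real deployment the baseline would be learned per device model from production telemetry and re-learned as behaviour drifts, and an alert would feed a human review rather than an automatic action, for the reason the third bullet above gives.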
• These are just some of the most pressing IoT security challenges we need to consider while we build an app based on IoT in the following years.
• As you can see, most of them revolve around two things: keeping IoT secure against attacks and keeping the user data secure against theft.
• Both of these challenges can be resolved with strict legal and regulatory frameworks aimed at manufacturers, with large fines and working constriction used for those who do not follow said frameworks.
8. Home Invasions
• Perhaps one of the scariest threats that IoT can pose is the home invasion. Nowadays, IoT devices are used in large numbers at homes and offices, which has given rise to home automation.
• The security of these IoT devices is a huge matter of concern, as they can expose your IP address, which can pinpoint your residential address.
• This vital information can be sold by hackers on underground websites, which are havens for criminal outfits.
• Moreover, if you're using IoT devices in your security systems, then there is a possibility that they might be compromised as well, leaving your house under a huge potential threat.
9. Remote vehicle access
• Apart from home invasion, hijacking of your car is also one of the threats posed by IoT.
• Smart cars are on the verge of becoming reality with the help of connected IoT devices. However, due to this IoT association, they also carry a greater risk of car hijacking.
• A skilled hacker might hijack your smart car by gaining access to it remotely. This would be a scary situation, as anyone could have control over your car, and it could leave you vulnerable to lethal crimes.
10. Untrustworthy communication
• There are many IoT devices which send messages to the network without any encryption. This is one of the biggest IoT security challenges that exists out there.
• It's high time that all companies ensure encryption of the highest level among their cloud services and devices.
• To avoid this threat, the best way is to use transport encryption and standards like TLS. Another way is to use different networks that isolate different devices.
• You can also use private communication, which ensures that the data transmitted is secure and confidential.
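"Use TLS" is only half the advice; a device that calls TLS but skips certificate verification is still talking to whoever answers. The Python example below is added here and is not code from the slides. It builds, with the standard `ssl` module, the weak client configuration a hurried firmware build tends to ship beside a hardened one, and an `audit_context` function that lists what a firmware review would flag. It also includes a small network-side check, `looks_like_tls`, that a monitoring point can run on the first bytes of a flow to spot devices still sending in the clear. The two captured flows are constructed placeholders.

```python
import ssl
from typing import List, Optional


def weak_client_context() -> ssl.SSLContext:
    """The kind of setting that ships in a hurried firmware build: the device will talk to
    anything that answers, whatever certificate it presents and whichever protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE   # accept any certificate, including a self-signed one
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # no floor on protocol version
    return ctx


def hardened_client_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Verify the server chain and hostname, refuse anything below TLS 1.2, disable compression.
    ca_bundle is the path to the CA file the device trusts (None: the platform store)."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Findings a firmware review would raise against a client TLS configuration."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions below TLS 1.2 are accepted")
    return findings


def looks_like_tls(first_bytes: bytes) -> bool:
    """Network-side check: a TLS session opens with a handshake record (content type 0x16,
    version bytes 0x03 0x00..0x04). A device flow that does not start this way is a
    candidate for 'sent without encryption' and worth a closer look."""
    return (
        len(first_bytes) >= 3
        and first_bytes[0] == 0x16
        and first_bytes[1] == 0x03
        and first_bytes[2] in (0x00, 0x01, 0x02, 0x03, 0x04)
    )


# Constructed first bytes of two captured flows (placeholders, not real captures).
CLEARTEXT_FLOW = b"POST /telemetry HTTP/1.1\r\nHost: cloud.example\r\n"
TLS_FLOW = b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"


if __name__ == "__main__":
    print("weak:", audit_context(weak_client_context()))
    print("hardened:", audit_context(hardened_client_context()))
    print("cleartext flow looks like TLS:", looks_like_tls(CLEARTEXT_FLOW))
    print("TLS flow looks like TLS:", looks_like_tls(TLS_FLOW))
```

`create_default_context()` already turns on chain and hostname verification; the hardened function only adds the protocol floor and disables compression. The record-header check is deliberately conservative: it identifies flows that are definitely not TLS rather than proving a flow is well-configured TLS, which is the job of the context audit on the device side.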
• However, a lack of basic security awareness among staff, as well as of state-of-the-art cybersecurity solutions, has made the healthcare industry a favourite target for hackers.
• A 2016 report from cybersecurity firm SecurityScorecard found that healthcare is the fifth highest in ransomware counts among all industries, and more than 77 per cent of the entire healthcare industry has been infected with malware since August 2015.
• Among them was the notorious WannaCry ransomware attack in 2016, which affected over 300,000 machines across 150,000 countries, including the UK's National Health Service (NHS).
Effective Ways to build security in IoT Apps

01 Automatic Application Scanning
02 Implement Already Vetted Architectures
03 Always Encrypt Sensitive Data
Automatic Application Scanning
• They provide instant feedback to the developer about the security vulnerabilities that might be introduced into the app due to a certain line of code they're writing.
• Implementing these tools from the start of the development cycle means security testing isn't left for the end of the development phase; it becomes an iterative process.
• However, these tools should be seen more as aids than as solutions, because there are many security vulnerabilities they are not equipped to identify.
• Some popular source code analysis tools include the OWASP SWAAT Project, IBM Security AppScan Source, VeraCode, etc.
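To make concrete what "instant feedback about a certain line of code" means, and why such tools are aids rather than solutions, here is a deliberately small source scanner in Python. It is an addition to these notes, not the code of any of the tools named above. Three regular-expression rules flag a credential literal, a client that disables certificate verification, and a query built by string concatenation; the sample source it scans is constructed, with placeholder values. The same mechanism is also what limits such tools: a pattern only finds what it was written to find.

```python
import re
from typing import List, Tuple

# Each rule: (identifier, compiled pattern, explanation shown to the developer).
RULES = [
    ("hardcoded-secret",
     re.compile(r"(?i)\b(api_key|password|secret|token)\s*=\s*[\"'][^\"']+[\"']"),
     "credential literal in source; load it from a vault or the environment at runtime"),
    ("tls-verify-disabled",
     re.compile(r"verify\s*=\s*False"),
     "certificate verification switched off; the client will accept any server"),
    ("sql-string-concat",
     re.compile(r"execute\(\s*[\"'][^\"']*[\"']\s*\+"),
     "query built by string concatenation; use a parameterised query"),
]

# Constructed sample of application source to scan (placeholder names and values, not real code).
SAMPLE_SOURCE = """\
import requests
API_KEY = "sk_test_placeholder_value"
password = load_from_vault("db")
resp = requests.get(url, verify=False)
cursor.execute("SELECT * FROM readings WHERE device_id = " + device_id)
cursor.execute("SELECT * FROM readings WHERE device_id = %s", (device_id,))
"""


def scan_source(source: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, rule_id, message) for every non-comment line matching a rule."""
    findings = []
    for number, line in enumerate(source.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # comments do not raise findings
        for rule_id, pattern, message in RULES:
            if pattern.search(line):
                findings.append((number, rule_id, message))
    return findings


def finding_ids(source: str) -> List[Tuple[int, str]]:
    """Compact view used for assertions and summaries: just (line, rule)."""
    return [(number, rule_id) for number, rule_id, _ in scan_source(source)]


if __name__ == "__main__":
    for number, rule_id, message in scan_source(SAMPLE_SOURCE):
        print(f"line {number}: [{rule_id}] {message}")
```

Line 3 and line 6 of the sample show the scanner staying quiet where it should: a password fetched from a vault is not a literal, and a parameterised query has no `+` after the string. A credential assembled at runtime from several fragments would pass all three rules unnoticed, which is the slide's point that scanners complement review and testing rather than replace them.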
Implement Already Vetted Architectures
• If you're aiming to build a complete mobile solution, then it'll need to access real-time data on the go and perform different transactions.
• This will require strong and safe integration with the cloud and other on-site systems. In short, you'll need to make sure your server-side controls are fool-proof and efficient.
• So, how can you ensure the security of these gateways? By using and implementing third-party architecture (middleware) that has perfected the art, instead of building your own custom mobile gateways.
Always Encrypt Sensitive Data
• Turning your sensitive data into an unreadable, protected format seems like a no-brainer, but sadly, as highlighted by NowSecure in its report, 35% of all mobile applications don't encrypt the sensitive data they send over the network.
• Add another layer of security by building the habit of never saving sensitive data like credit card numbers in the app or on the mobile device itself. OWASP has deemed insecure data storage the second biggest security risk for mobile devices and apps.
• Including data purging algorithms in your apps which delete the user's sensitive data automatically goes a long way to maintaining the app's security.

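Section 5 earlier asked for rules that redact and anonymize sensitive data before storage, disassociate IoT payloads from personal identifiers, and dispose of cached data once it is no longer needed; the slide just above adds that an app should never keep a card number and should purge sensitive data automatically. The Python example below is added to serve both passages and is not code from the slides. It takes a constructed thermostat telemetry record, drops the direct identifiers, replaces the device serial with a keyed pseudonym (HMAC-SHA256, key held outside the telemetry store), coarsens the GPS fix to roughly a kilometre, masks a card number down to what an app may display, and keeps records in a store with an explicit retention period and a purge. All field names, values and the key are placeholders.

```python
import hashlib
import hmac
import json
from copy import deepcopy
from typing import Any, Dict, List

# Constructed example record; every value is a placeholder.
THERMOSTAT_PAYLOAD: Dict[str, Any] = {
    "device_serial": "THERMO-00042",
    "owner_email": "jane.doe@example.com",
    "home_address": "12 Example Street",
    "location": {"lat": 30.733315, "lon": 76.779419},
    "readings": {"temp_c": 21.5, "humidity": 43},
    "ts": 1700000000,
}

PII_FIELDS = ("owner_email", "home_address")  # direct identifiers that never reach the store


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed hash: stable per device so analytics still work, but the serial cannot be
    recovered from the stored record without the key, which lives outside the telemetry store."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def coarsen_location(loc: Dict[str, float], decimals: int = 2) -> Dict[str, float]:
    """Round coordinates to roughly 1 km so a record cannot pinpoint a residence."""
    return {"lat": round(loc["lat"], decimals), "lon": round(loc["lon"], decimals)}


def minimise(payload: Dict[str, Any], key: bytes) -> Dict[str, Any]:
    """Redact direct identifiers and disassociate the payload from the person before storage."""
    record = deepcopy(payload)  # the caller's object is left untouched
    for field in PII_FIELDS:
        record.pop(field, None)
    record["device_id"] = pseudonymize(record.pop("device_serial"), key)
    if "location" in record:
        record["location"] = coarsen_location(record["location"])
    return record


def mask_card_number(pan: str) -> str:
    """What an app may keep for display: the last four digits only, never the full number."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) < 8:
        raise ValueError("not a card number")
    return "*" * (len(digits) - 4) + digits[-4:]


class TelemetryStore:
    """In-memory stand-in for a backend store with an explicit retention period."""

    def __init__(self, retention_seconds: int) -> None:
        self.retention = retention_seconds
        self.records: List[Dict[str, Any]] = []

    def ingest(self, payload: Dict[str, Any], key: bytes) -> None:
        self.records.append(minimise(payload, key))  # only the minimised form is ever stored

    def purge_expired(self, now: int) -> int:
        """Dispose of records older than the retention period; returns how many were dropped."""
        kept = [r for r in self.records if now - r["ts"] < self.retention]
        dropped = len(self.records) - len(kept)
        self.records = kept
        return dropped

    def contains_text(self, needle: str) -> bool:
        """Audit helper: does any stored record still carry the given string?"""
        return any(needle in json.dumps(r) for r in self.records)


if __name__ == "__main__":
    key = b"constructed-test-key-not-for-production"
    print(json.dumps(minimise(THERMOSTAT_PAYLOAD, key), indent=2))
    print(mask_card_number("4111 1111 1111 1111"))
```

The `contains_text` audit is the check that matters in practice: after ingestion, neither the e-mail address nor the raw serial should be findable anywhere in the store, and after the retention period the record itself is gone. In a real backend the key would sit in a secrets manager separate from the data, and the purge would run on a schedule rather than on demand.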


Case Studies

Mirai Botnet, 2016 (aka Dyn Attack)
• Largest DDoS attack on service provider Dyn, using an IoT botnet.
• Led to huge portions of the internet going down, including Twitter, the Guardian, Netflix, Reddit and CNN.
• This IoT botnet was made possible by malware called Mirai.
• Once infected with Mirai, computers continually search the internet for vulnerable IoT devices and then use known default usernames and passwords to log in, infecting them with malware. These devices were things like digital cameras and DVR players.
IoT Malware Attacks Rise 217% From 2017


JEEP CHEROKEE HACKING
• It was the summer of 2015, and Wired reporter Andy Greenberg was driving a Jeep Cherokee in downtown St. Louis.
• The hackers used a zero-day exploit which allowed them to send instructions to the vehicle through its entertainment system.
• The vents started blasting cold air at the maximum setting, the radio was blaring Skee-Lo at full volume, and the windshield wipers turned on. Unlike the last time his car started acting up, the hackers weren't cackling in the back seat, but 10 miles away.
• Fiat Chrysler recalled 1.4 million Jeep Cherokees and issued a patch closing that vulnerability.
The Hackable Cardiac Devices from St. Jude
• St. Jude Medical's implantable cardiac devices have vulnerabilities that could allow a hacker to access a device. Once in, they could deplete the battery or administer incorrect pacing or shocks, the FDA said.
• The devices, like pacemakers and defibrillators, are used to monitor and control patients' heart functions and prevent heart attacks.
• The vulnerability occurred in the transmitter that reads the device's data and remotely shares it with physicians. The FDA said hackers could control a device by accessing its transmitter.
Thank you
