
IoT Systems: Internet of Things Attack Surface

IoT Systems: What Are They?

Internet of Things (IoT) systems have been increasing in popularity and have made a substantial impact on the technological world. Various sectors including the medical, industrial, and mining sectors have been incorporating IoT into their solutions due to its broad application surface and ability to solve real-world problems. Due to this, the term IoT has become somewhat vague and all-encompassing as its application extends beyond the business world and into our personal lives with home automation IoT devices becoming increasingly versatile and popular.

The range of devices and the nature of some of these systems naturally raise interesting questions around what exactly IoT is and how secure our IoT devices are. Let’s take a look at the real-world applications of IoT systems, as well as the attack surface and security concepts behind them. This is intended as an introductory article that we’ll build on with further research and insights in the future.

An IoT system describes a network of devices that are interconnected through the internet to exchange data with each other to solve a specific problem. These devices can be embedded with sensors, software, and other technologies which are used for monitoring, control, and ultimately automation. The fundamental tenet of IoT is to give traditionally unintelligent systems (e.g. home alarms) the ability to be connected online and utilise other technologies to morph into smarter versions of themselves.

Real-World IoT Applications

With the widespread adoption of IoT systems across various industries, it’s worth taking some time to understand the real-world applications of IoT so that the impact of an attack in this ecosystem can be better understood.

The examples discussed below are some of the more common IoT system solutions that are in use today.

Medical Industry

IoT technology in the medical industry has made it possible to efficiently centralise record-keeping and tracking in hospitals by having all patient documentation easily accessible. This was designed to optimise productivity to provide patients with the best possible medical treatment. These systems are incorporated with sensor technology to accurately monitor and analyse patients’ medical states by measuring oxygen levels, blood pressure, heart rate, weight, sugar level, etc., in real time. This is a significant breakthrough for early detection of warning signs for patients with diabetes and high or low blood pressure, or patients experiencing heart failure or an asthma attack. Medical staff can be alerted remotely, allowing them to act to prevent these events. Monitoring patients and recording data from surgeries have made it possible to make use of artificial intelligence with IoT to make accurate and calculated decisions on complex cases, and as a result, reduce errors in surgeries and medicine in general.

A simple example showing the practical benefits of this can be seen in this case from 2016 where emergency room doctors used historic data from a Fitbit to accurately diagnose and provide the correct treatment. Obviously, this example is a very simplistic version of the true benefits that trackers could provide in a controlled hospital setting.

IoT has already made an improvement in healthcare with its record-keeping and patient monitoring capabilities, as well as with its applications in medical equipment such as connected imaging, clinical operations, laboratory tests, and medication management. Its adoption in the medical field is expected to continue to rise, with new IoT technologies continuously coming to market alongside new forms of application.

Mining Industry

The mining industry utilises IoT technology to gather sensor data from equipment which is analysed to optimise cost-efficient productivity while reducing operational downtime with predictive maintenance. Ventilation, chemical traces, and toxicity levels are constantly monitored inside underground mines to ensure faster and more efficient evacuations. The integration of IoT and traditional industrial control systems (ICS) has become more relevant by having internet-connected machinery and devices for remote and automated control, capable of making accurate decisions in microseconds with the use of AI. They are used especially in the case of emergencies, which are frequent and extremely unpredictable in the mining industry.

Environment Automation

IoT enables home and business automation which provides the capability to control domestic and corporate appliances through the internet and to automate them to make smart decisions. This may include complex heating, watering systems, security controls (cameras, sensors, and alarms), or even access control systems. Smart cities have been incorporating IoT with roadway infrastructure by monitoring traffic with cameras and sensors which control traffic lights to optimise citizens’ travel. Even vehicles have become more interconnected to enable self-driving cars and trucks using artificial intelligence (AI)-enabled cameras, motion sensors and onboard computers. This has also provided users with the ability to remotely control certain features of the car through an application.

The Impact Of Attacks On IoT Systems

Based on the real-world applications of IoT, as described above, it’s quite easy to see the importance of ensuring that IoT systems are configured securely and the potentially damaging ramifications if they are not. Fundamentally, although the attacks remain the same from a digital perspective, owing to the nature of the devices, this ecosystem allows attackers to bridge the digital and physical worlds. Due to the devices having a physical world presence (e.g. a smart control system for fire suppression), an attack against this ecosystem would allow a malicious actor to impact the physical world in ways not previously seen.

To properly determine the potential impact of a breach, we need to adopt the approach of reviewing a particular IoT system’s functionality in terms of what it controls, monitors or outputs and ask ourselves the question:

“What would happen if an attacker compromised the system?” – Or alternatively, “What physical work function is this device fulfilling? And what is the worst impact someone could cause if they were to act maliciously with that function?”

If an attacker were to compromise an IoT system in a hospital, they could potentially gain read/write access to all patients’ medical histories and private information, remotely control medical machinery, or restrict system access which could prevent doctors from treating patients. Even more nefariously, they could replay all heart-rate monitoring information with fake data, forcing doctors and nurses to miss heart failures across the hospital.

Smart IoT monitoring systems are used in the mining industry to ensure safety with faster and more efficient evacuations. However, if an attacker were to compromise the monitoring system, they could potentially force an evacuation of a mine by tampering with the ventilation, chemical, or toxicity levels. Since industrial control systems (ICS) can have remote and automated controls enabled using IoT, an attacker could compromise this to gain control over mining machinery. This could endanger the lives of mine workers, as well as have a severe impact on operational downtime and potentially cost the mining company a lot of money. Alternatively, the fire suppression system could be forced to switch on, potentially endangering lives.

IoT has enabled homes, businesses, and cities to become more interconnected for convenience, control, and automation. These systems can usually be controlled through a web-facing or mobile application. Mobile applications allow users to have all their IoT controls at a central location, making it extremely convenient. This convenience comes with an increased risk which could allow an attacker to potentially gain control of all the embedded devices by having physical access to a user’s phone. However, even if the user’s phone is not compromised, these systems are still exposed to the internet, thus making them a target for attackers. Should these IoT systems be compromised, it could allow an attacker to control home and business security cameras, access control systems, and even on a larger scale, impact a city’s traffic congestion.

The takeaway from these examples is that an attack on these IoT systems could very well have a theoretical business impact, but also that literal lives could be at stake. Therefore, it’s as important as ever that focus be placed on ensuring that the security of these IoT systems is top-notch.

Security Considerations For IoT Systems

IoT system security can be very broad, but ultimately the attack surface comes down to where and how processed data is being transmitted to and from the IoT device and how it carries out its intended functionality. To expand on that, some security considerations for IoT systems may include:

Is the data secure and trustworthy?
  • Is the data being stored securely by the IoT device?
  • Where is the device transmitting data to and receiving data from?
  • Is this data being transmitted securely?
  • Is the data trusted?
How does the IoT system integrate with the rest of the infrastructure and network?
  • Could the IoT system possibly be an entry point for lateral movement?
  • Are certain aspects of the IoT system properly segregated, if necessary?
  • What happens when a node in the network fails?
How is the system being accessed?
  • Are the IoT devices protected from physical tampering, internet-based attacks, hardware-based attacks?
  • What controls exist on the device to verify control commands?
  • How is the system maintained and updated?

IoT Systems: In Conclusion

The world is moving to a future where homes, businesses, industrial systems, and governmental infrastructure will be connected and controlled through IoT systems. The idea behind this blog post was to illustrate the wide adoption of IoT systems within our everyday lives and to illustrate the potential implications that a compromise of these systems could cause. Finally, I wanted to outline what security considerations there are for IoT systems and the kinds of questions that need to be asked when reviewing IoT security. In future blog posts I would like to explore some of these considerations in more depth and hopefully provide some case studies for existing IoT ecosystems, as well as possible attack scenarios and security configurations.
