Last year, a Zscaler report said
something: that 91% of IoT traffic was unencrypted. While it’s possible
that those numbers are not truly representative of the real problem, one thing
is for sure – far too much IoT traffic is unencrypted when absolutely all of it
Why 98% of IoT traffic is unencrypted | Insideaiml
traffic most obviously means that attackers can perform Man in The Middle
(MiTM) attacks. By tapping into that unencrypted stream of data, attackers can
get in between devices – or a device and the larger network – and steal or
alter the data.
The failures of IoT
security are well documented. Connected devices are often speedily brought to
market by manufacturers who make painfully obvious, but mostly easily
preventable, security mistakes in the design process. They are then eagerly
bought up by enterprises who often don’t take those faults into account and
deployed into otherwise secure networks. From there, attackers discover them
via a simple Shodan search and find an easy breach point into an enterprise.
And yet – whatever
the state of its security – the IoT is growing voraciously. McKinsey estimates
that there will be 43 billion IoT devices connected to the internet by 2023. If
current trends continue – and 98 percent of IoT traffic is left unencrypted –
it will be a feeding frenzy for cyber-criminals.
Often, when people
think of an IoT hack, they think of a vulnerable doll or doorbell: attacks
which leverage the functionality of a device, interesting but ultimately
gimmicky. The real threats are far less colorful. Enterprise IoT deployments
are often made up of hundreds if not thousands of individual devices. If only
one of those devices were left exposed, it could provide an easy
breach point into an otherwise secure network.
One can see just such an example in a
now infamous IoT breach in Las Vegas.
In 2017, hackers used a fish tank to carry out a casino heist. The fish tank in
question was connected to the internet via a sensor that allowed its operators
to remotely operate and control the tank. However, not long after it was
installed, security staff noticed the fish tank sending data to a remote server
in Finland. Further investigation revealed a massive breach – hackers had used
that fish tank to exfiltrate 10 gigabytes of data from the casino’s database of
The hack revealed
three pressing points. Firstly, the stolen information was unencrypted on
the casino’s system and available for attackers to merely pick up. Secondly,
the casino had insufficient access and authentication checks to stop attackers
from getting from that IoT device to some of the most sensitive information it
held. Finally, that fish tank was connected to the
casino’s broader network, and by
exploiting the weaknesses of that product, attackers could connect to and steal a
hoard of sensitive data.
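Both problems described above can be seen in flow records: the share of each IoT device's traffic that travels in plaintext, and a device pushing large volumes to an outside server, as the fish tank did. The following is an added example, not part of the original article; the address plan, the egress threshold and the port-based encryption heuristic are assumptions, and the flow records are constructed.

```python
import ipaddress
from collections import defaultdict

# Assumptions (site-specific, not from the article): address plan and threshold.
IOT_SEGMENT = ipaddress.ip_network("10.20.0.0/24")
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
EGRESS_LIMIT_BYTES = 500 * 1024 * 1024  # allowed external bytes per window
# Assumption: destination port as a coarse stand-in for "encrypted".
# 443 = HTTPS, 8883 = MQTT over TLS, 5684 = CoAP over DTLS.
ENCRYPTED_PORTS = {443, 8883, 5684}

# Constructed flow records: (src_ip, dst_ip, dst_port, bytes_sent)
FLOWS = [
    ("10.20.0.15", "10.20.0.1", 1883, 4_000),           # plaintext MQTT, internal
    ("10.20.0.15", "203.0.113.40", 80, 900_000_000),    # bulk HTTP to outside host
    ("10.20.0.22", "198.51.100.7", 8883, 120_000),      # MQTT over TLS to vendor
    ("10.20.0.22", "10.20.0.1", 1883, 30_000),          # plaintext MQTT, internal
    ("10.30.0.5", "203.0.113.40", 443, 2_000_000_000),  # not an IoT device
]

def summarize(flows):
    """Per IoT device: total, plaintext and externally sent byte counts."""
    stats = defaultdict(lambda: {"total": 0, "plaintext": 0, "external": 0})
    for src, dst, port, nbytes in flows:
        if ipaddress.ip_address(src) not in IOT_SEGMENT:
            continue  # only devices in the IoT segment are in scope
        s = stats[src]
        s["total"] += nbytes
        if port not in ENCRYPTED_PORTS:
            s["plaintext"] += nbytes
        if ipaddress.ip_address(dst) not in INTERNAL:
            s["external"] += nbytes
    return dict(stats)

def findings(flows):
    """Flag heavy external egress and any plaintext share, per device."""
    out = []
    for dev, s in sorted(summarize(flows).items()):
        if s["total"] == 0:
            continue  # nothing sent, nothing to rate
        if s["external"] > EGRESS_LIMIT_BYTES:
            out.append((dev, "external-egress", s["external"]))
        share = s["plaintext"] / s["total"]
        if share > 0:
            out.append((dev, "plaintext-share", round(share, 3)))
    return out

if __name__ == "__main__":
    for finding in findings(FLOWS):
        print(finding)
```

A port-based check misclassifies TLS on non-standard ports and plaintext on 443, so the protocol field from a flow sensor is a better input where one is available.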
The consequences of such attacks can vary from financial or customer data
leakage to attacks on critical infrastructure. Think of the damage from
large-scale power grid outages, internet.