
Why 98% of IoT traffic is unencrypted

Kajal Pawar

2 years ago

Last year, a Zscaler report said that 91% of IoT traffic was unencrypted. While it’s possible that those numbers are not truly representative of the real problem, one thing is for sure – far too much IoT traffic is unencrypted when absolutely all of it should be.
Unencrypted IoT traffic most obviously means that attackers can perform man-in-the-middle (MitM) attacks. By tapping into that unencrypted stream of data, attackers can get in between devices – or a device and the larger network – and steal or alter the data.
The failures of IoT security are well documented. Connected devices are often speedily brought to market by manufacturers who make painfully obvious, but mostly easily preventable, security mistakes in the design process. They are then eagerly bought up by enterprises, who often don’t take those faults into account, and deployed into otherwise secure networks. From there, attackers discover them via a simple Shodan search and find an easy breach point into an enterprise.
And yet – whatever the state of its security – the IoT is growing voraciously. McKinsey estimates that there will be 43 billion IoT devices connected to the internet by 2023. If current trends continue – and 98 percent of IoT traffic is left unencrypted – it will be a feeding frenzy for cyber-criminals.
Often, when people think of an IoT hack, they think of a vulnerable doll or doorbell: attacks which leverage the functionality of a device, interesting but ultimately gimmicky. The real threats are far less colorful. Enterprise IoT deployments are often made up of hundreds if not thousands of individual devices. If only one of those devices were left exposed, it could provide an easy breach point into an otherwise secure network.
One can see just such an example in a now infamous IoT breach in Las Vegas. In 2017, hackers used a fish tank to carry out a casino heist. The fish tank in question was connected to the internet via a sensor that allowed its operators to remotely operate and control the tank. However, not long after it was installed, security staff noticed the fish tank sending data to a remote server in Finland. Further investigation revealed a massive breach – hackers had used that fish tank to exfiltrate 10 gigabytes of data from the casino’s database of high rollers.
The hack revealed three pressing points. Firstly, the stolen information was unencrypted on the casino’s system and available for attackers to merely pick up. Secondly, the casino had insufficient access and authentication checks to stop attackers from getting from that IoT device to some of the most sensitive information they held. Finally, the fish tank was connected to the casino’s broader network, so by exploiting the weaknesses of that product, attackers could connect to and steal a hoard of sensitive data.
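A defender-side check for the two warning signs described above, plaintext traffic from IoT devices and an IoT device uploading a large volume to an outside server. This is an added example, not part of the original article; the flow records, the IoT subnet, the port-based heuristic and the alert threshold are all assumptions.

```python
import ipaddress

# Constructed sample flow records: (src_ip, dst_ip, dst_port, bytes_sent)
FLOWS = [
    ("10.20.0.15", "10.20.0.1", 8883, 4_200),              # MQTT over TLS
    ("10.20.0.15", "10.20.0.1", 1883, 9_800),              # plaintext MQTT
    ("10.20.0.31", "203.0.113.50", 443, 10_000_000_000),   # huge external upload
    ("10.20.0.31", "10.20.0.1", 80, 1_100),                # plaintext HTTP
    ("10.20.0.44", "10.20.0.1", 5684, 700),                # CoAP over DTLS
    ("10.30.0.9", "198.51.100.7", 443, 50_000),            # outside the IoT segment
]

IOT_SEGMENT = ipaddress.ip_network("10.20.0.0/24")     # assumed IoT VLAN
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed internal address space
# Well-known ports of plaintext protocols; a port only hints at the protocol in use.
PLAINTEXT_PORTS = {23: "telnet", 80: "http", 1883: "mqtt", 5683: "coap"}
EXFIL_BYTES = 1_000_000_000  # assumed alert threshold per (device, destination)

def is_internal(ip):
    """True when the address lies inside the organisation's own networks."""
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)

def audit(flows, segment=IOT_SEGMENT, threshold=EXFIL_BYTES):
    """Return (share of IoT flows on plaintext ports, list of findings)."""
    total = plaintext = 0
    external = {}   # (src, dst) -> bytes sent to destinations outside the network
    findings = []
    for src, dst, port, nbytes in flows:
        if ipaddress.ip_address(src) not in segment:
            continue  # only audit traffic that originates from IoT devices
        total += 1
        if port in PLAINTEXT_PORTS:
            plaintext += 1
            findings.append(("plaintext", src, dst, PLAINTEXT_PORTS[port]))
        if not is_internal(dst):
            external[(src, dst)] = external.get((src, dst), 0) + nbytes
    for (src, dst), nbytes in external.items():
        if nbytes >= threshold:
            findings.append(("large-external-upload", src, dst, nbytes))
    share = plaintext / total if total else 0.0
    return share, findings

if __name__ == "__main__":
    share, findings = audit(FLOWS)
    print(f"plaintext share of IoT flows: {share:.0%}")
    for finding in findings:
        print(finding)
```

In practice the flow records would come from NetFlow/IPFIX or firewall logs, and the threshold would be tuned against each device's normal baseline.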
The consequences of such attacks can vary from financial or customer data leakage to attacks on critical infrastructure. Think of the damage from large scale power grid outages, internet.