IoT automation platforms in smart buildings are presenting attackers with new opportunities for both physical and data compromise, Trend Micro researchers warn in a newly released report.
Their findings have serious implications for organizations operating inside smart buildings and for employees working from smart home environments: the threats demonstrated include spying on users, unlocking doors and stealing data.
What are IoT automation platforms?
A recent Gartner report estimates that, by 2021, there will be 25.1 billion internet-connected devices, growing at a rate of 32% per year.
IoT has made possible complex IoT environments (CIEs): 10 IoT devices chained together and integrated into an environment by an IoT automation platform (also called an automation server), which serves as the brain of the CIE and allows user-friendly smart applications to be created. This inadvertently creates new and unpredictable attack surfaces that can be hard to manage.
Whether a smart building is purpose-built to support IoT or not, the report outlines three main types of automation systems: local standalone servers, cloud-based servers, and virtual assistant-based servers. The first category is the most common, so Trend Micro Research set up two such servers, FHEM and Home Assistant, to control 100 test connected devices across two sites.
Researchers found the biggest issue with automation rules is that they become increasingly complex as more devices and actions are added. They are prone to logic errors, and it becomes more challenging to manage, track, and debug actions, especially if there are functional overlaps between rules.
The research reveals a variety of new threats specific to complex IoT environments, including: cloning a user’s voice to issue commands via a voice assistant speaker; adding a phantom device to fool presence detection checks in smart locks to keep doors unlocked; inserting logic bugs to switch off smart alarms, and more.
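As an added illustration (not from the Trend Micro report or from either platform's code), the following Python lint runs over constructed, Home Assistant-style automation rules and flags the overlap problem described above: two rules fired by the same trigger that apply opposite services to one entity, and rules that unlock or disarm on nothing more than a single presence sensor's state. The rule shape, entity names and service names are assumptions.

```python
"""Lint simplified automation rules for functional overlaps (constructed example)."""
from collections import defaultdict
from itertools import combinations

# Constructed sample rules, loosely modelled on Home Assistant automations:
# trigger = (entity_id, state), actions = [(service, target_entity_id), ...]
RULES = [
    {"id": "arrive_unlock", "trigger": ("device_tracker.phone", "home"),
     "actions": [("lock.unlock", "lock.front_door"),
                 ("alarm_control_panel.alarm_disarm", "alarm_control_panel.house")]},
    {"id": "night_lock", "trigger": ("sun.sun", "below_horizon"),
     "actions": [("lock.lock", "lock.front_door")]},
    {"id": "arrive_lock", "trigger": ("device_tracker.phone", "home"),
     "actions": [("lock.lock", "lock.front_door")]},
    {"id": "leave_arm", "trigger": ("device_tracker.phone", "not_home"),
     "actions": [("alarm_control_panel.alarm_arm_away", "alarm_control_panel.house")]},
]

# Service pairs that undo each other when applied to the same entity.
OPPOSITES = {
    frozenset({"lock.lock", "lock.unlock"}),
    frozenset({"alarm_control_panel.alarm_arm_away", "alarm_control_panel.alarm_disarm"}),
    frozenset({"switch.turn_on", "switch.turn_off"}),
}

# Actions that widen physical access and so deserve more than one trigger condition.
RISKY_ACTIONS = {"lock.unlock", "alarm_control_panel.alarm_disarm"}


def find_conflicts(rules):
    """Return (rule_a, rule_b, entity) triples where one trigger fires two rules
    that apply opposite services to the same entity (a functional overlap)."""
    by_trigger = defaultdict(list)
    for rule in rules:
        by_trigger[rule["trigger"]].append(rule)
    conflicts = []
    for group in by_trigger.values():
        for a, b in combinations(group, 2):
            for svc_a, ent_a in a["actions"]:
                for svc_b, ent_b in b["actions"]:
                    if ent_a == ent_b and frozenset({svc_a, svc_b}) in OPPOSITES:
                        conflicts.append((a["id"], b["id"], ent_a))
    return conflicts


def find_single_presence_gates(rules, presence_prefix="device_tracker."):
    """Return ids of rules that unlock or disarm on one presence sensor alone,
    the pattern a spoofed (phantom) device can satisfy."""
    return [r["id"] for r in rules
            if r["trigger"][0].startswith(presence_prefix)
            and any(svc in RISKY_ACTIONS for svc, _ in r["actions"])]
```

Running both checks over the sample set reports the arrive_unlock/arrive_lock pair as conflicting on lock.front_door and arrive_unlock as gated on a single presence sensor.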
IoT automation exposed on the internet
They also warn that many IoT automation servers are exposed on the public internet, including 6,200 Home Assistant servers found via a simple Shodan search.
Attackers could exploit this security oversight to break into smart buildings, or reprogram automation rules, steal hardcoded sensitive data including router log-ins, add new devices, infect devices with malware, and conscript devices into botnets.
Trend Micro recommends precautionary measures to mitigate the new threats presented by complex IoT environments, including:
- Enable password protection on the devices
- Change default settings and replace default passwords with new, strong ones
- Do not jailbreak devices (you could end up disabling built-in security features) or install applications from unverified third-party marketplaces
- Update the device firmware
- Enable encryption in both disk storage and communication platforms
- Follow router-specific best practices (e.g., enable the router firewall, disable WPS, enable the WPA2 security protocol, use a strong password for Wi-Fi access)
- Make regular backups of the configuration and automation rule files of your IoT automation server.
“There is no one-size-fits-all cybersecurity solution for connected devices. In addition to following the best practices and general guidelines we provided, users must be able to rely on the device manufacturers to enable strong security out of the box,” the researchers noted.
“Ultimately, we may need to rely on security by obscurity: connected devices hiding among billions of other connected devices online and avoiding being compromised by hackers.”