Social engineering might not be something that springs to mind when you think about computer security and cyber threats, but it’s one of the most common exploits used by hackers to gain access to company networks and confidential information.
To help your business remain secure when implementing IoT, we’ve put together this handy guide on social engineering in the IoT – so you know what threats you should look out for and how best to mitigate them.
What is social engineering?
Social engineering is a form of fraud that uses human interaction to obtain sensitive information such as usernames, passwords, and credit card details. It’s an extremely common form of hacking and one that businesses need to be aware of when implementing IoT solutions.
Social engineering is essentially tricking people into providing sensitive information or performing actions that they normally wouldn’t. That could involve a wide range of things such as emailing employees pretending to be someone they trust and requesting their login credentials or setting up a fake website that mimics your company’s login portal and tricking users into entering their login details there. Social engineers don’t need to be inside your company to commit these kinds of attacks. In fact, they don’t even need to be in your country.
That’s because many IoT devices – such as routers, sensors, and printers – are designed to be accessible remotely. This means that hackers can use them to gain access to your company’s network without ever stepping foot inside your building.
How does social engineering work in the Internet of Things?
Social engineering attacks involving IoT devices will typically follow this process:
- The attacker finds an IoT device with default credentials – a quick search will reveal thousands of devices connected to the internet with their default login details. This makes them easy targets for hackers looking to use them as access points for their attacks.
- The attacker gains access to the device remotely – once they’ve accessed the device, the attacker can use it to gain access to the network it’s connected to. If a device on the network has remote access enabled, this can be done with no authentication.
- The attacker uses the device to attack other devices on the network – once an attacker has access to one device, they can use it to gain access to other devices on the network and move further inside your system.
- The attacker gains access to other devices on the network – once they’ve gained access to one device, attackers can use it to attack other devices on the network and move further inside your system.
Installing malware with remote device updates
One of the most common ways that hackers can exploit remote device updates is to use them to install malware on devices in your network. The attacker takes advantage of the fact that many IoT devices have remote device updates enabled by default and set up an account with the device manufacturer to receive automated updates. Once they’ve logged in to the account, they can simply change the update credentials to something they control.
Once they’ve updated the device remotely, they can use it to launch attacks against other devices on the network. There are a few ways attackers might exploit this. For example, they might install a keylogger to capture login details as they’re entered. They could also use the device to launch a Denial-of-Service (DoS) attack against your network.
Using compromised keys to gain remote access
Another threat posed by remote device updates is attackers using them to add new authorized devices to your network and access your network remotely. Many IoT vendors offer the ability for their customers to add new devices to their account and give them access to the devices they’ve already connected – for example, to add a new router to the wifi network and remotely manage it.
This functionality is normally used by customers to add devices to their accounts when their current ones break and need to be replaced. Attackers often use this functionality to add new devices to your account and log in to them remotely. Once they’re logged in, they can use them to launch attacks against your network.
Exploiting known vulnerabilities
Attackers could also use remote device updates to exploit known vulnerabilities in IoT devices. This means they’ll discover a flaw in the software running on the device and use it to gain access to the device and the network it is connected to. Once they have access to the device, they can use it to attack other devices on your network. One particularly common way that attackers exploit known vulnerabilities is by using them to install a rootkit – a special type of malware designed to gain administrative rights to a device. Once an attacker has a root kit installed on a device, they can use it to launch attacks against other devices on the network.
The cost of a successful attack
Along with the obvious risk of sensitive information falling into wrong hands, a successful attack against your network could result in significant financial losses. Depending on the scale of the attack, it could take your network offline, disrupting the delivery of your products or services and costing you significant revenue. If the attack impacts critical infrastructure – such as the electrical grid – it could put lives at risk and result in huge financial penalties.
The cost of a successful cyber attack against a large organization has been estimated at upwards of $2.5 million. Small businesses are likely to incur significantly lower costs in the event of an attack, but the impact could be just as devastating.
How you can protect your business from social engineering attacks
Social engineering attacks are difficult to defend against because they often rely on tricking people into providing access to the attacker. Good network and device security can help minimize the risk of these attacks by requiring authentication to access sensitive systems and devices. In particular, you should ensure that remote access to your network is protected by strong authentication methods that require more than just a username and password.
Remote access should be protected by 2-factor authentication, and you should also enforce strong log-in policies and limit who is allowed to log in remotely. You should also ensure that your network devices are kept up-to-date with the latest security patches and firmware updates. Finally, you should educate your employees on the threats of social engineering and help them identify and report suspicious emails and login attempts as soon as possible.
eInfochips offers complete solutions for the secure development of IoT products by including a variety of security practices in your product development lifecycle. To protect our products from the root, we use a secure-by-design approach. Workflows for security should be integrated into the product development lifecycle.
Everything from secure design to VAPT testing is covered. Finally, this approach assists customers in deploying secure products in the open world that aid in the protection of their products from social engineering attacks. Through a strategic, innovative, and managed operational approach, eInfochips assists enterprises in designing, deploying, and managing security products on a global scale, protecting connected device networks across the device connectivity application layer.
Threat modeling and VAPT for the device, OS/firmware, web/mobile applications, data, and cloud workloads in accordance with NIST, ENISA, OWASP, MITRE, and other security industry standards, regulations, and guidelines. To know more, please connect with our cybersecurity experts.