The IoT World Congress has just ended and TipTapLabs was there to get to know the market tendencies and discuss projects and synergies with our partners. Additionally, we thought it would be a fun idea to make a basic security scan while we were there, in this post, we will talk about our findings.
Let us start with the basics. By doing Wi-Fi network scans we found out many networks in some booths were using insufficient wireless encryption (they were using WEP versus WPA2). Anyone interested in getting into this network would barely need 10 minutes to get the password. Once in the network, one could potentially launch an attack on any of the other connected devices (Wannacry) or simulate servers via Man in the Middle attacks to steal data.
Then we started with the IoT stuff. There were a lot of Industrial IoT (IIoT) companies, so we checked the radio bands normally used by those IoT devices which they connected to. Immediately we saw a lot of devices transmitting packets over those radio bands. When analyzing the captured packets we saw that most of them were belonging to three protocol groups:
So far so good, those protocols provide the option to use security in the communications so that only basic information could be extracted from them (PAN_ID, source, destination, protocol, etc.) However, oh surprise, we found many cases where security was not correctly configured and we could almost immediately start getting information about industrial equipment measures. The figure shows how we got into one of those IIoT equipment’s temperature, humidity, pressure, co2, etc. measures.
Another interesting thought is that in IoT, digital security needs to be accompanied by physical security. Devices are no longer in hardened data centers, just like our traffic sniffer, someone could have activated a jammer inside the congress hall (remember, the frequencies are open to public use, so anyone can build a transmitter) all the products that used the jammed frequency would have stopped working.
In this Congress, we saw new products and projects, Industrial IoT, Blockchain, Cloud, DataMining or Artificial Intelligence. Security (digital and physical) should be on the top of the priorities among all of them. No matter how good your technology is, if you do not control its security, it is worth nothing.
Article written by Luis Cuervo, Security Manager at Barbara IoT.