Second-hand IoT devices could be a ticking time bomb for security
12-07-2021 | By Robin Mitchell
IoT technology has begun to mature, but the release of newer devices is seeing many older devices either discarded or resold. What historic problems have IoT devices faced, why are older IoT devices a potential security threat, and how can engineers combat these challenges?
The problems with older IoT devices
Of all technologies developed by man, IoT devices have only been possible thanks to the development of cheap Wi-Fi and Bluetooth solutions. While IoT devices can use any network technology such as Ethernet, the use of wireless technologies makes IoT devices highly practical and portable.
However, the introduction of IoT devices has also brought about many security concerns and threats that the world was arguably and still is, unprepared for. For example, the many billions of devices worldwide lacking basic security measures provide attackers with a perfect platform to launch large-scale DoS attacks. Most IoT devices also integrate credentials and sensitive information such as Wi-Fi passwords which can provide attackers with an entry point into networks.
Generally speaking, most older IoT devices suffer from serious security flaws whether it be the use of basic default passwords, no passwords at all, or use of unencrypted communications. While the exact truth is unclear, it is most likely that these security flaws manifested from a lack of security understanding by engineers who did not have the foresight to see the potential damage that an IoT device can cause. While an IoT device on its own has very little capability to cause harm, when combined with a large pool of devices it can be used for a wide range of attacks or malicious purposes.
When world governments started to recognize the trouble with IoT devices, rules and regulations have slowly been introduced to try and protect customers of IoT devices from such security threats. For example, some regulations require that devices have a reset mechanism whereby all sensitive data is erased while other regulations require that each IoT device has a unique default password that uses random numbers and letters.
How second-hand IoT devices could become a major threat
As technology continues to improve, older devices are replaced with newer devices. Disposing of older electronics comes with its own range of issues such as environmental damage caused by burying electronics in landfills.
Furthermore, some may see the act of throwing away perfectly functioning devices as highly wasteful and therefore may want to give their older devices a new lease of life. As such, some may sell their older electronics to others who are perfectly content with older technology at a discount price. This is very commonly done with computers and phones, and ensuring privacy and data security is relatively easy to do; a computer’s hard drive can be destroyed while a smartphone can be factory reset.
However, older IoT devices are riddled with a range of security issues, and the reselling of older IoT devices could introduce serious security concerns for both the seller and recipient of such devices. The first main area of concern comes from the fact that many older IoT devices lack proper security reset features that can guarantee the removal of all personal data on-device. As such, an attacker could purchase an older IoT device from a seller, hack the IoT onboard FLASH to find Wi-Fi passwords and other credentials, then locate the seller’s network and gain unauthorized access. From there, an attacker can penetrate other devices on the network, install malware, and even use the victim’s network to access illegal online content that would not trace back to the attacker.
The second area of concern from second-hand IoT devices is that the very security threats that a seller is trying to get away from are being passed onto the buyer. While the seller may be protecting themselves, they are essentially putting the buyer at risk from outdated security practices. As such, attackers would still be able to target individuals who use older IoT devices leaving networks and the wider internet at risk.
The third area of concern from second-hand IoT devices is that attackers could be the sellers of faulty IoT devices. An attacker, in theory, could load an older IoT device with malware and then sell the device at a discount price. The recipient of the device would then install the IoT device in their own home and be completely unknowing of whatever malware is running on the device.
How can engineers overcome security challenges?
Unfortunately, it is too late for devices that are already on the market as many of these are either no longer supported by updates, don’t support updates at all, or are inaccessible. Unless an engineer can remotely brick a device (which is highly unethical), insecure IoT devices can continue to operate. However, engineers can look towards the future and start to make design changes to their devices to ensure the safety of customers including those who may purchase the device second-hand.
Firstly, engineers should ensure that their devices have a simple factory reset system that is easily accessible by the user. This factory reset should do more than just forget a few settings; it should completely and utterly wipe any permanent storage. By doing this, attackers will not be able to extract Wi-Fi and other sensitive credentials that may provide network access or login details to online services.
Secondly, engineers should consider integrating a warning system or alert that informs the user when the device is outdated. This could be in the form of a simple amber light that flashes or a full-screen display warning. Such a warning may be able to provide users with an indication that their device has not been updated for a long time or that it’s time to dispose of the device, but either way, users should be made aware that their device is no longer secure.
While there are many other security measures (such as no default passwords), these are all covered by local laws and regulations, and engineers of IoT devices should start to consider printing these out and reading them whenever they start a new project. Implementing strong security features may be a hassle, but if each engineer pulls their weight and implements even the most basic features, the world can be made a safer place.