DSBP - Threat Modeling and IoT (Lesson)

Threat Modeling and IoT

Introduction

How Easily Can Your Smart TV Be Hacked? Video

In this lesson, you will learn about threat modeling to determine what risk users are willing to take and what effort they are willing to put in to secure their IoT devices. We have learned a lot about “best practices,” the actions we should take to secure computers, smartphones, and other devices. However, best practices are not always used.

What are some reasons for users not taking action to secure their devices?

Reasons for Not Taking Actions to Secure Devices Cartoon

Many of you are not following policies for securing your devices.  So frustrating!

Threat Modeling

But these reasons are based on “feelings.” There is a better way to identify which digital areas of your life really need to be secured. It’s called Threat Modeling.

Threat modeling is a structured process through which we identify potential security threats and vulnerabilities, quantify the seriousness of each, and prioritize techniques to protect systems or software. Essentially, Threat Modeling is a tool for thinking about cybersecurity. We have been studying these topics: threats, vulnerabilities, and protection techniques. However, Threat Modeling goes a step further by investigating the risks and rewards of taking action to protect systems.

The following are five questions to ask in a Threat Modeling exercise:

  1. What do I want to protect?
  2. Who do I want to protect it from?
  3. How likely is this to happen?
  4. How bad are the consequences if I don’t protect it?
  5. How much trouble will I tolerate to avoid the consequences?

Internet of Things (IoT)

Now let’s switch gears and talk about the Internet of Things (IoT). Why? Hold that thought! Let’s define the IoT first.

IoT devices are physical objects that are embedded with sensors, software, and other technologies. They connect and exchange data with other devices and systems over the Internet or other networks. In other words, IoT devices run with small, specialized instruction sets and connect to the Internet. They can be small like a smart lightbulb or big like a self-driving truck.

Example Video

We want to protect access to these devices from malicious actors. That’s why! Smart home devices are awesome and very convenient. You can adjust the temperature, lights, security, etc. in your home or even throw a treat to your pet, all from your phone.

Managing Various Parameters of the Home Video

However, IoT devices can be very vulnerable to cybersecurity threats. Because they are network devices, malicious actors can access the entire network through one device!

Threat modeling is typically used for enterprise systems.  However, we can apply the same principles to our personal digital systems. These include many IoT (Internet of Things) devices, aka “smart” devices for homes. Threat modeling is very important because there are billions of IoT devices!

How many IoT devices do YOU have?

Most users have more than just a PC and a smartphone. Their personal digital systems include MANY other devices like tablets, Alexa/Echo devices, smart doorbells, smart watches, smart TVs, etc.  These are considered part of the Internet of Things (IoT).

75 billion: estimated IoT devices connected to the web by 2025
26.66 billion: number of active IoT devices by 2020

There were 26.66 billion IoT devices worldwide in 2020. The population was approximately 7.8 billion people.  That equals approximately 3.5 IoT devices for every person on the globe! China has 12% of the IoT inventory. Approximately 75 billion IoT devices are expected by 2025, which is almost triple the 2020 number!

Famous IoT Vulnerabilities Activity

Threat Modeling Question: How Likely is it to Happen?

Users have a hard time believing that someone would want to hack their devices… Like, who would want to attack my refrigerator? How would they even find it in my kitchen, in a huge, crowded city? But IoT attacks usually do not target a specific person. They are attacks of opportunity.  It’s very similar to a common crime where criminals walk at night in neighborhoods trying the handles on cars. Once they find an unlocked car, they steal any valuables.

IoT attackers are similar, but they use a special tool to find “unlocked” doors. An online tool called Shodan is used to scan the Internet for open devices with vulnerabilities that can be exploited.

Shodan is a search engine that gathers information about all Internet-connected devices. Shodan, which stands for Sentient Hyper-Optimized Data Access Network, is designed to map and gather information about Internet-connected devices and systems. It’s a search engine, but it is very different from Google or Bing: typical search engines look for web content, while Shodan looks for devices. Shodan lets the user find specific types of devices connected to the Internet using filters such as Product Name, Geolocation, IP address, Ports, etc.

Shodan can be used to find vulnerable systems on the Internet, including traffic light controls, security cameras, truck onboard monitoring systems, and other devices. The primary users of Shodan, though, are cybersecurity professionals, researchers, and law enforcement agencies. These professionals use Shodan for threat modeling and hardening their systems.

Name the Smart Device Activity

Securing IoT Devices

  1. Change the default username for the admin account. Vendors publish the device's default username and password in manuals, which are posted on the Internet for anyone to find. Many vendors use “admin” or “administrator” as the username for the primary account. Don’t make it easy for hackers to guess the first part of logging into your device: change the username!
  2. Create a unique, strong password for the admin account. Attackers will try password attacks like credential stuffing or brute forcing, so make sure you create a new, strong password that isn’t used on any other accounts.
  3. Don’t connect IoT devices to the Internet unless necessary. Are you sure this device needs to be connected to the Internet? For example, my printer needs to be on the home network so I can print from any computer in my house.  But I don’t install the add-on printer software that allows it to check my ink supply or send me notifications. This means my printer never connects outside to the Internet.  NOTE: If you can reach your device from your phone when you are not home, then it is connected to the Internet in some way! This is a vulnerable device and must be protected.
  4. Use a firewall on your home router. A firewall offers protection against unauthorized users trying to access your network. The modem/router provided by your Internet Service Provider (ISP) should have a firewall installed by default. If you added a home router to your network, turn on that firewall.
  5. Try searching for your IP address in Shodan.
    • Do a Google search for “my IP address” - this will provide your external IP address.
    • Go to shodan.io and enter that IP address into the top search bar.
    • If there are results, investigate them to see which device in your home is connected to the Internet and responding to the Shodan scan.
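
The five Threat Modeling questions and the checklist above can be combined into a simple worksheet. The following is an added example, not part of the original lesson: the device inventory is constructed, and the likelihood weights, impact scale, and effort scores are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Checklist items 1-4 from the lesson, keyed by the finding each one fixes.
# Tuple = (fix, likelihood weight, effort 1-5); the numbers are assumptions.
CHECKS = {
    "default_username": ("Change the default admin username", 1, 1),
    "reused_password": ("Create a unique, strong admin password", 2, 1),
    "internet_reachable": ("Disconnect from the Internet unless necessary", 2, 3),
    "no_router_firewall": ("Turn on the router firewall", 1, 2),
}

@dataclass
class Device:
    name: str        # Q1: what do I want to protect?
    impact: int      # Q4: how bad if compromised, 1 (minor) to 5 (severe)
    findings: tuple  # keys of CHECKS that currently apply to this device

def likelihood(findings):
    # Q2/Q3: attackers of opportunity; each finding is one more "unlocked handle".
    return sum(CHECKS[f][1] for f in findings)

def plan(devices, max_effort):
    """Q5: rank devices by risk and split fixes by the effort the user tolerates."""
    rows = []
    for d in devices:
        todo = [f for f in d.findings if CHECKS[f][2] <= max_effort]
        deferred = [f for f in d.findings if CHECKS[f][2] > max_effort]
        rows.append({
            "device": d.name,
            "risk": likelihood(d.findings) * d.impact,
            "residual": likelihood(deferred) * d.impact,  # risk left after the fixes
            "fixes": [CHECKS[f][0] for f in todo],
            "deferred": [CHECKS[f][0] for f in deferred],
        })
    return sorted(rows, key=lambda r: r["risk"], reverse=True)

# Constructed sample inventory, for illustration only.
HOME = [
    Device("smart TV", 2, ("default_username", "internet_reachable")),
    Device("doorbell camera", 5,
           ("default_username", "reused_password", "internet_reachable")),
    Device("printer", 2, ("no_router_firewall",)),
]

if __name__ == "__main__":
    for row in plan(HOME, max_effort=2):
        print(f'{row["device"]}: risk {row["risk"]} -> {row["residual"]} after fixes')
        for fix in row["fixes"]:
            print("  do now:", fix)
        for fix in row["deferred"]:
            print("  deferred:", fix)
```

Raising `max_effort` moves fixes from “deferred” to “do now” and lowers the residual risk, which is the trade-off that question 5 asks about.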

IoT Devices and Hacks Flip Cards

Reflection and Wrap-up

In this lesson, you have learned about IoT devices and how they can become wide-open doors to malicious actors if you are not careful. You have also learned how to perform threat modeling to harden and secure your network.

[CC BY-NC-SA 4.0] UNLESS OTHERWISE NOTED | IMAGES: LICENSED AND USED ACCORDING TO TERMS OF SUBSCRIPTION - INTENDED ONLY FOR USE WITHIN LESSON. Video 1 courtesy of Wizer Security Awareness Training, CC-BY, Video 2 and 3 courtesy of Shutterstock, CC-BY, Shutterstock.com. Image(s) used under license from Shutterstock.com and may not be repurposed.