Attacks Against IoT Devices Through APIs & How to Prevent Them

PUBLISHED ON April 8, 2019
LAST UPDATED March 18, 2022

You would never leave the keys to your building lying around, so why do so many organizations leave the keys to their business exposed?

In a world where connectivity between humans and devices is growing exponentially, it is no surprise that the technology we use to connect keeps advancing. A good example is the move to IoT devices that connect over Wi-Fi. Bluetooth had its shortcomings, chiefly its limited range, and consumers demanded a replacement. Wi-Fi connectivity, and the convenience that comes with it, is extremely desirable, but it also puts every device directly on an IP network and introduces a slew of new vulnerabilities.

Most of these devices use RESTful API calls to communicate back to the cloud, and that machine-to-machine channel is often much harder to secure than a simple user portal. The result is a variety of attack types, of which the two most common are attacks against the device itself and attacks against the API.

Attacks Against Devices

When it comes to IoT devices, the lack of a human in the loop both helps and hurts end users. It makes it incredibly easy to operate a device from afar (unlocking a smart lock to let the maintenance contractor in, for example), but it lets a malicious actor do exactly the same. To properly secure an IoT device you need a robust public key infrastructure (PKI) with a private key that is unique to each device, and that key should be what the device uses to authenticate to the cloud API. Without it, a hacker can pull whatever credential the device does use out of its internal storage, or observe the network flow by inserting a proxy in the path, and reverse engineer the authentication scheme from there.

A single such reverse engineering exercise hands the attacker the keys to every other device managed by the same vendor if those devices share the credential. With per-device keys, the same exercise yields the key of one unit, which can be revoked in the cloud without touching the rest of the fleet. The difference matters a great deal for devices such as smart locks or baby monitors.
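The per-device key scheme described in the two paragraphs above, written out as an added example in Go (this is not code from the original article or from any vendor). It assumes a hypothetical wire format, `SignedRequest`, in which the device signs the method, path, body hash and a timestamp with an Ed25519 key generated at provisioning time, and a cloud side that holds only public keys. The names `Device`, `CloudAPI`, `NewDevice`, `Register` and `Verify` are this example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"time"
)

// SignedRequest is a hypothetical wire format for a device-to-cloud call
// (an assumption of this example, not a format from the article).
type SignedRequest struct {
	DeviceID  string
	Method    string
	Path      string
	Body      []byte
	Timestamp int64  // Unix seconds; bounds how long a captured request stays usable
	Signature []byte // Ed25519 signature over canonical(...)
}

// canonical serialises everything the cloud will act on, so no field can be
// changed after signing without invalidating the signature.
func canonical(deviceID, method, path string, body []byte, ts int64) []byte {
	bodyHash := sha256.Sum256(body)
	return []byte(deviceID + "\n" + method + "\n" + path + "\n" +
		hex.EncodeToString(bodyHash[:]) + "\n" + strconv.FormatInt(ts, 10))
}

// Device holds its own private key; in a real product this would live in a
// secure element and never be readable from flash.
type Device struct {
	ID   string
	priv ed25519.PrivateKey
}

// NewDevice generates a unique key pair for one device at provisioning time
// and hands back the public half for enrolment in the cloud registry.
func NewDevice(id string) (*Device, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // entropy failure is not recoverable at provisioning time
	}
	return &Device{ID: id, priv: priv}, pub
}

// Sign produces an authenticated API call bound to this device's identity.
func (d *Device) Sign(method, path string, body []byte, now time.Time) SignedRequest {
	ts := now.Unix()
	return SignedRequest{
		DeviceID:  d.ID,
		Method:    method,
		Path:      path,
		Body:      body,
		Timestamp: ts,
		Signature: ed25519.Sign(d.priv, canonical(d.ID, method, path, body, ts)),
	}
}

// CloudAPI stores only public keys, so a breach of the cloud side yields
// nothing that lets an attacker impersonate a device.
type CloudAPI struct {
	keys    map[string]ed25519.PublicKey
	maxSkew time.Duration
}

func NewCloudAPI(maxSkew time.Duration) *CloudAPI {
	return &CloudAPI{keys: map[string]ed25519.PublicKey{}, maxSkew: maxSkew}
}

// Register enrols a device's public key under its ID.
func (c *CloudAPI) Register(id string, pub ed25519.PublicKey) { c.keys[id] = pub }

// Verify rejects unknown devices, stale requests, and any request whose
// signature was not made by the key enrolled for the claimed device ID.
func (c *CloudAPI) Verify(r SignedRequest, now time.Time) error {
	pub, ok := c.keys[r.DeviceID]
	if !ok {
		return fmt.Errorf("unknown device %q", r.DeviceID)
	}
	skew := now.Unix() - r.Timestamp
	if skew < 0 {
		skew = -skew
	}
	if time.Duration(skew)*time.Second > c.maxSkew {
		return errors.New("request timestamp outside accepted window")
	}
	if !ed25519.Verify(pub, canonical(r.DeviceID, r.Method, r.Path, r.Body, r.Timestamp), r.Signature) {
		return errors.New("signature does not match the key enrolled for this device")
	}
	return nil
}

func main() {
	lockA, pubA := NewDevice("lock-A")
	lockB, pubB := NewDevice("lock-B")
	cloud := NewCloudAPI(5 * time.Minute)
	cloud.Register(lockA.ID, pubA)
	cloud.Register(lockB.ID, pubB)

	now := time.Now()
	req := lockA.Sign("POST", "/v1/locks/lock-A/unlock", []byte(`{"action":"unlock"}`), now)
	fmt.Println("genuine request:", cloud.Verify(req, now))

	// An attacker who dumped lock-A's flash holds lock-A's key only: re-labelling
	// the request as lock-B fails because lock-B's enrolled key does not verify it.
	forged := req
	forged.DeviceID = lockB.ID
	fmt.Println("forged as lock-B:", cloud.Verify(forged, now))

	// Replaying the captured request later is stopped by the timestamp window.
	fmt.Println("replay after 10 min:", cloud.Verify(req, now.Add(10*time.Minute)))
}
```

Revoking a compromised unit is a single `delete(cloud.keys, id)` on the registry, with no firmware update for the rest of the fleet. The timestamp window limits replay but does not eliminate it; a production implementation would also track a per-device nonce or sequence number inside the window, and would run the whole exchange over TLS with the device pinning the cloud certificate so that the proxy-in-the-path attack mentioned above cannot read the traffic.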

Attacks Against the API 

Attacks can also target the API itself, and they are fairly frequent. APIs are usually exposed to the public Internet so that users around the world can reach them, which means hackers can reach them too. Just as a malicious user would attack a web application, they can attack an API. Common web application attacks such as SQL injection and cross-site scripting are just as effective inside the JSON payload of a RESTful API call as they are in the query string or form fields of a standard web application. The challenge is that many of the technologies used to secure web applications were not built with APIs in mind: they inspect URL parameters and form bodies but do not parse and check JSON payloads, so a malicious string inside a JSON field passes straight through to the back end.
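Because the protection in front of the API often cannot see inside JSON, the check has to happen where the JSON is parsed. The following is an added example in Go (not code from the original article) of a positive-schema validator for a hypothetical smart-lock endpoint: it accepts only the fields it knows, with the types it expects, and only values drawn from an allowlist, so an injection string never reaches a database or a page template. The `UnlockRequest` payload, its field names and the sample payloads in `main` are all constructed for this example.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"regexp"
)

// UnlockRequest is a hypothetical API payload for a smart-lock endpoint
// (an assumption of this example, not a format from the article).
type UnlockRequest struct {
	DeviceID  string `json:"device_id"`
	Action    string `json:"action"`
	DurationS int    `json:"duration_s"`
}

var (
	// Only characters a real device ID can contain; quotes, spaces and angle
	// brackets used by SQLi and XSS payloads are structurally impossible here.
	deviceIDPattern = regexp.MustCompile(`^[a-z0-9-]{1,32}$`)
	allowedActions  = map[string]bool{"lock": true, "unlock": true}
	maxBodyBytes    = 1 << 10 // a legitimate request is a few dozen bytes
)

// ParseUnlockRequest enforces a positive schema on the JSON body: known
// fields only, correct types, one object and nothing after it, and values
// drawn from an allowlist. Anything else is rejected before it is used.
func ParseUnlockRequest(body []byte) (UnlockRequest, error) {
	var req UnlockRequest
	if len(body) > maxBodyBytes {
		return req, errors.New("body too large")
	}
	dec := json.NewDecoder(bytes.NewReader(body))
	dec.DisallowUnknownFields() // reject fields the handler never expects
	if err := dec.Decode(&req); err != nil {
		// wrong types (a string where an int is expected) land here as well
		return req, fmt.Errorf("malformed json: %w", err)
	}
	var extra json.RawMessage
	if err := dec.Decode(&extra); err != io.EOF {
		return req, errors.New("trailing data after json object")
	}
	if !deviceIDPattern.MatchString(req.DeviceID) {
		return req, fmt.Errorf("device_id %q does not match allowed pattern", req.DeviceID)
	}
	if !allowedActions[req.Action] {
		return req, fmt.Errorf("action %q not allowed", req.Action)
	}
	if req.DurationS < 1 || req.DurationS > 300 {
		return req, fmt.Errorf("duration_s %d out of range 1..300", req.DurationS)
	}
	return req, nil
}

func main() {
	// Constructed sample payloads: one legitimate request and several of the
	// attack shapes discussed above, each carried inside a JSON field.
	samples := []struct{ name, body string }{
		{"legit", `{"device_id":"lock-a1","action":"unlock","duration_s":30}`},
		{"sqli in field", `{"device_id":"lock-a1' OR '1'='1","action":"unlock","duration_s":30}`},
		{"xss in field", `{"device_id":"lock-a1","action":"<script>alert(1)</script>","duration_s":30}`},
		{"type confusion", `{"device_id":"lock-a1","action":"unlock","duration_s":"30; DROP TABLE locks"}`},
		{"extra field", `{"device_id":"lock-a1","action":"unlock","duration_s":30,"is_admin":true}`},
		{"trailing object", `{"device_id":"lock-a1","action":"unlock","duration_s":30} {}`},
	}
	for _, s := range samples {
		_, err := ParseUnlockRequest([]byte(s.body))
		fmt.Printf("%-16s -> %v\n", s.name, err)
	}
}
```

The validator deliberately describes what a good request looks like rather than hunting for bad characters, which is why it needs no signature list and is not bypassed by encoding tricks. Two caveats for production use: `encoding/json` silently keeps the last value when a key is repeated, so if duplicate keys matter to your back end they need a separate check, and validation is a complement to parameterised database queries and output encoding, not a substitute for them.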

Don't be the team that lets the convenience of APIs obscure their security consequences. Whether you are selecting a security vendor, evaluating your current vendor, or revamping your security strategy, make sure you account for APIs.

You can read the original article published on IoT Agenda here

About the Author

Andrew Useckas

Andrew has a varied career ranging from ethical hacking, penetration testing and security product development for the US Department of Defense, to senior consulting positions for Fortune 500 enterprises and corporate CISO responsibilities for large enterprises. He combines software development skills with extensive knowledge and experience of the network and security industries.