Week 14 IoT

The document discusses the Internet of Things (IoT), highlighting its rapid growth and the associated cybersecurity challenges, including vulnerabilities in embedded systems and the risks posed by default credentials. It emphasizes the importance of awareness, governance, and continuous vigilance in protecting data and devices, while also referencing the IoT Security Foundation for best practices. Additionally, it touches on the implications of surveillance and privacy violations related to IoT devices and the need for regulatory measures.


IT369: IoT – The Internet of Things

Housekeeping
● Next week is our final week of class
● Final Exam follows the schedule set by GMU:
• https://registrar.gmu.edu/wp-content/uploads/Spring-2025-Final-Exam-Schedule.pdf
• GMU/CEC/IST Course Evaluations Open 4/25 - https://gmu.bluera.com/gmu
● If section response rates are above 50%, I will add 5 points to all students.
● If section response rates are above 75%, I will add 7 points to all students.
IoT (Internet of Things)
● 7B people on earth; 2B personal computers; 24B IoT devices
● Internet of Things (IoT) - what does that really mean?
○ Interconnected, The Internet or simply any interconnected network?
○ Things?
○ What makes it different than any other collection of connected devices?
● Common themes:
○ Non-standard computers, operating systems, firmware, usually wireless
○ Usually pre-configured with some final enrollment/connection
○ Very little support for end-user administration (vs. operation)
○ “The resultant benefits of a connected society are significant, disruptive and transformative.” -IoTSF
Embedded Systems
• Challenges of Embedded Devices
• Lack of positive physical control
• Multitude of providers, little standard controls
• Corporate-provided devices vs. BYOD
• Wireless = freedom as well as risk
• Spatial security? GeoFencing & Enclave Restrictions
• Efficiencies
• Where are the similarities and differences among cloud, computers, Embedded Systems, Industrial Control Systems (ICS), and the Internet of Things (IoT)?
Diagram: What are the major components? What vulnerabilities exist for each layer? Where is your security for each?
Limited Attack Surfaces?
● No apparent UI - does this limitation of attack surfaces help or
hinder? What key items are beyond our control?
● Pre-configuration and limited configurability would appear to
minimize vulnerabilities but the need for some default set of
credentials presents an opportunity to capitalize on laziness.
● As manufacturers provide distributed updates via the Internet, what
is the implication and vulnerability to the consumer?
● Ability to independently monitor, patch, and protect is highly
limited.
● Unseen attack surfaces often exist.
● Default credentials widely available:
Figure: Default credentials are not hard to find. Directory of default credentials, with an option to reset if you can reach the router: https://ipvm.com/reports/ip-cameras-default-passwords-directory
Centrally Controlled? Sharing Our Data?
Not always centrally controlled, but many contain some means of central connectivity, for patches, for instructions, for centralized knowledge or processing, such as Alexa or Google Home, among many others. And many components share with one another more and more. Data aggregators collecting tons of data points.
Centralized Systems = Data Collection
● Alexa conversations sent for processing.
● Reasonable assumption that Amazon (and others) might use these
massive data sets and machine learning to not only improve their
services, but with the side effect of obtaining more information
about us than we expect?
● Devices like thermostats and cameras provide remote (Internet)
storage, configuration, and monitoring, so where is our boundary
protection?
● How can accessing my thermostat in read-only mode assist a
hacker?
● Impact when our data is anonymous, scrubbed, or aggregated?
Heatmap Tracking: Fitness Devices
Vehicles
● Average vehicle recently had 30-100 computing devices in it
● “… Ford Focus typically uses roughly 300 chips, whereas one of Ford’s new electric vehicles can have up to 3,000 chips” -CNBC
● Vulnerability has been shown in vehicle brakes, steering, all dash devices, hood, trunk, locks, horn, and heat/AC.
Mirai Botnet: IoT Device DDOS
● Fall of 2016
● 3 students aged 18-20
● Hijack of hundreds of thousands of IoT devices
● Began as a way to attack rival Minecraft hosts
● Affected IP cameras and home routers
● Used IoT devices with default passwords
● Evolved into tons of traffic
● Knocked entire web-hosting companies offline
● Source Code is on Github - many variants exist
Geo-located Site Map: Mirai Impact
Busted...
● Cybersecurity journalist Brian Krebs accused Paras Jha, the owner of a DDOS mitigation company and a Rutgers University student
● Three students charged. Pled guilty to Computer Fraud & Abuse Act
● Sentenced to 2500 hours community service, 6 months home confinement, and $8.6M restitution
Vulnerabilities and Hacks Case Study
● Onity makes hotel key card readers.
○ 2012 hack
○ 4 million units in Marriotts, Hiltons, and InterContinentals
○ A fairly simple device was able to hack it by using an alternate port, providing a charge, and… well, here’s a 12-second video showing you:
https://www.youtube.com/watch?v=MrwNt96NlyQ
○ Arduino board (simpler version of Raspberry Pi), 9-volt battery, wires, voila!
○ Took months for Onity to figure out they had been hacked
● DOES Onity qualify as IoT? ICS? Or a poorly defended network?
● Does the recent move to using your smartphone for hotel access introduce risks? Is that risk yours or the hotel’s?
● Likely lessons to be learned either way
● All code and steps on Github:
https://github.com/lolptdr/onity-ht-lock-hack
Think Hotel Safes are Safe?
All hotel safes have a master key and code, which is often not cleared:
• Saflok hotel safes have a default master password set as 999999.
• Mesa Hotel Safe default reset password is 000000.
• Safemark hotel safe override code is set by default to 999999.
• Hotel Safe ME Series’ master code is 888888.
• Burg-Wächter PointSafe has a master code of 12345678.
• Burton Hotel Safe’s master code is 000000.

https://youtu.be/vW7M84khZy8
Privacy Expectation and Violation
● Mass surveillance more and more possible
○ Fitbit, cars, and phones with GPS
○ Phones becoming our entire collection of information
○ If I hacked your phone and your house, what do I have?
● What is our expectation of privacy when we have home
automation? IoT? Smartphones?
● Some is apparent, some buried in user agreements, but much is
surely shared without our knowledge.
● HIPAA protects our medical privacy and has strict penalties for
spillage or misuse; what is our recourse?
Where are the IoT Laws?
● California had the first IoT law. Bruce Schneier: “50 windows in a house, and you’ve just locked one.”
● Our GMU class rewrote IoT legislation for Virginia, but it died in committee (2019). Simple default passwords forbidden. Forced change-on-install, patch responsibility, hack alert. Multiple password support responsibility of manufacturers.
● Federal legislation: https://www.securitymagazine.com/articles/94123-iot-cybersecurity-improvement-act-signed-into-law
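An added example (not from the slides) that turns the default-credential concern from the "Limited Attack Surfaces" slide and the proposed Virginia rules above (no simple default passwords, forced change-on-install, patch responsibility) into an inventory audit a defender can run; the thresholds, the Device fields and the sample devices are all assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Hypothetical thresholds modelled on the proposed rules in the slides.
MAX_PATCH_AGE_DAYS = 90
MIN_PASSWORD_LEN = 12
AS_OF = date(2025, 4, 20)  # audit date (constructed)

@dataclass
class Device:
    name: str
    credential: str           # admin credential currently set (constructed)
    factory_credential: str   # credential the unit shipped with (constructed)
    changed_on_install: bool  # did the first-boot flow force a change?
    firmware_date: date       # build date of the running firmware

def is_simple(pw: str) -> bool:
    # Too short, or fewer than three of lower/upper/digit/symbol classes.
    if len(pw) < MIN_PASSWORD_LEN:
        return True
    classes = {"l" if c.islower() else "u" if c.isupper() else
               "d" if c.isdigit() else "s" for c in pw}
    return len(classes) < 3

def check_device(dev: Device, today: date) -> list[str]:
    """Return the policy findings for one device (empty list = compliant)."""
    findings = []
    if dev.credential == dev.factory_credential:
        findings.append("factory credential still in use")
    if is_simple(dev.factory_credential):
        findings.append("shipped with a simple default password")
    if is_simple(dev.credential):
        findings.append("current credential is simple")
    if not dev.changed_on_install:
        findings.append("first-boot flow did not force a credential change")
    if (today - dev.firmware_date).days > MAX_PATCH_AGE_DAYS:
        findings.append("firmware older than patch window")
    return findings

def audit(devices: list[Device], today: date) -> dict[str, list[str]]:
    # Map each non-compliant device name to its findings.
    return {d.name: f for d in devices if (f := check_device(d, today))}

# Constructed inventory: untouched since unboxing; weak default but changed; compliant.
SAMPLE_DEVICES = [
    Device("camera-lobby", "admin", "admin", False, date(2024, 6, 1)),
    Device("thermostat-3f", "Thermo-Stat-2025!", "1234", True, date(2024, 12, 1)),
    Device("router-edge", "Kq7#vL2pW9xT", "Xb4$Lm9qR2nZ", True, date(2025, 3, 1)),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_DEVICES, AS_OF).items():
        print(name, "->", "; ".join(findings))
```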
Internet of Things & Cybersecurity
• Spectrum of interconnected devices growing daily and will continue
to become more interrelated
• Zero Trust approach to all devices, users, and attack surfaces
• Traditional Applications and Data on computers now expanded to
include…everything
• Protect using vigilance and constant penetration testing
Protecting Data and Software Apps
● Know the governance and enforce laws
● Establish & communicate policies across our organization’s networks
on usage, data retention, surveillance, transparency
● Identify and communicate known and suspected vulnerabilities
● Demand good hygiene and best practices on configuration,
limitation of attack surfaces, vulnerability assessments
● Research and communicate continuous reevaluation of risk
● Perform regular penetration testing and analysis of traffic
● Frequent vulnerability testing, and patch-patch-patch!
Resource: IoTSF
● Internet of Things Security Foundation (see Canvas for PDF)
○ https://iotsecurityfoundation.org/best-practice-guidelines/
○ Great guides on Principles, Security Compliance Framework, Consumer
Issues, Vulnerability Disclosures
○ This document WILL be referenced on the final exam
○ Conferences
○ Resources, Publications, Forums, Videos, Questionnaires, etc.
○ https://www.iotsecurityfoundation.org/tag/iot-security-compliance-framework/
In Summary
● Awareness, education, and constant vigilance are required for this highly disparate collection of devices becoming part of our lives
● Like we’ve discussed, establish governance, set guidelines, release
policy early and often, educate users, observe operations, adjust as
needed.
● Use tools like the IoTSF framework to help your organization
● IoTSF Security for Smart Buildings
● Perform penetration testing on all your organization’s devices.
● The IoTSF document on Canvas for this week is included on the Final
Exam.
NSO Pegasus spyware
• Read the PDF article (on Canvas) from the Scientific American on the NSO Pegasus software and watch the video linked below:
• https://www.scientificamerican.com/article/what-is-pegasus-how-surveillance-spyware-invades-phones/
• 9 minute video: https://wapo.st/3ikCSKR
• Potential questions include:
• How can the use of end-to-end encryption be bypassed by software like Pegasus?
• What role did WhatsApp play in the NSO Pegasus case?
• What is the difference between zero-day and zero-click?
• Possible solutions to recognize if/when spyware is on a device?
• When does surveillance cross the line between ethical protection and unethical invasion of
privacy?
• How do we limit the use of spyware?
• How has the United States participated?
For more information (optional)
IF you are interested in more information on NSO Pegasus:
• https://www.nytimes.com/2022/01/28/magazine/nso-group-israel-spyware.html
• 2023 book Pegasus: How a Spy in Your Pocket Threatens the End of Privacy, Dignity,
and Democracy by Laurent Richard and Sandrine Rigaud
• https://www.pbs.org/wgbh/frontline/documentary/global-spyware-scandal-exposing-pegasus/
• The 45 countries found using the spyware as of 2022 are: Algeria, Bahrain,
Bangladesh, Brazil, Canada, Cote d’Ivoire, Egypt, France, Greece, India, Iraq, Israel,
Jordan, Kazakhstan, Kenya, Kuwait, Kyrgyzstan, Latvia, Lebanon, Libya, Mexico,
Morocco, the Netherlands, Oman, Pakistan, Palestine, Poland, Qatar, Rwanda, Saudi
Arabia, Singapore, South Africa, Switzerland, Tajikistan, Thailand, Togo, Tunisia, Turkey,
the UAE, Uganda, the United Kingdom, the United States, Uzbekistan, Yemen and
Zambia. It is likely many more use it today.
