As we all know, IoT is one of the greatest technology of recent times and is here to stay. If we go by numbers, by 2025, forecasts suggest that there will be more than 75 billion Internet of Things (IoT) connected devices in use. This would be a nearly threefold increase from the IoT installed base in 2019. [Statista] IoT cybersecurity is a hot area for highly paid jobs but equally demands expert technical skills in not one but all domains of IoT landscape like hardware, firmware, website, mobile app, database and networks.
Below is a list of a few frequently asked questions in IoT cybersecurity interviews. In case you wish an answer to your IoT Security question, please add in comments below and we will be happy to answer.
Why do you think IoT cybersecurity is important for IoT manufacturers?
While increased adoption has given wings to IoT growth, the core industry is really concerned about the security and privacy concerns surrounding this platform. Since many of these devices work primarily as trackers and monitors, the primary function is to send back data at regular intervals sometimes in seconds. This becomes a considerable amount of data size over a larger duration say weeks or months. Also with the minimalistic embedded computing devices capabilities in IoT devices, placing complicated security tools or technologies becomes impossible.
Name some critical areas where IoT devices are used and security is very essential?
- Energy Generators
- Oil Refineries
- Medical and Surgical Equipment
- Health Monitoring Systems
- Smart Door Locks
- Controlling Pumps & Valves
- POS Terminals
- Surveillance Systems
- Smart Tolls
Explain the attack surface for IoT devices.
Attack surface refers to the exposed areas or vulnerabilities in the IoT device that can be exploited by a malicious hacker to gain unauthorized access.
Given the nature of architecture, the attack surface for IoT devices is very diverse and comprises of possible attacks at various levels.
- Device Memory
- Device Firmware
- Device Data Storage
- Mobile Interfaces
- Web Interfaces
- Network Communication Interfaces
- Cloud Interfaces
- Administrative Interfaces
- Third-Party and Backend APIs
Which is the commonly used security standard reference for IoT cybersecurity?
The most commonly used IoT cybersecurity standard is by OWASP. They release a list of top ten threats concerning web application security every few years. The IoT device security list describes each vulnerability, provides examples, and offers suggestions on how to avoid it.
- I1: Weak Guessable, or Hardcoded Passwords
- I2: Insecure Network Services
- I3: Insecure Ecosystem Interfaces
- I4: Lack of Secure Update Mechanism
- I5: Use of Insecure or Outdated Components
- I6: Insufficient Privacy Protection
- I7: Insecure Data Transfer and Storage
- I8: Lack of Device Management
- I9: Insecure Default Settings
- I10: Lack of Physical Hardening
For further details, please refer OWASP IoT Top 10 – 2018
What is IoT botnet. Explain with example.
In simple words, botnet refers to a connected network of bots. All these bots are controlled by a central Command and Control Center (C&C). The C&C serves as the master for all slave bots and issues command that the bots then follow. Botnets are used in many cyberattacks, but primarily they are used to perform Distributed Denial of Service attacks on target networks.
Few famous examples of IoT botnets are:
- Mirai Botnet
- Dubbed as one of the most famous IoT botnet attacks, this was conducted used to successfully perform a high-volume DDoS attack on the renowned KrebsonSecurity (In-depth Security News and Investigation Portal) and DYN (DNS Service Provider).
- Mirai in Japanese means ‘The Future’. The source code for the underlying malware used at the heart of Mirai botnet was also released to the general public in 2016.
- Bricker Bot
- This is an advanced generation of malware targeting iot device security in specific.
- What makes it extremely dangerous is the fact that it aims to render the target device permanently unusable by running a series of commands for memory corruption.
- Cyber Security Vulnerability Assessment and Penetration Testing (VAPT) Interview Questions and Answers [Part 1]
- Cyber Security Vulnerability Assessment and Penetration Testing (VAPT) Interview Questions and Answers [Part 2]
- Frequently Asked Cyber Security Interview Questions and Answers
- IT Security Risk and Compliance Interview Questions with Answers