Assessing the Severity of SQL Injection Threats to IoT Security

Check out this post on assessing the severity of SQL injections on IoT devices. Click here to learn more.

July 18, 2018
45 Shares 2,782 Views

The evolution of the IOT has changed the world in countless ways. Many people are still struggling to adapt to it. One of the biggest learning curves that most people face is trying to understand the security vulnerabilities that the IOT network faces. Unfortunately, SQL injections can be an even bigger danger to the IOT than traditional networks.

Anybody that uses devices that are connected to the IOT must be aware of these risks. IOT developers must also take appropriate precautions to ensure they are properly secured. Many security experts argue that resolving any security vulnerabilities that expose any IOT devices to an SQL injection attack needs to be a top priority. The most common way these devices are hijacked is if the hacker used an SQL injection to gain control of a smartphone that controls these devices. This is a problem with IoT devices that are controlled by WeMo smartphone apps.

Some devices are more susceptible than others. Cameras are most at risk, because they can be hacked and turned into spy systems. Smart locks are better secured, but still need to be protected.

Why SQL injections are such a serious threat to IOT devices

In order to completely hijack and IOT devices, hackers need to assume root level of control of it. One of the easiest ways for them to do this is by using an SQL injection.

The scope of this risk is still being appraised by leading security experts. However, they have released preliminary findings suggesting that SQL vulnerabilities can have a devastating impact on IOT networks.

A number of botnets have been studied carefully. They exploit several different security vulnerabilities, but those that allow them to initiate SQL injection attacks are among the most common.

One IOT worm known as Hajime claims to be fighting this epidemic. The anonymous developers of the Hajime worm claim that their creation is programmed to hunt down malicious networks and block them from infecting other devices. It operates by identifying seemingly vulnerable IOT devices and patching the flaws that expose them to being hijacked by an SQL injection.

So far, Hajime seems to be delivering on its promises. The self-proclaimed vigilante worm has assumed access to over 300,000 IOT devices and updated security patches to thwart SQL injection attacks.

As altruistic as this sounds, security experts caution against trusting Hajime. They still don’t know exactly what the worm really does. It is possible that it has a more sinister motive and is being disguised as a vigilante application to keep people off their guard. Even if the application does what it is claiming, it could inadvertently replace some SQL injection vulnerabilities with others.

Nevertheless, the Hajime has helped highlight the severity of the risks that SQL injections have created.

How can developers prevent SQL injection attacks against IOT devices?

IOT devices are difficult to secure for a number of reasons. One of the biggest concerns is that these devices need to be able to be accessed remotely, which means they cannot be shielded with a firewall.

This leaves IOT devices exposed to many types of attacks that would easily be thwarted by desktop or mobile devices. Due to the dangers of SQL injections, they need to be one of the biggest concerns.

What measures can be taken to address these problems? Since SQL attacks are designed to take root control of a device, having an anti-root feature in place is one of the best ways to secure the device. This will identify any attempt to access the root level controls. If such an attempt is made, the device can lock out any intercepting traffic.

This would make it much harder for a hacker to coordinate an SQL injection attack. They would need to:

  • Decompile source code of any vulnerable apps used on an IOT device that they could penetrate
  • Get rid of any SSL pinning functions and anti-root features
  • Compile the app again
  • Manually or remotely reinstall it on the device

This would be a very cumbersome process. Some hackers would have the dedication and fortitude to go through with it. However, simply equipping all vulnerable apps with anti-rout this would be a very cumbersome process. Some hackers would have the dedication and fortitude to go through with it. However, simply equipping all vulnerable apps with anti-root functions would be enough to deter at least 90% of would be hackers from launching SQL injection attacks.