With current estimates suggesting that the global network of online and inter-connected smart hardware and applications known as the IoT or Internet of Things will expand to over 20 billion devices by 2020, the market for self-monitoring cars, household appliances that check in regularly with your local supermarket, and numerous other such gadgets, looks set to grow at a steady pace.
So the general consensus that devices, software, and network connections in the IoT are based on largely unsecured, bargain-basement technology and components should be a cause for concern, for all of us. Just recently, legislators in the USA made substantial moves to incorporate some of these concerns into law – but the issue of security flaws and lax practices in the manufacture, deployment, and management of the Internet of Things remains largely unresolved.
IoT – An Enabling Environment for Lax Security
In addition to being a growth sector, the IoT is a buyer’s and investor’s market, where consumers are looking to get the maximum benefit for the minimum amount they can spend. Unfortunately, an environment like this encourages manufacturers and vendors to cut corners, in the rush to get their products and services out there into the money stream.
This manifests as practices such as the use of generic components and software code, vendor-wide PINs, default passwords, and shared access codes, all of which translate into exploitable vulnerabilities and an ecosystem with poor security baked in.
A recent study by IBM Security and the Ponemon Institute suggests that 80% of organizations routinely leave their IoT apps untested for security vulnerabilities. The IoT Village held at the DEF CON security conference has discovered 113 critical vulnerabilities across consumer and business IoT products, over the past two years.
Not an encouraging picture. The Open Web Application Security Project (OWASP) has categorized several areas of IoT security vulnerability, which we’ll consider now.
IoT Security Flaw #1 – Weak On-board Web Interfaces
Many IoT devices have an onboard web server, which hosts a web application used in managing the device. Flaws in the underlying code of these web servers and apps may make the device vulnerable to attack – perhaps remotely since it’s connected to the internet.
IoT Security Flaw #2 – Poor Authentication Protocols
Communication between devices and their controllers, and between devices themselves, often amounts to an open channel, because the mechanisms used to authenticate or authorize legitimate traffic may be weak or shared across an entire product line. Insecure default settings may be applied automatically, and users may be unaware of this, or may not be given the opportunity to reconfigure those weak settings for themselves.
IoT Security Flaw #3 – Unsecured Maintenance Services
Services used for device debugging, testing, and diagnostics may operate on open, unsecured, or vulnerable ports. And these maintenance services aren’t typically subjected to extensive security testing.
IoT Security Flaw #4 – Data Transfer and Privacy Concerns
IoT devices may issue a continuous stream of information about themselves and their environment – not all of which is immediately apparent to the user. Personal, geographic, and financial information may be involved (depending on the device, and its application). And if weak or no encryption is used on these data streams, such information may become available to eavesdroppers, hackers, or third parties.
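As an added illustration of flaws #2, #3 and #4 (this is example code written for this page, not any vendor's software), the following Python audit checks a device's management configuration for the three weaknesses just described: vendor-wide default credentials, debug services left listening, and telemetry sent in cleartext or without disclosure to the user. The configuration layout, field names, port-to-service mapping and default-credential list are all assumptions constructed for the example; the weak and hardened sample configurations are constructed as well.

```python
"""Audit an IoT device's management configuration for the weaknesses
described under flaws #2, #3 and #4: shared/default credentials, exposed
maintenance services, and cleartext or undisclosed telemetry.

Added example. The configuration layout and field names are assumptions
for illustration, not any real vendor's format; both sample configs and
the default-credential list are constructed here.
"""
from dataclasses import dataclass

# Constructed list of the kind of vendor-wide default credentials the
# article describes; a real audit would load the vendor's own list.
KNOWN_DEFAULT_CREDENTIALS = {
    ("admin", "admin"), ("admin", "1234"), ("root", "root"), ("user", "user"),
}

# Debug/diagnostic services that should not be listening on a shipped device
# (port -> service name; assumed mapping for this example).
MAINTENANCE_SERVICES = {23: "telnet", 5555: "adb", 9999: "debug-console"}

# Telemetry fields the article flags as sensitive (personal, geographic, financial).
SENSITIVE_FIELDS = {"location", "owner_name", "payment_token"}


@dataclass(frozen=True)
class Finding:
    flaw: str    # which of the article's categories the finding maps to
    detail: str


def audit_device_config(cfg: dict) -> list:
    """Return a list of Findings; an empty list means no issue was detected."""
    findings = []

    # Flaw #2: weak or generic authentication
    creds = (cfg.get("admin_user"), cfg.get("admin_password"))
    if creds in KNOWN_DEFAULT_CREDENTIALS:
        findings.append(Finding("#2 authentication",
                                f"vendor default credentials {creds[0]}/{creds[1]} still active"))
    if not cfg.get("force_credential_change_on_first_boot", False):
        findings.append(Finding("#2 authentication",
                                "device does not force a credential change at first boot"))

    # Flaw #3: maintenance services reachable on the network
    for port in cfg.get("listening_ports", []):
        if port in MAINTENANCE_SERVICES:
            findings.append(Finding("#3 maintenance services",
                                    f"{MAINTENANCE_SERVICES[port]} listening on port {port}"))

    # Flaw #4: data transfer and privacy
    telemetry = cfg.get("telemetry", {})
    endpoint = telemetry.get("endpoint", "")
    if endpoint.split("://", 1)[0] in ("http", "mqtt", "ftp"):
        findings.append(Finding("#4 data transfer",
                                f"telemetry sent without transport encryption to {endpoint}"))
    undisclosed = SENSITIVE_FIELDS & set(telemetry.get("fields", []))
    if undisclosed and not telemetry.get("disclosed_to_user", False):
        findings.append(Finding("#4 data transfer",
                                f"sensitive fields {sorted(undisclosed)} sent without disclosure to the user"))
    return findings


# Constructed sample: a device as it might ship from a corner-cutting vendor.
WEAK_CONFIG = {
    "admin_user": "admin",
    "admin_password": "admin",
    "force_credential_change_on_first_boot": False,
    "listening_ports": [80, 23, 5555],
    "telemetry": {
        "endpoint": "http://telemetry.example.invalid/ingest",
        "fields": ["temperature", "location", "owner_name"],
        "disclosed_to_user": False,
    },
}

# Constructed sample: the same device with the weak settings corrected.
HARDENED_CONFIG = {
    "admin_user": "admin",
    "admin_password": "<unique per-device secret, set at first boot>",
    "force_credential_change_on_first_boot": True,
    "listening_ports": [443],
    "telemetry": {
        "endpoint": "https://telemetry.example.invalid/ingest",
        "fields": ["temperature", "location"],
        "disclosed_to_user": True,
    },
}


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {len(audit_device_config(cfg))} finding(s)")
        for f in audit_device_config(cfg):
            print(f"  [{f.flaw}] {f.detail}")
```

Run against the constructed weak configuration the audit reports six findings (default credentials, no forced credential change, telnet and adb listening, cleartext telemetry, and undisclosed location/owner fields); the hardened configuration produces none. The point is that each of the article's categories can be turned into a concrete, automatable check at the factory or at first boot, rather than being left for a DEF CON village to discover later.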
IoT Security Flaw #5 – Vulnerable Cloud and Mobile Management Platforms
With many IoT devices connecting to the cloud and/or wireless and mobile networks, exploitable code and weak security features in the software and infrastructure used to manage these platforms are also a serious concern.
Management platforms located on the device may address these issues to some extent, but these interfaces run the risk of not being updated or patched regularly.
IoT Security Flaw #6 – Poorly Implemented Security Features and Updates
Economic constraints and market considerations have been fueling the trend for IoT device manufacturers to take the minimum path when it comes to providing onboard security. There are typically very few security options to choose from – and ways of configuring these features for individual use cases may also be limited.
The problem of safely and efficiently rolling out security patches and software updates for IoT devices is one that’s been vexing operators in this sector since the Internet of Things began. Until there are unified standards and methods for doing so, the IoT ecosystem will remain a mishmash of unsecured devices running legacy operating systems and software – all potentially vulnerable to exploits and the latest modes of attack.
IoT Security Flaw #7 – Remote and Local Wipe Capabilities
When replacing an IoT device with a newer model, or selling off any equipment with smart sensors on board (like a household appliance, or automobile), having a record of all the information that’s been stored on it fall into the wrong hands is a very real danger. One of the “white hat” hacker delegates at last year’s DEF CON IoT Village was able to remotely access and take over control of a car he’d previously sold to a third party – on the basis of the data stored in its various sensors, which he still had access to.
So one existing flaw in IoT device design which needs to be addressed is enabling device owners to locally delete the contents of a device memory, before disposing of the equipment. Organizations needing to replace or re-purpose their existing IoT devices may also benefit from the ability to wipe their memories remotely – though this capability needs to be handled with some care so that it isn’t hijacked by malicious third parties.
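The care that a remote wipe needs, so that it is not hijacked, comes down to three checks on the device: the command must be authenticated with a secret only the legitimate fleet service holds, it must be addressed to this specific device, and it must not be replayable. The Python below is an added example written for this page, not any vendor's implementation. It assumes (as stated in the code) that each device is provisioned with its own secret shared only with the fleet-management service, and it uses a monotonically increasing counter rather than a timestamp because many devices lack a trustworthy clock. A local, owner-initiated wipe for the disposal case described above sits alongside it.

```python
"""Authenticated, replay-resistant remote wipe for an IoT device, alongside
a local wipe the owner can trigger before disposal.

Added example, not any vendor's implementation. It assumes each device is
provisioned with its own secret shared only with the fleet-management
service (assumption), and that a monotonically increasing counter is used
instead of a clock, because many devices lack a trustworthy time source.
"""
import hashlib
import hmac
import json
import secrets


def canonical(command: dict) -> bytes:
    """Stable serialization so fleet side and device side MAC identical bytes."""
    return json.dumps(command, sort_keys=True, separators=(",", ":")).encode()


def sign_wipe_command(device_secret: bytes, device_id: str, counter: int):
    """Fleet-management side: build and MAC a wipe command for one device."""
    command = {"action": "wipe", "device_id": device_id, "counter": counter}
    tag = hmac.new(device_secret, canonical(command), hashlib.sha256).digest()
    return command, tag


class DeviceStorage:
    """Stand-in for the device's persistent memory (constructed sample data)."""

    def __init__(self):
        self.data = {
            "sensor_log": ["2017-03-01 trip 12.4km", "2017-03-02 trip 3.1km"],
            "owner_profile": {"name": "constructed owner", "home": "constructed address"},
        }

    def erase(self):
        # Real firmware would overwrite or crypto-erase flash; here we just drop the data.
        self.data = {}


class WipeController:
    def __init__(self, device_id: str, device_secret: bytes):
        self.device_id = device_id
        self._secret = device_secret
        self.last_counter = 0          # highest counter accepted so far
        self.storage = DeviceStorage()

    def local_wipe(self) -> bool:
        """Owner-initiated wipe from the device itself (e.g. a physical button or menu)."""
        self.storage.erase()
        return True

    def handle_remote_wipe(self, command: dict, tag: bytes):
        """Accept a wipe only if it is for this device, properly MACed, and not a replay."""
        expected = hmac.new(self._secret, canonical(command), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False, "rejected: bad signature"
        if command.get("action") != "wipe" or command.get("device_id") != self.device_id:
            return False, "rejected: not a wipe command for this device"
        counter = command.get("counter", 0)
        if counter <= self.last_counter:
            return False, "rejected: replayed or stale counter"
        self.last_counter = counter    # commit before erasing so a crash cannot re-enable replay
        self.storage.erase()
        return True, "wiped"


def demo():
    """Genuine command is accepted once; the same command again and a command
    MACed with the wrong key are both rejected."""
    secret = secrets.token_bytes(32)
    device = WipeController("device-0001", secret)
    cmd, tag = sign_wipe_command(secret, "device-0001", counter=1)
    results = [device.handle_remote_wipe(cmd, tag)]                   # accepted
    results.append(device.handle_remote_wipe(cmd, tag))               # replay: rejected
    wrong_cmd, wrong_tag = sign_wipe_command(b"not the secret", "device-0001", counter=2)
    results.append(device.handle_remote_wipe(wrong_cmd, wrong_tag))   # wrong key: rejected
    return results, device.storage.data


if __name__ == "__main__":
    outcomes, remaining = demo()
    for accepted, reason in outcomes:
        print(f"{'accepted' if accepted else 'rejected'}: {reason}")
    print(f"data left on device: {remaining}")
```

Two design choices worth noting: the counter is persisted before the erase, so that a device interrupted mid-wipe cannot be made to accept the same command again, and the device-id check runs after the MAC check so that a command signed for one device with the fleet key cannot be redirected to another. Per-device secrets, rather than one key for the whole product line, are what keeps a single leaked secret from becoming a fleet-wide wipe capability, which is exactly the kind of shared-credential weakness flaw #2 describes.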
IoT and the Need for a Coordinated Security Effort
For a safe and stable IoT environment, all of these security flaws must be addressed in a coordinated effort involving device manufacturers, vendors, supply chain partners, users, regulatory authorities, and jurisdictions at all levels.
Not an easy task – but it’s something that has to be done, if we wish to avoid crises like the DDoS (Distributed Denial of Service) attack which took down some of the biggest names on the internet in October 2016 or the more localized assault which disabled the key card system of a luxury hotel in Austria, earlier this year.