We’ve already seen what IoT vulnerabilities can lead to. The massive DDoS attack on Dyn was easily one of the largest DDoS attacks ever. As it turned out, that attack was launched not from the usual botnet of hijacked servers, but from a multitude of IoT devices.
It happened before. It can happen again.
Sadly, the use of IoT devices as an attack vector is just one of the myriad security issues that now plague this nascent technological ecosystem. It’s important to grasp the implications of these developments and see whether we can learn from what has happened in the past.
Not so long ago, we also saw the explosion of the Internet. During the early stages of its rapid growth, architects, engineers, and developers rolled out wave upon wave of technologies that, while equipped with great functionality, were seriously lacking in security. Protocols like FTP, HTTP, and Telnet are the first few examples that come to mind.
Many of these grossly insecure technologies, which even now are still used by many organizations, are putting people and businesses at risk. Attackers exploit their vulnerabilities to steal confidential information, infiltrate networks, or carry out a variety of nefarious acts.
Alarmingly, we seem to be experiencing déjà vu with the Internet of Things. Stimulated by the almost unlimited supply of IP addresses through IPv6, along with technological advancements and cost reductions, we’re now seeing the market flooded by a plethora of products. But close inspection of these products reveals that many of them were built with very little regard for security.
The Open Web Application Security Project (OWASP) has identified the following ten as the top vulnerabilities and security issues that afflict most IoT devices and their supporting systems.
1. Insecure Web Interface
Most IoT devices are administered through a web interface. Unfortunately, many of these web interfaces have weak security. For example, some of them simply accept login credentials in plaintext. Others don’t require the use of strong passwords. Still others have no provision to lock out users who have made several failed login attempts (an indication of a brute-force attack). If these weaknesses are not addressed, they can be exploited, resulting in data loss or even loss of control over the device.
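The following is an added example, not code from the original post, showing how a device's login handler can avoid the weaknesses just described: credentials are stored as salted PBKDF2 hashes rather than in plaintext, comparison is constant-time, and an account locks for a configurable period after too many failed attempts. The user names, passwords, iteration count and lockout thresholds are constructed for the example.

```python
"""Added example (not from the original post): a minimal device login
handler with salted password hashing and failed-attempt lockout.
User names, passwords and thresholds below are constructed for the example."""
import hashlib
import hmac
import os
import time
from typing import Dict, Optional, Tuple

HASH_ITERATIONS = 200_000     # PBKDF2-HMAC-SHA256 work factor (assumed value)
MAX_FAILED_ATTEMPTS = 5       # lock the account after this many failures
LOCKOUT_SECONDS = 15 * 60     # how long the account stays locked


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, HASH_ITERATIONS)
    return salt, digest


class DeviceAuth:
    """Per-user credential store with failed-attempt lockout."""

    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, bytes]] = {}   # name -> (salt, digest)
        self._failures: Dict[str, Tuple[int, float]] = {}  # name -> (count, last failure time)

    def add_user(self, name: str, password: str) -> None:
        self._users[name] = hash_password(password)

    def is_locked(self, name: str, now: float) -> bool:
        count, last = self._failures.get(name, (0, 0.0))
        return count >= MAX_FAILED_ATTEMPTS and now - last < LOCKOUT_SECONDS

    def login(self, name: str, password: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        if self.is_locked(name, now):
            return False              # locked accounts fail without checking the password
        stored = self._users.get(name)
        if stored is None:
            hash_password(password)   # hash anyway so unknown users take as long as wrong passwords
            return False
        salt, digest = stored
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            self._failures.pop(name, None)   # success clears the failure counter
            return True
        self._record_failure(name, now)
        return False

    def _record_failure(self, name: str, now: float) -> None:
        count, last = self._failures.get(name, (0, 0.0))
        if count >= MAX_FAILED_ATTEMPTS and now - last >= LOCKOUT_SECONDS:
            count = 0                 # an expired lockout starts a fresh count
        self._failures[name] = (count + 1, now)
```

The `now` parameter exists so the lockout window can be exercised deterministically; in a real handler the current time is used. Rate limiting per source address is a useful complement, since per-account lockout alone can be turned into a denial of service against legitimate users.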
2. Insufficient Authentication/Authorization
When IoT is introduced into highly critical areas like energy, healthcare, manufacturing, transportation, and telecommunications, run-of-the-mill authentication/authorization systems are not enough. IoT systems deployed in mission-critical areas must be equipped with multi-factor authentication and granular access control mechanisms that can substantially reduce the risk of unauthorized access.
Without strong authentication/authorization systems, administrative user accounts can easily fall into the hands of impostors, who will then have the ability to execute commands or access other parts of the internal network. These malicious individuals can then wreak havoc and endanger lives and property.
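As an added example (not from the original post), the block below implements the two controls this section calls for: a second factor using time-based one-time passwords (RFC 6238, HMAC-SHA1 with a 30-second step, the scheme used by common authenticator apps) and a granular authorization check in which privileged device commands require both a permitted role and a verified second factor. The roles, command names and demo secret are constructed for the example.

```python
"""Added example (not from the original post): TOTP as a second factor
(RFC 6238 / RFC 4226) plus role- and MFA-gated authorization for device
commands. Role and command names are constructed for the example."""
import hashlib
import hmac
import struct
import time
from typing import Optional

TIME_STEP = 30          # seconds per TOTP period
DIGITS = 6
ALLOWED_DRIFT = 1       # accept codes from one period before/after (clock skew)


def hotp(secret: bytes, counter: int) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def totp(secret: bytes, at: Optional[float] = None) -> str:
    """Current TOTP code; `at` overrides the clock for testing."""
    at = time.time() if at is None else at
    return hotp(secret, int(at) // TIME_STEP)


def verify_totp(secret: bytes, code: str, at: Optional[float] = None) -> bool:
    """Constant-time comparison against the current period and its neighbours."""
    at = time.time() if at is None else at
    counter = int(at) // TIME_STEP
    return any(
        hmac.compare_digest(hotp(secret, counter + d), code)
        for d in range(-ALLOWED_DRIFT, ALLOWED_DRIFT + 1)
    )


# Granular permissions (constructed): a viewer only reads telemetry; changing
# setpoints, firmware or users is privileged and additionally needs a verified 2nd factor.
ROLE_PERMISSIONS = {
    "viewer": {"read_telemetry"},
    "operator": {"read_telemetry", "set_setpoint"},
    "admin": {"read_telemetry", "set_setpoint", "update_firmware", "manage_users"},
}
PRIVILEGED_ACTIONS = {"set_setpoint", "update_firmware", "manage_users"}


def authorize(role: str, action: str, mfa_verified: bool) -> bool:
    """Allow `action` only if the role grants it and, for privileged actions, MFA passed."""
    if action not in ROLE_PERMISSIONS.get(role, set()):
        return False
    if action in PRIVILEGED_ACTIONS and not mfa_verified:
        return False
    return True
```

The HOTP/TOTP functions can be checked against the published RFC test vectors (secret `12345678901234567890`, counter 0 gives `755224`; at time 59 the 6-digit TOTP is `287082`). A real deployment must also prevent a code from being accepted twice within its window.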
3. Insecure Network Services
IoT systems rely heavily on network communications. For this reason, these networks must be tightly secured. Otherwise, network services can be compromised through buffer overflows, fuzzing, DDoS, and other forms of attack.
First, devices can be rendered unusable. Second, they can either be subjected to a denial-of-service attack or themselves be used to launch such attacks. The DDoS attacks on KrebsOnSecurity.com and Dyn are perfect examples of what can happen when IoT devices fall into the wrong hands.
4. Lack of Transport Encryption/Integrity Verification
In an IoT environment, data transmissions are usually carried out between several endpoints. There may be data exchanges between:
- Mobile apps and front-end cloud services
- Web applications and front-end cloud services
- IoT devices and back-end cloud services
- Mobile apps and IoT devices
- IoT devices and other IoT devices
Ideally, these data exchanges should be carried over TLS-protected protocols or other secure channels. But if these communications are carried out over unencrypted protocols, the transmitted data can be intercepted and read.
Depending on the kind of data that ends up compromised, attackers can do different things with it. If it is login credentials, those credentials can be used to gain access to the system. Other pieces of data can be aggregated and then used to infer the behavior of either the users or the system as a whole. Still other data can be tampered with, harming the integrity of the system.
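The following is an added example, not code from the original post, covering the integrity-verification half of this item. TLS provides the confidentiality and the channel; independent of that, each device-to-cloud frame here carries a sequence number and an HMAC-SHA256 tag over the device id, sequence number and payload, so the receiver rejects frames that were tampered with and frames that are replayed. The device id, shared key and payloads are constructed for the example.

```python
"""Added example (not from the original post): message-level integrity and
replay protection for device-to-cloud frames using HMAC-SHA256 and a
monotonically increasing sequence number. Ids, keys and payloads are constructed."""
import hashlib
import hmac
import struct
from typing import Dict, Optional

TAG_LEN = 32  # full SHA-256 tag


def _mac_input(device_id: str, seq: int, payload: bytes) -> bytes:
    # Length-prefix the id so no two (id, seq, payload) triples share one encoding.
    dev = device_id.encode()
    return struct.pack(">H", len(dev)) + dev + struct.pack(">Q", seq) + payload


def seal(key: bytes, device_id: str, seq: int, payload: bytes) -> bytes:
    """Device side. Frame layout: 2-byte id length | id | 8-byte seq | payload | 32-byte tag."""
    body = _mac_input(device_id, seq, payload)
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Receiver:
    """Cloud side: verifies the tag, then enforces strictly increasing sequence numbers."""

    def __init__(self, keys: Dict[str, bytes]) -> None:
        self._keys = keys                       # device id -> shared key
        self._last_seq: Dict[str, int] = {}     # device id -> highest sequence accepted

    def open(self, frame: bytes) -> Optional[bytes]:
        """Return the payload if the frame is authentic and fresh, else None."""
        if len(frame) < 2 + 8 + TAG_LEN:
            return None
        id_len = struct.unpack(">H", frame[:2])[0]
        if len(frame) < 2 + id_len + 8 + TAG_LEN:
            return None
        device_id = frame[2:2 + id_len].decode(errors="replace")
        key = self._keys.get(device_id)
        if key is None:
            return None                         # unknown device
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return None                         # tampered payload or wrong key
        seq = struct.unpack(">Q", frame[2 + id_len:2 + id_len + 8])[0]
        if seq <= self._last_seq.get(device_id, -1):
            return None                         # replayed or out-of-order frame
        self._last_seq[device_id] = seq
        return frame[2 + id_len + 8:-TAG_LEN]
```

The tag is checked before any field is trusted, and the sequence number is only advanced after the tag verifies, so an attacker who can see frames on the wire can neither alter them nor re-send an old one. A per-device key is used so that compromising one device does not let it forge frames for another.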
5. Privacy Concerns
Some IoT devices collect and store personal information such as the user’s birthday, phone number, home address, gender, or, worse, financial or health information. This can have huge repercussions from a privacy perspective, as personal information can be used to perform identity theft. Businesses that use these kinds of IoT devices are subject to the requirements of laws and regulations like HIPAA, PCI-DSS, SOX, GLBA, and several state data breach notification laws.
Thus, if your business is operating in a highly regulated industry and you’re planning to deploy IoT devices in the workplace, you should make sure personal information is adequately protected.
6. Insecure Cloud Interface
Cloud services are vital to IoT systems. They facilitate data exchanges between IoT devices and their respective web/mobile applications as well as data exchanges between IoT devices and other IoT devices. The cloud is also where the bulk of the data gathered by IoT endpoints is stored and processed. This data is used for analytics, control, integration with enterprise applications, and several other purposes.
It’s therefore imperative to ensure the security of cloud interfaces. Failure to do so may result in massive data loss as well as loss of control of all devices connected to the cloud platform. Worse, if these cloud services are also connected to enterprise applications, those applications can likewise be at risk of getting attacked. Poorly designed cloud interfaces usually suffer from weak authentication/authorization mechanisms, lack of data-in-motion encryption, and other access control deficiencies.
7. Insecure Mobile Interface
There are usually two ways to administer or manage IoT devices. One is through a web interface, which we discussed earlier; the other is through a mobile interface, i.e. an app running on an iOS, Android, or Windows device. Like web interfaces, mobile interfaces need to be equipped with strong authentication/authorization mechanisms.
If an attacker manages to gain unauthorized access into an IoT device’s corresponding mobile app, that attacker will in turn be able to control the IoT device. In other words, he could, for example, open doors, manipulate processes, cut off power, or shut down support systems.
8. Insufficient Security Configurability
Secure devices are usually equipped with configurable security features. You can, for example, choose the number and types of characters required for password authentication. A device with a fixed, non-configurable security level might be acceptable if that level were high/strict. But this is seldom the case: devices with non-configurable security are usually set to low levels of security.
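As an added example (not from the original post), the block below expresses the password requirement of this section as a configurable policy. The weak, non-configurable behaviour the post describes is written out as one profile beside the strict profile a device should ship with, and the owner can derive a policy that raises any requirement but never lowers one. Profile names, thresholds and the small deny-list of factory defaults are constructed for the example.

```python
"""Added example (not from the original post): a configurable password
policy with a strict default and a "tighten-only" override. Profile names,
thresholds and the deny-list are constructed for the example."""
import string
from dataclasses import dataclass, field
from typing import List, Set

# Constructed deny-list of factory defaults the device must never accept.
DEFAULT_DENYLIST = {"admin", "password", "12345678", "123456", "default"}


@dataclass
class PasswordPolicy:
    min_length: int = 12
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_symbol: bool = True
    denylist: Set[str] = field(default_factory=lambda: set(DEFAULT_DENYLIST))

    def problems(self, password: str) -> List[str]:
        """Return every rule the candidate violates (an empty list means accepted)."""
        issues = []
        if len(password) < self.min_length:
            issues.append(f"shorter than {self.min_length} characters")
        if self.require_upper and not any(c.isupper() for c in password):
            issues.append("no upper-case letter")
        if self.require_lower and not any(c.islower() for c in password):
            issues.append("no lower-case letter")
        if self.require_digit and not any(c.isdigit() for c in password):
            issues.append("no digit")
        if self.require_symbol and not any(c in string.punctuation for c in password):
            issues.append("no symbol")
        if password.lower() in self.denylist:
            issues.append("is a well-known default password")
        return issues

    def accepts(self, password: str) -> bool:
        return not self.problems(password)


# The weak, fixed behaviour described in the post, written as a profile...
WEAK_PROFILE = PasswordPolicy(min_length=4, require_upper=False, require_lower=False,
                              require_digit=False, require_symbol=False, denylist=set())
# ...and the profile a device should ship with.
STRICT_PROFILE = PasswordPolicy()


def tighten(base: PasswordPolicy, **overrides) -> PasswordPolicy:
    """Derive a policy from `base` that may raise, but never lower, any requirement."""
    new = PasswordPolicy(**{**base.__dict__, **overrides})
    if new.min_length < base.min_length:
        raise ValueError("min_length may not be lowered")
    for flag in ("require_upper", "require_lower", "require_digit", "require_symbol"):
        if getattr(base, flag) and not getattr(new, flag):
            raise ValueError(f"{flag} may not be disabled")
    if not base.denylist <= new.denylist:
        raise ValueError("denylist entries may not be removed")
    return new
```

Returning the list of violated rules, rather than a bare boolean, lets the administrative interface tell the user exactly what to fix without weakening the check itself.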
9. Insecure Software/Firmware
Some IoT devices perform firmware updates (mostly during restarts or at regular time intervals) over insecure network protocols like TFTP. TFTP provides neither encryption nor authentication, so updates delivered over it are highly vulnerable to man-in-the-middle attacks.
Once an attacker is able to grab the firmware update as it traverses the network, he could modify it to serve his own purposes. After tampering with it, the attacker can then push the modified update to the device and subsequently gain control. If the device is a hub that communicates with other IoT devices, the attacker might then be able to take over those devices as well.
These man-in-the-middle attacks are typically carried out in the local network. However, it’s also possible to perform a malicious update through Internet-based attacks like DNS hijacking.
Equally important is the ability of the device to perform security updates. If the device is incapable of carrying out updates, it wouldn’t be able to patch security vulnerabilities.
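The following is an added example, not code from the original post, of how a device can check a firmware update before installing it, whatever transport (TFTP included) delivered it. The update consists of an image plus a small manifest naming the image's SHA-256 digest and version number, and the manifest carries an authentication tag. To stay within the Python standard library the tag here is an HMAC under a key shared between vendor and device; that is a simplification, and a production design would use a public-key signature so the device stores only a verification key. The version check refuses rollback to an older, possibly vulnerable, image. The key, version numbers and image bytes are constructed.

```python
"""Added example (not from the original post): verifying a firmware update's
authenticity, integrity and version before installing it. The HMAC-based
manifest tag is a stand-in for a public-key signature; key, versions and
image bytes are constructed for the example."""
import hashlib
import hmac
import json
from typing import Optional

TAG_LEN = 32  # HMAC-SHA256 tag appended to the manifest


def build_update(vendor_key: bytes, image: bytes, version: int) -> bytes:
    """Vendor side: manifest JSON (version + image digest) followed by its tag."""
    manifest = json.dumps({"version": version,
                           "sha256": hashlib.sha256(image).hexdigest()},
                          sort_keys=True).encode()
    return manifest + hmac.new(vendor_key, manifest, hashlib.sha256).digest()


class Device:
    def __init__(self, vendor_key: bytes, installed_version: int) -> None:
        self._key = vendor_key
        self.installed_version = installed_version

    def verify_update(self, signed_manifest: bytes, image: bytes) -> Optional[str]:
        """Return None if the update may be installed, else the reason it was refused."""
        if len(signed_manifest) <= TAG_LEN:
            return "manifest too short"
        manifest, tag = signed_manifest[:-TAG_LEN], signed_manifest[-TAG_LEN:]
        expected = hmac.new(self._key, manifest, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return "manifest authentication failed"   # forged, or altered in transit
        try:
            meta = json.loads(manifest)
            version, digest = int(meta["version"]), str(meta["sha256"])
        except (ValueError, KeyError, TypeError):
            return "manifest malformed"
        if version <= self.installed_version:
            return "rollback refused"                 # older images may carry known holes
        if not hmac.compare_digest(hashlib.sha256(image).hexdigest(), digest):
            return "image digest mismatch"            # image altered in transit
        return None

    def apply_update(self, signed_manifest: bytes, image: bytes) -> bool:
        """Install only after every check passes; record the new version."""
        if self.verify_update(signed_manifest, image) is not None:
            return False
        self.installed_version = int(json.loads(signed_manifest[:-TAG_LEN])["version"])
        return True
```

The manifest is authenticated before any of its fields are parsed, and the image is bound to the manifest through its digest, so neither can be swapped independently. Keeping the verification key separate from the transport means a plaintext TFTP path no longer decides whether an update is trusted.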
10. Poor Physical Security
The physical security of an IoT device, especially one used in a business setting, is as critical as the technical security measures mentioned earlier in this post. Imagine what could happen if a malicious individual gains physical access to a mission-critical device.
He could remove or break into the storage medium and extract whatever information is stored there. If the device is equipped with external ports like a USB port or an SD card slot, the intruder could gain access through those and attack the operating system or storage medium.
It might seem like a pretty long list, but there’s really no way around it. IoT is poised to be tightly interwoven into the fabric of society. If IoT systems can be easily compromised, the potential damage to people (not just IT systems or infrastructure) can be catastrophic. It is therefore imperative that businesses carefully scrutinize what IoT systems are incorporated into the organization and how, and ensure that more than just adequate security is enforced.
Learn how Defence Intelligence can improve your security posture http://defintel.com