
The Challenges of Ensuring IoT Security

Category: Web Security Readings - Last Updated: Fri, 14 Feb 2020 - by Zbigniew Banach

It’s no secret that cybersecurity and the Internet of Things don’t go well together. Thousands of IoT devices are finding their way into homes, businesses, industry, transport, healthcare, and many other areas of our lives, but security is rarely high on device manufacturers’ list of priorities. In the young and booming IoT ecosystem, there are no industry standards for architecture or security, and devices often use custom-built operating systems and proprietary communication protocols. Internet of Things security remains a veritable minefield, and problems with IoT cyberattacks and malware can only continue to grow along with the number of devices. So why is it so hard to secure IoT devices, and what can we do about it?


The Rise of IoT

The last decade has seen a rapid increase in embedded device connectivity, and with good reason. Solutions that combine data gathering, tracking, and analysis promise to revolutionize manufacturing, industrial maintenance, supply chain management, logistics, retail, urban administration, infrastructure management, food production, surveillance, and many other sectors. The potential for efficiency gains and new income streams is enormous. At the same time, the need to process and understand huge amounts of data from thousands of sensors and devices ties in with cloud solutions, artificial intelligence, machine learning, Big Data, and other trending technologies.

In the consumer space, making everything “smart” often seems like a solution in search of a problem, but there is no doubt that more and more home and personal devices will get Internet connectivity. Smart TVs, household appliances, wearables, toys, home automation systems, cars, medical devices – manufacturers are keen to add connectivity to seemingly every new product. In the rush to get the next big thing to market, security is often the first victim.

Why Security Comes Last in IoT Devices

Rapid innovation combined with the promise of quick profits in an immature and competitive market is definitely not good for security. But beyond blaming greedy manufacturers, there are good reasons why ensuring IoT device security is so hard. By their very nature, smart devices focus on innovative functionality and ease of use, and adding security might restrict core features or degrade the user experience. This is especially true for consumer-oriented products that need to run straight out of the box without overly technical setup procedures.

Another problem is that device manufacturers with little or no prior experience with computing, networking, or security are now adding IoT features to their existing product offerings. Security is hard at the best of times, and studies show that even experienced IT vendors can struggle to secure their devices properly. If you add fragmentation and a lack of standardization into the mix, it’s no surprise that new players often can’t get security features right. And while web interfaces make administration easier and REST APIs provide some measure of interoperability, both approaches can also leave devices wide open to attacks from anywhere in the world.

On a more technical level, maintaining software security requires regular testing, patching, and updating. Even assuming that vendors have the time, money, and motivation to support their products all across the lifecycle (which is not always the case), providing firmware updates for embedded devices is a challenge in itself. How is the update delivered? How is it installed? Can it be automated? Will it cause compatibility problems? Is it secure and protected from tampering? In fact: is it at all possible to update the firmware in the field? After all, updating the software is not the first operation that comes to mind for a lightbulb, washing machine, or office elevator.

Then there is the problem of resource constraints. Encryption is a cornerstone of information security, yet many IoT products are low-power embedded devices that don’t have the computing resources to support encryption or secure key negotiation. Of course, dedicated security chips can be used, but this increases costs, complexity, and power consumption, so manufacturers don’t have any motivation to take this route, especially in consumer-grade products. Local storage is also limited, and IoT solutions often rely on cloud storage to store the data they generate – which opens up a whole new can of worms in the form of cloud security.

The Dangers of Insecure IoT Devices

IoT devices can pose a security threat in more ways than one, especially as they are often connected to higher-value targets. A compromised device, such as a smart printer, might provide attackers with a foothold to gain access to the main company network. Insecure devices can also be directly targeted by ransomware or other malware, for example, to be used for cryptocurrency mining or as DDoS attack drones in a botnet (think Mirai). If company equipment is hijacked and used for criminal purposes, the legal consequences can be unpleasant. Ironically, despite the huge variety of IoT hardware and operating systems, large-scale attacks on IoT devices are possible largely due to the common use of web-based user interfaces. With more advanced techniques, devices can be discovered and compromised even behind a NAT.

Insecure connected devices can contain valuable personal information or allow access to it. For example, footage from IP cameras might be used to track individuals or plan criminal activities and hacked home assistant devices can be used for eavesdropping. Insecure home automation systems such as smart locks may allow physical access to the property, while vulnerabilities in insulin pumps and pacemakers might directly threaten human life. Smart power meters are being rolled out in many countries despite privacy and security concerns. And let’s not forget the possibility of your Internet-connected car being hacked and remotely controlled or disabled.

For organizations, the biggest risk is the lack of awareness and oversight when it comes to deploying smart devices. With connectivity being added to so many products, corporate security teams may not even be aware that a new printer, NAS box, or security camera is increasing the organization’s attack surface by exposing a web interface or another communication channel. This is especially dangerous because network security systems may not detect such devices, even though securing them often requires more care and effort than with typical servers and workstations.

OWASP Top 10 IoT Security Weaknesses

  1. Weak, Guessable, or Hardcoded Passwords
  2. Insecure Network Services
  3. Insecure Ecosystem Interfaces
  4. Lack of Secure Update Mechanism
  5. Use of Insecure or Outdated Components
  6. Insufficient Privacy Protection
  7. Insecure Data Transfer and Storage
  8. Lack of Device Management
  9. Insecure Default Settings
  10. Lack of Physical Hardening

Source: OWASP Internet of Things Project

How to Secure IoT Devices in Your Organization

As the market and technology mature, standards and best practices should emerge to guide IoT device manufacturers in developing and delivering more secure products. For the time being, stopgap IoT security solutions are available, such as security services that isolate devices from the public Internet by acting as a proxy to filter out any malicious traffic. For devices that provide a web user interface and/or communicate via REST APIs, you can use a web vulnerability scanner to check for issues.

Other than that, the best advice is to research the device, vendor, and software in detail before committing to a product and to treat any IoT device as insecure by default – see above for the OWASP list of common problem areas. Finally, apply some common-sense security measures to make sure nothing slips under the radar: keep an inventory of all devices, install the latest firmware before deployment, restrict administrative access, and isolate devices from production systems as much as possible.
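The four measures above can be checked mechanically once an inventory exists. The following is an added example, not code from the original article: the device names, addresses, firmware versions, and the IoT segment and management ranges are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Policy values are constructed assumptions for this example.
IOT_SEGMENT = ipaddress.ip_network("10.20.0.0/24")       # isolated device network
ADMIN_SOURCES = [ipaddress.ip_network("10.99.0.0/28")]   # management hosts only

@dataclass
class Device:
    name: str
    ip: str
    firmware: str
    latest_firmware: str
    admin_allowed_from: list  # CIDRs permitted to reach the admin interface

# Constructed sample inventory and list of addresses observed on the network.
INVENTORY = [
    Device("printer-2f", "10.20.0.11", "2.4.1", "2.4.1", ["10.99.0.0/28"]),
    Device("cam-lobby", "10.20.0.12", "1.0.3", "1.2.0", ["0.0.0.0/0"]),
    Device("nas-finance", "10.1.5.40", "5.1.0", "5.1.0", ["10.99.0.0/28"]),
]
OBSERVED = {"10.20.0.11", "10.20.0.12", "10.1.5.40", "10.20.0.77"}

def version_tuple(v):
    # Compare dotted versions numerically so 1.10.0 sorts after 1.9.0.
    return tuple(int(part) for part in v.split("."))

def audit(inventory, observed):
    findings = []
    known = {d.ip for d in inventory}
    # Inventory: anything seen on the network but not recorded is a gap.
    for ip in sorted(observed - known, key=ipaddress.ip_address):
        findings.append((ip, "not in inventory"))
    for d in inventory:
        # Firmware: the installed version must not lag the latest known one.
        if version_tuple(d.firmware) < version_tuple(d.latest_firmware):
            findings.append((d.name, "firmware outdated"))
        # Isolation: the device must sit inside the dedicated segment.
        if ipaddress.ip_address(d.ip) not in IOT_SEGMENT:
            findings.append((d.name, "not isolated in IoT segment"))
        # Admin access: every allowed source must fall within a management range.
        for cidr in d.admin_allowed_from:
            net = ipaddress.ip_network(cidr)
            if not any(net.subnet_of(allowed) for allowed in ADMIN_SOURCES):
                findings.append((d.name, f"admin access too broad: {cidr}"))
    return findings

if __name__ == "__main__":
    for subject, problem in audit(INVENTORY, OBSERVED):
        print(f"{subject}: {problem}")
```

In practice the observed set would come from DHCP leases or network discovery, which is what surfaces the devices a security team was never told about.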
