IoT seems to be buzz word in IT and business at the moment. Simply put, IoT is defined as everyday objects with computing devices embedded in them that have a means to send and receive data over the internet.
IoT devices have many applications that are designed to make life easier and simpler. Think of engineers being able to access a device, perform remote diagnosis and remediating any issue. This is after the device has informed the engineering team of an impending issue before it becomes a major problem! Another example is being able to turn the lights on in your house or heating before coming home using your smartphone.
As you can guess, with this data exchange over the internet comes security issues. Within the rest of this article, I will summerise the findings of the OWASP Internet of Things Top Ten Project that highlights the top ten security issues with IoT devices and some suggested countermeasures.
1. Insecure Web Interface
a) The first point concerns security related issues with the web interfaces built into IoT devices that allows a user to interact with the device, but at the same time could allow an attacker to gain unauthorised access to the device. Specific security vulnerabilities that could lead to this issue include:
i. Account Enumeration
ii. Weak Default Credentials
iii. Credentials Exposed in Network Traffic
iv. Cross-site Scripting (XSS)
v. SQL-Injection
vi. Session Management
vii. Weak Account Lockout Settings.
b) Suggested below are some countermeasures to protect against the threats mentioned above:
i. Default passwords and ideally default usernames to be changed during initial setup
ii. Ensuring password recovery mechanisms are robust and do not supply an attacker with information indicating a valid account
iii. Ensuring web interface is not susceptible to XSS, SQLi or CSRF
iv. Ensuring credentials are not exposed in internal or external network traffic
v. Ensuring weak passwords are not allowed
vi. Ensuring account lockout after 3 -5 failed login attempts.
2. Insufficient Authentication/Authorisation
a) This area deals with ineffective mechanisms being in place to authenticate to the IoT user interface and/or poor authorisation mechanisms whereby a user can gain higher levels of access then allowed. Specific security vulnerabilities that could lead to this issue include:
i. Lack of Password Complexity
ii. Poorly Protected Credentials
iii. Lack of Two Factor Authentication
iv. Insecure Password Recovery
v. Privilege Escalation
vi. Lack of Role Based Access Control.
b) Suggested below are some countermeasures to protect against the threats mentioned above:
i. Ensuring that the strong passwords are required
ii. Ensuring granular access control is in place when necessary
iii. Ensuring credentials are properly protected
iv. Implement two factor authentication where possible
v. Ensuring that password recovery mechanisms are secure
vi. Ensuring re-authentication is required for sensitive features
vii. Ensuring options are available for configuring password controls.
3. Insecure Network Services
a) This point relates to vulnerabilities in the network services that are used to access the IoT device that might allow an intruder to gain unauthorised access to the device or associated data. Specific security vulnerabilities that could lead to this issue include:
i. Vulnerable Services
ii. Buffer Overflow
iii. Open Ports via UPnP
iv. Exploitable UDP Services
v. Denial-of-Service
vi. DoS via Network Device Fuzzing.
b) Suggested below are some countermeasures to protect against the threats mentioned above:
i. Ensuring only necessary ports are exposed and available
ii. Ensuring services are not vulnerable to buffer overflow and fuzzing attacks
iii. Ensuring services are not vulnerable to DoS attacks which can affect the device itself or other devices and/or users on the local network or other networks
iv. Ensuring network ports or services are not exposed to the internet via UPnP for example.
4. Lack of Transport Encryption
a) This deals with data being exchanged with the IoT device in an unencrypted format. This could easily lead to an intruder sniffing the data and either capturing this data for later use or compromising the device itself. Specific security vulnerabilities that could lead to this issue include:
i. Unencrypted Services via the Internet
ii. Unencrypted Services via the Local Network
iii. Poorly Implemented SSL/TLS
iv. Misconfigured SSL/TLS.
b) Suggested below are some countermeasures to protect against the threats mentioned above:
i. Ensuring data is encrypted using protocols such as SSL and TLS while transiting networks
ii. Ensuring other industry standard encryption techniques are utilised to protect data during transport if SSL or TLS are not available
iii. Ensuring only accepted encryption standards are used and avoid using proprietary encryption protocols.
5. Privacy Concerns
a) Privacy concerns are generated by the collection of personal data in addition to the lack of proper protection of that data. Privacy concerns are easy to discover by simply reviewing the data that is being collected as the user sets up and activates the device. Automated tools can also look for specific patterns of data that may indicate collection of personal data or other sensitive data. Specific security vulnerabilities that could lead to this issue include:
i. Collection of Unnecessary Personal Information.
b) Suggested below are some countermeasures to protect against the threats mentioned above:
i. Ensuring only data critical to the functionality of the device is collected
ii. Ensuring that any data collected is of a less sensitive nature (i.e. try not to collect sensitive data)
iii. Ensuring that any data collected is de-identified or anonymised
iv. Ensuring any data collected is properly protected with encryption
v. Ensuring the device and all of its components properly protect personal information
vi. Ensuring only authorised individuals have access to collected personal information
vii. Ensuring that retention limits are set for collected data
viii. Ensuring that end-users are provided with "Notice and Choice" if data collected is more than what would be expected from the product.
6. Insecure Cloud Interface
a) This point concerns security issues related to the cloud interface used to interact with the IoT device. Typically this would imply poor authentication controls or data traveling in an unencrypted format allowing an attacker access to the device or the underlying data. Specific security vulnerabilities that could lead to this issue include:
i. Account Enumeration
ii. No Account Lockout
iii. Credentials Exposed in Network Traffic.
b) Suggested below are some countermeasures to protect against the threats mentioned above:
i. Default passwords and ideally default usernames to be changed during initial setup
ii. Ensuring user accounts cannot be enumerated using functionality such as password reset mechanisms
iii. Ensuring account lockout after 3- 5 failed login attempts
iv. Ensuring the cloud-based web interface is not susceptible to XSS, SQLi or CSRF
v. Ensuring credentials are not exposed over the internet
vi. Implement two factor authentication if possible.
7. Insecure Mobile Interface
a) Similar to the point above, weak authentication or unencrypted data channels can allow an attacker access to the device or underlying data of an IoT device that uses a vulnerable mobile interface for user interaction. Specific security vulnerabilities that could lead to this issue include:
i. Account Enumeration
ii. No Account Lockout
iii. Credentials Exposed in Network Traffic.
b) Suggested below are some countermeasures to protect against the threats mentioned above:
i. Default passwords and ideally default usernames to be changed during initial setup
ii. Ensuring user accounts cannot be enumerated using functionality such as password reset mechanisms
iii. Ensuring account lockout after an 3 - 5 failed login attempts
iv. Ensuring credentials are not exposed while connected to wireless networks
v. Implementing two factor authentication if possible.
8. Insufficient Security Configurability
a) Insufficient security configurability is present when users of the device have limited or no ability to alter its security controls. Insufficient security configurability is apparent when the web interface of the device has no options for creating granular user permissions or for example, forcing the use of strong passwords. The risk with this is that the IoT device could be easier to attack allowing unauthorised access to the device or the data. Specific security vulnerabilities that could lead to this issue include:
Read more: Big data and its security implications
i. Lack of Granular Permission Model
ii. Lack of Password Security Options
iii. No Security Monitoring
iv. No Security Logging.
b) Suggested below are some countermeasures to protect against the threats mentioned above:
i. Ensuring the ability to separate normal users from administrative users
ii. Ensuring the ability to encrypt data at rest or in transit
iii. Ensuring the ability to force strong password policies
iv. Ensuring the ability to enable logging of security events
v. Ensuring the ability to notify end users of security events.
9. Insecure Software/Firmware
a) The lack of ability for a device to be updated presents a security weakness on its own. Devices should have the ability to be updated when vulnerabilities are discovered and software/firmware updates can be insecure when the updated files themselves and the network connection they are delivered on are not protected. Software/Firmware can also be insecure if they contain hardcoded sensitive data such as credentials. The inability of software/firmware being updated means that the devices remain vulnerable indefinitely to the security issue that the update is meant to address. Further, if the devices have hardcoded sensitive credentials, if these credentials get exposed, then they remain so for an indefinite period of time. Specific security vulnerabilities that could lead to this issue include:
i. Encryption Not Used to Fetch Updates
ii. Update File not Encrypted
iii. Update Not Verified before Upload
iv. Firmware Contains Sensitive Information
v. No Obvious Update Functionality.
b) Suggested below are some countermeasures to protect against the threats mentioned above:
i. Ensuring the device has the ability to update (very important)
ii. Ensuring the update file is encrypted using accepted encryption methods
iii. Ensuring the update file is transmitted via an encrypted connection
iv. Ensuring the update file does not expose sensitive data
v. Ensuring the update is signed and verified before allowing the update to be uploaded and applied
vi. Ensuring the update server is secure.
10. Poor Physical Security
a) Physical security weaknesses are present when an attacker can disassemble a device to easily access the storage medium and any data stored on that medium. Weaknesses are also present when USB ports or other external ports can be used to access the device using features intended for configuration or maintenance. This could lead to easy unauthorised access to the device or the data. Specific security vulnerabilities that could lead to this issue include:
i. Access to Software via USB Ports
ii. Removal of Storage Media.
b. Suggested below are some countermeasures to protect against the threats mentioned above:
i. Ensuring data storage medium cannot be easily removed
ii. Ensuring stored data is encrypted at rest
iii. Ensuring USB ports or other external ports cannot be used to maliciously access the device
iv. Ensuring device cannot be easily disassembled
v. Ensuring only required external ports such as USB are required for the product to function
vi. Ensuring the product has the ability to limit administrative capabilities.
IoT is here, and it is here to stay. By 2020, Gartner predicts, the Internet of Things will be made up of 26 billion “units.” The specific controls mentioned above will come to nothing if the manufacturers of IoT devices do not take them into consideration. The actions are simple as noted below:
- Conduct a security review of your devices to determine any vulnerabilities
- Document and implement minimum security standards for all devices and ensure that these standards are adhered to as part of the manufacturing process
- As per above, ensure security is an integral part of the product development lifecycle so that it is embedded into the device and not as an afterthought.
For enterprises the messages are pretty simple as well. Consider the following:
- Identify your critical information assets and isolate/protect those. Traditional security controls here are still effective
- Know that you will get breached! Ensure you have a way to detect this and respond on a 24x7 basis.
IoT devices have great potential to make our lives easier. However, if the security issues are not considered and addressed, the devices could lead to a lot more trouble than they are worth.