Most digital devices today are created with wireless capabilities and sensors built into them. The Internet of Things (IoT) makes use of these features to connect and control the devices. Cheaper broadband and mobile data connections have helped grow the number of both IoT deployments and connected devices, but privacy and security remain a major concern for the commercial viability of IoT networks.
Some of the real-time IoT threats include:
- Connected cars. Hackers have gained access and disabled vehicle brake
- Smart homes. Hackers have compromised home gateways and gained access to connected devices such as CCTV, lights, fans and door locks.
- Surveillance cameras. Security experts have managed to break into a police wireless mesh network in the US.
- Power grids and utilities. Hackers have gained access to a power grid network and managed to shut down the infrastructure.
- Smart cities. Hackers have gained access to a city's traffic-light system and manipulated the traffic signals.
- Medical devices. Attackers have hacked pacemakers, hearing aids and internet-connected drug infusion pumps.
- Connected airplanes. Hackers have gained access through a plane's entertainment network and changed the flight's direction.
- Smart retail. The thermostat controls of a commercial refrigerator can be compromised resulting in a large quantity of food spoiling that impacts company revenue.
These security flaws are easily identified using code reviews, penetration testing, SSL testing, hardware testing, web application security testing and effective system testing. Everyone from device manufacturers to consumers share the responsibility for IoT security as depicted in Figure 1.
Figure 1. Who has responsibility for taking care of IoT security?
Top 10 IoT vulnerabilities and preventive methods
Gartner forecasts that 20.4 billion connected things will be in use worldwide by 2020. To date, 80% of IoT apps have not yet been tested for vulnerabilities. OWASP has published best practices for how IoT device manufacturers and developers can avoid vulnerabilities in the IoT ecosystem. (See Figure 2.)
Figure 2. Security tops the list of IoT ecosystem vulnerabilities
The table below describes the OWASP vulnerabilities and best practices for addressing them.
|Privacy Concerns||Attackers take advantage of multiple vulnerabilities in the system such as insufficient authentication and a lack of data encryption to fetch personal data, which is not protected or collected unnecessarily.||They are easy to identify by reviewing the details collected during device setup.||Handshake, OpenPDS, Garlik, Epic Browser|
|Poor Physical Security||Physical security issues exist when the device could be disassembled that allows the storage medium to be accessed to steal the stored data.||USB ports and SD cards could be used to access the device and data. The user needs to review whether the ports are really required. If not, they need to block the ports that are not required. Administrative capabilities should be limited to local access. To ensure physical security, the minimum number of ports should be used. Also, the device should not be easily disassembled and the data storage medium should not be easily removed.||nGuard, port checked to check open ports|
|Insufficient Security Configurability||When the user doesn’t have administrative rights, they will not be able to change the security configuration even though it is significant. If a web interface does not have any rules for strong password configuration, then the security configuration is incomplete.||The administrator should set specific security regulations that prevent modifications without proper approval. To ensure proper security, the configuration for normal users should be separated from the administrative user. A strong password configuration should be enforced, end users should be notified of all security events and logging should be enabled for all the security events.||Security configuration tools by Windows, active directory tool to find weak passwords, OWASP-password-strength test|
|Insecure Software and Firmware||Software and firmware could become insecure when they contain hard-coded sensitive data such as username and password. The security issues can be found by anyone by monitoring the network traffic during update.||To protect the device, the software and firmware updates should be done securely and regularly whenever updates are available. Update files should be encrypted and the update should be validated by the user.||Network sniffer tools like Wireshark|
|Insecure Mobile Interface||The mobile interface becomes insecure when passwords used are simple. An insecure mobile interface could be easily identified whether the SSL is being used or not.||To avoid security threats, the user should change default passwords and not allow the application to collect too much data. The application should encrypt the data and use multi-factor authentication methods to authenticate the user.||OWASP Zed Attack Proxy Project, Clang Static Analyzer, Quick Android Review Kit are the few tools that could be used for mobile interface security testing.|
|Insecure Cloud Interface||The cloud makes life easy by storing all of your data, making it available everywhere. The data could be stored over cloud so that the user need not store anything on the device. However, uses the cloud increases the security risks.||It’s important to ensure that the interface is not susceptible to SQLi, CSRF and XSS and uses a strong password. User data must be encrypted and protected.||SAINT and OpenVAS tools can be used for testing|
|Lack of Transport Encryption||When the data is not encrypted all communication between the device and internet can be seen easily by using any network sniffing tool such as Wireshark. Anyone who has access to the network to which the device is connected can access the data easily.||Use SSL protocol to encrypt the data between devices and between devices and the cloud. SSL client/server must be enabled with forward secrecy by disabling weak ciphers and reordering ciphers, so the strongest are at the top of the supported cipher suites list.||Wormly, Nmap, Nessus, SSL scans and SSL tests could be used to find weak ciphers, SSL flaws, DigiCert|
|Insecure Network Services||Insecure network services are any services that exist in the network that don’t use a proper authentication process for authenticating users.||Close all the unnecessary ports, Abnormal service request should be blocked on service gateway layer.||Port Scanner – Nmap|
|Insufficient Authentication/Authorization||Attackers use multiple Phishing techniques to access systems that have insufficient authentication to steal user data such as username, password, credit card details, etc. Hackers can gain access easily when simple passwords are used.||Use strong passwords, use multi-factor and mutual authentications to authenticate access to any service or device.||OWASP password-strength test on the server side|
|Insecure Web Interface||Web interfaces are easy to access from any computer running on any operating system or mobile handsets. Modifying the web interface is very simple.||The preventive actions could be changing default credentials and encrypting the credentials.||Wapiti, Zed Attack Proxy, W3af, Vega, Skipfish|
Figure 3. Best practices for addressing IoT security issues
The IoT ecosystem is very complex and operates across devices, operating systems, protocols and applications. This complexity creates vulnerabilities, but there are specific actions companies can take to prevent a security breach as well as tools for testing which are essential for application developers and device manufacturers to release secure IoT ecosystems that customers and users can trust.
About the Authors
Mullai Parvathi G
Mullai Parvathi G is a Technical Leader at Aricent with 9+ years of experience in protocol testing, application testing, gateway testing and test automation in various domains such as wireless, telecom and IoT. She has contributed to Wi-Fi testing and user experience testing proposals. She is interested in exploring new tools and uses them to improve the test coverage. She spends her free time quilling and reading.
Engineering Project Manager
Tamil Selvan is working as an Engineering Project Manager at Aricent with 13 years of software testing experience in both manual & automation testing and worked with clients like mobile device manufacturers, telecom operators, banking customer, energy and utilities and security solution providers. He is passionate about designing automation frameworks for mobile and web applications. He enjoys travel and reading.