Greetings, dear readers. We recently published an article about IoT testing. And we see how the views of that page are steadily growing. Given your interest in this topic, today we decided to talk about another aspect of it, which was poorly covered in the previous article. These are IoT vulnerabilities. Everything you read below was not invented by us and is only partly based on our own experience, although we have significant experience in this area. Most of the information below is a summary of huge studies, the results of which have been recognized by experts from all over the world. Enjoy reading!
Opening speech
So, you already know that the popularity of “smart” things is steadily growing, and by 2030 IoT will connect more than 25 billion devices around the world, and these are only the most modest forecasts. In this regard, the importance of the issue of IoT weaknesses is increasing. According to a large report published by NetScout in 2018, on average, the first IoT security attack occurs as early as five minutes after a device is connected. And the point here is not that someone is trying to attack you, it’s just that most of the attacks have long been automated, so they “hit” everyone who is in the zone of influence.
It is clear that specialists in cyber security in IoT could not leave this unattended. The most relevant research on this topic is the report of the non-profit organization OWASP from 2018. The publication also talks about the most common IoT device vulnerabilities and security risks. Below we briefly review the top 10 weaknesses discussed in the report.
Achilles the centipede: how to hack your IoT devices
Yes, indeed, today IoT is a many-legged Achilles, but after all, Rome was not built in one day, was it? Letting the future into our present brings us closer to the moment when we don’t have to worry about security at all. Well, in the meantime, you should be careful, but definitely not panic and not deny the existence of the Internet of things as such. So, here’s what you should pay attention to.
Physical accessibility of devices
And let’s start simple. One of the most commonplace IoT devices security vulnerabilities is the ability to physically get to them. Some devices can be installed outdoors, in crowded places, so it doesn’t cost anything for an attacker to copy the settings (IP network, MAC address, etc.) and replace the original device in order to listen or reduce network performance. It can hack an RFID reader, hack a hardware device, infect it with malware, steal data, or simply physically disable an IoT device.
The solution to this problem is as simple as the problem itself. Care must be taken to ensure that the devices cannot be accessed by anyone who so pleases. For these purposes, there are anti-vandal boxes, for example. And simple installation of devices at an unattainable height can protect you from undesirable consequences. This is clear enough.
Insecure Defaults
Any manufacturer wants to earn more and spend less. Some devices may have a lot of smart features but lack the ability to configure security protocols in IoT.
For example, checking passwords for strength is not supported, there is no possibility to create accounts with different rights (administrator and users), there is no setting for encryption, logging and notifying users about security events.
Inability to control the device
Another IoT security breach is that devices are most often a “black box”. They do not have the ability to monitor the state of work, to identify which services are running and with what they interact.
Not all manufacturers allow users of IoT devices to fully manage the operating system and running applications, as well as check the integrity and legitimacy of downloaded software or install update patches on the OS.
During attacks, the device firmware can be reconfigured so that it can only be repaired by completely flashing the device.
The solution to these problems can be the use of specialized software for managing IoT devices, for example, cloud solutions from AWS, Google, IBM, etc.
Insecure transmission and storage of data
There is also a data breach: IoT devices collect and store environmental data, including various personal information. A compromised password can be replaced, but stolen data from a biometric device (fingerprint, retina, facial biometrics) cannot.
At the same time, IoT devices can not only store data in unencrypted form but also transmit it over the network. If the transmission of data in clear text over a local network can be somehow explained, then in the case of a wireless network or transmission over the Internet, they can become the property of anyone.
The user himself can use secure communication channels to ensure his IoT network security, but the device manufacturer must take care of encrypting stored passwords, biometrics, and other important data.
Insufficient privacy protection
This paragraph echoes the previous one: all personal data must be stored and transmitted in a secure manner. But this paragraph considers privacy in a deeper sense, namely from the point of view of protecting the secrets of private life.
IoT exploits information about what and who surrounds them, including unsuspecting people. Stolen or mishandled user data can both inadvertently discredit a person (for example, when misconfigured traffic cameras exposed unfaithful spouses) or be used in blackmail.
To solve the problem, you need to know exactly what data is collected by the IoT device, mobile application, and cloud interfaces.
You need to make sure that only the data necessary for the operation of the device is collected, check whether there is permission to store personal data and whether it is protected, and whether data storage policies are prescribed. Otherwise, if these conditions are not observed, the user may have problems with the law.
Use of unsafe or obsolete components
The vulnerable IoT devices` components can nullify all configured security.
At the beginning of 2019, expert Paul Marrapese identified vulnerabilities in the iLnkP2P P2P utility, which is installed on more than 2 million devices connected to the network: IP cameras, baby monitors, smart doorbells, video recorders, etc.
The first vulnerability CVE-2019-11219 allows an attacker to identify the device, and the second one, iLnkP2P authentication vulnerability CVE-2019-11220, allows to intercept traffic in the clear, including video streams and passwords.
Over the course of several months, Paul contacted the manufacturer three times and twice the developer of the utility but never received a response from them.
The solution to this problem is to monitor the release of security patches and update the device, and if your IoT devices are unsecured for a long time… change the manufacturer.
Lack of secure update mechanisms
The inability to upgrade a device is itself an IoT weakness. Failure to install the update means devices remain vulnerable indefinitely.
But besides that, the update itself and the firmware can also be unsafe. For example, if you do not use encrypted channels to get the software, the update file is not encrypted or integrity checked before installation, there is no anti-rollback protection (protection against reverting to a previous, more vulnerable version), or there are no notifications about security changes due to updates.
The solution to this problem is also on the side of the manufacturer. But you can check if your device is able to update at all and if it meets the IoT security requirements. Make sure that the update files are downloaded from a trusted server over an encrypted channel and that your device uses a secure update installation architecture.
Insecure ecosystem interfaces
The use of insecure web interfaces, APIs, and cloud or mobile interfaces makes IoT devices vulnerable to compromise even without connecting to them.
For example, Barracuda Labs analyzed the vulnerabilities of IoT application and the web interface of one of the “smart” cameras and found breaches that allow you to get the password to the device:
- the mobile application ignored the validity of the server certificate;
- the web application was vulnerable to cross-site scripting;
- it was possible to bypass files on the cloud server;
- device updates were not protected;
- the device was ignoring the validity of the server certificate.
For protection, you need to change the default user and password, and make sure that the web interface is not subject to cross-site scripting, SQL injection, or CSRF attacks. Protection against brute-force attacks on passwords should also be implemented. For example, after three attempts to enter an incorrect password, the account should be blocked and allow password recovery only through a hard reset. This will protect your IoT device from attacks of malicious.
Weak or guessable password
Surprisingly, even in 2022, the biggest breach in security for IoT is created by users themselves, using weak, default, or leaked passwords.
Despite the obvious need for a strong password, some users still do not change their default passwords. Silex malware took advantage of this in June 2019, turning about 2,000 IoT devices into a “brick” within one hour.
And before that, the well-known botnet and Mirai worm managed to infect 600,000 IoT devices using a database of 61 standard login-password combinations.
The solution is to change your password!
Conclusion
As you can see, some of the internet of things vulnerabilities are quite simply solved by ordinary care when connecting or installing devices (physical). Of course, there are security vulnerabilities that can be found in the IoT devices themselves. Such problems are most often solved by updating or changing the manufacturer. This is about the end user.
In this regard, the requirements for the manufacturer and software developers are much higher. However, so far, they are not regulated by law, which means that not all manufacturers will be willing to spend more to make the device safer, unfortunately. The only way for a buyer to influence the industry is not to buy vulnerable IoT devices.