Saturday, August 27, 2016

IoT Security


IoT technology is growing at a dangerously fast pace. Digitally connected devices are touching every aspect of our lives, including our homes, offices or cars. But, as with every good thing, there is a downside of IoT also.

With the increase in the number of digitally connected devices, more and more data is being collected. And, that in turn is increasing the attack vectors. Attackers are exploiting vulnerabilities in IoT devices to steal our sensitive data and invade our privacy.





But, can we prevent that? Can we ensure the security of the sensitive data collected from us by the IoT devices?

Let’s understand in more detail what the security concerns of IoT devices are and how best we can address them.


Security Concerns of IoT Devices


Cybercriminals can attack the IoT devices in a number of ways. They can exploit vulnerabilities of insecure web interfaces, cloud interfaces, lack of encryption or they can take advantage of weak authentication mechanism to enumerate user accounts and steal sensitive data or make DoS attacks.

Let’s understand each of them in more detail.


Insecure Authentication


If the authentication mechanism is not secure enough, attackers can exploit that to gain unauthorized access of user accounts and steal sensitive data. There are a number of ways that can happen. For example,

  • If default usernames and passwords are not changed properly, attackers can take advantage of that to gain unauthorized access of user accounts.
  • Attackers can take advantage of weak passwords to gain unauthorized access of the devices.
  • If the collected user credentials are not encrypted properly, attackers can take advantage of that and capture them for malicious purposes.
  • Attackers can enumerate user accounts to access the IoT devices.

No doubt, this can lead to data loss or data corruption. It can even result in denial of access or complete device takeover.

Prevention


We can take a couple of steps to prevent this type of attacks:


  • Make sure to change default credentials at the time of initial setup of the devices.
  • Passwords need to be kept sufficiently strong. Users should not be allowed to set weak passwords.
  • Credentials, whenever they are collected from users, should be encrypted using sufficiently strong encryption algorithm. Plaintext credentials should never be transmitted across the network.
  • Account lockout should be implemented, so that user account gets locked immediately after a certain number of failed login attempts.
  • We need to make sure password recovery mechanisms are made secure.
  • We need to make sure, when a device is plugged into the network, it authenticates itself before it starts sending or receiving data.


Vulnerable Web Interfaces, Mobile Interfaces and Cloud Interfaces


Attackers can exploit insecure web interfaces, mobile interfaces and cloud interfaces to steal sensitive data in a number of ways:

  • Attackers can exploit security vulnerabilities in the mobile, web or cloud interfaces to perpetrate SQL Injection, Cross Site Scripting or CSRF attacks and steal sensitive user data.
  • If the web interface does not properly implement HTTPS, attackers can exploit that to steal transmitted unencrypted sensitive data.
  • Attackers can exploit vulnerabilities in the mobile app, cloud interfaces or web interfaces to enumerate user accounts and gain unauthorized access of the devices.
  • Attackers can use the insecure mobile, web or cloud interfaces to gain unauthorized access to user accounts exploiting weak passwords or default credentials.

Prevention


Couple of steps can be takes to prevent this:

  • Web, Cloud and mobile interfaces should be properly tested so that they do not contain any SQL Injection, XSS or CSRF vulnerabilities.
  • Web interfaces should implement HTTPS wherever possible.
  • Web Application Firewalls should be used to protect the web interfaces.
  • Web, cloud and mobile interfaces should make sure weak passwords are not allowed and default credentials are changed during the initial setup.
  • Web, cloud and mobile interfaces should also implement account lockout mechanism so that it creates much difficulty for the attackers to enumerate user accounts.
  • 2 Factor Authentication should be implemented wherever possible.
  • Web, mobile or cloud interfaces should use proper transport encryption for transmitted data.
  • It is always better to implement firewalls and IPS.


Vulnerable Network Services


Attackers can exploit vulnerable network services in the following way:

  • Attackers can exploit security vulnerabilities in the network services to perpetrate attacks like buffer overflow or DoS attacks.
  • Attackers can take advantage of open ports to collect information on the devices, so that they can plan for more attacks.
  • Attackers can even exploit open ports via UPnP or exploit UDP services.

Prevention


We can prevent this type of attacks in a number of ways:

  • We need to ensure only the necessary ports are open and exposed outside.
  • We need to make sure network ports or services are not exposed to the internet via UpnP.
  • A number of automated tools can be used to make sure the vulnerabilities in the network services are detected and mitigated.


Lack of Transport Encryption


If the data in transit are not encrypted properly, attackers can take advantage of that to steal sensitive data.

  • Usually, local network traffic does not get exposed outside the network. But, if the wireless network is not configured properly, it can make the traffic visible to anyone within the range of the wireless network. And, that can lead to complete compromise of the devices or user accounts.
  • If proper encryption protocols like SSL/TLS are not used, attackers can easily capture the data in transit and exploit that for malicious purposes.

Prevention


  • We need to make sure communications between the devices and the internet are encrypted using proper encryption protocols like SSL/TLS.
  • It is always better to use accepted encryption standards and avoid proprietary encryption protocols.
  • It is always better to use firewalls with the devices.


Privacy Concerns


Due to lack of proper protection of data, attackers can capture sensitive and personal data collected by the devices, which no doubt raises privacy concerns. To prevent this, we can take a couple of steps:

  • We need to identify all the data types that are being collected by the devices, mobile app, web interfaces or cloud interfaces. We need to make sure to only collect data that is necessary.
  • Collected data should be properly protected using encryption while at rest or in transit.
  • Only authorized individuals should have access to personal data.
  • We need to make sure proper data retention policy is in place and individuals are given a choice to collect data beyond what is necessary for the operation of the devices.


Insufficient Security Configurability


This vulnerability exists if the devices have limited or no ability to alter security controls or the web interfaces have no options for creating granular user permissions and cannot enforce use of strong passwords. Attackers can take advantage of this to exploit the vulnerabilities in the devices to steal sensitive data or make more attacks.

Prevention


We can take a couple of steps to address this.

  • We need make sure normal users are separated from administrative users and principle of least privileges is enforced. Password security options should be made available.
  • Encryption options should be made available to encrypt sensitive data collected by the devices.
  • We should enable logging of security events.
  • Users should be notified about security events.


Insecure Software/Firmware


IoT devices should have the ability to be updated when vulnerabilities are discovered. But, if the update files are not protected, they can be captured by attackers and exploited for malicious purposes. Attackers can capture unencrypted update files or can perform their own malicious updates via DNS Hijacking.

This type of attacks can happen because of a number of reasons, like:

  • update files are not encrypted
  • updates are not verified before they are applied
  • firmware contains sensitive information like hardcoded credentials
  • there is no proper update functionality

Prevention


We can prevent this in a number of ways:

  • All the devices should have the ability to be updated.
  • Update files should be encrypted.
  • Update files should not contain any sensitive data.
  • We need to make sure updates are signed and verified before they are applied.
  • We should ensure the update server is secure.
  • We need to make sure, when power is first introduced to the devices, the authenticity and integrity of the software on the devices are verified using cryptographically generated digital signatures.


Poor Physical Security


Attackers can exploit physical access of the system also to perpetrate attacks. They can use USB ports, SD cards or other storage means to access the Operating Systems and data stored in the devices and exploit that for malicious purposes.

Prevention


We can make sure the following:

  • We need to make sure data storage medium cannot be easily removed.
  • Only the external ports and USB ports that are necessary should be used.


2 comments:

  1. IOT Security is so nice so advance in security line.Thanks Admin your post is really nice.

    Pos Solutions

    ReplyDelete