If the 2017 Consumer Electronics Show (CES) is anything to go by, 2017 will be a major year for the Internet of Things (IoT).
Unfortunately, it’s also going to be a bumper year for cyber security exploits—including novel, and potentially catastrophic, attacks.
As such devices come of age we are going to start seeing them everywhere. Can’t say I’m looking forward to patching firewalls on my light bulbs and doorbell—but, then again, I probably won’t even be given the option.
IoT devices are fun, and, sometimes, genuinely useful. We’re not going to wait for security to catch up before we buy them. I’m looking at a pressure cooker that comes with a Bluetooth option. And, as a tech person, I obviously want that one. Probably never use that feature, of course. And the only thing stopping my buying a wifi kettle is that they are over £100—for a kettle. But it’s only a matter of time.
Apparently, there are going to be at least 20 billion IoT devices around by 2020.
Of course, when we combine a rapidly growing market, consumer devices and poor cyber security, you can see a train-wreck coming.
There are many attack vectors we need to worry about with IoT devices. The fact that they are out in the wild makes them difficult to protect and manage. In this article, we’ll consider 10 areas of IoT vulnerability identified by OWASP.
Many of these devices have a built-in web server that hosts a web app for managing the device. Like any web server/app, there may be flaws in the code that allow the device to be attacked. As these are connected devices, weaknesses can be exploited remotely.
While there are often weaknesses in the implementation of authentication/authorization mechanisms, a bigger problem is not making use of the features that are provided.
With consumer devices convenience always trumps security…until it’s too late. How many Amazon reviews complain that a device had weak security? Yet “Too complicated—and I know a lot about computers.” is a common refrain from the 1-star brigade.
Many devices are able to operate with their default (insecure) settings. But, if you had to configure security before using it, this would be seen as friction. You get the security you deserve.
IoT devices may have services for diagnostics and testing. They may even have debugging services. If these are on open, insecure or vulnerable ports, they are potential security holes. Such “maintenance” services have probably been lightly tested, so they are more likely to have exploitable code behind them.
There’s commercial pressure to expose more and more features and capabilities. Personally, I’m always attracted to the device with the richer API. However, more features mean more things that might contain flaws.
If your device is sending private information over an insecure protocol anyone could be reading it. And it’s not always obvious to people what information an IoT device might be sharing.
I read an article this week about a man who found his partner was having an affair. He discovered this because her daughter’s iPad was configured to share information with the family.
If information on the device is not encrypted at rest, and people have access to the device, your personal information is at risk. I drink way too many cups of tea. Don’t want that getting out because of a leaky kettle.
Many IoT devices connect to the cloud. If they have a cloud management interface this represents another potential security weakness.
An on-device management interface is harder for a remote attacker to access as it’s behind the home router. However, it’s also less likely to be patched than a cloud management interface.
Everyone wants to use their mobile phone for everything these days. Many IoT devices have a mobile interface. As IoT devices are often consumer/home products this makes sense when home computers are becoming less and less necessary.
However, another management interface is another breach waiting to happen. Building secure software is hard.
Even if you know what you are doing, your IoT devices may not provide features to help you secure them. I’ve had devices before that constrain me to use a PIN for security. Am I able to choose encryption options? Can I create and access logs to monitor attacks?
Probably not. Advanced configuration options in highly technical areas are a source of support costs. Undetected theft of data? Not so much.
Can the device be patched to address discovered vulnerabilities? How do I know I need a patch? Is installing it scary, and might it brick the device? How do I know the patch is valid and not injected by a malicious agent to add my device to their botnet? Can I reset my device?
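One answer to “how do I know the patch is valid?” is for the device to accept only updates signed by the vendor, with the version number bound into the signature so an old (vulnerable) image cannot be replayed. This is an added illustration in Go, not code from the original article; the manifest layout and Ed25519 key pair are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is a constructed update header: the version and the image bytes.
type Manifest struct {
	Version uint32
	Image   []byte
}

// signedBytes binds the version to the image so a genuine but older signed
// image cannot be replayed against a device running a newer version.
func signedBytes(m Manifest) []byte {
	buf := make([]byte, 4+len(m.Image))
	binary.BigEndian.PutUint32(buf, m.Version)
	copy(buf[4:], m.Image)
	return buf
}

// SignUpdate is the vendor side: sign the manifest with the vendor private key.
func SignUpdate(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, signedBytes(m))
}

// VerifyUpdate is the device side: the device only holds the vendor public
// key, accepts a manifest only if the signature checks out, and refuses any
// version that is not newer than the one installed (anti-rollback).
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, m Manifest, sig []byte) error {
	if !ed25519.Verify(pub, signedBytes(m), sig) {
		return errors.New("signature invalid: not from vendor or image tampered")
	}
	if m.Version <= installed {
		return errors.New("rollback refused: version not newer than installed")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // assumed vendor key pair
	update := Manifest{Version: 2, Image: []byte("constructed firmware image v2")}
	sig := SignUpdate(priv, update)
	fmt.Println("genuine update:", VerifyUpdate(pub, 1, update, sig))
	update.Image[0] ^= 0xFF // one byte altered in transit
	fmt.Println("tampered update:", VerifyUpdate(pub, 1, update, sig))
}
```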
This isn’t on the OWASP list but seems crucial to me. IoT devices that have been replaced by a newer model, or found not to be as useful as the buyer thought (must be a huge number of these), are going to end up on eBay. So, you take a device that contains who knows what about you and send it to a stranger. Great.
Personally, I bin them—but, I appear to be quite radical in that view.
All IoT devices need a “Prepare for resale” option. Not just a “Reset to factory settings” option—who knows if that does what you need it to do. No. We need a clear and explicit “Prepare for resale” option.
So, if you are buying an IoT device research these vulnerabilities and only purchase devices that address them. And, if you are an IoT developer, consider how your device can avoid these vulnerabilities.
Of course, I don’t believe any of that will happen. Consumers will continue to purchase based on price/ease-of-use/features. Manufacturers will respond to consumer demands in kind. And we’ll have many interesting cyber security stories to amuse, scare and temporarily outrage us in 2017.
Me? Oh, well, I love gadgets and will be buying based on features and price. Don’t have time to worry about security on light bulbs.
If you are interested in or concerned about cyber security, Learning Tree provides a suite of courses covering all the major topics.