IoT Vulnerabilities and Security Concerns
Published 11/19/2022
Internet of Things (IoT) devices (also known as "smart devices") represent a wide variety of internet-connected devices. This includes medical devices, cars, drones, simple sensors, and more. They often pose a security challenge because of their limited size and the difficulty of securing IoT devices. Providing sufficient resources for IoT secure product engineering is essential to:
- Reduce the likelihood of counterfeit products
- Limit the ability of attackers to compromise your customers’ privacy
- Limit your liability in the case of a compromised device
- Limit the ability for an attacker to cause damage or harm
- Reduce the likelihood of damage to your reputation
The impact of a compromised IoT product is never positive. At a minimum, customers will hesitate to purchase the product. At worst, it will invite legal action or cause physical harm.
Below, learn about several IoT device vulnerabilities and what to do about them.
Lack of Data Protection
IoT products used within the home pose extra risk. VTech, a device manufacturer of high-tech educational toys, announced that it suffered a security breach in December 2015. This breach exposed the personal data of 12 million people.
An interesting aspect of this breach is that the issue wasn't with the devices themselves. Instead, the online services that the devices connected with were not secure enough. Remember that IoT devices do not operate in a vacuum. We need to secure the entire ecosystem that they're a part of.
What to Do:
- Encrypt all account registration using TLS.
- Implement software assurance techniques within your dev team.
- Thoroughly review protocol specifications for security/privacy updates.
DDoS Attacks
The substantial quantities associated with IoT products makes them valuable to those wishing to perform a DDoS attack. Additionally, compromising IoT products for use in botnets can be simpler than identifying and exploiting an unpatched vulnerability. Some IoT products ship with no password protections or use default passwords for local access.
What to Do:
- Implement software assurance techniques within your dev team.
- Never ship IoT products without password protections.
- Do not share default passwords across a class of devices without requiring immediate password updates on first use.
Medical Devices are Especially Vulnerable
Concerns related to the security of connected medical devices are nothing new. As early as 2008, researchers were discussing threats to wirelessly reprogrammable implantable medical devices like implantable drug pumps. These vulnerabilities can result in life-threatening injuries or death.
What to Do:
- Implement software assurance techniques within your dev team.
- Authenticate access to all ports.
- Encrypt the keys stored on devices.
Critical National Infrastructure
A vulnerable grid of smart cities or factories can have a direct impact on the functioning of modern society. If we think of a typical Industrial Control System (ICS), we see that there are many areas of concern. This includes:
- The connection of systems that designers never intended to connect to the internet.
- The use of legacy protocols that have no security mechanisms built-in.
- The fact that a cyber-physical system (CPS) can cause harm and damage if compromised.
What to Do:
- Begin a move toward upgrading legacy protocols to more secure choices.
- Incorporate safety engineering into IoT/ CPS product designs.
- Implement secure interface connectivity within your IoT products.
Insecure Environments
IoT products that remain physically exposed have a broad attack surface. Theft and reverse engineering become genuine possibilities. IoT developers should anticipate the product operating within a network where security procedures are weak and out of date.
What to Do:
- Apply policy-based security to force security-critical firmware and software updates.
- Identify flexible self-service identity management capabilities for IoT products.
- Encrypt key material within mobile applications when used to establish trust relationships with IoT products.
Limited Security Planning in Development
An IoT device security gap definitely exists. Some products have long-lead cycles which create a continued influx of insecure devices onto the market. Thankfully, regulatory, privacy, and compliance mandates require testing and verification of certain devices prior to deployment. This is especially true when dealing with sensitive information.
What to Do:
- Create an IoT security training program for the dev team.
- Participate in threat sharing initiatives.
- Establish a framework for threat modeling the product.
- Obtain security buy-in from senior management.
Limited Management Support
Investors and technology startups can be unconcerned with the security of their products. Instead, they focus on getting their products to market quickly. People often view security as an inconvenience that drives up costs and diminishes user friendliness. For example, simple passwords are easier for the user to remember—and for the adversary to guess.
What to Do:
- Begin product development with a threat model.
- Derive security requirements from the output of the threat model.
- Track security requirements through to closure.
Lack of Defined Standards
IoT products require the cooperation of many technologies and protocols. However, no accepted IoT reference architecture exists among vendors.
Many IoT product developers choose an IoT platform as a starting point. They then build up changes and services from there. However, those platforms themselves often do not operate with each other, and developers may not make secure choices.
What to Do:
- Carefully evaluate the environment in which devices are deployed and choose technologies accordingly.
- Evaluate the performance vs. security tradeoff. Exploit the best matching protocol stack to reduce security risks and breaches.
- Evaluate the security features offered by the IoT components and use them whenever possible.
- Consider referencing CSA’s IoT Controls Matrix.
Difficulties Recruiting and Retaining Skills
IoT introduces new challenges to keeping staff sufficiently trained. Product Security Officers and their teams have to concern themselves with:
- Vulnerabilities within software.
- Ways that attackers can compromise their product’s hardware features.
- Secure ways to create and distribute updates to thousands of devices.
What to Do:
- Create an IoT security training program for the dev team.
The Low Price Point Increases the Potential Adversary Pool
Typical IoT products have a relatively low cost. This makes it easy for both researchers and threat actors to gain access to these devices. Then, actors can easily search for security gaps and use this knowledge to exploit the device's weaknesses.
What to Do:
- Consider physical security solutions such as tamper detection.
- Lock down physical ports (including test ports) on the product using passwords.
To learn more about IoT security risks, check out the full list of CSA’s IoT publications.
Related Articles:
Establishing an Always-Ready State with Continuous Controls Monitoring
Published: 11/21/2024
Managing AI Risk: Three Essential Frameworks to Secure Your AI Systems
Published: 11/19/2024
Top Threat #5 - Third Party Tango: Dancing Around Insecure Resources
Published: 11/18/2024
The Rocky Path of Managing AI Security Risks in IT Infrastructure
Published: 11/15/2024