IoT Vulnerabilities and Security Concerns

Blog Article Published: 11/19/2022

Written by Megan Theimer, Content Program Specialist, CSA.

In Part 1 of this blog, we covered the many reasons that Internet of Things (IoT) security is needed and should be properly funded. Now, to help you understand how to design and develop IoT products securely, we will explain some of the challenges security engineers face when dealing with IoT devices.

Insecure Environments

IoT products that are left physically exposed are vulnerable to being stolen and reverse engineered to identify vulnerabilities in the software. Consumer IoT products often operate within environments (e.g., homes) that have limited security controls in place to protect against attackers. IoT product developers should anticipate the product operating within a network where WiFi routers are old, unpatched, and use weak authentication mechanisms.

What to Do:

  • Apply policy-based security to force IoT products to update to the latest security-critical firmware/software.
  • Identify flexible self-service identity management capabilities for IoT products.
  • Encrypt key material within mobile applications when used to establish trust relationships with IoT products.
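
One way to express the policy-based update rule from the first bullet on the fleet side. This is an added example, not CSA code: the policy table, model names, grace periods and the three outcomes (allow, force_update, quarantine) are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Constructed policy: per-model minimum firmware that carries all
# security-critical fixes, and how many days a device may lag behind it.
POLICY = {
    "thermostat-a": {"min_fw": "2.4.1", "grace_days": 7},
    "camera-b": {"min_fw": "1.10.0", "grace_days": 0},
}

@dataclass
class Device:
    device_id: str
    model: str
    firmware: str            # version string reported by the device
    days_since_release: int  # days since min_fw was published

def parse_version(text):
    """Turn '1.10.0' into (1, 10, 0); raise ValueError on anything else."""
    parts = text.strip().split(".")
    if not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"bad version: {text!r}")
    return tuple(int(p) for p in parts)

def decide(device, policy=POLICY):
    """Return 'allow', 'force_update' or 'quarantine' for one device."""
    rule = policy.get(device.model)
    if rule is None:
        return "quarantine"      # unknown model: fail closed
    try:
        current = parse_version(device.firmware)
    except ValueError:
        return "quarantine"      # unparseable report: fail closed
    # Numeric comparison, so 1.9.3 sorts below 1.10.0 (string compare would not).
    if current >= parse_version(rule["min_fw"]):
        return "allow"
    if device.days_since_release <= rule["grace_days"]:
        return "force_update"    # still served, but told to update now
    return "quarantine"          # past grace: only the update service is reachable

if __name__ == "__main__":
    fleet = [  # constructed inventory records
        Device("d1", "camera-b", "1.9.3", 3),
        Device("d2", "thermostat-a", "2.4.0", 2),
        Device("d3", "thermostat-a", "2.4.1", 30),
    ]
    for d in fleet:
        print(d.device_id, decide(d))
```

Failing closed on unknown models and malformed version strings keeps a device that misreports its firmware from being treated as compliant.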

Limited Security Planning in Development Methodologies

There is still an IoT security gap, as some products have long-lead product cycles, which leads to a continued influx of insecure devices onto the market. Regulatory, privacy, and compliance mandates require that devices added to certain systems be tested and verified prior to deployment, especially when dealing with sensitive information.

What to Do:

  • Create an IoT security training program for the development team.
  • Identify and participate in threat sharing initiatives and establish a framework for threat modeling the product.
  • Obtain buy-in from senior management on the need to incorporate security into the product.

Limited Management Support

Investors and technology startups can be unconcerned with the security of their products. Instead, they are focused on getting their products to market quickly and ensuring that core functionality works as expected. Security is often viewed as a consumer inconvenience that drives up support costs and diminishes user friendliness. For example, the simpler and longer lived a password is, the easier it is for the user to remember—and for the adversary to guess.

What to Do:

  • Begin product development with a threat model.
  • Derive security requirements from the output of the threat model and track those requirements through to closure.

Lack of Defined Standards

There is no accepted IoT reference architecture among vendors, despite IoT products and services requiring the cooperation of many technologies and protocols. Many IoT product developers choose an IoT platform as a starting point, and then build up their customizations and services from there. However, those platforms themselves often are not interoperable with each other, and developers may not make secure choices.

What to Do:

  • Carefully evaluate the environment in which devices are deployed and choose technologies accordingly.
  • Evaluate the performance vs. security tradeoff, using the best-matching protocol stack in order to reduce security risks and breaches.
  • Evaluate the security features offered by the IoT components and use them whenever possible.
  • Consider referencing CSA’s IoT Controls Matrix.

Difficulties Recruiting and Retaining Skills

IT security staff are consistently challenged with learning new technologies; however, IoT introduces even more challenges to keeping staff sufficiently trained. Product Security Officers and their teams have to concern themselves with vulnerabilities within software, ways that attackers can compromise their product’s hardware features, and secure mechanisms for creating and distributing firmware and software updates to thousands of devices.

What to Do:

  • Create an IoT security training program for the development team.

The Low Price Point Increases the Potential Adversary Pool

The low cost of typical IoT products, especially consumer devices, makes it simple for both researchers and malicious actors to acquire devices and spend time finding security issues and analyzing the security protections built into each one. This allows for the systematic discovery of security vulnerabilities related to both the hardware and software, knowledge of which can then be used to exploit weaknesses in operational environments.

What to Do:

  • Consider physical safeguards such as tamper detection to guard against physical access to sensitive internals.
  • Lock down physical ports (including test ports) on the product using passwords.

To learn more about IoT security, check out the full list of CSA’s IoT publications.
