Before we jump into the issues and challenges, let's get a better idea of what an IoT device is. An IoT (Internet of Things) device is a physical object fitted with sensors, actuators, or other embedded electronics and software that collects data and exchanges it with other devices or with people over the Internet. Examples range from wireless sensors and smart speakers to IP cameras, smart plugs, and printers, and today even cars and aircraft contain connected components of this kind. Personal computers and phones also connect to the Internet, but the term is usually reserved for single-purpose embedded devices, and that is what makes them hard to secure: limited processing power, no screen or keyboard, and infrequent updates. When such a device is compromised, the attacker gains a foothold in whatever system it belongs to, whether that is a home, an office network, or a vehicle. With such widespread use of IoT devices globally, authenticating and authorizing every IoT device that joins your organization's network has become vital. Allowing unauthorized or unmanaged IoT devices onto your network gives threat actors a device they can use to stage malware and move further into your organization.
Need for IoT Security
Vulnerabilities can be introduced at any point in an IoT device's life cycle: during manufacturing, when the device is deployed on a network, and when its software is updated. Each one is a potential entry point for an attacker to load malware onto the device or tamper with it. Because the devices share a network, typically Wi-Fi, with other systems, a flaw in one device can be used to reach the rest of the network and disrupt other devices. Some key requirements for IoT security are:
Data security, including device authentication and the confidentiality and integrity of the data devices collect and transmit.
Compliance with the regulatory requirements that apply to the industry in which the devices are used.
IoT Security Challenges:
Malware and Ransomware
The volume of malware and ransomware targeting IoT-connected devices continues to rise as the number of connected devices grows. Classic ransomware uses encryption to lock users out of their devices and data entirely; newer strains combine ransomware with other malware capabilities, such as data theft and botnet recruitment, in a single attack.
Such attacks can degrade or disable device functions while stealing user data. For example, a compromised IP (Internet Protocol) camera can be used to collect sensitive video and audio from a home or office.
Data Security and Privacy
Data privacy and security are among the most critical issues in today's interconnected world. Large organizations use many kinds of IoT devices, such as smart TVs, IP cameras, speakers, lighting systems, and printers, that constantly capture, send, store, and process data. That user data is often shared with, or even sold to, numerous third parties, violating privacy and data-protection rights and creating public distrust.
Organizations need dedicated compliance and privacy guidelines that redact and anonymize sensitive data, and they should apply them before IoT data is stored: separate the data payloads from any information that could identify an individual user. The mobile, web, and cloud applications and other services used to access, manage, and process IoT data should comply with the same guidelines. Cached data that is no longer needed should be securely deleted. For data that is retained, complying with the various legal and regulatory frameworks that apply will be the most challenging part.
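As an added illustration of the redact-and-anonymize step described above (this is example code written for this page, not part of the original article and not Encryption Consulting's tooling), the following Go program applies a storage policy to one telemetry payload: the owner's e-mail is dropped, the device identifier is replaced by a keyed pseudonym, and the location is coarsened. The payload schema, field names, and the key are assumptions made for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"math"
)

// RawTelemetry is the payload as a device sends it (constructed schema for
// this example, not any real product's format).
type RawTelemetry struct {
	DeviceID   string  `json:"device_id"`
	OwnerEmail string  `json:"owner_email"`
	Lat        float64 `json:"lat"`
	Lon        float64 `json:"lon"`
	TempC      float64 `json:"temp_c"`
	Timestamp  string  `json:"ts"`
}

// StoredTelemetry is what reaches long-term storage: the measurement, a
// pseudonym in place of the device identity, and a coarsened location.
type StoredTelemetry struct {
	DevicePseudonym string  `json:"device_pseudonym"`
	Lat             float64 `json:"lat"`
	Lon             float64 `json:"lon"`
	TempC           float64 `json:"temp_c"`
	Timestamp       string  `json:"ts"`
}

// pseudonym maps an identifier to a stable token with a keyed hash. A plain
// SHA-256 of a serial number would not do: serial numbers come from a small
// space, so anyone could rebuild the mapping by hashing every candidate.
// Only the holder of the key can link the token back to the device.
func pseudonym(key []byte, id string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(id))
	return hex.EncodeToString(mac.Sum(nil))[:16]
}

// coarsen rounds a coordinate to the given number of decimals; two decimals
// is roughly a 1 km cell, enough for regional analytics but not for locating
// a specific home.
func coarsen(v float64, decimals int) float64 {
	p := math.Pow(10, float64(decimals))
	return math.Round(v*p) / p
}

// Anonymize applies the storage policy to one raw payload and returns the
// JSON that may be persisted. The owner's e-mail is dropped entirely.
func Anonymize(key []byte, raw []byte) ([]byte, error) {
	var in RawTelemetry
	if err := json.Unmarshal(raw, &in); err != nil {
		return nil, fmt.Errorf("bad telemetry payload: %w", err)
	}
	out := StoredTelemetry{
		DevicePseudonym: pseudonym(key, in.DeviceID),
		Lat:             coarsen(in.Lat, 2),
		Lon:             coarsen(in.Lon, 2),
		TempC:           in.TempC,
		Timestamp:       in.Timestamp,
	}
	return json.Marshal(out)
}

// Constructed sample payload; the coordinates are a public landmark, not a person.
var samplePayload = []byte(`{"device_id":"cam-00042","owner_email":"alice@example.com",` +
	`"lat":37.774929,"lon":-122.419416,"temp_c":21.5,"ts":"2024-03-01T10:00:00Z"}`)

// Pseudonymization key (assumed value); in production it lives in an HSM or
// key-management service, never in source code.
var storageKey = []byte("example-key-do-not-use-in-production")

func main() {
	out, err := Anonymize(storageKey, samplePayload)
	if err != nil {
		panic(err)
	}
	fmt.Println(string(out))
}
```

Keeping the pseudonymization key separate from the stored data is what makes the record non-identifying: an analyst with database access but no key cannot recover the device serial, while the operator who needs to contact a device owner still can. Rotating the key breaks linkage across rotation periods, which is usually desirable for retained data.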
Brute Force Attacks
Government guidance advises manufacturers against selling IoT devices with default credentials, which are frequently as simple as "admin" for both the username and the password. In most jurisdictions this is still only guidance, with no legal penalty to stop manufacturers from shipping devices this way. As a result, a large share of IoT devices remain vulnerable to password guessing and brute-force attacks because of weak or default login credentials.
This is exactly how the Mirai malware spread: it scanned the Internet for exposed devices and logged into them using a short list of factory-default usernames and passwords, recruiting each one into a botnet.
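The Mirai pattern described above is visible on the device side as a burst of failed logins from one address, cycling through default usernames, followed by a success. The following Go program, written as an added example for this page (not code from the original article or from Encryption Consulting), runs that detection logic over constructed log lines in an assumed syslog-like format for an IoT gateway's SSH service; the hostname, addresses, and line format are all invented for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
	"time"
)

// Constructed sample log lines in a syslog-like format assumed for the SSH
// service of an IoT gateway ("device-gw"); they are not from any real device.
// 203.0.113.7 cycles through factory-default usernames and then gets in.
const sampleLog = `2024-03-01T10:00:01Z device-gw sshd: Failed password for root from 203.0.113.7 port 51102
2024-03-01T10:00:02Z device-gw sshd: Failed password for admin from 203.0.113.7 port 51103
2024-03-01T10:00:02Z device-gw sshd: Failed password for admin from 203.0.113.7 port 51104
2024-03-01T10:00:03Z device-gw sshd: Failed password for support from 203.0.113.7 port 51105
2024-03-01T10:00:04Z device-gw sshd: Failed password for user from 203.0.113.7 port 51106
2024-03-01T10:00:05Z device-gw sshd: Accepted password for admin from 203.0.113.7 port 51107
2024-03-01T10:00:09Z device-gw sshd: Failed password for admin from 198.51.100.4 port 40001
2024-03-01T10:05:00Z device-gw sshd: Accepted password for operator from 192.0.2.10 port 40022
`

// Detection parameters: five failures from one source within a minute.
const (
	defaultWindow    = 60 * time.Second
	defaultThreshold = 5
)

type Event struct {
	Time    time.Time
	Success bool
	User    string
	Source  string
}

// Alert kinds: "brute-force" when a source crosses the failure threshold,
// "success-after-brute-force" when a login then succeeds from that source.
type Alert struct {
	Source   string
	Kind     string
	Failures int
	Users    []string // distinct usernames the source tried, sorted
}

var lineRe = regexp.MustCompile(`^(\S+) \S+ sshd: (Failed|Accepted) password for (\S+) from (\S+) port \d+$`)

func parseLine(line string) (Event, bool) {
	m := lineRe.FindStringSubmatch(strings.TrimSpace(line))
	if m == nil {
		return Event{}, false
	}
	ts, err := time.Parse(time.RFC3339, m[1])
	if err != nil {
		return Event{}, false
	}
	return Event{Time: ts, Success: m[2] == "Accepted", User: m[3], Source: m[4]}, true
}

type sourceState struct {
	failures []time.Time // failure timestamps still inside the window
	users    map[string]bool
	alerted  bool // brute-force alert already raised for this source
}

// DetectBruteForce scans the log in order and raises alerts per source.
func DetectBruteForce(logText string, window time.Duration, threshold int) []Alert {
	states := map[string]*sourceState{}
	var alerts []Alert
	for _, line := range strings.Split(logText, "\n") {
		ev, ok := parseLine(line)
		if !ok {
			continue // blank or unrelated line
		}
		st := states[ev.Source]
		if st == nil {
			st = &sourceState{users: map[string]bool{}}
			states[ev.Source] = st
		}
		// Slide the window: drop failures older than window before this event.
		cutoff := ev.Time.Add(-window)
		kept := st.failures[:0]
		for _, t := range st.failures {
			if !t.Before(cutoff) {
				kept = append(kept, t)
			}
		}
		st.failures = kept
		if ev.Success {
			if len(st.failures) >= threshold {
				alerts = append(alerts, Alert{ev.Source, "success-after-brute-force", len(st.failures), sortedKeys(st.users)})
			}
			continue
		}
		st.failures = append(st.failures, ev.Time)
		st.users[ev.User] = true
		if len(st.failures) >= threshold && !st.alerted {
			st.alerted = true
			alerts = append(alerts, Alert{ev.Source, "brute-force", len(st.failures), sortedKeys(st.users)})
		}
	}
	return alerts
}

func sortedKeys(m map[string]bool) []string {
	keys := make([]string, 0, len(m))
	for k := range m {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return keys
}

func main() {
	for _, a := range DetectBruteForce(sampleLog, defaultWindow, defaultThreshold) {
		fmt.Printf("%-26s %-15s failures=%d users=%v\n", a.Kind, a.Source, a.Failures, a.Users)
	}
}
```

On the sample input the single failure from 198.51.100.4 and the clean login from 192.0.2.10 raise nothing; the "success-after-brute-force" alert is the one worth paging on, because it means the device is already using a credential that was guessable.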
IoT Skill Gap
Organizations also face a significant IoT skills gap that stops them from fully exploiting new opportunities. Since hiring a new team is not always possible, training programs are necessary. Workshops and hands-on exercises, such as attempting to break into a specific smart device in a lab, are a good way to build this skill. The more your team members know about IoT, the more productive and secure your IoT deployment will be.
Lack of Updates and Weak Update Mechanism
IoT products are designed with connectivity and ease of use in mind. A device may be secure when purchased, but it becomes vulnerable as soon as attackers find new flaws in its software, and it stays vulnerable unless the manufacturer ships a fix and the device actually receives it. Devices that never get regular updates only grow more exposed over time.
Top IoT Vulnerabilities
The Open Web Application Security Project (OWASP) publishes the OWASP IoT Top 10, a list of the most common IoT vulnerability classes and an excellent resource for manufacturers and users alike. The items below follow that list.
Weak Password Protection
Use of easily brute-forced, publicly available, or unchangeable credentials, including backdoors in firmware or client software that grant unauthorized access to deployed systems.
Weak, guessable, default, and hard-coded credentials are the easiest way to attack devices directly and then use them to build large-scale botnets and distribute other malware.
In 2018, California passed SB-327, an IoT security law (in force since January 2020) that prohibits shipping connected devices with generic default passwords: each device must either have a unique preprogrammed password or require the user to set a new one before it can be used. The law targets exactly this weak-password vulnerability.
Insecure Network Services
Unnecessary or insecure network services running on the device, particularly those exposed to the Internet, compromise the confidentiality, integrity/authenticity, or availability of information and open the door to unauthorized remote control of the device.
Unsecured networks make it easy for attackers to exploit weaknesses in the protocols and services that run on IoT devices. Once on the network, an attacker can intercept confidential or sensitive data exchanged between the device and its server. Unsecured networks are especially exposed to man-in-the-middle (MITM) attacks, in which device credentials and authentication tokens are captured and reused as part of a broader attack.
Insecure Ecosystem Interfaces
Insecure web, backend API, cloud, or mobile interfaces in the ecosystem outside the device that allow the device or its related components to be compromised. Common issues include a lack of authentication and authorization, missing or weak encryption, and a lack of input and output filtering.
Strong device identity lets the backend distinguish a legitimate device from an attacker impersonating one; per-device credentials such as certificates, rather than a secret shared by every unit, are the usual basis for this. Insecure ecosystem interfaces, such as application programming interfaces (APIs), web applications, and mobile apps, give attackers a way to compromise devices without touching the hardware. Organizations should enforce authentication and authorization on every cloud and mobile interface, for devices as well as for users.
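To make the device-identity point concrete, here is an added example (written for this page, not code from the original article or from Encryption Consulting's service) of the backend check behind certificate-based device authentication in Go: a device CA issues one certificate per device with the device ID as its subject, and the backend accepts a device only if the certificate it presents chains to that CA, is within its validity period, is marked for client authentication, and names the device ID the connection claims. The CA name, device IDs, and the in-memory keys are assumptions for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

const (
	oneYear         = 365 * 24 * time.Hour
	expiredLifetime = -30 * time.Minute // NotAfter already in the past
)

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func mustCreate(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// newDeviceCA stands in for the organization's device-issuing CA. In production
// its key lives in an HSM; here it is in memory so the example runs offline.
func newDeviceCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example IoT Device CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * oneYear),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	return mustCreate(tmpl, tmpl, &key.PublicKey, key), key
}

// issueDeviceCert mints a per-device certificate with the device ID as its
// CommonName. With ca == nil it is self-signed, modelling an attacker who
// fabricates a credential for a device ID that is not theirs.
func issueDeviceCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, deviceID string, serial int64, lifetime time.Duration) *x509.Certificate {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: deviceID},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if ca == nil {
		return mustCreate(tmpl, tmpl, &key.PublicKey, key)
	}
	return mustCreate(tmpl, ca, &key.PublicKey, caKey)
}

// AuthenticateDevice is the backend-side check on the certificate a device
// presents (in a real system the TLS handshake performs it and also proves the
// device holds the matching private key). Only a certificate that chains to
// the device CA, is valid now, is usable for client authentication, and names
// the claimed device ID is accepted.
func AuthenticateDevice(deviceCA, presented *x509.Certificate, claimedID string) error {
	roots := x509.NewCertPool()
	roots.AddCert(deviceCA)
	if _, err := presented.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}); err != nil {
		return fmt.Errorf("certificate rejected: %w", err)
	}
	if presented.Subject.CommonName != claimedID {
		return errors.New("certificate identity does not match claimed device ID")
	}
	return nil
}

func main() {
	ca, caKey := newDeviceCA()
	fmt.Println("enrolled device:", AuthenticateDevice(ca, issueDeviceCert(ca, caKey, "sensor-0001", 2, oneYear), "sensor-0001"))
	fmt.Println("wrong identity: ", AuthenticateDevice(ca, issueDeviceCert(ca, caKey, "sensor-0001", 3, oneYear), "sensor-0002"))
	fmt.Println("self-signed:    ", AuthenticateDevice(ca, issueDeviceCert(nil, nil, "sensor-0001", 4, oneYear), "sensor-0001"))
	fmt.Println("expired:        ", AuthenticateDevice(ca, issueDeviceCert(ca, caKey, "sensor-0001", 5, expiredLifetime), "sensor-0001"))
}
```

The identity comparison after chain validation is the step most often forgotten: a certificate that chains correctly but names a different device is still a valid credential for that other device, and skipping the check lets one compromised unit impersonate every other unit in the fleet. A real deployment would also consult a CRL or OCSP so a stolen device's certificate can be revoked.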
Insecure or Outdated Components
Use of deprecated or insecure software components or libraries that could allow the device to be compromised. This includes insecure customization of operating-system platforms and the use of third-party software or hardware components from a compromised supply chain.
The IoT ecosystem can be compromised through code and software vulnerabilities as well as through legacy systems. Using unsafe or outdated components, whether open source or commercial third-party software, creates vulnerabilities that expand an organization's attack surface.
Lack of Proper Privacy Protection
Users' personal information stored on the device or in the ecosystem that is used insecurely, improperly, or without permission.
IoT devices often collect personal data that organizations must store and process securely in order to comply with data-privacy regulations. Failure to protect this data can result in fines, loss of reputation, and loss of business, and inadequate security can lead to data leaks that jeopardize user privacy.
Insecure Default Settings
Devices or systems shipped with insecure default settings, or lacking the ability to be made more secure because operators are prevented from modifying configurations.
IoT devices, like personal devices, come with hard-coded default settings that make initial configuration easy. These defaults are often insecure (open services, permissive access controls, default credentials) and are the first thing an attacker tries. Once a device is compromised through them, the attacker can exploit further weaknesses in its firmware and launch broader attacks against the business.
Lack of Physical Hardening
Lack of physical hardening measures, allowing potential attackers to gain sensitive information that can help in a future remote attack or to take local control of the device.
By their nature, IoT devices are often deployed in remote or publicly accessible locations rather than in easy-to-manage, controlled environments. This makes them easier for attackers to physically target, disrupt, manipulate, or sabotage, along with the critical systems they are part of.
Lack of Secure Update Mechanisms
Lack of the ability to securely update the device. This includes a lack of firmware validation on the device, lack of secure delivery (unencrypted in transit), lack of anti-rollback mechanisms, and lack of notifications of security changes due to updates.
Unauthorized firmware and software updates are one of the most powerful ways to attack an IoT device: a device that will install any image it is handed can be permanently taken over. A secure update mechanism verifies that an update was signed by the manufacturer, that the image has not been modified, and that it is newer than the version already installed, so an attacker cannot push a validly signed but vulnerable older release back onto the device.
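The three checks just listed (signature, integrity, anti-rollback) are shown below in a Go program added as an example for this page; it is not code from the original article or from any vendor's update system. The manifest format, the Ed25519 key pair, and the firmware image contents are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is the signed description of an update. The signature covers the
// version number and the image hash together, so an attacker can neither swap
// in a different image nor re-label an old image with a higher version.
type Manifest struct {
	Version   uint32
	ImageHash [32]byte
	Signature []byte // ed25519 over signedBytes(Version, ImageHash)
}

func signedBytes(version uint32, imageHash [32]byte) []byte {
	buf := make([]byte, 4+32)
	binary.BigEndian.PutUint32(buf[:4], version)
	copy(buf[4:], imageHash[:])
	return buf
}

// newVendorKey generates the signing key pair. The private half stays with the
// vendor's build system (ideally in an HSM); the public half is burned into
// the device's immutable storage at manufacture.
func newVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignUpdate runs at the vendor: hash the image and sign version||hash.
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) Manifest {
	h := sha256.Sum256(image)
	return Manifest{Version: version, ImageHash: h, Signature: ed25519.Sign(priv, signedBytes(version, h))}
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrRollback     = errors.New("update version is not newer than installed version")
	ErrHashMismatch = errors.New("image hash does not match signed manifest")
)

// VerifyUpdate runs on the device. It checks the signature first, so that
// every later decision is based on authenticated data, then refuses anything
// that is not strictly newer than the installed version (anti-rollback), and
// finally confirms the downloaded image is the one the manifest describes.
// It returns the version to record as installed only when all checks pass.
func VerifyUpdate(vendorPub ed25519.PublicKey, installed uint32, m Manifest, image []byte) (uint32, error) {
	if !ed25519.Verify(vendorPub, signedBytes(m.Version, m.ImageHash), m.Signature) {
		return installed, ErrBadSignature
	}
	if m.Version <= installed {
		return installed, ErrRollback
	}
	if sha256.Sum256(image) != m.ImageHash {
		return installed, ErrHashMismatch
	}
	return m.Version, nil
}

func main() {
	pub, priv := newVendorKey()
	// Constructed stand-ins for firmware images.
	v1 := []byte("firmware image v1 (has a known bug)")
	v2 := []byte("firmware image v2 (bug fixed)")
	installed := uint32(1)

	m2 := SignUpdate(priv, 2, v2)
	fmt.Printf("v2 hash %s...\n", hex.EncodeToString(m2.ImageHash[:])[:16])
	installed, err := VerifyUpdate(pub, installed, m2, v2)
	fmt.Println("genuine v2:", installed, err)

	tampered := append([]byte{}, v2...)
	tampered[0] ^= 0xff
	_, err = VerifyUpdate(pub, installed, m2, tampered)
	fmt.Println("tampered image:", err)

	// A validly signed v1 manifest is still rejected once v2 is installed.
	_, err = VerifyUpdate(pub, installed, SignUpdate(priv, 1, v1), v1)
	fmt.Println("rollback to v1:", err)

	_, forgedPriv := newVendorKey()
	_, err = VerifyUpdate(pub, installed, SignUpdate(forgedPriv, 3, tampered), tampered)
	fmt.Println("forged manifest:", err)
}
```

The installed version number must itself be stored where an attacker with local access cannot lower it (a monotonic counter in secure hardware, or at least in storage the bootloader protects), otherwise the rollback check can be bypassed by resetting the counter before presenting the old image.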
How Encryption Consulting's PKI-as-a-Service helps secure your IoT devices
Encryption Consulting LLC (EC) will take over the running of your Public Key Infrastructure, building and managing the PKI environment (on-premises, in the cloud, or hybrid) for your organization. Encryption Consulting deploys and supports your PKI using a fully developed and tested set of procedures and audited processes. Admin rights to your Active Directory are not required, and control over your PKI and its associated business processes always remains with you. Following security best practice, the CA keys are held in FIPS 140-2 Level 3 HSMs hosted either in your secure data center or in Encryption Consulting's data center in Dallas, Texas.
Parnashree Saha is a data protection senior consultant at Encryption Consulting LLC working with PKI, AWS cryptographic services, GCP cryptographic services, and other data protection solutions such as Vormetric and Voltage.