March 11, 2020 by Jake Pool
With demand for internet of things technology increasing exponentially, engineers are creating more and more devices on a monthly basis. But, as malware attacks continue to rise, it seems digital security teams can’t keep up with the vulnerabilities.
Take, for example, the growth of the Mirai Botnet that plagues enterprises to this day. In 2019, the malware used default credentials to gain access to a range of devices, including wireless presentation systems, SD-WAN routers, and home controllers.
In addition, security teams found some of the malware in new IoT device processors, which was an expansion of the targeted processor architectures.
The goal seems to be another massive DDoS (distributed denial-of-service) attack like the infamous one that affected Dyn’s servers and took down a slew of notable websites in 2016.
So, what are manufacturers doing to protect enterprises and consumers? And, do they even consider this a serious issue? The answers are ‘not much’, and ‘no’.
Surrounded by blue connectivity graphics (e.g. Wi-Fi), a red-targeted shield sits with a dart through it—representing penetrated cybersecurity measures.
To break down these bold answers, let’s look at some of the key vulnerabilities of IoT devices based on The Open Web Application Security Project’s Top 10 Internet of Things 2018 List.
Its list ranked the highest-priority issues of IoT devices, and another update will be released in 2020.
One of the most easily exploited vulnerabilities comes through the network services used to access an IoT device. Many of these insecure services are often unnecessary and leave an open door for remote access.
However, the door swings both ways with network security. Developers aren’t doing enough to ship secure devices. But consumers also shouldn’t assume an IoT device is secure the moment they take it out of the box. In the U.S., the FBI recommends that IoT devices never be on the same network as other devices with sensitive data.
Ultimately, it will be up to enterprises and customers to invest more in security and take steps toward routinely testing and securing their devices.
Using brute force attacks or researching publicly available credentials, hackers can gain access to IoT devices with weak passwords. While this is somewhat on the shoulders of the consumer, it’s still an out-of-the-box vulnerability. Many devices don’t even have authentication suggestions and set-up steps (much less two-step verification options) in the first place.
In addition, many IoT devices have hardcoded passwords embedded into the source code. The passwords are discoverable by simply asking around on the internet (as in the case of the 2016 Uber hack) or through reverse engineering. The task of protecting enterprise from the threat of a hardcoded password goes to the developers.
California recently passed laws trying to combat the issue that went into effect on January the 1st of this year, and the UK could follow suit—but it may be too little too late.
Hard coding passwords into the source code of an IoT device is one of the biggest vulnerabilities. Pictured: a line of code (foreground) and part of a data centre.
Within this issue lies two problems. First, many devices have no update mechanism at all. In this situation, the device is vulnerable to attacks because the burden of updating security falls solely on the end-user.
It can be difficult for non-tech savvy users and enterprises to keep up with much-needed security updates with no mechanism in place. This has led to a push for OTA (over-the-air) updates from companies like Texas Instruments.
However, even devices with an update mechanism in place fall short as they consistently lack firmware validation, are sent delivery updates that are not encrypted, or do not notify the user of security changes within the updates.
Many IoT developers make use of third-party libraries in the application software within the device. The problem is that developers are not thoroughly testing the libraries and many are outdated, which leaves them highly vulnerable to attacks.
This is where the importance of updates comes to attention. However, with no secure mechanism, a hard coded or weak password, and an insecure network service, many enterprises are handing hackers the keys to their—and sometimes your—most vital information.
Ghostly hands appear from the wrong side of a laptop keyboard to attempt a password breach. Image Credit: Blogtrepreneur via Flickr.
With awareness of the above key issues existing for years, developers are still not taking the vulnerabilities seriously. Why is that?
According to Peter Winston, CEO of Integrated Computer Solutions:
“Developers are under pressure by manufacturers to code faster to keep up with skyrocketing demand. They simply don’t have much time in the product development lifecycle to devote to security, since speed to market is their priority.”
Gartner projects we’re on track to reach 20.4 billion connected ‘things’ this year. Obviously the demand is high and is only going to get higher. Consumers want ‘smart’ devices in every way, shape, and form, so there could be billions of dollars at stake if you’re not the first to have a product on the market.
