5 domains where IoT security needs to be addressed


I’ve recently written an article in TechCrunch on the much-disputed issue of IoT security. The fact of the matter is that IoT truly is a phenomenon that can change our lives – or destroy them. There are many things that are right with IoT, but there are also many others that are wrong and need to be fixed.

With many thanks to Art Swift and Larry Loeb for their excellent thoughts on IoT security, the following are five areas where IoT security issues need to be tackled.

Network connectivity

What makes IoT devices great is their unbroken and automated connectivity, and their constant flow of useful information to data centers. But this is also where they are flawed. Since engineers who build IoT devices aren’t necessarily network security experts, they leave many security gaps behind.

And since IoT devices are always online, every single one of them can become an attack vector and a point of infiltration for hackers. Automated systems get authenticated once when they go online and remain authenticated until they’re reset. Weak implementation of protocols is what allowed Charlie Miller and Chris Valasek to conduct the famous Jeep hack earlier this year.

Updating mechanisms

Another issue of concern is the mechanism of updating the firmware installed on IoT devices. It is fair to say that there’s no software that is flawless, a statement that applies to IoT devices as well. Every piece of software installed or embedded on IoT devices will eventually be found to have flaws that need to be fixed.

Closing devices to software updates means devices will have to exist with discovered flaws forever, which is out of the question. Another option would be to require users to install updates on their devices themselves, which is also impractical, since you can’t expect users to manually push updates to the dozens and scores of connected devices they own.

A third option would be to leave openings on devices that would allow manufacturers to automatically push updates to them. But that could itself become an attack vector and a loophole for attackers to exploit. Back to the Jeep example, Miller and Valasek used an update-delivery flaw to modify firmware on the car’s devices and execute arbitrary code. A similar flaw on Cisco devices has allowed hackers to install malicious backdoors on router devices belonging to one of the brands that is supposedly renowned for its secure products.
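The checks a device can run before accepting a pushed update, as an added example that is not from the original article: the manifest is authenticated first, then the target model, the version (anti-rollback) and the image digest are checked. The model name, key and image are constructed for the demo, and HMAC stands in for what should be an asymmetric vendor signature in a real product.

```python
import hashlib, hmac, json

# Constructed demo key. Stand-in only: a real device should hold just the
# vendor's *public* key (e.g. Ed25519), so reading it off a device does not
# let anyone forge updates.
DEMO_KEY = b"constructed-demo-key"

def sign_manifest(manifest, key=DEMO_KEY):
    """Vendor side: MAC over the canonical JSON encoding of the manifest."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def accept_update(manifest, tag, image, model, installed, key=DEMO_KEY):
    """Device side: return (ok, reason). Flash only when ok is True."""
    # 1. Authenticate the manifest before trusting any field in it.
    if not hmac.compare_digest(sign_manifest(manifest, key), tag):
        return False, "manifest authentication failed"
    # 2. The update must target this hardware model.
    if manifest.get("model") != model:
        return False, "wrong device model"
    # 3. Anti-rollback: refuse anything that is not strictly newer.
    if tuple(manifest.get("version", ())) <= tuple(installed):
        return False, "rollback or replay of old version"
    # 4. The image bytes must match the digest bound into the manifest.
    digest = hashlib.sha256(image).hexdigest()
    if not hmac.compare_digest(digest, manifest.get("sha256", "")):
        return False, "image digest mismatch"
    return True, "ok"

def demo():
    """Run one genuine and four rejected updates against a v1.3.0 device."""
    image = b"\x7fFIRMWARE constructed sample image v1.4.0"
    good = {"model": "thermo-x1", "version": [1, 4, 0],
            "sha256": hashlib.sha256(image).hexdigest()}
    old = dict(good, version=[1, 2, 0])  # validly signed but older release
    tag = sign_manifest(good)
    dev = ("thermo-x1", (1, 3, 0))
    return {
        "genuine": accept_update(good, tag, image, *dev),
        "tampered_image": accept_update(good, tag, image + b"!", *dev),
        "edited_manifest": accept_update(old, tag, image, *dev),
        "rollback": accept_update(old, sign_manifest(old), image, *dev),
        "wrong_key": accept_update(good, sign_manifest(good, b"other"), image, *dev),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:16} {result}")
```

The rollback case matters because an old release is genuinely signed by the vendor, so authentication alone would let a device be pushed back to a version with known flaws.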

Device isolation across the network

Often, breaking into one device will allow you to compromise other devices sharing the same network. This is another point where IoT security leaves much to be desired. Devices blindly trust their peers, and when attackers find their way into a single device, they move laterally across the network and propagate their damage across other devices, carrying out other nefarious activities, including escalation of privileges or gaining access to databases containing sensitive information.

In the Jeep hack example, the researchers made their initial infiltration through a flaw in the entertainment system and later gained access to other devices that eventually allowed them to take full control of the car’s brake and steering system.

Remote interfaces

Since IoT devices are set up once and then forgotten, most users will not bother to change the administrative credentials that allow access to devices’ settings interfaces. The most dangerous of these are web interfaces, which can be accessed from practically any point that is physically connected to the device.

Employing simple measures such as making sure administrative passwords are changed during the initial setup or using two-factor authentication methods can go a long way toward preventing IoT hacks.

Data transfer

A lot of IoT devices are using non-encrypted protocols or outdated and flawed encryption methods when sending their data over to the cloud. This can lead to data theft, or worse, the theft of credentials and hijacking of device identities. New and updated TLS and SSL protocols should be implemented on all devices. The point here is to understand that IoT devices are no different from websites: Not taking data transfer security seriously can lead to a host of dangerous attacks.

Of course, like the Heartbleed bug, we might later find out that the current protocols need to be patched. Again, the patching mechanisms themselves need to be checked for security holes.

FEATURED IMAGE: MACROVECTOR/SHUTTERSTOCK (IMAGE HAS BEEN MODIFIED)
