I’ve recently written an article in TechCrunch on the much-disputed issue of IoT security. The fact of the matter is that IoT truly is a phenomenon that can change our lives – or destroy them. There are many things that are right with IoT, but there are also many others that are wrong and need to be fixed.
What makes IoT devices great is their unbroken and automated connectivity, and their constant flow of useful information to data centers. But this is also where they are flawed. Since engineers who build IoT devices aren’t necessarily network security experts, they leave many security gaps behind.
And since IoT devices are always online, every single one of them can become an attack vector and a point of infiltration for hackers. Automated systems get authenticated once when they go online and remain authenticated until they’re reset. Weak implementation of protocols is what allowed Charlie Miller and Chris Valasek to conduct the famous Jeep hack earlier this year.
Another issue of concern is the mechanism of updating the firmware installed on IoT devices. It is fair to say that there’s no software that is flawless, a statement that applies to IoT devices as well. Every piece of software installed or embedded on IoT devices will eventually be found to have flaws that need to be fixed.
Closing devices to software updates means devices will have to live with discovered flaws forever, which is out of the question. Another option would be to require users to install updates on their devices themselves, which is also impractical, since you can’t expect users to manually push updates to the dozens and scores of connected devices they own.
A third option would be to leave openings on devices that would allow manufacturers to automatically push updates to them. But that could itself become an attack vector and a loophole for attackers to exploit. Returning to the Jeep example, Miller and Valasek used an update-delivery flaw to modify firmware on the car’s devices and execute arbitrary code. A similar flaw on Cisco devices has allowed hackers to install malicious backdoors on router devices belonging to one of the brands that is supposedly renowned for its secure products.
Device isolation across the network
Often, breaking into one device will allow you to compromise other devices sharing the same network. This is another point where IoT security leaves much to be desired. Devices blindly trust their peers, and when attackers find their way into a single device, they move laterally across the network and spread their damage to other devices, carrying out other nefarious activities, including escalation of privileges or gaining access to databases containing sensitive information.
In the Jeep hack example, the researchers made their initial infiltration through a flaw in the entertainment system and later gained access to other devices that eventually allowed them to take full control of the car’s brake and steering system.
Since IoT devices are set up once and then forgotten, most users will not bother to change the administrative credentials that allow access to devices’ settings interfaces. The most dangerous of these are web interfaces, which can be accessed from practically any point that is physically connected to the device.
Employing simple measures such as making sure administrative passwords are changed during the initial setup or using two-factor authentication methods can go a long way to preventing IoT hacks.
A lot of IoT devices are using non-encrypted protocols or outdated and flawed encryption methods when sending their data over to the cloud. This can lead to data theft, or worse, the theft of credentials and hijacking of device identities. New and updated TLS and SSL protocols should be implemented on all devices. The point here is to understand that IoT devices are no different from websites: Not taking data transfer security seriously can lead to a host of dangerous attacks.
Of course, like the Heartbleed bug, we might later find out that the current protocols need to be patched. Again, the patching mechanisms themselves need to be checked for security holes.
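To make the point about update and patching mechanisms concrete, the following Python example (added here; it is not code from this article or from any vendor mentioned) shows the checks a device-side updater can run before flashing a pushed image: authenticate the manifest, refuse rollbacks, and confirm the image matches the manifest. It assumes a per-device secret key and uses HMAC-SHA256 as a stand-in for the asymmetric signature a production updater would typically verify; the function names, manifest fields and sample image are constructed for the example.

```python
import hashlib
import hmac
import json


def sign_manifest(key: bytes, manifest: dict) -> str:
    """Authenticate the manifest (as canonical JSON) with HMAC-SHA256."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def make_update(key: bytes, version: int, image: bytes):
    """Vendor side: describe the image in a manifest and tag the manifest."""
    manifest = {"version": version, "size": len(image),
                "sha256": hashlib.sha256(image).hexdigest()}
    return manifest, sign_manifest(key, manifest)


def check_update(key: bytes, installed_version: int,
                 manifest: dict, tag: str, image: bytes):
    """Device side: return (accepted, reason). Flash only if accepted."""
    # 1. Authenticate the manifest before trusting any field inside it.
    if not hmac.compare_digest(sign_manifest(key, manifest), tag):
        return False, "bad manifest tag"
    # 2. Anti-rollback: an old, validly tagged image with known flaws
    #    must not be replayed onto the device.
    version = manifest.get("version")
    if not isinstance(version, int) or version <= installed_version:
        return False, "rollback or replay"
    # 3. The delivered bytes must be exactly the image the manifest describes.
    if len(image) != manifest.get("size"):
        return False, "size mismatch"
    digest = hashlib.sha256(image).hexdigest()
    if not hmac.compare_digest(digest, str(manifest.get("sha256", ""))):
        return False, "image digest mismatch"
    return True, "ok"


if __name__ == "__main__":
    device_key = b"constructed-demo-key-32-bytes!!!"   # constructed sample key
    image = b"\x7fFW" + bytes(100)                     # constructed sample image
    manifest, tag = make_update(device_key, 5, image)
    print(check_update(device_key, 4, manifest, tag, image))
    print(check_update(device_key, 5, manifest, tag, image))
    print(check_update(device_key, 4, dict(manifest, version=99), tag, image))
```

The order of the checks matters: the version and digest fields are only meaningful after the manifest itself has been authenticated.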