
5 Security Vulnerabilities Looming for the Internet of Things

Francisco Maroto
June 24, 2016

Almost three years ago, I wrote in my IoT blog the posts "Are you prepared to answer M2M/IoT security questions of your customers?" and "There is no consensus how best to implement security in IoT", given the importance that security has to fulfil the promise of the Internet of Things (IoT).

Now, I have been sharing my opinion about the key role of IoT security with other international experts in articles such as "What is the danger of taking M2M communications to the Internet of Things?" and at different events (Cycon, IoT Global Innovation Forum 2016).

Security Has Always Been a Trade-off Between Cost and Benefit

I am honest when I say that I do not know how McKinsey calculates the total impact of IoT on the world economy in 2025, even in one of the specific sectors, and if they took into account the challenge of security, but it hardly matters: the opportunities generated by IoT far outweigh the risks.

With increased IoT opportunities come increased security risks and a flourishing IoT security market (according to Zion Research, the IoT security market will grow to USD 464 million in 2020).

A Decade of Breaches and the Biggest Attack is Still Looming

We all know the negative impact that news of cyber-attacks has on society and enterprises. In less than a decade, according to ICS-CERT (US), we have gone from 39 incidents in 2010 to 295 incidents in 2015. A survey published by AT&T revealed that the company logged a 458% increase in vulnerability scans of IoT devices in the last 2 years.

It is a challenge for hackers to test their skills on connected objects, whether connected cars or smart home appliances. But I'm afraid they will go a lot further by attacking smart factories, smart transportation infrastructure or smart grids.

With the millions of unprotected devices out there, the multitude of IoT networks, IoT platforms, and developers with a lack of security, I am one more who believes the biggest attack target yet is looming.

New Threats

With the Internet of Things, we should be prepared for new attacks and we must design new essential defences.

The complex IoT Security Threat Map from Beecham Research provides an overlaid summary of the full set of threat and vulnerability analyses that is used to help clients shape their strategies. This Threat Map summarizes many of the top 5 features from each of those analyses:

  1. External threats and the top internal vulnerabilities of IoT applications;
  2. The needs for robust authentication & authorisation & confidentiality;
  3. The features and interactions between multiple networks used together in IoT;
  4. The complexities of combining Service Sector optimised capabilities of differing Service Enablement Platforms;
  5. The implementation and defences of edge device operating systems, chip integration and the associated Root of Trust.

5 New Vulnerabilities Looming for the Internet of Things

The OWASP Internet of Things Project is designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things and to enable users in any context to make better security decisions when building, deploying, or assessing IoT technologies.

The project looks to define a structure for various IoT sub-projects such as Attack Surface Areas, Testing Guides and Top Vulnerabilities. The Subex white paper presents their IoT solution with some added real examples of top IoT vulnerabilities.

1. Insecure Web Interface

To exploit this vulnerability, an attacker uses weak credentials or captures plain-text credentials to access the web interface. The impact is data loss or denial of service, and it can lead to complete device takeover. An insecure web interface was exploited by hackers in 2014 to compromise Asus routers that were shipped with a default admin user name and password.

2. Insufficient Authentication/Authorization

Exploitation of this vulnerability involves the attacker brute forcing weak passwords or poorly protected credentials to access a particular interface. The impact from this kind of attack is usually denial of service and can also lead to compromise of the device. This vulnerability was exploited by ethical hackers to access the head unit of a Jeep Cherokee via WiFi connectivity. The WiFi password for the Jeep Cherokee unit is generated automatically based upon the time when the car and head unit are started up. By guessing the time and using brute force techniques, the hackers were able to gain access to the head unit.
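The time-seeded password weakness described above, as an added example that is not from the original article and is not the actual head-unit algorithm: the weak generator, its one-second clock resolution, the 12-character format and all function names are constructed for illustration. It contrasts a clock-derived password with one drawn from the OS CSPRNG and shows a provisioning check that catches the former.

```python
import hashlib
import math
import secrets
import string

ALPHABET = string.ascii_lowercase + string.digits  # 36 symbols (assumed format)
PW_LEN = 12                                         # assumed password length


def time_derived_password(boot_epoch: int) -> str:
    """WEAK (constructed): the password is a pure function of start-up time."""
    digest = hashlib.sha256(str(boot_epoch).encode()).digest()
    return "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:PW_LEN])


def random_password(boot_epoch: int = 0) -> str:
    """HARDENED: every character comes from the OS CSPRNG; the clock is ignored."""
    return "".join(secrets.choice(ALPHABET) for _ in range(PW_LEN))


def is_clock_determined(generator, boot_epoch=1_700_000_000, trials=5) -> bool:
    """Provisioning check: identical output for an identical clock value
    means the start-up time is the only secret behind the password."""
    return len({generator(boot_epoch) for _ in range(trials)}) == 1


def nominal_bits() -> float:
    """Entropy the format appears to offer: length x log2(alphabet size)."""
    return PW_LEN * math.log2(len(ALPHABET))


def effective_bits(generator, window_seconds: int) -> float:
    """Upper bound on real entropy when the start-up time is known to lie
    within a window of window_seconds (one candidate per second)."""
    if is_clock_determined(generator):
        return min(nominal_bits(), math.log2(window_seconds))
    return nominal_bits()


if __name__ == "__main__":
    year = 365 * 24 * 3600
    for gen in (time_derived_password, random_password):
        print(f"{gen.__name__}: looks like {nominal_bits():.1f} bits, "
              f"at most {effective_bits(gen, year):.1f} bits in a one-year window")
```

A password that looks like 62 bits is worth fewer than 25 bits when its only input is a start-up time known to within a year, which is why the credential has to come from a CSPRNG rather than from the clock.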

3. Insecure Network Services

Attackers use vulnerable network services to attack the device itself or bounce attacks off the device. Attackers can then use the compromised devices to facilitate attacks on other devices. This vulnerability was exploited by hackers that used 900 CCTV cameras globally to DoS attack a cloud platform service.

4. Lack of Transport Encryption

A lack of transport encryption allows third parties to view data transmitted over the network. Depending upon the data exposed, this can lead to compromise of a device or of user accounts. This weakness was exhibited by ToyTalk's server domain, which was susceptible to the POODLE attack. ToyTalk helps the Hello Barbie doll talk to a child by uploading the child's words to a server and providing an appropriate response after processing them. Though there was no reported hack on this, such a vulnerability could easily lead to one.



5. Privacy Concerns

Hackers use different vectors to view and/or collect personal data which is not properly protected. The impact of this attack is collection of personal user data. This vulnerability was exemplified by the VTech hack, wherein hackers were able to steal personal data of parents as well as children using VTech's tablet.

Who Owns the Problem?

With the IoT we are creating a very complicated supply chain with lots of stakeholders, so it's not always clear who owns the problem. As an illustration, here is an example with a simple home application and not Super Installers: if you buy a central heating system and controller which requires you to push a button to increase the temperature, then if it stops working you contact the company who supplied it. But if you buy a central heating boiler from one company, a wireless temperature controller from another, download a mobile app from another and have a weather station from another supplier, then whose job is it to make sure it's secure and reliable? The simple cop-out is to say the homeowner bought the bits and connected them together, therefore it's their responsibility. Well, I'm sorry, but that isn't good enough!

Manufacturers can't simply divest themselves of responsibility simply because the homeowner bought several component parts from different retailers. As a manufacturer you have a responsibility to ensure that your product is secure and reliable when used in any of the possible scenarios and use cases, which means that manufacturers need to work together to ensure interoperability: we all own the problem!

This might come as a shock to some companies and industries, but at some level even competitors have to work together to agree on and implement architectures and connectivity that are secure and reliable. Standardization is a good example of this: if you look at the companies actively working together in ISO, ETSI, Bluetooth SIG, etc., they are often fierce competitors, but they all recognize the need to work together to define common, secure and reliable platforms around which they can build interoperable products.

If Cybersecurity is already top of mind for many organizations, is the alarm of lack of security in IoT justified?

In these last three years of evangelization of IoT, there has been no event or article that does not pose questions or comments on IoT security and privacy. The good news is that, according to the AT&T State of IoT Security survey 2015, 85% of global organizations are considering exploring or implementing an IoT strategy. However, the bad news is that only 10% are fully confident that their connected devices are secure.

And if we consider the report of Auth0, it scares me that only 10% of developers believe that most IoT devices on the market right now have the necessary security in place.

In a publication from EY titled Cybersecurity and the IoT, the company defined three Stages to classify the current status of organizations in the implementation of IoT Security.

Stage 1: Activate

Organizations need to have a solid foundation of cybersecurity. This comprises a comprehensive set of information security measures, which will provide basic (but not good) defence against cyber-attacks. At this stage, organizations establish their fundamentals i.e., they activate their cybersecurity.

Stage 2: Adapt

Organizations change whether for survival or for growth. Threats also change. Therefore, the foundation of information security measures must adapt to keep pace and match the changing business requirements and dynamics. Otherwise they will become less and less effective over time. At this stage, organizations work to keep their cybersecurity up-to-date; i.e., they adapt to changing requirements.

Stage 3: Anticipate

Organizations need to develop tactics to detect and detract potential cyber-attacks. They must know exactly what they need to protect their most valuable assets, and rehearse appropriate responses to likely attack/incident scenarios: this requires a mature cyber threat intelligence capability, a robust risk assessment methodology, an experienced incident response mechanism and an informed organization. At this stage, organizations are more confident about their ability to handle more predictable threats and unexpected attacks; i.e., they anticipate cyber-attacks.

What Enterprises Need To Do

If you are thinking only of the benefits of IoT, without considering security as a key component in your strategy, you will probably regret it very soon. Below are some recommendations, whether you are about to start your IoT journey or have already started:

  • Adopt a comprehensive framework and strategy for IoT end to end security;
  • Prioritize security as a key IoT technology element;
  • Conduct a full audit and assess likely risks within IoT initiatives;
  • Prioritize opportunities and risks deploying IoT;
  • Bake security into devices and processes early;
  • Embedded device testing, firmware, protocols, cloud, applications security assessment;
  • Mobilize the larger workforce around IoT security;
  • Bring partners up to rigorous security standards;
  • Evaluate 3rd party partners with expertise;
  • Rethink the role of IT and OT.


About Francisco Maroto

Francisco Maroto is CEO and founder at OIES Consulting, an IoT Consulting and Business Development company.
