IoT technology is growing at a dangerously fast pace. Digitally connected devices are touching every aspect of our lives, including our homes, offices or cars. But, as with every good thing, there is a downside of IoT also.
With the increase in the number of digitally connected devices, more and more data is being collected. And, that in turn is increasing the attack vectors. Attackers are exploiting vulnerabilities in IoT devices to steal our sensitive data and invade our privacy.
But, can we prevent that? Can we ensure the security of the sensitive data collected from us by the IoT devices?
Let’s understand in more detail what the security concerns of IoT devices are and how best we can address them.
Security Concerns of IoT Devices
Cybercriminals can attack IoT devices in a number of ways. They can exploit vulnerabilities in insecure web interfaces and cloud interfaces, exploit a lack of encryption, or take advantage of weak authentication mechanisms to enumerate user accounts, steal sensitive data or launch DoS attacks.
Let’s understand each of them in more detail.
Insecure Authentication
If the authentication mechanism is not secure enough, attackers can exploit that to gain unauthorized access to user accounts and steal sensitive data. There are a number of ways that can happen. For example,
- If default usernames and passwords are not changed properly, attackers can take advantage of that to gain unauthorized access to user accounts.
- Attackers can take advantage of weak passwords to gain unauthorized access to the devices.
- If the collected user credentials are not encrypted properly, attackers can take advantage of that and capture them for malicious purposes.
- Attackers can enumerate user accounts to access the IoT devices.
No doubt, this can lead to data loss or data corruption. It can even result in denial of access or complete device takeover.
Prevention
We can take a couple of steps to prevent these types of attacks:
- Make sure to change default credentials at the time of initial setup of the devices.
- Passwords need to be kept sufficiently strong. Users should not be allowed to set weak passwords.
- Credentials, whenever they are collected from users, should be encrypted using a sufficiently strong encryption algorithm. Plaintext credentials should never be transmitted across the network.
- Account lockout should be implemented, so that a user account gets locked immediately after a certain number of failed login attempts.
- We need to make sure password recovery mechanisms are made secure.
- We need to make sure that, when a device is plugged into the network, it authenticates itself before it starts sending or receiving data.
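The account lockout and account enumeration points above, as an added example that is not part of the original article: a login check that locks an account after repeated failures and gives the same answer for unknown usernames as for wrong passwords. The class name, the threshold of 5 attempts, the 15-minute window and the PBKDF2 iteration count are assumptions chosen for illustration.

```python
import hashlib, hmac, os, time

MAX_FAILURES = 5        # assumed threshold; the article does not give a number
LOCKOUT_SECONDS = 900   # assumed lockout window

def hash_password(password, salt):
    # Salted PBKDF2 so stored credentials are never kept in plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class LoginGuard:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.users = {}     # username -> (salt, password hash)
        self.failures = {}  # username -> (failed attempts, locked_until)
        # Dummy record: unknown usernames cost the same work as real ones.
        self.dummy = (os.urandom(16), os.urandom(32))

    def register(self, username, password):
        salt = os.urandom(16)
        self.users[username] = (salt, hash_password(password, salt))

    def login(self, username, password):
        now = self.clock()
        count, locked_until = self.failures.get(username, (0, 0.0))
        if now < locked_until:
            return "denied"  # locked: the password is not evaluated at all
        salt, stored = self.users.get(username, self.dummy)
        candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, stored) and username in self.users:
            self.failures.pop(username, None)
            return "ok"
        # Same counter and same answer for real and unknown usernames, so the
        # response does not reveal which accounts exist.
        count += 1
        locked_until = now + LOCKOUT_SECONDS if count >= MAX_FAILURES else 0.0
        self.failures[username] = (count, locked_until)
        return "denied"
```

On a constrained device the failure table should be bounded in size, since this version keeps one entry per username ever tried.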
Vulnerable Web Interfaces, Mobile Interfaces and Cloud Interfaces
Attackers can exploit insecure web interfaces, mobile interfaces and cloud interfaces to steal sensitive data in a number of ways:
- Attackers can exploit security vulnerabilities in the mobile, web or cloud interfaces to perpetrate SQL Injection, Cross Site Scripting or CSRF attacks and steal sensitive user data.
- If the web interface does not properly implement HTTPS, attackers can exploit that to steal sensitive data transmitted unencrypted.
- Attackers can exploit vulnerabilities in the mobile app, cloud interfaces or web interfaces to enumerate user accounts and gain unauthorized access to the devices.
- Attackers can use the insecure mobile, web or cloud interfaces to gain unauthorized access to user accounts by exploiting weak passwords or default credentials.
Prevention
A couple of steps can be taken to prevent this:
- Web, cloud and mobile interfaces should be properly tested so that they do not contain any SQL Injection, XSS or CSRF vulnerabilities.
- Web interfaces should implement HTTPS wherever possible.
- Web Application Firewalls should be used to protect the web interfaces.
- Web, cloud and mobile interfaces should make sure weak passwords are not allowed and default credentials are changed during the initial setup.
- Web, cloud and mobile interfaces should also implement an account lockout mechanism so that it is much more difficult for attackers to enumerate user accounts.
- 2 Factor Authentication should be implemented wherever possible.
- Web, mobile or cloud interfaces should use proper transport encryption for transmitted data.
- It is always better to implement firewalls and IPS.
Vulnerable Network Services
Attackers can exploit vulnerable network services in the following ways:
- Attackers can exploit security vulnerabilities in the network services to perpetrate attacks like buffer overflow or DoS attacks.
- Attackers can take advantage of open ports to collect information on the devices, so that they can plan for more attacks.
- Attackers can even exploit open ports via UPnP or exploit UDP services.
Prevention
We can prevent these types of attacks in a number of ways:
- We need to ensure only the necessary ports are open and exposed outside.
- We need to make sure network ports or services are not exposed to the internet via UPnP.
- A number of automated tools can be used to make sure the vulnerabilities in the network services are detected and mitigated.
Lack of Transport Encryption
If the data in transit is not encrypted properly, attackers can take advantage of that to steal sensitive data.
- Usually, local network traffic does not get exposed outside the network. But, if the wireless network is not configured properly, it can make the traffic visible to anyone within the range of the wireless network. And, that can lead to complete compromise of the devices or user accounts.
- If proper encryption protocols like SSL/TLS are not used, attackers can easily capture the data in transit and exploit that for malicious purposes.
Prevention
- We need to make sure communications between the devices and the internet are encrypted using proper encryption protocols like SSL/TLS.
- It is always better to use accepted encryption standards and avoid proprietary encryption protocols.
- It is always better to use firewalls with the devices.
Privacy Concerns
Due to a lack of proper protection of data, attackers can capture sensitive and personal data collected by the devices, which no doubt raises privacy concerns. To prevent this, we can take a couple of steps:
- We need to identify all the data types that are being collected by the devices, mobile app, web interfaces or cloud interfaces. We need to make sure to only collect data that is necessary.
- Collected data should be properly protected using encryption while at rest or in transit.
- Only authorized individuals should have access to personal data.
- We need to make sure a proper data retention policy is in place and individuals are given a choice about the collection of data beyond what is necessary for the operation of the devices.
Insufficient Security Configurability
This vulnerability exists if the devices have limited or no ability to alter security controls, or if the web interfaces have no options for creating granular user permissions and cannot enforce the use of strong passwords. Attackers can take advantage of this to exploit the vulnerabilities in the devices to steal sensitive data or launch more attacks.
Prevention
We can take a couple of steps to address this.
- We need to make sure normal users are separated from administrative users and the principle of least privilege is enforced. Password security options should be made available.
- Encryption options should be made available to encrypt sensitive data collected by the devices.
- We should enable logging of security events.
- Users should be notified about security events.
Insecure Software/Firmware
IoT devices should have the ability to be updated when vulnerabilities are discovered. But, if the update files are not protected, they can be captured by attackers and exploited for malicious purposes. Attackers can capture unencrypted update files or can perform their own malicious updates via DNS Hijacking.
These types of attacks can happen for a number of reasons, like:
- update files are not encrypted
- updates are not verified before they are applied
- firmware contains sensitive information like hardcoded credentials
- there is no proper update functionality
Prevention
We can prevent this in a number of ways:
- All the devices should have the ability to be updated.
- Update files should be encrypted.
- Update files should not contain any sensitive data.
- We need to make sure updates are signed and verified before they are applied.
- We should ensure the update server is secure.
- We need to make sure that, when power is first introduced to the devices, the authenticity and integrity of the software on the devices are verified using cryptographically generated digital signatures.
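The "verified before they are applied" step above, as an added example that is not part of the original article: the device authenticates a small manifest first and only then checks the image against it. To run with the Python standard library alone, it uses HMAC-SHA256 with a shared key as a stand-in for the digital signature the article calls for; a real device would hold only the vendor's public key and verify an asymmetric signature instead. The function names and manifest fields are assumptions.

```python
import hashlib, hmac, json

def sign_manifest(key, image, version):
    """Vendor side: bind version, size and SHA-256 of the image under one tag."""
    manifest = json.dumps(
        {"version": version, "size": len(image),
         "sha256": hashlib.sha256(image).hexdigest()},
        sort_keys=True).encode()
    # Stand-in for a digital signature over the manifest (assumption).
    tag = hmac.new(key, manifest, hashlib.sha256).digest()
    return manifest, tag

def verify_update(key, manifest, tag, image):
    """Device side: return (accepted, reason); flash only when accepted."""
    expected = hmac.new(key, manifest, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return False, "bad manifest tag"
    # The manifest is parsed only after it has been authenticated, so an
    # attacker-controlled download never reaches the JSON parser unverified.
    meta = json.loads(manifest)
    if len(image) != meta["size"]:
        return False, "size mismatch"
    digest = hashlib.sha256(image).hexdigest()
    if not hmac.compare_digest(digest, meta["sha256"]):
        return False, "image digest mismatch"
    return True, "ok"

if __name__ == "__main__":
    key = b"constructed-demo-key"                      # constructed sample key
    image = b"\x7fFIRMWARE" + bytes(range(64))         # constructed sample image
    manifest, tag = sign_manifest(key, image, "1.2.0")
    print(verify_update(key, manifest, tag, image))
    print(verify_update(key, manifest, tag, image[:-1] + b"\xff"))
```

Because the check covers the image digest and not the download channel, an update redirected through DNS hijacking is rejected unless the attacker also holds the signing key.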
Poor Physical Security
Attackers can also exploit physical access to the system to perpetrate attacks. They can use USB ports, SD cards or other storage means to access the Operating Systems and data stored in the devices and exploit that for malicious purposes.
Prevention
We can make sure of the following:
- We need to make sure the data storage medium cannot be easily removed.
- Only the external ports and USB ports that are necessary should be used.
No doubt, with sufficient efforts we can address these security concerns and make our devices more secure. So, be aware of various security concerns and prevention mechanisms, so that devices and collected data are protected in a better way. And, stay safe, stay secured.