By Rushabh Vyas
More and more devices connected to the Internet of Things are being used across the world every day. Why? They are more available than they were before, and the hardware and software needed to put a device on a network are inexpensive. People also want convenience: who wouldn't want to be able to feed or watch their pets from work, or even watch their child's soccer game?
As with anything, the convenience offered by IoT devices can come at a cost in security. Often, the engineers and developers building IoT devices are not trained in security or secure coding. Additionally, many manufacturers have no mechanism in place to deploy software updates or patches. Once they have realized the revenue from the sale of a device, there is little incentive for them to keep monitoring and fixing security issues found in it. Given the limited technical expertise of most end users, keeping IoT devices updated and placing them correctly on the network are major concerns.
End users typically just want to plug a device in and go, without understanding the implications of how and where they install it. Although some of these devices do auto-update, most do not. The longer a device is left unpatched, the more publicly known vulnerabilities it accumulates, and the more of them attackers have working exploits for. Placing an unsecured IoT device on the same subnet as the home PC and mobile devices lets an attacker who compromises it pivot easily to those more valuable assets.
Another reason attackers target IoT devices is scale: a vulnerability found in one device very likely applies to every other unit running the same firmware, and often to other products from the same manufacturer. Many IoT devices are essentially small Linux computers, so once compromised they can be used like any other host, for example to launch DoS attacks against other targets.
Some of the common problems I’ve seen with IoT devices are:
- Hardcoded passwords
- Code injection
- Insecure APIs
- Web application vulnerabilities (see OWASP)
- Lack of encryption in communication
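To make two items on that list concrete, here is an added example (not code from the original post) showing a hardcoded password and a command-injection bug in a hypothetical device web UI, each beside a hardened version. The scenario, function names and the "ping this host" diagnostic are assumptions for illustration; the pattern itself is common in embedded web interfaces that shell out to system utilities.

```python
"""Added example, not code from the original post: two weaknesses from the
list above (hardcoded passwords and code injection), each shown in a
vulnerable form next to a hardened one. The scenario is hypothetical: a
device's web UI exposes a "ping this host" diagnostic and a login form."""
import hashlib
import hmac
import ipaddress
import os
import re

# ---- 1. Code injection through a diagnostics feature -----------------------

def ping_command_unsafe(host: str) -> str:
    # VULNERABLE: user input is pasted into a string that is later handed to a
    # shell (os.system / popen). A host of "8.8.8.8; cat /etc/passwd" makes the
    # shell run a second command with the web server's privileges (often root).
    return "ping -c 1 " + host

# One DNS label: alphanumerics and hyphens, no leading or trailing hyphen.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}\.?$")

def ping_argv_safe(host: str) -> list[str]:
    """Hardened: accept only an IP literal or a plain hostname, and return an
    argv list for subprocess.run(argv) (never shell=True), so shell
    metacharacters are never interpreted. Because a valid value cannot start
    with '-', it also cannot be mistaken for a ping option."""
    if len(host) > 253 or "%" in host:  # also rejects IPv6 zone IDs
        raise ValueError("invalid host")
    try:
        ipaddress.ip_address(host)
    except ValueError:
        if not _HOSTNAME_RE.fullmatch(host):
            raise ValueError("invalid host") from None
    return ["ping", "-c", "1", host]

# ---- 2. Hardcoded password --------------------------------------------------

HARDCODED_PASSWORD = "admin"  # VULNERABLE: baked into the firmware image

def login_unsafe(password: str) -> bool:
    # Anyone who downloads or dumps the firmware learns the password for every
    # unit ever sold, and the device offers no way to change it.
    return password == HARDCODED_PASSWORD

def _derive(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    # Slow, salted hash so a dumped config file cannot be brute-forced cheaply.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

def provision_credential(password: str) -> dict:
    """Hardened: a credential set per device (chosen at first boot, or randomly
    generated and printed on the unit's label). Only a random salt and the
    derived hash are stored, so neither the firmware nor the config reveals it."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": _derive(password, salt)}

def login_safe(record: dict, password: str) -> bool:
    # Constant-time compare so the check does not leak how many bytes matched.
    return hmac.compare_digest(_derive(password, record["salt"]), record["hash"])

if __name__ == "__main__":
    evil = "8.8.8.8; cat /etc/passwd"           # constructed attacker input
    print("unsafe shell string:", ping_command_unsafe(evil))
    try:
        ping_argv_safe(evil)
    except ValueError as e:
        print("safe version rejected it:", e)
    rec = provision_credential("per-device secret")
    print("login_safe with right password:", login_safe(rec, "per-device secret"))
    print("login_safe with 'admin':", login_safe(rec, "admin"))
```

The hardened ping handler applies two independent controls: it validates the input against a strict allow-list, and it avoids the shell entirely by passing an argv list. Either alone would have stopped the `;` payload, but together they also cover cases the allow-list author did not think of. The credential fix likewise removes the shared secret from the firmware rather than merely hiding it better.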
There are guidelines for securing IoT devices. For example, the OWASP IoT Project aims to “enable users in any context to make better security decisions when building, deploying, or assessing IoT technologies.” If you are designing a web application, OWASP also publishes guidance for that on its website. For engineers and developers, learning secure coding also helps. Keep the attacker's point of view in mind as well: think about the ways someone could abuse the device's functionality, and work to close those doors.
Rushabh Vyas is a Security Analyst at Rook Security, a global IT security solutions provider.