In my last post, I discussed the shared responsibility model of cloud computing, and why organizations must take steps to protect the applications and data that they move to public cloud platforms. Cloud providers are only responsible for securing their infrastructure — not what’s stored there.
The Internet of Things (IoT) poses a similar sort of conundrum. Organizations are deploying IoT devices with the presumption that those devices are secure. However, many IoT devices weren’t really designed to be connected to the open Internet and have only the most rudimentary security controls.
The OWASP Internet of Things Project has listed 10 of the most significant vulnerabilities found in IoT devices:
- Insecure web interfaces, insecure cloud interfaces and insecure mobile interfaces do not lock out accounts after a set number of failed login attempts, and may reveal account information (for example, whether a username exists) when the wrong credentials are entered. They may also be vulnerable to cross-site scripting and SQL injection attacks.
- Insufficient authentication/authorization mechanisms may not require strong passwords, and may transmit credentials in clear text when password resets are requested.
- Insecure network services expose unnecessary ports to the Internet and leave them open. This makes the devices susceptible to buffer overflow and denial of service (DoS) attacks.
- Lack of transport encryption allows IoT data to be viewed in clear text as it travels across the Internet.
- Privacy concerns are also related to unavailable or misconfigured encryption. Sensitive data is often collected and transmitted by IoT devices and may be exposed if not encrypted. IoT devices generally lack mechanisms for anonymizing data or giving users control over what data is collected.
- Insufficient security configurability limits the user’s ability to alter the device’s security controls such as setting password policies, logging security events and setting up event notifications.
- Insecure software/firmware results when there is no mechanism for installing updates when vulnerabilities are discovered. Software/firmware may also be insecure if user credentials are hardcoded.
- Poor physical security allows an attacker to disassemble the device or to access external ports or removable storage media.
Researchers with HP tested some of the most commonly used IoT devices against the OWASP vulnerability list. Seventy percent contained vulnerabilities, with an average of 25 vulnerabilities per device.
Most of these vulnerabilities must be addressed by device manufacturers — there’s little end-users can do to remediate them. IDC expects that, by 2019, more than 75 percent of IoT device manufacturers will improve their security and privacy capabilities. In the meantime, organizations must assume IoT devices are insecure and take what steps they can to reduce the risk.
The key is to follow basic security best practices. Select devices that have the strongest security controls. Change the default username and password on the device. Use strong passwords. Implement robust encryption for data at rest in storage and in flight across the network.
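As an added example (it is not code from the original post, from OWASP, or from Pivot Technology Solutions), the module below shows what the authentication items in the OWASP list and the best practices just described look like when a device's web interface implements them: refusing factory-default credentials, enforcing a password policy, hashing stored passwords with a per-user salt, locking an account after repeated failures, returning the same generic message for every failure so that unknown and locked accounts cannot be told apart, and recording each security event for later review. The policy values (five attempts, a 15-minute lockout, 12-character minimum) and the list of default credentials are assumptions chosen for the example, not figures from the post.

```python
"""Hardened login handling for an IoT device web interface (added example)."""
import hashlib
import hmac
import os
import re
import time
from dataclasses import dataclass

# Policy knobs: assumed values for this example, not taken from the post.
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60
MIN_PASSWORD_LENGTH = 12
PBKDF2_ITERATIONS = 100_000

# Constructed list of factory defaults that the device must never accept.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"), ("admin", "password"), ("root", "root"), ("admin", "1234"),
}

# One message for every failure, so the response never reveals whether the
# account exists or is locked (the "insecure web interface" item above).
GENERIC_FAILURE = "invalid credentials"


def password_policy_errors(username: str, password: str) -> list:
    """Return a list of policy violations; an empty list means the password is acceptable."""
    errors = []
    if len(password) < MIN_PASSWORD_LENGTH:
        errors.append(f"password must be at least {MIN_PASSWORD_LENGTH} characters")
    if not (re.search(r"[A-Z]", password) and re.search(r"[a-z]", password)
            and re.search(r"\d", password)):
        errors.append("password must mix upper case, lower case and digits")
    if username.lower() in password.lower():
        errors.append("password must not contain the username")
    if (username, password) in DEFAULT_CREDENTIALS:
        errors.append("factory default credentials are not allowed")
    return errors


def hash_password(password: str, salt: bytes = None) -> tuple:
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt; returns (salt, digest)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    failed_attempts: int = 0
    locked_until: float = 0.0


class Authenticator:
    """In-memory account store with lockout and security-event logging."""

    def __init__(self, clock=time.time):
        self._accounts = {}
        self._clock = clock          # injectable so lockout expiry can be tested
        self.events = []             # (timestamp, event, username): the device's security log

    def _log(self, event: str, username: str) -> None:
        self.events.append((self._clock(), event, username))

    def create_account(self, username: str, password: str) -> None:
        errors = password_policy_errors(username, password)
        if errors:
            raise ValueError("; ".join(errors))
        salt, digest = hash_password(password)
        self._accounts[username] = Account(username, salt, digest)
        self._log("account_created", username)

    def login(self, username: str, password: str) -> tuple:
        """Return (success, message); the message is identical for every kind of failure."""
        now = self._clock()
        account = self._accounts.get(username)
        if account is None:
            # Spend the same hashing cost so timing does not reveal unknown usernames.
            hash_password(password, b"\x00" * 16)
            self._log("login_unknown_user", username)
            return False, GENERIC_FAILURE
        if account.locked_until > now:
            self._log("login_while_locked", username)
            return False, GENERIC_FAILURE
        _, candidate = hash_password(password, account.salt)
        if hmac.compare_digest(candidate, account.digest):   # constant-time compare
            account.failed_attempts = 0
            self._log("login_success", username)
            return True, "ok"
        account.failed_attempts += 1
        self._log("login_failure", username)
        if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
            account.locked_until = now + LOCKOUT_SECONDS
            account.failed_attempts = 0
            self._log("account_locked", username)
        return False, GENERIC_FAILURE


if __name__ == "__main__":
    auth = Authenticator()
    try:
        auth.create_account("admin", "admin")        # rejected: factory default
    except ValueError as exc:
        print("rejected:", exc)
    auth.create_account("operator", "Correct-Horse-Battery-9")
    for _ in range(MAX_FAILED_ATTEMPTS):
        print(auth.login("operator", "guess"))
    print(auth.login("operator", "Correct-Horse-Battery-9"))  # locked out now
    for event in auth.events:
        print(event)
```

The `events` list stands in for the security log that the OWASP "insufficient security configurability" item says many devices lack; on a real device it would be written to persistent storage or forwarded to a collector so that repeated `login_failure` and `account_locked` entries can be alerted on.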
It’s critical that security controls be implemented in the early stages of an IoT initiative. Given the sheer size, complexity and rapid growth of the IoT, remediating vulnerabilities reactively or retroactively is simply not feasible.
Many organizations are racing to tap the operational benefits of the IoT, and to gain business insight from the vast amounts of data collected by IoT devices. However, security is critical to the success of any IoT initiative. Until IoT device security becomes more robust, organizations must ensure that the IoT does not leave them vulnerable to attack.
By John Flores, Vice President of Marketing, Pivot Technology Solutions