The Internet of Things (IoT) expansion, the Big Bang of interconnectivity, continues at breathtaking pace. Tens of billions of sensing and actuating devices are now connected to each other over the internet, and we’re just getting started. IoT includes practically everything we know and use, from wearable fitness bands and smart home appliances to factory control devices, medical devices, and even cars. Gartner research predicts that there will be more than 4 billion connected IoT devices in consumer smart home environments by the end of 2015 and 25 billion by 2020. MIT researchers forecast a slightly more moderate increase, but the direction is clear.

Consumers have bought into connected devices, but recent studies of these IoT devices seem to agree that security is not a primary concern, leaving those same consumers and their data potentially exposed. This is the gap that we’re looking to fill with libsecurity, a security package that offers IoT application authors a complete, lightweight implementation of various security-related modules, including secure storage, user and password management, and permissions.

So what are the main security issues? Anyone who’s been paying attention will recognize the following IoT vulnerabilities:
  • Weak passwords: The devices often do not have a keyboard, so configuration has to be done remotely. Unfortunately, not all vendors force the user to change the default password.
  • Lack of mutual authentication between the client and the server.
  • Lack of lock-out or delay measures to protect user accounts against brute-force attacks.
  • Rare or even no firmware updates, let alone signed or encrypted ones.
  • Cleartext password and sensitive data storage on the device without encryption or any other protection mechanism.
  • Lack of authorization mechanisms: All users can see/update all the data on the device.
Users must be able to trust that they are contacting authentic devices. Devices can store or generate sensitive information, which should be protected from unauthorized third parties who can maliciously or criminally misuse the data. Without data integrity mechanisms, there’s no way to ensure that the data has not been tampered with or corrupted, and connected devices can also provide an entry point for attackers to target home networks. There’s been a lot of discussion regarding the hacking of devices and systems to obtain information and data. But just as critical are cyber-attacks against the device itself, attacks that take control of the device and cause it to operate in dangerous and insecure ways. Fortunately, most potential IoT attacks are still at the proof-of-concept stage — they have yet to generate any profit for attackers. But this doesn’t mean that attackers won’t target IoT devices in the future. In fact, you can pretty much bank on it. The hacking community’s time and attention are driven by two primary motivators:
  1. The ability to monetize the results of the hack
  2. The intrinsically interesting nature of the hack itself
As IoT applications with economic utility are deployed — for example, smart grid or Near Field Communications (NFC) payments — they will inevitably attract interest from financially motivated attackers. Hacking IoT is also a great way to generate headlines, and a lot of hackers crave headlines. Attacks are only going to increase, a fact of life that IoT developers have to accept.

Current state of IoT security

Where are we with IoT device security? A few observations:
  • A study by Hewlett Packard revealed that “70 percent of Internet of Things devices are vulnerable to attacks.”
  • Veracode looked specifically at always-on consumer IoT devices and found that security and privacy are not a design priority for manufacturers of these products.
  • The Open Web Application Security Project (OWASP) identified the following problem areas in the security mechanisms implemented in devices:
    • Insecure Web Interface: Vulnerabilities include account enumeration, weak default credentials, credentials exposed in network traffic, cross-site scripting (XSS), session management, and account lockout.
    • Insufficient Authentication/Authorization: Vulnerabilities include lack of password complexity, poorly protected credentials, lack of two-factor authentication, insecure password recovery, privilege escalation, and lack of role-based access control.
No one should assume that their IoT devices are too small to be noticed; that is the “security by obscurity” mindset. As the Internet of Things continues to gain traction and more connected devices come to market, security becomes everybody’s concern. Developers have no choice: they must incorporate security thinking into their designs using tools like libsecurity.

What do we need to do?

We need to take action — now. Companies that design IoT devices hire employees with expertise in usability and design, but rarely include a security expert. This is especially true of startups, which often have limited cash to hire a full roster of talent. There are two important steps that need to happen immediately to change this state of affairs:
  1. Raise the level of awareness. Companies and decision-makers need to understand the critical role of security in the design of the new IoT devices. The issue of security should be part of any press article, discussion, or plan for IoT-based devices.
  2. Establish accessible security. Non-experts need accessible and easy-to-use means for handling security issues. These means would allow them to make security and privacy “a priority from the onset of product development and be addressed holistically,” as the IoT Draft Trust Framework stresses.
The current situation leaves too many businesses and organizations vulnerable to attack. Fortunately, there’s a tool available to combat multiple threats facing today’s connected world. In my next post, I’ll discuss how vulnerabilities can be addressed using libsecurity.
Note: Dov Murik and Shmulik Regev, IBM security experts and libsecurity project developers who provided content for this post, are presenting at IBM InterConnect 2016! Check the conference site for more details.