- Weak passwords: The devices often do not have a keyboard, so configuration has to be done remotely. Unfortunately, not all vendors force the user to change the default password.
- Lack of mutual authentication between the client and the server.
- Lack of lock-out or delay measures to protect user accounts against brute-force attacks.
- Rare or even no firmware updates, let alone signed or encrypted ones.
- Cleartext password and sensitive data storage on the device without encryption or any other protection mechanism.
- Lack of authorization mechanisms: All users can see/update all the data on the device.
- The ability to monetize the results of the hack
- The intrinsically interesting nature of the hack itself
Current state of IoT security

Where are we with IoT device security? A few observations:
- A study by Hewlett Packard revealed that “70 percent of Internet of Things devices are vulnerable to attacks.”
- Veracode looked specifically at always-on consumer IoT devices and found that security and privacy are not a design priority for manufacturers of these products.
- The Open Web Application Security Project (OWASP) lists the following problem areas arising from poorly implemented security mechanisms in devices:
  - Insecure Web Interface: Vulnerabilities include account enumeration, weak default credentials, credentials exposed in network traffic, cross-site scripting (XSS), session management, and account lockout.
  - Insufficient Authentication/Authorization: Vulnerabilities include lack of password complexity, poorly protected credentials, lack of two-factor authentication, insecure password recovery, privilege escalation, and lack of role-based access control.
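Several of the weaknesses above (default passwords that are never changed, no lock-out or delay against brute force, cleartext credential storage, account enumeration through the login interface) come down to how a device stores and checks credentials. The following is an added example, not code from the original post, from the libsecurity project, or from any vendor's firmware: a small credential store that forces a factory default to be rotated, keeps only a salted scrypt digest, adds an exponential delay after each failed attempt and locks the account after a fixed number of failures, and spends the same hashing effort on unknown usernames so the login path does not reveal which accounts exist. All policy constants and the `CredentialStore` API are assumptions made for this illustration; the injectable clock exists only so the behaviour can be exercised without waiting.

```python
import hashlib
import hmac
import os
import time

# Policy constants: constructed for this example, not taken from any product.
MAX_FAILURES = 5            # failed attempts before the account is locked
LOCKOUT_SECONDS = 900       # how long the lock lasts once MAX_FAILURES is reached
BASE_DELAY_SECONDS = 1.0    # delay after the first failure; doubles on each further one
MIN_PASSWORD_LENGTH = 12
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted scrypt digest. Only this digest is stored, never the password."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)


class CredentialStore:
    """In-memory stand-in for a device's credential database (hypothetical)."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock          # injectable so tests do not have to sleep
        self._users = {}
        # A dummy record so an unknown username costs the same CPU time as a
        # real one; otherwise response time would reveal which accounts exist.
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = _hash_password(os.urandom(16).hex(), self._dummy_salt)

    def add_user(self, username: str, password: str, must_change: bool = False) -> None:
        salt = os.urandom(16)
        self._users[username] = {
            "salt": salt,
            "hash": _hash_password(password, salt),
            "must_change": must_change,   # True for a factory default credential
            "failures": 0,
            "not_before": 0.0,            # earliest time the next attempt is accepted
        }

    def authenticate(self, username: str, password: str) -> str:
        """Return one of: ok, must_change_password, bad_credentials, too_soon, locked."""
        now = self.clock()
        user = self._users.get(username)
        if user is None:
            _hash_password(password, self._dummy_salt)  # same cost as a real lookup
            return "bad_credentials"                    # same answer as a wrong password
        if now < user["not_before"]:
            return "locked" if user["failures"] >= MAX_FAILURES else "too_soon"
        candidate = _hash_password(password, user["salt"])
        if not hmac.compare_digest(candidate, user["hash"]):
            user["failures"] += 1
            if user["failures"] >= MAX_FAILURES:
                user["not_before"] = now + LOCKOUT_SECONDS
                return "locked"
            # Exponential back-off: 1s, 2s, 4s, ... before the next attempt is accepted.
            user["not_before"] = now + BASE_DELAY_SECONDS * 2 ** (user["failures"] - 1)
            return "bad_credentials"
        user["failures"] = 0
        user["not_before"] = 0.0
        return "must_change_password" if user["must_change"] else "ok"

    def change_password(self, username: str, old_password: str, new_password: str) -> bool:
        """Rotate the credential; this is the only way out of the must_change state."""
        if self.authenticate(username, old_password) not in ("ok", "must_change_password"):
            return False
        if len(new_password) < MIN_PASSWORD_LENGTH or new_password == old_password:
            return False
        user = self._users[username]
        user["salt"] = os.urandom(16)
        user["hash"] = _hash_password(new_password, user["salt"])
        user["must_change"] = False
        return True


if __name__ == "__main__":
    store = CredentialStore()
    store.add_user("admin", "admin", must_change=True)   # constructed factory default
    print(store.authenticate("admin", "admin"))          # must_change_password
    print(store.change_password("admin", "admin", "a-long-unique-passphrase"))
    print(store.authenticate("admin", "a-long-unique-passphrase"))   # ok
```

The device's management interface would refuse every other operation while `authenticate` returns `must_change_password`, which is what "forcing the user to change the default password" means in practice. Storing only the scrypt digest addresses the cleartext-storage item; the back-off and lock address the missing lock-out measures; returning the same status, after the same amount of work, for an unknown user and a wrong password addresses account enumeration.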
What do we need to do?

We need to take action now. Companies that design IoT devices hire employees with expertise in usability and design, but rarely include a security expert. This is especially true for startups, which often have limited cash to hire a full roster of talent. There are two important steps that need to happen immediately to change this state of affairs:
- Raise the level of awareness. Companies and decision-makers need to understand the critical role of security in the design of the new IoT devices. The issue of security should be part of any press article, discussion, or plan for IoT-based devices.
- Establish accessible security. Non-experts need accessible and easy-to-use means for handling security issues. These means would allow them to make security and privacy “a priority from the onset of product development and be addressed holistically,” as the IoT Draft Trust Framework stresses.
Note: Dov Murik and Shmulik Regev, IBM security experts and libsecurity project developers who provided content for this post, are presenting at IBM InterConnect 2016! Check the conference site for more details.