In my previous post, I talked about the growing wave of security threats facing any individual or organization who is engaged and active on the Internet of Things. In other words, just about everybody needs to worry about security. That post should have gotten your alarm bells ringing about the need for a better security solution in IoT devices. In this post and a follow-up, I want to describe a solution: IBM’s libsecurity, an accessible and easy-to-use library intended for non-experts, which can be used to incorporate security into your IoT design. As I described, hackers try to gain control of IoT devices to use them for malicious purposes, such as sending misleading data or penetrating a user’s network and, from there, gaining access to the cloud.

Identifying security weaknesses

Following are some of the methods that hackers use to gain control over IoT devices, along with the protection capability that libsecurity provides against each:

Default passwords

It’s often easy for a hacker to guess the password of a device. In many cases, the device’s default password hasn’t been changed. Manufacturers often use default passwords that are simple, such as 1234. And even when the default password is changed, it’s often to another password that is easy to guess. The IBM libsecurity library provides a mechanism to force changing of the default password. The idea is that the default password expires after a single login. To make it more difficult for hackers, the library provides a method to force the user to set strong passwords; for example, use at least 8 characters with at least 1 lower case letter, 1 capital letter, 1 digit and 1 special character. For additional security, by default libsecurity adds salt to the password (salt is a random value mixed into each password before hashing, which makes a precomputed dictionary of hashed passwords useless, since every stored hash would have to be attacked separately).

Password guessing

To guess passwords, hackers use two main methods:
  • Brute force attack: attempts to reveal the password by trying every possible combination.
  • Dictionary attack: a type of brute force attack that uses an educated guess, which is based on a precompiled list of more likely options rather than any possible option.
It is important to note that even good passwords can be recovered by brute force if they are stored with a weak hash function (for example, MD5). Libsecurity forces users to use strong passwords, strengthens them further with salt (to defeat dictionary attacks) and stores them with strong hash functions (for example, SHA256). Another method used to mitigate password guessing and brute force attacks is to lock out accounts after a defined number of incorrect password attempts, or to add a constant or increasing delay between unsuccessful attempts. For a human user, a one-second delay between two unsuccessful attempts is a minor inconvenience, but for a brute force or dictionary attack, which depends on making thousands of attempts per second, it is catastrophic. Libsecurity provides the flexibility to choose the type of lockout: temporal lockout, manual release of lockout, or increasing delays (known as throttling).

Lockout

Hackers can also turn lockout itself into a weapon: by deliberately submitting wrong passwords for a legitimate account, they lock the real user out (a denial of service). Account lockout can either last for a pre-configured duration of time or until an administrator performs a manual unlock, and in both cases the real user is the one who suffers. Libsecurity provides the option to use a constant or increasing delay instead, which does not significantly harm the user experience but removes the account lockout attack.
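To make the three defenses described above concrete, here is a small Python sketch added for this post; it is not libsecurity's own code or API. It assumes PBKDF2 with SHA256 as the salted hashing scheme (a stronger variant of the salted SHA256 the library is described as using), a default password that expires after one successful login, and an exponentially increasing delay between failed attempts instead of a hard lockout; enforcing the delay (sleeping, or rejecting early attempts) is left to the caller.

```python
import hashlib
import hmac
import os
import re

# The strength policy from the post: 8+ chars, lower, upper, digit, special.
PASSWORD_RULES = [re.compile(p) for p in
                  (r".{8,}", r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")]


def is_strong(password):
    return all(rule.search(password) for rule in PASSWORD_RULES)


def hash_password(password, salt=None):
    """Salted PBKDF2-SHA256 (assumed scheme). Returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)   # per-password random salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


class Account:
    def __init__(self, default_password):
        self.salt, self.digest = hash_password(default_password)
        self.must_change = True   # default password is valid for one login only
        self.failures = 0         # consecutive failed attempts

    def delay_before_next_attempt(self):
        """Throttling: 0, 1, 2, 4, 8 ... seconds, capped at 60; no lockout."""
        if self.failures == 0:
            return 0.0
        return float(min(2 ** (self.failures - 1), 60))

    def login(self, password):
        _, digest = hash_password(password, self.salt)
        if not hmac.compare_digest(digest, self.digest):   # constant-time compare
            self.failures += 1
            return "denied"
        self.failures = 0
        return "change_password_required" if self.must_change else "ok"

    def change_password(self, new_password):
        """Rejects weak passwords; on success the default password is retired."""
        if not is_strong(new_password):
            return False
        self.salt, self.digest = hash_password(new_password)  # fresh salt
        self.must_change = False
        return True
```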

And that’s not all …

Feeling vulnerable yet? It should be clear by now that if you’re not taking steps to protect your systems, you’re playing a dangerous game. In my next post, I’ll go over a few more ways that hackers can wreak havoc with your systems, and how libsecurity can help protect you from attack.
Note: Dov Murik and Shmulik Regev, IBM security experts and libsecurity project developers who provided content for this post, are presenting at IBM Interconnect 2016! Check the conference site for more details.
