Identifying security weaknesses
Following are some of the methods hackers use to gain control over IoT devices, along with the protection that libsecurity provides against each of them:
Default passwords
It is often easy for a hacker to guess the password of a device. In many cases the device's default password has never been changed, and manufacturers often ship defaults that are trivially simple, such as 1234. Even when the default is changed, the replacement is frequently just as easy to guess. The IBM libsecurity library provides a mechanism that forces the default password to be changed: the default password expires after a single login, so the first thing a user can do with it is set a new one. To make guessing harder, the library can also require strong passwords; for example, at least 8 characters including at least one lower-case letter, one upper-case letter, one digit and one special character. For additional protection, libsecurity by default salts passwords before hashing them. A per-password random salt defeats precomputed tables of hashed passwords (such as rainbow tables), because the same password produces a different stored hash for every user, so an attacker who steals the password database cannot look the hashes up and must attack each one separately.
Password guessing
To guess passwords, hackers use two main methods:
- Brute force attack: attempts to reveal the password by trying every possible combination of characters.
- Dictionary attack: a type of brute force attack that uses educated guesses, trying candidates from a precompiled list of likely passwords (factory defaults, common words, previously leaked passwords) rather than every possible string.
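To make the two points above concrete (a factory default that expires after its first login, a strength policy that also rejects dictionary words, and a per-user salt that makes a precomputed table of hashes useless), here is an added Python example. It is not libsecurity's code or API: the policy constants, the PBKDF2 parameters, the common-password list and the Account class are all assumptions made for illustration.

```python
import hashlib
import hmac
import os
import string
from typing import List, Optional, Tuple

# Policy parameters assumed for this example (not libsecurity's own defaults).
MIN_LENGTH = 8
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16

# Constructed sample of the "dictionary" an attacker tries first: factory defaults
# and common choices. Illustrative only; a real list would be far larger.
COMMON_PASSWORDS = {"1234", "12345", "123456", "password", "admin", "Password1!", "qwerty"}


def check_strength(password: str) -> List[str]:
    """Return the policy rules the password violates (empty list means acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    if password.lower() in {p.lower() for p in COMMON_PASSWORDS}:
        problems.append("appears in the common-password dictionary")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256. A fresh random salt per password means a precomputed
    table of hashes is useless: the same password hashes differently for every user."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


class Account:
    """Hypothetical account record: stores salt + hash, never the password itself."""

    def __init__(self, name: str, default_password: str):
        self.name = name
        self.salt, self.digest = hash_password(default_password)
        # Factory default: usable for exactly one login, and only to set a new password.
        self.must_change = True

    def login(self, password: str) -> str:
        _, candidate = hash_password(password, self.salt)
        if not hmac.compare_digest(candidate, self.digest):  # constant-time compare
            return "denied"
        if self.must_change:
            return "must-change-password"
        return "ok"

    def set_password(self, old: str, new: str) -> List[str]:
        """Replace the password; returns the list of policy violations (empty on success)."""
        if self.login(old) == "denied":
            return ["current password incorrect"]
        problems = check_strength(new)
        if problems:
            return problems
        self.salt, self.digest = hash_password(new)  # new salt with every change
        self.must_change = False
        return []


if __name__ == "__main__":
    device = Account("thermostat", "1234")
    print(device.login("1234"))                        # must-change-password
    print(device.set_password("1234", "weak"))         # policy violations
    print(device.set_password("1234", "Str0ng!Pass"))  # []
    print(device.login("1234"), device.login("Str0ng!Pass"))
```

Two details matter in practice: the comparison of hashes uses `hmac.compare_digest` so that a timing side channel does not leak how many bytes matched, and the dictionary check runs on the lower-cased password, since attackers' word lists try simple case variants of every entry.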
Lockout
A lockout policy that disables an account after a fixed number of failed logins can be turned against the system: an attacker who deliberately fails logins for a known account name locks the legitimate user out, which is a denial of service. Account lockout can either last for a pre-configured duration or until an administrator performs a manual unlock. Libsecurity instead provides the option of a constant or increasing delay between login attempts. This barely affects the legitimate user, but it slows a brute-force or dictionary attack to a crawl and removes the account-lockout attack, since the account is never actually disabled.
And that's not all …
Feeling vulnerable yet? It should be clear by now that if you're not taking steps to protect your systems, you're playing a dangerous game. In my next post, I'll go over a few more ways that hackers can wreak havoc with your systems, and how libsecurity can help protect you from attack.
Note: Dov Murik and Shmulik Regev, IBM security experts and libsecurity project developers who provided content for this post, are presenting at IBM Interconnect 2016! Check the conference site for more details.