
All's not well with IoT

Symantec has recently analyzed 50 smart home devices that are available today and took a look at how they measure up when it comes to security

Sanghamitra Kar

BANGALORE, INDIA: Symantec recently analyzed 50 smart home devices that are available today and looked at how they measure up when it comes to security.


Smart home devices may use a back-end cloud service to monitor usage or allow users to remotely control these systems. Users can access this data or control their device through a mobile application or web portal.

The research found that many of the IoT devices and services had several basic security issues. None of the devices used mutual authentication or enforced strong passwords. Even worse, some hindered the user from setting up a strong password on the cloud interface by restricting the authentication to a simple four-number PIN code. Combine this with no support for two-factor authentication (2FA) and no password brute-force attack mitigation, and you have an easy target for attackers.

Web vulnerabilities


In addition to weak authentication, many smart home web interfaces suffer from well-known web application vulnerabilities. A quick test with 15 IoT cloud interfaces revealed some severe vulnerabilities, and this check only scratched the surface.

Local attacks

Attackers who have gained access to the home network, for example by breaking into a Wi-Fi network with weak encryption, have further attack vectors at their disposal. The use of unsigned firmware updates is also a common trait among IoT devices. This security faux pas allows an attacker who is able to sniff the home network for IoT device passwords to use the stolen credentials to execute other commands and even take over the device completely by updating it with malicious firmware.
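The device-side check whose absence is described above, as an added example that is not from Symantec's research or any vendor's code: an update is accepted only if it carries a valid Ed25519 signature from the vendor key and, going one step beyond the text, a newer version number. The image layout, the fixed-seed demo key and all function names are assumptions made for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image layout (an assumption, not a vendor format):
// 4-byte big-endian version | payload | 64-byte Ed25519 signature over both.
var ErrBadSig = errors.New("signature check failed: image rejected")
var ErrRollback = errors.New("version not newer than installed: image rejected")

// DemoKeys derives a constructed key pair from a fixed all-zero seed (demo only).
func DemoKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

// SignImage is the vendor-side build step: sign version+payload, append the signature.
func SignImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	body := make([]byte, 4, 4+len(payload))
	binary.BigEndian.PutUint32(body, version)
	body = append(body, payload...)
	return append(body, ed25519.Sign(priv, body)...)
}

// VerifyImage runs on the device before flashing. pub is the vendor key baked
// into the device; account or network credentials play no part in the decision.
func VerifyImage(pub ed25519.PublicKey, installed uint32, image []byte) ([]byte, error) {
	n := len(image) - ed25519.SignatureSize // start of the trailing signature
	if n < 4 || !ed25519.Verify(pub, image[:n], image[n:]) {
		return nil, ErrBadSig // truncated, modified, or signed by another key
	}
	if binary.BigEndian.Uint32(image[:4]) <= installed {
		return nil, ErrRollback // genuine but old image, refused as well
	}
	return image[4:n], nil
}

func main() {
	pub, priv := DemoKeys()
	img := SignImage(priv, 7, []byte("constructed firmware payload"))
	_, genuine := VerifyImage(pub, 6, img)
	img[10] ^= 0x01 // one bit changed in transit
	_, modified := VerifyImage(pub, 6, img)
	fmt.Println("genuine:", genuine, "| modified:", modified)
}
```

With this check in place, a password captured on the home network is not enough to install firmware, because the update has to be signed with a key that never leaves the vendor.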


Potential for attacks

Currently, most proposed IoT attacks are proof-of-concepts and have yet to generate any profit for attackers. This doesn’t mean that attackers won’t target IoT devices in the future when the technology becomes more mainstream.

Mitigation


Unfortunately, it’s difficult for a user to secure their IoT devices themselves, as most devices don’t provide a secure mode of operation. Nonetheless, users should adhere to the following advice to ensure that they reduce the risk of a potential attack:

  • Use strong and unique passwords for device accounts and Wi-Fi networks
  • Change default passwords
  • Use a stronger encryption method when setting up Wi-Fi networks, such as WPA2
  • Disable or protect remote access to IoT devices when not needed
  • Use wired connections instead of wireless where possible
  • Use devices on a separate home network when possible
  • Be careful when buying used IoT devices, as they may have been tampered with
  • Research the vendor’s device security measures
  • Modify the privacy and security settings of the device to your needs
  • Disable features that aren’t needed
  • Install updates when they become available
  • Ensure that an outage, for example due to jamming or a network failure, does not result in an insecure state of the installation
  • Verify if the smart features are really required or if a normal device would be sufficient

Vendors should consider the following five fundamental tenets when developing new devices:

  • Strong trust model for IoT, e.g. device authentication through SSL
  • Protecting the code that drives IoT, e.g. digital code signing
  • Effective host-based protection for IoT, e.g. endpoint protection and system hardening
  • Safe and effective management for IoT, e.g. configuration and over-the-air updates
  • Security analytics to address new and advanced threats, e.g. anomaly detection