IoT devices are now the norm, rather than a novelty. The average household has more than ten connected devices, and there are currently about ten billion IoT devices worldwide. And the global IoT market is only getting bigger. Business Insider estimates that it’s on course to grow to 41 billion connected devices and $2.4 trillion by 2027.
Unfortunately, IoT security is not keeping up with this rapid expansion. Attacks on IoT devices are more than doubling year-over-year. This is hardly surprising given their glaring security flaws and the difficulties in retroactively patching deployed devices.
OWASP has created a list of the top 10 IoT device security vulnerabilities which will hep the IoT vendors to focus on during the manufacturing and production stages.
Weak, guessable, or hardcoded passwords
Passwords authenticate a valid user, giving access to a device’s security settings, administrative powers, and private data. Poor password creation or management is a critical, ongoing security issue, especially as many device owners do not change the default password. Hardcoding makes it easier for developers or engineers to sort problems out on remote devices but they can easily be used for unauthorized access. It also means that if a hacker manages to get one password, they can use it to break into every similar device. Devices should come with strong default passwords and disallow setting of weak passwords.
Insecure network services
Insecure connectivity features such as open ports or unneeded services increase the attack surface of an IoT device, leading to the possibility of data leaks or remote code execution. Device manufacturers can always address these vulnerabilities by restricting connective services to the necessary minimum and using secure transmission protocols.
Insecure ecosystem interfaces
The interfaces that an IoT device interacts with can also be affected by serious security flaws. Web, mobile, backend API, or cloud interfaces offer hackers access to significant information about a device’s software, functions, and data. Weak authentication allows hackers to gain unauthorized access through a device’s interface, while poor encryption or input and output filters put the data the device sends and receives at risk.
Lack of secure update mechanism
Updates are a key in tackling IoT device security vulnerabilities, as developers use them to eliminate bugs and close off security flaws. Without secure update mechanisms, software and firmware updates can put devices at risk. Updates can be subject to tampering, either at source or in transit. To prevent this, updates should be digitally signed, delivered over secure channels, and the signature verified before applying. In addition, IoT manufacturers should include mechanisms that stop hackers from rolling back updates and users should be informed of any time-urgent security updates.
Use of insecure or outdated components
Legacy technology that is compromised or can no longer be updated poses an enormous threat to IoT device security. Insecure components can effectively build-in flaws that hackers can use to gain access across a whole range of unrelated devices. The best defense is to not use legacy technology and replace as quickly as possible. In the case of legacy devices that have not been provisioned with secure identities, manufacturers can build in security after deployment using specialized PKI services that use a white-box cryptographic solution to securely deliver keys.
Insufficient privacy protection
Privacy protection is not just good corporate behaviour; it’s also a major compliance risk. Legislation such as GDPR defines expected privacy protections for all tech-involved companies, including IoT device manufacturers. For IoT devices, privacy protection can be a security vulnerability due to insecure local data storage or even the unauthorized collection and storage of personal data.
Insecure data transfer and storage
Staying with data issues, the next entry on the OWASP list of IoT device security vulnerabilities focuses on poor data encryption and lack of authentication mechanisms. Data can be exposed at various phases: at rest, in transmission, or during processing. This gives hackers multiple opportunities to steal and understand data. Weak encryption, along with poor or absent access controls, makes a device’s data a soft target.
Lack of device management
Tracking devices once they have been deployed is vital to ensure a secure environment. Without adequate asset management, it becomes impossible to monitor and defend IoT networks effectively through processes such as update management, secure decommissioning, and certificate revocation for compromised devices in a public key infrastructure. Without a complete picture of what is happening with all the IoT devices on a network, it becomes impossible to manage defenses and threat responses, making all devices more vulnerable.
Insecure default settings
Default settings should always be applied with the safety of the final user and the device’s long-term security in mind. Often, however, the default settings represent a “bare-minimum” approach or may even introduce vulnerabilities, for example hardcoded passwords or exposed services running with root permissions. Manufacturers should give device admins the ability to cure these as well as set and enforce permissions to restrict users from modifying configurations without proper approval.
Lack of physical hardening
It’s important not to neglect physical hardening of the device against attacks that extract sensitive information which could be used in a remote attack or to gain control of the device. Some measures that can be taken to physically harden a device include disabling or isolating debug ports, using secure boot to validate firmware, and not storing sensitive information on a removable memory card.