Part 01 of three
IoT Compromise Risks - Part 1
Two of the most talked-about common vulnerabilities or security risks for Internet of Things (IoT) devices are factory set or hardcoded passwords and the lack of security update mechanisms.
1. Factory Set or Hardcoded Passwords
- OWASP (The Open Web Application Security Project) named factory-set or hardcoded passwords the biggest problem for IoT device security in its 2018 list.
- OWASP defined this problem as the "use of easily bruteforced, publicly available, or unchangeable credentials, including backdoors in firmware or client software that grants unauthorized access to deployed systems."
- Factory set, weak, or hardcoded passwords consistently appeared as the most commonly mentioned problem for IoT devices across sources and industry opinions.
- Despite the problem seeming obvious, it still remains a common problem among IoT manufacturers.
- Because consumers often expect a smart device to run like an appliance, there is not the same consumer understanding of the need for cybersecurity or password maintenance, as there is with more traditional IT devices, like computers.
- Many of the most destructive and well-known DDoS (distributed denial of service) attacks involving IoT devices have been carried out by the Mirai botnet, which recruits devices primarily by exploiting the widespread use of default passwords.
- Just as obvious as the problem is the solution. Most importantly, manufacturers must stop sending out devices with hardcoded passwords or simple default passwords. Consumers should be educated about the need to change passwords when they buy an IoT device.
2. Lack of Security Update Mechanisms
- Another commonly cited security risk is the lack of security update mechanisms present on IoT devices.
- OWASP defines this as: "[The] lack of ability to securely update the device. This includes lack of firmware validation on device, lack of secure delivery (unencrypted in transit), lack of anti-rollback mechanisms, and lack of notifications of security changes due to updates."
- Because IoT devices are a new and rapidly expanding market, many companies race to create IoT devices that are then quickly abandoned in favor of a newer product. As a result, many manufacturers only provide firmware updates for a short period, one that often ends at the very moment they begin work on the next new gadget.
- Stated simply, IoT devices, which were secure upon release to consumers, run the risk of rapidly and increasingly becoming insecure or vulnerable to attacks as time passes.
- Consumers also typically do not expect IoT devices to be regularly unavailable for maintenance. As NIST (The National Institute of Standards and Technology) states: "Operational requirements for performance, reliability, resilience and safety [of IoT devices] may be at odds with common cybersecurity and privacy practices for conventional IT devices."
- There are many ways in which the update mechanisms of an IoT device are potentially vulnerable. According to the OWASP's IoT Vulnerabilities Project, common update mechanism problems include updates sent with no encryption, updates to writable locations, few manual update mechanisms and missing update mechanisms.
- To combat this, manufacturers must commit to providing continued updates and ways in which consumers may manually update (and check for updates) on devices. Forbes states: "Address this [updates and maintenance] with redundant backup devices, planned maintenance windows or a concerted education campaign that aligns user expectations with security necessities."
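As an added illustration of the update properties OWASP lists above (firmware validation on device, anti-rollback), and not code from the original report: a device-side update acceptance check in Python. It assumes a constructed manifest format and uses an HMAC under a constructed key as a stand-in for the manufacturer's asymmetric signature, so it runs with the standard library alone.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Tuple

# Constructed verification key for this example. A real device should hold only a
# public key so the signing key never leaves the manufacturer; an HMAC stands in
# here so the example is self-contained.
VERIFY_KEY = b"example-manufacturer-key"


@dataclass
class Manifest:
    version: int       # monotonically increasing firmware version
    image_sha256: str  # hex digest the image must match
    signature: str     # hex MAC over "version|image_sha256"


def sign_manifest(version: int, image: bytes, key: bytes = VERIFY_KEY) -> Manifest:
    """Manufacturer side: bind the version and image digest together under the key."""
    digest = hashlib.sha256(image).hexdigest()
    mac = hmac.new(key, f"{version}|{digest}".encode(), hashlib.sha256).hexdigest()
    return Manifest(version, digest, mac)


def verify_update(manifest: Manifest, image: bytes, installed_version: int,
                  key: bytes = VERIFY_KEY) -> Tuple[bool, str]:
    """Device side: install only if signature, digest and anti-rollback all pass."""
    expected = hmac.new(key, f"{manifest.version}|{manifest.image_sha256}".encode(),
                        hashlib.sha256).hexdigest()
    # Signature covers the version, so an edited version field is caught here.
    if not hmac.compare_digest(expected, manifest.signature):
        return False, "manifest signature invalid"
    # Firmware validation: the delivered image must match the signed digest.
    if hashlib.sha256(image).hexdigest() != manifest.image_sha256:
        return False, "image digest does not match signed manifest"
    # Anti-rollback: never accept a version at or below the installed one.
    if manifest.version <= installed_version:
        return False, "rollback rejected: version not newer than installed"
    return True, "update accepted"


if __name__ == "__main__":
    image_v5 = b"constructed firmware image v5"  # constructed sample image
    good = sign_manifest(5, image_v5)
    print(verify_update(good, image_v5, installed_version=4))
    print(verify_update(good, b"tampered image", installed_version=4))
    print(verify_update(good, image_v5, installed_version=5))
```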
METHODOLOGY
To determine the top current vulnerabilities or security risks of Internet of Things (IoT) devices, we searched trusted news media sites, industry publications, and government and academic reports. We analyzed each gathered article or report and identified the problems most commonly mentioned across all of them. We chose those vulnerabilities that were overwhelmingly mentioned across a variety of reports.