Re: Unsecured Internet of Things Challenges

schafai · ‎10-05-2017

Unsecured Internet of Things Challenges

Internet of Things includes everything connected to the Internet which basically refer to a broad range of devices from simple sensor with limited capabilities, consumers wearable to smart appliances, home automation devices, manufacturing warehousing and industrial devices.

According to the results of a report published by Gartner Research, in 2020 will have more than 26 billions of connected objects, huge number of devices than anything the current identity management can handle at the moment.

No doubt that IoT will improve customer experience, where connected objects think on our behalf, automate boring activities, make our lives better more comfortable and healthier which means access to more and more information and control devices remotely.

I would not mind if someone would check status of my smart meter but would be concerned if someone could remotely control connected devices performing malicious activities. Monitoring home doors or fences, get access to home network, personal computer, laptop through smart bulb, smart teddy bear that could be hijacked, taking car control by hacking systems remotely, sauna stoves which can be controlled (started) by sending SMS message, power grid knocked off line by accessing Industrial control systems,

IoT implementation could be found in several areas such as logistics, farming, industry, home automation but its restriction become obvious as we are connecting systems from different vendors, standards communicating with a lot of different protocols most of them are not HTTP adding application development in IoT more complexity and the” plug and play” mindset where many vendors by simply adding connectivity to devices introducing security holes in the way connected object are communicated, authenticated or managed. As usual, in the rush to launch the new smart system, car, wearable medical device; information security stills an after-thought. Apart from adapting communication protocols and addressing security issues an overarching security framework is crucial for growing IoT. There is no overall framework driving the IoT Security

Your security is as strong as your weakest link / device !

Your light switch might have one level of encryption and your remote home appliance another. One may use Zigbee protocol, another Bluetooth, and yet another WiFi. Bridges to connect across them will abound. Even if independent systems are secure, we will cobble together systems, and the chain will only be as strong as the weakest link.

The last headlines on security breaches related to IoT have highlighted many security issues not really addressed and challenges faced by large organizations or states

Access Control & Authentication

The common known challenge is that while device most likely have an identity whether it can be an IP address, MAC address, serial number, device certificate, who controls the access to or to the information the device sends out?

Unauthorized persons might exploit security vulnerabilities and can put lives at risk and harm consumers, there are a lot of examples of connected insulin pumps hacked where settings have been changed to make them no longer delivered medicine, car Hacking and remote control of the vehicle’s engine and braking.

Strong and multiple factor authentication may not be applicable with IoT for instance 2FA (two factor authentication) such biometry “something you are” and password “something you know” cannot be implemented in objects authentication context therefore objects have to provide some sort of token or certificate. The Public key Infrastructure can sort out these authentication weaknesses by using certificates and provide the flexibility needed when changing requirements a cross-platform with multiprotocol approach.

At the opposite of traditional forms of authentication, PKI can provide the scalability, billions of IoT devices and systems can be provisioned with digital certificates, providing a unique private key to each device, a secure digital channel can be set which only authorized data flows, encrypted and secured from the view of hackers or intruders.

Vulnerabilities & Patch Management

Probably the most important issue as many IoT devices are shipped from the factory not only with these vulnerabilities exposed, but also without any effective way to fix them, they are still un-patchable, leaving consumers with unsupported or vulnerable devices shortly after purchase, huge number of devices rely on weak and simple password 1234, hardcoded password, backdoors, insecure protocols.

There are situations where it’s impossible to patch the software or upgrade the components to the last version. Sometimes the complete source code is not available as many of the device drivers and other components are just “binary blobs” no source code at all which make in these cases the patching process technically not applicable.

Regulation and enforcing mechanisms need to be found to make embedded system vendors to design their systems better. We need standards, open-source driver software and no more binary blobs. Third parties vendors and ISPs can provide security tools and software updates for as long as the device is in use.

Accountability

There is a lack of accountability for devices security, for many consumer devices, there is not a clear ownership on who owns the security. Manufacturer post firmware updates on their websites, it’s up to the consumers or users to download and update products some come with obscure instruction

Security by Design and Full Lifecycle Requirements

To properly address the challenges of the IoT software update problem, it is essential to consider the full lifecycle of the IoT device. This begins during the design and manufacturing when the security credentials must be generated, allocated, and provisioned into the devices in a secure manner. It also incorporates the lifecycle of the device vendor who might be bought out or go bankrupt – we need to consider how to continue patching essential devices when the original manufacturer no longer exists. Finally, it ends with addressing various end-of-life scenarios such as how to decommission and recycle those devices that no longer can or should be supported.

A compromised IoT device could be used to launch a denial of service attack. The more devices compromised by the attacker the more effective and destructive will be.

The last DYN DDOS attacks were made possible through thousands on unsecure IoT devices such as home routers, IP camera compromised by infected malicious code generating a massive amounts of bogus traffic to the targeted Dyn servers; the use of default passwords on these devices enable hackers to gain access and launch the attack.

Anonymous attacker in October said to have only used 100,000 devices; imagine what could be done with one billion devices creating network of insecure connections. The least IOT manufacturer must do is to put controls to detect these threats, disable IoT devices once an attack spreading and commit to communicate on the risks.

Legal considerations

IoT development does not have been followed by legal framework to support and regulate IoT and protect consumer’s privacy, security, ownership of data (including the use of aggregated data), responsibility and legal liability.

Sofiane Chafai

Managing Director

CISSP, CISA, ISO 27001 LI, ISO 27001 LA, Prince2

Caute_cautim · ‎10-30-2017

A good breakdown on IoT. It appears that the various industries particularly electronics is in a dilemma.

Is IoT an Operations Technology issue?

Is IoT a manufacturer issue, whereby out of the factory or development lab and paying for itself is the chief goal?

Does IoT need legislation to ensure "secure by design" principles are applied?

Is IoT a "Safety" issue which requires compliance with health & safety controls?

Presumably, the debate commences from this point?