Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT/Embedded Security

10/19/2017
12:00 AM
Michal Salát
Michal Salát
News Analysis-Security Now
50%
50%

Can the IoT Be More Secure?

The IoT has lots of insecurity built in – but here are some ways to make it more secure.

In today's digital world, we are literally surrounded by "smart" devices, or Internet of Things (IoT) devices. Making devices smart is a trend to be applauded, but there is one very important thing that is frequently an afterthought: security.

Manufacturers of common things, like toys, furniture, cars and medical devices are "enhancing" their products by adding "smart" features to make them more attractive; even water bottle manufacturers are starting to produce connected bottles. Why does it seem so hard to make them secure -- and why does it even matter?

Why IoT devices are so unsecure
IoT device manufacturers are pressured to produce smart devices and deliver them to market quickly and at an affordable price. This causes them to often neglect security. For example, a toaster manufacturer who may now be producing smart toasters never had to think about securing toasters from hackers before, which is another reason why security is sometimes weak or incomplete.

Moreover, there are no industry requirements that manufacturers have to comply with when it comes to security of smart devices. Instead they are left to create their own proprietary standards for communication, where security is not always a top priority. Smart devices that don't include the basic principles of modern security are therefore shipped out to the world.

How hackable are IoT devices?
Since smart devices lack security, they can be hacked using a wide range of existing methods, from pretty easy ones -- like brute forcing login credentials -- to more sophisticated methods such as using various exploit techniques, or reverse-engineering firmware or operating systems and looking for zero-day vulnerabilities. Services and exploits that can be used to hack IoT devices are sold on the darknet, giving more and more people the power to take control of them.

Hackers are also constantly trying to infiltrate new types of networks and forms of communication used by IoT devices, in order to hack them.

How difficult is it to hack an IoT device?
The simplest way to hack a smart device is to brute-force passwords or try to gain access to a device by using the device's default login credentials. Botnets, which can be rented on the darknet, make this script kiddie-method easy to use to infect thousands of devices at once. Many manufacturers use the same default login credentials for all the devices they produce to save on costs, rather than creating a unique password for each device.

One of the biggest IoT threats of last year was the Mirai botnet, which infected thousands of smart devices, by using default login credentials, to perform massive DDoS attacks. Since Mirai's source code was published, pretty much anyone can run their own IoT botnet or rewrite the code and therefore, many mutations of Mirai have appeared.

Other ways to infect an IoT device are much more complex, expensive to purchase and therefore not as common. Reverse-engineering firmware or an operating system, for example, requires advanced technical knowledge and takes time. Zero-day exploits that take advantage of vulnerabilities cost thousands of dollars.

A recipe for better IoT security
A possible and effective way to dramatically improve IoT security is to give consumers the possibility to easily change the login credentials of their smart devices. To encourage consumers to change their IoT devices' login credentials, manufacturers can, for example, make creating a unique and strong password a mandatory requirement when setting up a device for the first time.

This, of course, cannot be applied to all scenarios, but simply changing default login credentials would greatly reduce the number of "unsecured" devices and make it harder for script kiddies, "wannabe" hackers, and simple search bots to gain access to IoT devices. Alternatively, IoT device manufacturers could give each device a unique and random password and send this along with the devices to their customers.

Issuing software updates to patch vulnerabilities, on the other hand, would help secure smart devices from exploits. Manufacturers currently often use outdated versions of various libraries and operating systems for which plenty of powerful exploits exist, leaving devices vulnerable to attack. There are many devices where it is impossible to update the device's firmware, so if a hacker were to exploit a vulnerability, there would essentially be no other option left than to disconnect the device from the network, permanently, and to replace it with a more secure device.

Securing smart devices will not only protect people's privacy and help prevent DDoS attacks, but can also prevent much worse things from happening. There have been proof-of-concept attacks that show how entire IoT networks can be infected by targeting a single device, such as a light bulb or traffic sensor.

These proof-of-concept attacks demonstrate what a massive problem vulnerable smart devices can be and the damage that can be caused if they are controlled by the wrong people. Imagine hackers controlling traffic flow or turning off lights in an entire city. Smart device manufacturers should collaborate with security experts to ensure a security layer is included in their devices and pen-test their products on a regular basis.

Related posts:

— Michal Salát is the threat intelligence director at Avast, driving research projects to discover security vulnerabilities in computer, mobile and IoT platforms.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15208
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, when determining the common dimension size of two tensors, TFLite uses a `DCHECK` which is no-op outside of debug compilation modes. Since the function always returns the dimension of the first tensor, malicious attackers can ...
CVE-2020-15209
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, a crafted TFLite model can force a node to have as input a tensor backed by a `nullptr` buffer. This can be achieved by changing a buffer index in the flatbuffer serialization to convert a read-only tensor to a read-write one....
CVE-2020-15210
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, if a TFLite saved model uses the same tensor as both input and output of an operator, then, depending on the operator, we can observe a segmentation fault or just memory corruption. We have patched the issue in d58c96946b and ...
CVE-2020-15211
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, saved models in the flatbuffer format use a double indexing scheme: a model has a set of subgraphs, each subgraph has a set of operators and each operator has a set of input/output tensors. The flatbuffer format uses indices f...
CVE-2020-15212
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 2.2.1 and 2.3.1, models using segment sum can trigger writes outside of bounds of heap allocated buffers by inserting negative elements in the segment ids tensor. Users having access to `segment_ids_data` can alter `output_index` and then write to outside of `outpu...