
IoT
2/24/2021
10:00 AM
Grigorii Markov
Commentary

3 Security Flaws in Smart Devices & IoT That Need Fixing

The scope and danger of unsecured, Internet-connected hardware will only continue to deepen.

Rapid changes in how Internet of Things (IoT) devices interact with each other and with the networks around them have created a landscape of unprecedented security exposure. This article covers three of the main security concerns and some possible fixes for each.

In December 2020, Forescout disclosed 33 vulnerabilities (collectively named AMNESIA:33) in four open source TCP/IP stacks that are embedded in millions of devices around the world. Because the flaws sit in the packet-parsing code that every networked device runs, an attacker can use nearly any affected device, in a smart home or an automated industrial environment, as an entry point into the network.


According to IBM's 2020 Cost of a Data Breach report, the average cost of a data breach is just under $4 million, and it takes organizations an average of 280 days to identify and contain one. Meanwhile, the destructive potential of botnets has grown over the past few years: they propagate malware, mount distributed denial-of-service (DDoS) attacks, and spread disinformation on social media.

Problem 1: Unsecured API Connections
Application programming interfaces (APIs) are how devices talk to one another and to back-end services, but they are rarely built with robust security. Consider what ends up in the logs. When a data analyst queries a database directly, most security systems record that user's name and role. An API call from a device, by contrast, typically arrives under a shared service account with no credentials tied to a specific person or device, so the two log entries look like this:

●  John_Smith: Data Analyst – 172.20.118.97
●  App_User: Service Account – 172.20.0.159

Only the first entry tells you who acted. If every request from your smart devices and IoT equipment is logged the second way, you cannot tell which device did what, or which one has been compromised, and you lack edge-to-end network visibility.

Cybercriminals scour the Internet, including public code repositories and misconfigured devices, for exposed API tokens. A leaked token for an IoT management platform is one of the easiest ways to take over and command an enormous botnet of zombie IoT devices.

How to Solve API Connection Issues
Security engineers and enterprise IT teams should treat apps and APIs as data gateways. That means reviewing every API connection for gaps in authentication, authorization and logging, and fixing what is found.

If an IoT device has any external connection capacity, it should be configured to authenticate every incoming request, authorize it against the identity that made it, and block everything else. Developers need to tell security teams about "shadow APIs" that would otherwise go unnoticed, and both teams must work together to identify and retire deprecated and outdated APIs.

Restricting and monitoring API access is essential. The OAuth 2.0 industry standard is an ideal approach. Its Device Authorization Grant (RFC 8628) accommodates devices with limited input capabilities, like most IoT devices: the device displays a short code, the user enters it on a phone or laptop where they are already signed in, and the device polls the authorization server until it receives an access token bound to both the device and the user who approved it.
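As an added example (not part of the original article), here is that Device Authorization Grant exchange from both sides, written as an in-memory authorization server in Go. The client_id `thermostat-7f3a`, the scope `telemetry:write`, the verification URL `https://auth.example/device`, and the 5-second polling interval and 10-minute code lifetime are assumptions for the demo; the error codes are the ones RFC 8628 defines. The server answers `authorization_pending` until a user approves the code, `slow_down` if the device polls faster than the advertised interval, and `expired_token` once the code lapses; the access token it finally issues carries both the device's client_id and the approving user's subject, which is exactly what an API gateway should log.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// Error codes from RFC 8628 section 3.5; invalid_grant comes from RFC 6749.
var (
	ErrAuthorizationPending = errors.New("authorization_pending")
	ErrSlowDown             = errors.New("slow_down")
	ErrExpiredToken         = errors.New("expired_token")
	ErrInvalidGrant         = errors.New("invalid_grant")
)

func randomHex(n int) string {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return fmt.Sprintf("%X", b)
}

type grant struct {
	clientID, scope, userCode, subject string
	expiresAt, lastPoll                time.Time
	approved                           bool
}

type DeviceAuthResponse struct {
	DeviceCode, UserCode, VerificationURI string
	ExpiresIn, Interval                   int
}

// AccessToken is bound to the device (ClientID) and to the person who approved it (Subject).
type AccessToken struct{ Token, ClientID, Subject, Scope string }

// AuthServer is an in-memory authorization server; Now is exported so the flow can be stepped.
type AuthServer struct {
	Now                time.Time
	interval, lifetime time.Duration
	grants             map[string]*grant // keyed by device_code
}

func NewAuthServer(now time.Time) *AuthServer {
	return &AuthServer{Now: now, interval: 5 * time.Second, lifetime: 10 * time.Minute, grants: map[string]*grant{}}
}

// DeviceAuthorization is the device_authorization endpoint (RFC 8628 sections 3.1-3.2).
// The user code is short because a human types it; section 6.1 covers its entropy and rate limiting.
func (s *AuthServer) DeviceAuthorization(clientID, scope string) DeviceAuthResponse {
	dc, uc := randomHex(32), randomHex(2)+"-"+randomHex(2)
	s.grants[dc] = &grant{clientID: clientID, scope: scope, userCode: uc, expiresAt: s.Now.Add(s.lifetime)}
	return DeviceAuthResponse{DeviceCode: dc, UserCode: uc, VerificationURI: "https://auth.example/device", // assumed URL
		ExpiresIn: int(s.lifetime.Seconds()), Interval: int(s.interval.Seconds())}
}

// Approve records that a signed-in user typed the user code and consented (section 3.3).
// A real server indexes by user code; the linear scan keeps this example short.
func (s *AuthServer) Approve(userCode, subject string) error {
	for _, g := range s.grants {
		if g.userCode == userCode && !s.Now.After(g.expiresAt) {
			g.approved, g.subject = true, subject
			return nil
		}
	}
	return ErrInvalidGrant
}

// Token is the endpoint the device polls with grant_type=urn:ietf:params:oauth:grant-type:device_code (sections 3.4-3.5).
func (s *AuthServer) Token(deviceCode string) (AccessToken, error) {
	g, ok := s.grants[deviceCode]
	if !ok {
		return AccessToken{}, ErrInvalidGrant
	}
	switch {
	case s.Now.After(g.expiresAt):
		delete(s.grants, deviceCode)
		return AccessToken{}, ErrExpiredToken
	case s.Now.Sub(g.lastPoll) < s.interval:
		return AccessToken{}, ErrSlowDown // polling too fast; lastPoll is deliberately left alone
	case !g.approved:
		g.lastPoll = s.Now
		return AccessToken{}, ErrAuthorizationPending
	}
	delete(s.grants, deviceCode) // device codes are single use
	return AccessToken{Token: "tok_" + randomHex(16), ClientID: g.clientID, Subject: g.subject, Scope: g.scope}, nil
}

func main() {
	srv := NewAuthServer(time.Date(2021, 2, 24, 10, 0, 0, 0, time.UTC))
	resp := srv.DeviceAuthorization("thermostat-7f3a", "telemetry:write") // hypothetical client_id and scope
	fmt.Printf("device display: open %s and enter %s\n", resp.VerificationURI, resp.UserCode)
	_, err := srv.Token(resp.DeviceCode)
	fmt.Println("poll before consent:", err) // authorization_pending
	_ = srv.Approve(resp.UserCode, "john.smith") // the user consents from a phone or laptop
	srv.Now = srv.Now.Add(time.Duration(resp.Interval) * time.Second)
	tok, _ := srv.Token(resp.DeviceCode)
	fmt.Printf("api log: client=%s subject=%s scope=%s\n", tok.ClientID, tok.Subject, tok.Scope)
}
```

Note what the device never sees: a user password. The short user code is safe to display on a thermostat screen only because the server enforces the polling interval, expires the code after ten minutes, and accepts each device code once.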

Problem 2: Obsolete Firmware Updating Mechanisms
A single compromised IoT device gives an attacker a foothold from which to move laterally through an entire network. These devices typically receive firmware updates over the air, and an update channel that does not verify what it installs is both a compelling and an easy target.

It isn't just mass-produced consumer hardware that is at risk. Infrastructure and heavy industrial equipment are subject to malicious firmware as well. The December 2015 cyberattack on Ukraine's power grid included malicious firmware written to serial-to-Ethernet converters at substations, which left those devices inoperable and prevented operators from restoring service remotely.

As IoT devices continue to proliferate, new security measures will be needed to protect them from malicious firmware updates. These attacks will become more frequent as everyone continues to invest in remotely managed tools that handle their own firmware updates.

How to Solve Firmware Security Holes
Anyone who wants to secure IoT firmware updates immediately runs into a fundamental challenge: how do you authenticate an update to a device that has no user to type a password?

One answer is a secure cryptoprocessor, such as a secure element or TPM, that holds keys in tamper-resistant storage. It uses a public-private key framework to authenticate incoming requests, including firmware updates: the vendor signs each image with a private key that never leaves its signing infrastructure, and the device accepts an update only if the signature verifies against the vendor's public key provisioned at manufacture. A version counter that only moves forward should accompany the signature check, so an attacker cannot replay a genuine but vulnerable older image.
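As an added example (not the article's code, nor any vendor's real update format), the following Go program shows that device-side verification. The image layout, a 4-byte magic, a big-endian version and payload length, the payload, then a 64-byte Ed25519 signature over everything before it, is constructed for this example, and the keys are generated at runtime for the demo; a vendor would generate them once and keep the private half in an HSM. The device accepts an image only if it parses, the signature verifies against the provisioned public key, and the version is strictly newer than the installed one, so a tampered payload, an image signed with any other key, a relabeled version field and a genuine-but-old image are all rejected.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Image layout (constructed for this example, not any vendor's real format):
//   magic(4) | version(4, big-endian) | payloadLen(4, big-endian) | payload | ed25519 signature(64)
// The signature covers everything before it, so the version field cannot be altered undetected.
const (
	imageMagic = "FWIM"
	headerLen  = 12
)

var (
	ErrBadFormat    = errors.New("malformed image")
	ErrBadSignature = errors.New("signature verification failed")
	ErrRollback     = errors.New("image version is not newer than the installed firmware")
)

// BuildImage is the vendor-side signing step. In production the private key lives in an HSM
// and only the signed image ever travels to the device.
func BuildImage(vendorPriv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	var buf bytes.Buffer
	buf.WriteString(imageMagic)
	binary.Write(&buf, binary.BigEndian, version)
	binary.Write(&buf, binary.BigEndian, uint32(len(payload)))
	buf.Write(payload)
	buf.Write(ed25519.Sign(vendorPriv, buf.Bytes()))
	return buf.Bytes()
}

// Device models what the bootloader or secure element holds: the vendor's public key
// (provisioned at manufacture) and a monotonic version counter for anti-rollback.
type Device struct {
	VendorPub        ed25519.PublicKey
	InstalledVersion uint32
}

// VerifyAndInstall accepts an update only if it parses, carries a valid vendor signature,
// and is newer than what is installed. Nothing in the image is acted on before the
// signature check except the lengths needed to locate the signature.
func (d *Device) VerifyAndInstall(img []byte) (uint32, error) {
	if len(img) < headerLen+ed25519.SignatureSize || string(img[:4]) != imageMagic {
		return 0, ErrBadFormat
	}
	version := binary.BigEndian.Uint32(img[4:8])
	payloadLen := binary.BigEndian.Uint32(img[8:12])
	// Compare in uint64 so a hostile payloadLen cannot wrap the arithmetic.
	if uint64(len(img)) != headerLen+uint64(payloadLen)+ed25519.SignatureSize {
		return 0, ErrBadFormat
	}
	sigStart := headerLen + int(payloadLen)
	if !ed25519.Verify(d.VendorPub, img[:sigStart], img[sigStart:]) {
		return 0, ErrBadSignature
	}
	if version <= d.InstalledVersion {
		return 0, ErrRollback
	}
	// A real device would now write the payload to the inactive slot and swap on reboot.
	d.InstalledVersion = version
	return version, nil
}

func main() {
	// Keys are generated here for the demo; a vendor generates them once and keeps the private half offline.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	dev := &Device{VendorPub: pub, InstalledVersion: 2}
	fmt.Println(dev.VerifyAndInstall(BuildImage(priv, 3, []byte("firmware v3 payload")))) // 3 <nil>

	tampered := BuildImage(priv, 4, []byte("firmware v4 payload"))
	tampered[headerLen] ^= 0xff // flip one payload byte in transit
	fmt.Println(dev.VerifyAndInstall(tampered)) // 0 signature verification failed

	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println(dev.VerifyAndInstall(BuildImage(attackerPriv, 5, []byte("backdoor")))) // 0 signature verification failed
	fmt.Println(dev.VerifyAndInstall(BuildImage(priv, 2, []byte("old but genuine")))) // 0 image version is not newer...
}
```

The version comparison runs only after the signature check, so it is made against a value the vendor vouched for: an attacker who can flip bits on the wire cannot bump the version without breaking the signature. In a real bootloader, InstalledVersion would live in a monotonic counter or fuse bank so that it survives a reflash of the main storage.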

Government agencies, enterprises and manufacturers can set procurement conditions. Such large organizations have the power to dictate which devices they do and do not use. They can even modify consumer retail devices to suit their security needs.

Furthermore, enterprises command the resources to develop and deploy secure IoT frameworks in which devices authenticate themselves without exposing internal data. Frameworks are available that make authentication and secure updates possible at lower cost.

Problem 3: Insufficient Privacy Protection
Privacy protection and compliance is quickly becoming the norm for jurisdictions around the world. Europe has GDPR. California has CCPA. These regulations have changed the way consumer-facing tech companies operate in fundamental ways.

Under these laws, organizations must report breaches to the supervisory authority (within 72 hours under GDPR), and affected individuals must be informed when the breach puts them at high risk. It's easy to see how this works on a social media platform, but how would it work in a hospital? Unlike other devices, security breaches involving medical IoT devices can have immediate life-or-death consequences.

In the US, HIPAA and HITECH regulate how healthcare data is used. But these rules apply only to covered entities and the business associates that handle their data, not to consumer devices.

Enterprises and industrial organizations run into similar problems when developing IoT systems. Devices on a network contain sensitive data about employees. This data needs to be protected. Not doing so increases the risk of identity theft and financial fraud.

How to Solve Data Privacy Issues
When it comes to personally identifiable data, the bottom line is to secure it to the standard the strictest applicable regulation demands, even if regulators don't require your company to maintain HIPAA compliance.

Solving this problem requires a cultural shift in attitude toward the inherent value of user privacy. Not everyone likes sharing tracking data with social media giants. Not every employee wants their productivity scores shared, either.

Organizations that have a robust cybersecurity policy in place will be better positioned to respond to privacy concerns. Few organizations uphold stringent data privacy standards, and fewer still place an inherent value on user privacy independent of its ROI. Those that do might become the trendsetters of tomorrow's IoT security landscape.

Start Thinking Beyond Today's Threats
We live in an era when mobile phones, washing machines, home thermostats, and even solar panels can be press-ganged into botnet service. They can be used to perform devastating DDoS attacks on any organization in the world.

As medical IoT devices proliferate, the scope and danger of unsecured, Internet-connected hardware only deepens. Plenty of devices require security experts' attention now; future devices, medical IoT among them, require those experts to start thinking about tomorrow's threats today.

Grigorii Markov is a software engineer and the founder of Cerber Tech Inc. He studied software engineering and graduated with a master's degree in computer science in 1998. Since then, he has been working in the software development, network security and IT management fields, ...
 
