IoT
2/24/2021 10:00 AM
Grigorii Markov
Commentary

3 Security Flaws in Smart Devices & IoT That Need Fixing

The scope and danger of unsecured, Internet-connected hardware will only continue to deepen.

Rapid changes in how Internet of Things (IoT) devices around us interact with each other have created a landscape defined by unprecedented security vulnerabilities. Here are three of the main security concerns with these devices, along with some possible fixes.

In December 2020, Forescout identified 33 vulnerabilities impacting four open source TCP/IP stacks. These are used by millions of devices around the world. They allow attackers to target a smart home or an automated industrial environment and use nearly any device as an entry point into the network.

According to IBM, the average cost of a data breach is just under $4 million, and it takes organizations an average of 280 days to identify and contain a breach. Meanwhile, the destructive potential of botnets has grown over the past few years. They propagate malware, mount distributed denial-of-service (DDoS) attacks, and spread disinformation on social media.

Problem 1: Unsecured API Connections
Application programming interfaces are widely used for devices to communicate with one another but are rarely built with robust security. For instance, when a data analyst directly accesses a database, most security systems will log that user's name and role. But an external user may not have to offer those credentials. So, two log entries can look like this:

●  John_Smith: Data Analyst – 172.20.118.97

●  App_User: Service Account – 172.20.0.159

Only one of these gives you useful information about the user's identity. If your smart devices and IoT equipment don't collect useful data, you lack edge-to-end network visibility.

Cybercriminals scour the Internet for exposed API tokens. It's one of the easiest ways to quickly create and leverage an enormous botnet made up of zombie IoT devices.

How to Solve API Connection Issues
Security engineers and enterprise IT teams should treat apps and APIs like data gateways. This means reviewing API connections to make security-oriented changes.

If an IoT device has any external connection capacity, it should be configured to securely categorize incoming user requests and block unauthorized ones. Developers need to inform security professionals about "shadow APIs" that might go unnoticed. Teams must work together to identify deprecated and outdated APIs.

Restricting and monitoring API access is essential. Use of the OAuth industry standard is an ideal approach. It includes a device authorization grant type that accommodates devices with limited input capabilities, like most IoT devices.
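The gateway-style check described above, as an added example that is not from the article or from any product it mentions: a small Go middleware that resolves a bearer token to a named principal, denies requests with no valid token, and writes an audit line in the "name: role – address" form shown under Problem 1. The tokens and principals are constructed sample values; a real deployment would load them from a secrets store or an OAuth introspection endpoint.

```go
package main

import (
	"crypto/sha256"
	"log"
	"net"
	"net/http"
	"strings"
)

// Principal is the identity an API token resolves to. Every accepted
// request is logged with it, so the audit trail names who made the call.
type Principal struct{ Name, Role string }

// Authenticator indexes principals by SHA-256(token), so raw tokens are
// not kept in memory beyond the request that presents them.
type Authenticator struct{ byHash map[[32]byte]Principal }

func NewAuthenticator(tokens map[string]Principal) *Authenticator {
	a := &Authenticator{byHash: make(map[[32]byte]Principal)}
	for tok, p := range tokens {
		a.byHash[sha256.Sum256([]byte(tok))] = p
	}
	return a
}

// Lookup resolves a bearer token; empty or unknown tokens get no principal.
func (a *Authenticator) Lookup(token string) (Principal, bool) {
	if token == "" {
		return Principal{}, false
	}
	p, ok := a.byHash[sha256.Sum256([]byte(token))]
	return p, ok
}

// Require is the gateway check: no valid token, no access. Both outcomes
// are logged with the caller's source address for edge-to-end visibility.
func (a *Authenticator) Require(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		tok := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
		ip, _, err := net.SplitHostPort(r.RemoteAddr)
		if err != nil {
			ip = r.RemoteAddr
		}
		p, ok := a.Lookup(tok)
		if !ok {
			log.Printf("DENY unauthenticated request from %s to %s", ip, r.URL.Path)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		log.Printf("%s: %s - %s", p.Name, p.Role, ip) // e.g. John_Smith: Data Analyst - 172.20.118.97
		next.ServeHTTP(w, r)
	})
}

func main() { // constructed sample token; listens locally only
	auth := NewAuthenticator(map[string]Principal{"tok-analyst-0001": {"John_Smith", "Data Analyst"}})
	api := auth.Require(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.Write([]byte("ok\n")) }))
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", api))
}
```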

Problem 2: Obsolete Firmware Updating Mechanisms
IoT lets an attacker who compromises a single device move laterally through an entire network. These devices typically receive firmware updates wirelessly, making them more compelling and easier targets.

But it isn't just mass-produced consumer hardware that is at risk. Infrastructural and heavy industrial tools are subject to malicious firmware. The 2015 cyberattack on a major Ukrainian power station involved malicious firmware.

If IoT devices continue to proliferate, new security measures will need to be taken to secure them from malicious firmware updates. These types of attacks will become increasingly frequent as everyone continues to invest in remotely managed tools that handle their own firmware updates.

How to Solve Firmware Security Holes
Anyone who wants to secure IoT firmware updates immediately runs into a fundamental challenge. How do you protect a device that doesn't have user/password credentials?

One can use a secure cryptoprocessor designed solely for user authentication. It uses a public-private key framework to authenticate incoming requests, including firmware updates.
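The public-private key check a device would perform on an incoming firmware update, as an added example that is not from the article: the vendor's build system signs a manifest (version plus SHA-256 of the image) with an Ed25519 private key, and the device, holding only the public key, refuses any image whose signature does not verify. It goes one step beyond the text by also rejecting an update whose version is not newer than the installed one, which blocks replaying an old, signed but vulnerable image. Keys and the firmware bytes are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update is what the device receives: the image, its version, and a
// detached signature over (version || SHA-256(image)).
type Update struct {
	Version uint32
	Image   []byte
	Sig     []byte
}

// signedPayload binds the version to the image hash so neither can be
// swapped independently without invalidating the signature.
func signedPayload(version uint32, image []byte) []byte {
	h := sha256.Sum256(image)
	buf := make([]byte, 4, 4+len(h))
	binary.BigEndian.PutUint32(buf, version)
	return append(buf, h[:]...)
}

// SignUpdate runs on the vendor side, which alone holds the private key.
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) Update {
	return Update{Version: version, Image: image, Sig: ed25519.Sign(priv, signedPayload(version, image))}
}

// VerifyUpdate runs on the device, which holds only the public key (ideally
// inside a secure cryptoprocessor). It returns nil only for a genuine, newer image.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, u Update) error {
	if len(u.Sig) != ed25519.SignatureSize {
		return errors.New("malformed signature")
	}
	if !ed25519.Verify(pub, signedPayload(u.Version, u.Image), u.Sig) {
		return errors.New("signature verification failed: image rejected")
	}
	if u.Version <= installed { // anti-rollback: a signed old image is still refused
		return fmt.Errorf("rollback rejected: version %d <= installed %d", u.Version, installed)
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed key pair
	good := SignUpdate(priv, 2, []byte("constructed firmware image v2"))
	fmt.Println("genuine update:", VerifyUpdate(pub, 1, good))
	tampered := good
	tampered.Image = []byte("constructed image modified in transit")
	fmt.Println("tampered update:", VerifyUpdate(pub, 1, tampered))
}
```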

Government agencies, enterprise organizations, and manufacturers can set conditions. Such large organizations have the power to dictate what devices they do and do not use. They can even modify consumer retail devices to suit security needs.

Furthermore, enterprises command the resources to develop and deploy secure IoT frameworks that can self-authenticate without revealing internal data. There are available frameworks to make authentication and secure updates possible with less cost.

Problem 3: Insufficient Privacy Protection
Privacy protection and compliance are quickly becoming the norm for jurisdictions around the world. Europe has GDPR. California has CCPA. These regulations have changed the way consumer-facing tech companies operate in fundamental ways.

Data maintenance analysts must report breaches to supervisors, and affected individuals must be informed. It's easy to see how this works on a social media platform, but how would it work in a hospital? Unlike breaches of other devices, security breaches of medical IoT devices can have immediate life-or-death consequences.

In the US, HIPAA and HITECH regulate the way healthcare data is used. But these rules only apply to devices and companies that work with official healthcare entities, and not consumer devices.

Enterprises and industrial organizations run into similar problems when developing IoT systems. Devices on a network contain sensitive data about employees. This data needs to be protected. Not doing so increases the risk of identity theft and financial fraud.

How to Solve Data Privacy Issues
When it comes to personally identifiable data, the bottom line is to secure it according to industry-standard regulations, even if regulators don't require your company to maintain HIPAA compliance.

Solving this problem requires a cultural shift in attitude toward the inherent value of user privacy. Not everyone likes sharing tracking data with social media giants. Not every employee wants their productivity scores shared, either.

Organizations that have a robust cybersecurity policy in place will be better positioned to respond to personal security concerns. There are few organizations that uphold stringent data privacy standards. Even fewer place an inherent value on user privacy independent of its ROI. Those that do might become the trendsetters of tomorrow’s IoT security landscape.

Start Thinking Beyond Today's Threats
We live in an era when mobile phones, washing machines, home thermostats, and even solar panels can be press-ganged into botnet service. They can be used to perform devastating DDoS attacks on any organization in the world.

As medical IoT devices become a reality, the scope and danger of unsecured, Internet-connected hardware only deepens. Plenty of today's devices already need the attention of security experts. Tomorrow's devices, like medical IoT, require them to start thinking about tomorrow's threats now.

Grigorii Markov is a software engineer and the founder of Cerber Tech Inc. He studied software engineering and graduated with a master's degree in computer science in 1998. Since then, he has been working in the software development, network security and IT management fields, ...