7 Serious IoT Vulnerabilities
A growing number of employees have various IoT devices in their homes — where they're also connecting to an enterprise network to do their work. And that means significant threats loom.
August 21, 2018
![](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/blt2846295dc3468805/64f0d556a5678013e30c403c/Image_1.jpg?width=700&auto=webp&quality=80&disable=upscale)
The security of Internet of Things (IoT) devices, especially those intended for consumer use, tends to fall on a spectrum between "serious concern" and "industry joke." Yet the fact is that a growing number of employees have various IoT devices in their homes — where they also could be connecting to an enterprise network to do their work. And that means significant threats loom, both to and through the IoT.
Some threats attack the unique nature of IoT devices. Others take aim at the application ecosystem surrounding them. Still others are the result of configuration errors that stem from user inexperience or system limitation. In any case, each threat can lead to loss of privacy, loss of control, or recruitment of the devices into a network controlled by someone other than the owner.
Industrial IoT devices are subject to the same ills. When considered alongside the IoT systems owned by employees, they represent a second major threat surface.
So how do you protect against this dual front of security risks? Each vulnerability has a particular remediation, but there's one overarching theme: Treat IoT devices and systems like the computers they are. When the same expectations and discipline are applied to the IoT as to commercial computing systems, vulnerabilities begin to be closed.
Have you built an IoT system for a residence? How did you secure the devices? Are you dealing with IoT systems at your employees' homes? How much responsibility for security do you take? Share your thoughts in the comments, below.
(Image: metamorworks)
You know that default user name and password that comes with the IoT device? So does everyone who can put together a Google search. And that's a real problem for the devices and systems that don't allow for the possibility of changing default settings.
Default user credentials (and, let's be honest, the user who really matters here is named "admin") are the giant, flashing warning signal on IoT security settings, but they're not the only settings that matter. The network ports in use, whether every user is given admin privileges, logging (or not), and event notifications (or not) are among the security-focused settings that should be changeable to meet individual deployment needs.
Beyond allowing for security settings that mesh more completely with an environment's existing security infrastructure, modifications to default settings make the IoT attack surface a more jagged, less welcoming place for intruders. As with many of the other issues in this article, this is not something easily changed by the user. However, defaults that can't be changed do provide another point for additional scrutiny from the security infrastructure that will be overlaid on the IoT deployment.
Few commercial automated systems function without relying on the cloud for some part of their processing power and command knowledge base. That's especially true if voice processing or command translation is in use, in which case the connection to the cloud can become a significant vulnerability.
Think about the types of messages that can go back and forth between an IoT instance and the cloud on which it rests. Simple control packets flow, certainly, but so might recorded voice and video, task lists, calendar events, and instructions to DevOps frameworks and tools. Are those sensitive data streams traveling through encrypted tunnels? Are you sure?
As with so many other aspects of IoT security, the real issue is that, most of the time, users have no say in how the interface to the cloud is secured. Add to that the fact that most users have no idea where the cloud foundation is located, and you're left with a situation that can be a security (and regulatory) nightmare. The lesson here is to understand the capabilities of IoT devices, where they're sending their data, and what you can do with wrappers, firewalls, intrusion-prevention system (IPS) appliances, and other security tools to make up for the holes in a leaky cloud interface.
Finally, when a system designer or developer forgets about security entirely, issues abound. In the case of MQTT, a communications protocol from the world of industrial control, tens of thousands of deployed systems lack even the most fundamental security.
For years, the industrial control security model was simple and twofold: First, the systems were rarely connected to any wider area network. Next, who would want to attack an industrial control system? There's nothing of value there!
Now, of course, the systems depend on the Internet, and all sorts of attackers want to gain access to or control over the IoT devices because of the data they can generate and the launch pad they can provide to other systems. It's important to note that with MQTT and other protocols, vulnerabilities may not lie in the protocols themselves but in the way those protocols are implemented.
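As an added example (not part of the original article), the Python code below shows how a defender can check what a client actually presents to their own MQTT broker: it parses an MQTT 3.1.1 CONNECT packet and reports whether credentials are present and whether they would cross the network in cleartext. The sample packets are constructed, and the `over_tls` input and the finding labels are assumptions of this example.

```python
import struct

# Constructed sample packets (not captured traffic): MQTT 3.1.1 CONNECT frames.
ANON = b"\x10\x15\x00\x04MQTT\x04\x02\x00\x3c\x00\x09sensor-01"
AUTH = (b"\x10\x29\x00\x04MQTT\x04\xc2\x00\x3c\x00\x09sensor-02"
        b"\x00\x05plant\x00\x0bconstructed")

def _remaining_length(buf, pos):
    """Decode the variable-length 'remaining length' field (max 4 bytes)."""
    value = 0
    for shift in (0, 7, 14, 21):
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
    raise ValueError("remaining length longer than 4 bytes")

def _field(buf, pos):
    """Read one field prefixed by a 2-byte big-endian length."""
    (n,) = struct.unpack_from(">H", buf, pos)
    if pos + 2 + n > len(buf):
        raise ValueError("truncated field")
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_connect(packet):
    """Extract the authentication-relevant parts of an MQTT 3.1.1 CONNECT."""
    if packet[:1] != b"\x10":
        raise ValueError("not a CONNECT packet")
    remaining, pos = _remaining_length(packet, 1)
    if pos + remaining != len(packet):
        raise ValueError("length mismatch")
    name, pos = _field(packet, pos)
    if name != b"MQTT" or packet[pos] != 4:
        raise ValueError("only MQTT 3.1.1 is handled here")
    flags = packet[pos + 1]                    # connect flags byte
    client_id, pos = _field(packet, pos + 4)   # skip level, flags, keep-alive
    has_user, has_password = bool(flags & 0x80), bool(flags & 0x40)
    return {"client_id": client_id.decode("utf-8", "replace"),
            "has_user": has_user, "has_password": has_password}

def audit_connect(packet, over_tls):
    """Return findings; over_tls is supplied by the caller (e.g. by listener)."""
    info = parse_connect(packet)
    findings = [] if info["has_user"] else ["no-credentials"]
    if not over_tls:
        findings.append("cleartext-password" if info["has_password"] else "cleartext-session")
    return findings
```

Run over CONNECT packets seen at a broker you operate, an empty result means the client authenticated over an encrypted listener; anything else is a device or configuration to follow up on.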
The key to securing IoT deployments is knowledge: knowledge of what is actually deployed in the IoT network, knowledge of what those devices are doing on the networks, and knowledge of the data flowing back and forth between local devices and the cloud systems they depend on for data analysis and control.