
M2M FEATURE NEWS

How Safe Are You in the IoT?

By Ken Briodagh March 16, 2015

The IoT is not a safe place. It’s exciting, and growing and perhaps the most important area of technological innovation currently developing, but one thing it isn’t is safe. And that’s a problem, because the primary function of most M2M devices for the foreseeable future is data collection. And that data is very useful to companies, sure. And also criminals.

In a recent study, security giant Symantec analyzed 50 smart home devices and discovered that many of them suffer from basic security and privacy faults. This is common stuff that we long ago learned to protect ourselves from on the wider Internet, but haven’t gotten around to on the IoT. Symantec evaluated smart thermostats, locks, light bulbs, smoke detectors, energy management devices and hubs and found that they frequently suffered from many of the same weaknesses. None of the devices it looked at used mutual authentication or enforced strong passwords. What’s worse, some prevented strong authentication altogether by restricting users to a simple four-digit PIN. Combined with no support for two-factor authentication and no mitigation of brute-force attacks, that’s a pretty good recipe for failure. Online, in a survey of 15 different cloud interfaces, Symantec found 10 different vulnerabilities related to path traversal, unrestricted file uploading, remote file inclusion, and SQL injection. One of the affected devices was a smart door lock, which, as a result of the improper security, could be opened remotely over the internet without even knowing the password.
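The four-digit PIN finding above comes down to two missing controls: a cap on consecutive failed attempts and a lockout that grows with each failure. The Go program below is an added illustration, not code from Symantec or from any of the tested devices; the enrolled PIN, the failure cap and the backoff schedule are constructed values, and the clock is injected so the lockout can be exercised without sleeping.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"time"
)

// PinGuard wraps a PIN check with the two controls the article says the
// tested devices lacked: a cap on consecutive failures and a lockout that
// grows with each failure. Limits and the demo PIN are constructed values.
type PinGuard struct {
	pinHash     [32]byte         // SHA-256 of the enrolled PIN (demo only; a real device would use a salted, slow KDF)
	failures    int              // consecutive failed attempts
	lockedUntil time.Time        // no attempt is evaluated before this instant
	maxFailures int              // failures before the long lockout kicks in
	now         func() time.Time // injectable clock so the behaviour can be tested without sleeping
}

// NewPinGuard enrols a PIN. now lets the caller supply a clock (time.Now in production).
func NewPinGuard(pin string, now func() time.Time) *PinGuard {
	return &PinGuard{pinHash: sha256.Sum256([]byte(pin)), maxFailures: 5, now: now}
}

// RemainingLockout reports how long attempts will keep being refused (zero if unlocked).
func (g *PinGuard) RemainingLockout() time.Duration {
	if d := g.lockedUntil.Sub(g.now()); d > 0 {
		return d
	}
	return 0
}

// Check evaluates one attempt. During a lockout even the correct PIN is refused,
// which is what denies an online guesser the 10,000-try sweep a 4-digit PIN invites.
func (g *PinGuard) Check(attempt string) (bool, error) {
	if d := g.RemainingLockout(); d > 0 {
		return false, fmt.Errorf("locked, retry in %s", d)
	}
	h := sha256.Sum256([]byte(attempt))
	if subtle.ConstantTimeCompare(h[:], g.pinHash[:]) == 1 {
		g.failures = 0
		return true, nil
	}
	g.failures++
	// Exponential backoff: 1s, 2s, 4s, 8s, then a one-hour lockout at the cap.
	delay := time.Second << uint(g.failures-1)
	if g.failures >= g.maxFailures {
		delay = time.Hour
	}
	g.lockedUntil = g.now().Add(delay)
	return false, fmt.Errorf("wrong PIN (failure %d), retry in %s", g.failures, delay)
}

func main() {
	// Simulated clock: advance it by hand instead of sleeping.
	clock := time.Date(2015, 3, 16, 9, 0, 0, 0, time.UTC)
	g := NewPinGuard("4821", func() time.Time { return clock })
	for _, guess := range []string{"0000", "4821", "0001"} {
		ok, err := g.Check(guess)
		fmt.Printf("guess %s -> ok=%v err=%v\n", guess, ok, err)
	}
	clock = clock.Add(5 * time.Second)
	ok, err := g.Check("4821")
	fmt.Printf("after waiting -> ok=%v err=%v\n", ok, err)
}
```

The point of refusing even the correct PIN during a lockout is that the attacker cannot tell a lockout refusal from a wrong guess, and the backoff makes a full sweep of the keyspace take far longer than the device's owner would fail to notice; in production the failure counter would also have to survive a power cycle, or an attacker could simply reboot the device to reset it.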

If an attacker could get into a home Wi-Fi network, which is not difficult at all, he could do even more damage. Some devices locally transmit passwords in clear text or don’t use any authentication, so hackers can use stolen credentials to take over devices completely.

In 2014, HP did a similar study to Symantec’s, analyzing IoT devices from manufacturers of TVs, webcams, home thermostats, remote power outlets, sprinkler controllers, hubs for controlling multiple devices, door locks, home alarms, scales, and garage door openers. A majority of the devices HP tested included some form of cloud service, and all of them included mobile applications that can be used to access or control the devices remotely. And the results? Eighty percent of the devices raised privacy concerns, six out of 10 that provided user interfaces were vulnerable to a range of attacks, 90 percent used an unencrypted network service, and 70 percent of the tested devices, along with their cloud and mobile application components, failed to require passwords of sufficient complexity and length.

The dangers to homes are real, but not the most worrying. In a March 12 Wired article by Klint Finley, he spoke to Ken Westin, a security analyst at software company TripWire. Finley wrote that the scary vulnerability is in “…those cloud servers with vast databases of personal information gathered from all those connected devices. Today hackers often sell databases full of stolen credit card numbers, social security numbers and passwords. In the future, these databases could include even more personal information gathered from sensors and connected devices.”

Now, we’re really going to keep you up at night. Meet SHODAN. SHODAN is a search engine that lets you find specific computers, routers and servers using a variety of filters. It scans the Internet looking for unsecured, connected devices, many of which are programmed to answer. Included in the 1.5 billion-strong database are cars, heart monitors, baby monitors, power plants, traffic lights and building HVAC systems. All vulnerable. A searcher can get 10 results for free, but 10,000 for $20. If you want the whole database, it’ll cost just five figures. Maybe cover your webcam tonight, folks.

And the experts know trouble’s coming. GlobalSign, an identity services vendor for online transactions, surveyed senior IT decision makers in both the U.S. and the United Kingdom in late January 2015 and found that they are very concerned about how they will handle access in the IoT. About two-thirds of IT executives surveyed in the U.S. said identity and network access were a matter of extreme or strong concern.

The British government was so concerned about the coming risks that its Home Office has published a guide designed to teach concerned U.K. residents how to stay safe. Blimey.

Solutions
All is, of course, not lost. One avenue of hope is the gaining momentum behind the movement for a standard set of regulations. On March 3, the National Institute of Standards and Technology (NIST) released a draft of its proposed regulations, asking for public and industry review and comment. The NIST hopes that this “Framework for Cyber-Physical Systems” will set the standard that will allow the building of a massive, but safer, IoT infrastructure. Read the full report for yourselves, but its goals are ambitious: to integrate the needs of cybersecurity and privacy, data interoperability and reference architecture creators in order to develop a unifying framework. We said it was ambitious. This is just the latest, albeit tentative, step toward legislation designed to make M2M more secure. Earlier this year, the FTC issued a report providing guidance for the industry on privacy, security, and consumer protection principles and the Senate Committee on Commerce, Science, and Transportation convened its first hearing on the subject in February.

The private sector is moving, too. TrapX Security Labs on March 6 released a report called “The Internet of Things - The Hidden Danger Exposed,” breaking down the widely reported Nest hack, and issued a series of recommendations for companies investing in M2M and IoT infrastructure and solutions.

  • Do a design review on all components. This, TrapX admits, will be a pain, but it is necessary.
  • Design and evaluate a strategy to rapidly integrate and deploy software and hardware patches through the end-user supply chain. If at all possible, do not allow any of your devices to be bootable from a USB port.
  • Sign the software to validate its authenticity.
  • Run security tests to discover vulnerabilities. You should probably use an outside security penetration firm for this.
  • Implement firewalls to resist hacker attacks and only allow specified IP addresses in or out.
  • Protect the project management interface from attackers and only allow limited access to the management server.
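The “sign the software” item in the list above, worked through as an added example that is not TrapX’s code or any vendor’s real update format: the release side signs a constructed image layout (magic, version, length, payload) with Go’s standard-library Ed25519, and the device side, holding only the public key, refuses a tampered image, an image signed with a foreign key, and a validly signed but older image. The image layout, the minimum-version rollback rule and the demo key pair are assumptions for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Image layout used by this example (a constructed format, not any vendor's):
//   magic "FWv1" (4) | version uint32 BE (4) | payload length uint32 BE (4) | payload | Ed25519 signature (64)
// The signature covers the header and payload, so version and length are authenticated too.
const magic = "FWv1"

// BuildImage is what the vendor's release pipeline would run with the private key.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	hdr := make([]byte, 12)
	copy(hdr, magic)
	binary.BigEndian.PutUint32(hdr[4:], version)
	binary.BigEndian.PutUint32(hdr[8:], uint32(len(payload)))
	body := append(hdr, payload...)
	// Sign a SHA-256 digest so a bootloader can hash the image as it streams in.
	digest := sha256.Sum256(body)
	return append(body, ed25519.Sign(priv, digest[:])...)
}

// VerifyImage is what the device runs before flashing, holding only the public key.
// It rejects malformed images, bad signatures, and any version below minVersion
// (a signed-but-old image is still a downgrade if rollback is not refused).
func VerifyImage(pub ed25519.PublicKey, img []byte, minVersion uint32) (uint32, []byte, error) {
	if len(img) < 12+ed25519.SignatureSize || string(img[:4]) != magic {
		return 0, nil, errors.New("malformed image")
	}
	version := binary.BigEndian.Uint32(img[4:8])
	declared := binary.BigEndian.Uint32(img[8:12])
	bodyEnd := len(img) - ed25519.SignatureSize
	if int(declared) != bodyEnd-12 {
		return 0, nil, errors.New("length field does not match image size")
	}
	body, sig := img[:bodyEnd], img[bodyEnd:]
	digest := sha256.Sum256(body)
	if !ed25519.Verify(pub, digest[:], sig) {
		return 0, nil, errors.New("signature verification failed")
	}
	if version < minVersion {
		return 0, nil, fmt.Errorf("version %d is below minimum %d: rollback refused", version, minVersion)
	}
	return version, body[12:], nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // demo key pair; a real signing key lives in an HSM
	if err != nil {
		panic(err)
	}
	img := BuildImage(priv, 7, []byte("constructed firmware payload"))
	if v, p, err := VerifyImage(pub, img, 5); err == nil {
		fmt.Printf("accepted version %d, %d payload bytes\n", v, len(p))
	}
	tampered := append([]byte(nil), img...)
	tampered[15] ^= 0x01 // flip one payload byte
	_, _, err = VerifyImage(pub, tampered, 5)
	fmt.Println("tampered image:", err)
	_, _, err = VerifyImage(pub, img, 8)
	fmt.Println("old image with minVersion 8:", err)
}
```

Two design points matter more than the crypto call itself: the header is inside the signed region, so an attacker cannot relabel an old image with a new version number, and the device keeps a minimum acceptable version so that a signed image from last year cannot be replayed to reintroduce a patched flaw. The verification key must itself be protected from replacement, which is where a hardware root of trust or a signed bootloader comes in.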

The best available strategy is to think about security before you get into deployment. Retrofitting is much more time consuming and costly. There have, as yet, been very few hacks of M2M devices, and none seem to be widespread, but the day is coming when the allure of all that granular consumer data will be too much for the black hats to resist, and you don’t want to be the one who forgot to guard the store.

For more insight into IoT security concerns, check out our webinar on Wednesday, March 18 "Securing the Internet of Things: an Impossible Task?"
