Internet of Things creates new set of security headaches

News by Steve Gold

New research claims to show that the Internet of Things (IOT) is riddled with potential security inconsistencies, which make the IP interconnection of electrical devices - a key feature of the IoT - extraordinarily difficult to secure in practice.

According to HP's Fortify security operation, 70 percent of common IoT devices feature vulnerabilities, inadequate passwords or encryption, or lax access restrictions.

The report is one of the first to attempt to analyse the security risks associated with the interconnection of a wide variety of electrical devices, drawing on resources such as the OWASP Internet of Things Top 10 list.

According to the study, few revolutionary technologies have created new value pools, displaced incumbents, changed lives, liquefied industries, and made a trillion dollar economic impact.

"That is, until the Internet of Things (IoT) sprang to life. Today, the next big thing is embedding sensors, actuators and traditional low-power Systems on Chips (SoCs) into physical objects to link them to the digital world," the report notes.

For its review, HP Fortify reviewed ten of the most popular devices in some of the most common IoT niches, revealing a high average number of vulnerabilities per device. Vulnerabilities ranged from Heartbleed, through Denial of Service to weak passwords to cross-site scripting issues.

Devices from manufacturers of TVs, webcams, home thermostats, remote power outlets, sprinkler controllers, hubs for controlling multiple devices, door locks, home alarms, scales and garage door openers were reviewed - and the majority of devices were found to include some form of cloud service, as well as mobile applications which can be used to access or control the devices remotely.

Six of the ten devices tested displayed security concerns with their web interface, including persistent cross-site scripting, poor session management and weak default credentials.

The report concluded that, the world of interconnected smart devices is here, albeit it is its early stages, but notes that there is still time to secure devices before consumers are at risk, recommending three main issues that developers need to address:

Conduct a security review of your device and all associated components

Implement security standards that all devices must meet before production

Ensure security is a consideration throughout the product lifecycle

According to Phil Turtle, chief communications officer with the Data Centre Alliance, Gartner has predicted that there will be 26 billion IoT-enabled devices by 2020, whilst ABI puts the number of WiFi-connected devices by the end of the decade at 30 billion,

The vast increase of device numbers, he told, will have a major effect on the demand for data centres in the near future, and that existing units will need to become more efficient, as well as secure. 

"The security concerns voiced by HP are very worrying and clearly need to be addressed before we sleepwalk into problems in the near future," he explained.

Bob Tarzey, an analyst and director with Quocirca, said that the best approach to making the IoT less vulnerable is to restrict the functionality of connected devices and the data stored on them.

"Of course, basic security should be built into every device and vulnerabilities should be checked for. However, there is no need for a TV to store your date of birth or health info, if it does not, then such data cannot be stolen directly from the device," he said.

"If devices are restricted with regard to the information they can send and receive, then they will be of little use as part of botnets  - which already seems to have happened in some cases - or as an entry point to other computers in the home. Techniques like application white-listing and isolation make sense for IoT devices which need to be locked down and capable of completing only a subset of relevant tasks," he added.

Mark Sparshott, EMEA director with Proofpoint, said that in January of this year, his firm discovered hacked Internet connected home devices being enrolled into botnets and used to distribute spam and malicious emails.

Given the explosive growth in IoT devices, he said that Proofpoint believes that the IoT will be the next industrial revolution for cyber-criminals bringing about technological, socio-economic, and cultural changes which deeply concern forward thinking security professionals.

"An almost endless supply of new IP addresses will make the traditional IP reputation systems that many security vendors still rely on, extinct." he said, adding that future IoT botnets will be 100s or 1,000s of times larger exponentially increasing the rotation available.

"It is conceivable that a future IoT bot could send just one phish and never appear on any reputation block list. The IoT and the increasing use of zero-day threats to bypass signature-based security systems means that enterprise security strategies have to evolve to leverage cloud-based dynamic sandboxing and malware analysis as well as focus on reducing the time to remediate the inevitable breach through automated security response," he explained.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews