IoT Insecurity: Pinpointing The Problems

It’s a coin toss whether or not that Internet of Things device you depend on is secure. Those unacceptable 50/50 odds come from a survey by IOActive where technology professionals were asked about the security of connected devices from thermostats, security cameras to alarm systems.

Those numbers may be hard to swallow, but recent headlines concerning connected devices, sensors and controls – ranging from SCADA, IoT and M2M – suggests that what might seem like chicken-little opinions about IoT security may not be too far from the reality.

A study by HP’s security unit Fortify found that 70 percent of popular consumer IoT devices are easily hackable. When Kaspersky Lab examined industrial controls systems exposed to the Shodan search engine it found seven percent of 172,982 ICS components vulnerable to attack had “critical” issues.

“On the IoT continuum we are about 15 percent in,” said Chris Poulin, research strategist, IBM X-Force Security. “A common refrain from the business is ‘I don’t know what I don’t know’ when it comes to IoT security. The industry is evolving. To some extent we are just trying to figure out what’s a real threat and what is fear, uncertainty, and doubt.”

Experts however do find consensus on common IoT security issues centered around lack of standards and protocols, an inability to update device firmware, and lack of security when it comes to data transport encryption and secure web interfaces.

Can’t Update

The problem is we are rushing to deploy insecure products to support business needs, and then deciding that we need security, said Christopher Conrad, practice manager, critical infrastructure at NSS Labs. “These products should have the security baked in, not bolted on,” Conrad said.

Some of the simplest IoT devices (or machine-to-machine) devices lack adequate processing power and storage to host endpoint security software. They are real-time OS’s which do not offer support for a wide variety of endpoint protection products.

The list of IoT products without the ability to have firmware updated with security protection is long. Recent headlines bear that out and range from malware vulnerabilities found on EZCast media streamers, CCTV cameras enlisted for DDoS attacks and web-based SCADA systems vulnerable to man-in-the-middle attacks.

In May, ICS-CERT warned that an industrial IoT device made by Environmental Systems Corporation (ESC) used by the energy sector for environmental monitoring was vulnerable to attacks (CVE-2016-4501 and CVE-2016-4502). Worse, it said that security vulnerabilities couldn’t be fixed because they lacked the ability to be updated.

The vulnerabilities, found by security researcher Maxim Rupp, were tied to ESC’s 8832 Data Controller, a device that “has no available code space to make any additional security patches; so, a firmware update is not possible,” according to ICS-CERT.

IoT security challenges include a lack of industry long-term support and a patching solution for internet-connected devices that need to be updated and maintained for years to come. Example: How long does Samsung support its IoT smart fridge with security updates?

Internet Connected and Insecure

The IoT fridge threat is not theoretical. In fact, it was last year when researchers uncovered a flaw in Samsung’s RF28HMELBSR smart fridge that attackers could exploit to carry out a man-in-the-middle (MitM) attack and access homeowner credentials used for the social media accounts accessible via the fridge’s touchscreen display.

The vulnerability was tied to Samsung’s implementation of SSL, used to secure the refrigerator’s Wi-Fi enabled touchscreen control panel used for web browsing and app access. It turned out the smart fridge failed to validate SSL certificates, giving attackers the ability to pull off a MitM attack.

Lack of encryption was to blame for IoT features that went awry in Nissan Leaf automobiles earlier this year. It allowed hackers to remotely access the car’s climate controls, battery status and GPS logs which included dates, times and distances the car traveled.

Researcher Troy Hunt blamed insecure APIs used by Nissan for the automobile’s vulnerability. He found that APIs on the server that the Leaf’s smartphone app NissanConnect EV connected to were not authenticating the user. That allowed anyone who had the VIN number of a Nissan Leaf to use the app to anonymously send requests for a specific Leaf to turn on its climate control.

HP’s Fortify estimates three-quarters of IoT devices do not encrypt communications to the internet and local network. As part of the study it also tested device web interfaces. In those tests it found six of the ten IoT devices it tested had cross-site scripting issues, poor session management and weak default credentials.

IoT Research

“In the rush to connect everything to the internet, no one has stopped to think if it should be connected to the internet. Security is taking a backseat to convenience and ease of access,” Conrad said. Does it make sense to be able to check your Gmail account on your fridge? Or does a building’s HVAC system really need to be linked to the internet?

Without proper investment in secure protocols, website interfaces, and APIs, the risks associated with IoT seldom outweigh the benefits.

Lack of Standards

Few industries stand to be impacted more than healthcare when it comes to connected devices. Mobile medical applications or wearable devices allow patient data to be collected. Health events can be captured or monitored and data connected to a private or public cloud.

But as more as more healthcare devices become network-aware, it becomes challenging for IoT companies to agree on common interoperability protocols and standards for sharing and protecting data, and for the hardware sensors that collect that data.

For example, if an IoT arterial blood gas monitor is infected with malware and being used for data exfiltration of patient records and can’t communicate with systems to warn of an impending patient health event, what’s the point of it being network connected?

Security experts compare the lack of standards to the wild days of the web of the ’90s. Today competing standards, vendor lock-in, proprietary devices and private networks make it hard for devices to share a common security protocol.

To that end, healthcare is a microcosm of the larger security challenges that face IoT. A lack of loyalty to one IoT common standard for connected devices in other business environments is one of a number of barriers that is holding back mass adoption broad IoT security protection, say security experts.

That’s not to say there aren’t IoT standardization efforts afoot. Samsung, Intel and Cisco back the Open Interconnect Consortium. There is the Linux Foundation’s AllSeen Alliance backed by the likes of LG, Microsoft and Qualcomm; the Google-sponsored Thread Group alliance, a U.K.-based Hypercat standard and another IoT protocol named Zigbee.

European carrier Orange, solution provider Atos and Telefonica said they are collaborating to create Fiware, an IoT platform for creating smart cities. The Wireless IoT Forum (WIoTF) says it aims to drive the standardization and deployment of connected devices.

There are even more unifying efforts in the works that are industry specific. But even if a common networking protocol can be agreed upon, experts say, there’s also the battle of software standards to contend with.

Gartner argues it’s the sheer number of IoT use cases that contribute to a wildly divergent number of approaches to solve IoT problems, which creates interoperability challenges and, ultimately, security gaps.



Threat Post