IoT devices make up 30% of all network-connected endpoints (not including mobile devices), making many companies the primary targets for cybercriminals.
IoT vulnerabilities provide cybercriminals with a baseline to bypass firewalls, gain access to private networks, and steal sensitive information as it travels across connected device environments. The risk involved with these compromised devices also allows cyber-attacks to spread to other networked systems.
OWASP Top 10 IoT outlines ten vulnerabilities that have caused the most impact and damage in the design, implementation, and handling of IoT systems over the last few years.
This blog further examines each vulnerability’s details, how to protect your company, your employees, and your customers from the potential threats and risks involved.
Table of contents
Lack of a Secure Update Mechanism
“Lack of ability to securely update the device. This includes lack of firmware validation on device, lack of secure delivery (un-encrypted in transit), lack of anti-rollback mechanisms, and lack of notifications of security changes due to updates.”
It is necessary to consider how these updates will take place and how to make them more secure. For example, when designing a device like a smartwatch or a sensor, you’ll need to consider building in an update mechanism for timely updates.
Companies often struggle to keep their IoT systems up-to-date because many device manufacturers rarely provide updated security patches. Some devices may have reached the end of life date, while others never offered the ability to update in the first place.
The ability of the device to receive Over-the-Air (OTA) updates is critical to addressing this vulnerability. OTA updates allow you to update your latest hardware, software, and firmware security patches over a wireless network, including 2G, 3G, 4G, 5G, Wi-FI, and CDMA connections.
Regular updates minimize the number of attack vectors in operating systems, firmware, and applications.
If updates are available, some devices may not notify the user that an update is available. Conversely, while other devices might install updates automatically, it may require a hardware reboot before the update takes effect. This reboot leaves systems vulnerable and unavailable while applying the update.
It is essential to check each update’s origin and integrity and only use legitimate vendors’ legitimate applications.
Some available update mechanisms lack integrity guarantees, making them vulnerable to MITM attacks and modification attacks. The IoT device can also use machine-to-machine authentication methods to authenticate an upgrade server before downloading a new firmware image, adding a layer of protection.
This ensures device updates come from only the device OEM or another trusted source.
Implementing X.509 digital certificates with OTA updates ensures an unchanged update from the verified source. By using the secure boot, the cryptographically secure hash validation ensures integrity by checking the patch before storing it on the device.
Lack of Device Management
“Lack of security support on devices deployed in production, including asset management, update management, secure decommissioning, systems monitoring, and response capabilities.”
One of IoT’s most significant safety risks and challenges is managing all of our devices and closing the perimeter.
However, rogue devices or counterfeit malicious IoT devices are installed in secure networks without authorization. A rogue device replaces or integrates the original device as a group member to collect or alter sensitive information. These devices are breaking the perimeter of the network.
Device management is like other IT asset management systems: the primary concerns are the provisioning, operation, and updating of devices. These concerns apply to all devices, including gateways.
The discovery and identification of IoT devices is a necessary first step in the monitoring and protection of these devices. Large IoT networks, comprising many almost identical devices, are attractive targets for cyber attackers.
However, it is costly and slow to recover from compromises by conventional means, primarily if they distribute the devices over a large geographical area where network administrators or operators would have to travel to the devices to recover them manually.
An outdated, static inventory of IoT assets controls the box but is far from efficient security management. Identification of devices using traditional features of IT devices, such as IP addresses and underlying operating systems, does not work for IoT. Only by identifying a specific device can an organization accurately plan its network access requirements, deployment tactics, security strategy optimization, and operational plans.
Once device identities are determined, security systems can track device behavior in an organization’s workflow context rather than view it as dynamic IP addresses of an unknown device type.
IoT security solutions enable organizations to discover and identify IoT devices on their networks. Despite the significant growth in the number of IoT assets, most organizations are unaware of device vulnerabilities and do not manage their safety postures or risk profiles.
Intelligent device scanning and profiling allow IT security teams to have visibility of their networked IoT devices, their risk profiles, and their network behavior when interacting with other devices on the network. Today’s most advanced IoT security solutions use machine learning to identify IoT devices that have never been seen before and to recognize malicious network communication patterns before they cause damage.
Insecure Data Transfer and Storage
“Lack of encryption or access control of sensitive data anywhere within the ecosystem, including at rest, in transit, or during processing.”
The network and communication layers play a central role in all IoT applications and implementations, facilitating sharing information between different layers and generating value through real-time interaction between IoT devices.
One of IoT applications’ key features is transferring information between IoT devices, networks, networks and networks, and high-level information processing infrastructures (e.g., clouds, data centers, etc.).
However, the potential for compromising data collected by a smart device moving across the network, or storing in a new location, is increasing. For example, MITM attacks exploit poor key exchange practices and allow a malicious device to intercept all information passed through the ecosystem.
Most IT teams design their network dynamically on-board IT devices using network access control protocol but do not extend this capability to IoT assets.
As cloud-based communications and data storage continues to grow, more data is flowing to cloud and IoT computers. Customers expect their data to be secure during transit.
Today, IoT data transfer and storage best practices call for secure public-key cryptography via the DTLS protocol for encrypted IoT device communication across public networks. Public Key Cryptography is a robust encryption method that relies on private and public encryption keys rather than hard-coded secrets.
Several IoT security solutions offer integration with DTLS, PKI, and next-generation hardware security to manage device identities, permissions, and risk profiles.
Data-in-motion communication security is achieved by a chain of trust model used in the typical PKI. PKI certificates have the most common encryption and authentication and are most commonly used in the HTTPS Internet Protocol.
The certificate authority that certifies the complete validation of the certified party’s identity shall issue each digital certificate. Data tokenization can protect sensitive encrypted data that only authorized devices can decode.
Weak, Guessable, or Default Passwords
“Use of easily brute-forced, publicly available, or unchangeable credentials, including backdoors in firmware or client software that grants unauthorized access to deployed systems.”
A common and pervasive vulnerability in IoT systems today stems from weak or unchanged default passwords. Poor management of device credentials places IoT devices at greater risk of becoming targets of a brute force attack.
Inconsistent management practices allow for password-oriented attacks. For example, your employees’ passwords might not align with your IT’s more advanced password management policies.
In 2018, California’s SB-327 IoT law passed to prohibit the use of default certificates. This law finally aims to solve the use of weak password vulnerabilities.
Until IoT manufacturers fully realize the need for these changes, IoT‘s security equipment rests with users, IoT service providers, and IT services.
The immediate step to securing these systems is for IT administrators to set up new login policies that require users and administrators to change default device passwords. This policy means adding layers of special and complex character combinations before redeploying them to live environments.
Insecure Network Services
“Unnecessary or unsafe network services that run on the devices, particularly those that are exposed to the internet, jeopardize the availability of confidentiality, integrity / authenticity of information, and open the risk of unauthorized remote control of IoT devices.”
IoT devices are integrated into the network infrastructure and can transmit, retrieve, and interpret data from linked smart devices, such as smoke alarms, proximity sensors, or optical devices. The system’s communication mechanisms will vary but may include network protocols ranging from BLE and ZigBee to WiFi, cellular data, and Ethernet.
The ability for smart technologies to make choices without human interference makes them unique. This level of device autonomy creates challenges to ensure consumer-grade mobility and interoperability without compromising the safety of IoT devices.
To function correctly, any Internet-connected service requires opening specific ports. Leaving open ports and services that provide access to devices or other machines is a typical security error. A joint study between BitSight and Advisen showed that 60 percent of the breached organizations had ten or more vulnerable, open ports.
Exploited service vulnerabilities in IoT devices may allow for stealthy malware services such as viruses, spyware, ransomware, and Trojans. Cybercriminals may use these open-port services to access sensitive data, listen to private communications, or execute Denial-of-Service (DoS) and Man-in-the-Middle (MITM) attacks.
However, there is a lack of automated security options available to address this network layer vulnerability despite serious security threats. With over 65,000 TCP ports and a corresponding number of UDP ports, there is no simple way to open and close ports.
Port maintenance requires an administrator who knows which ports should remain open to connect essential services to the network. If the port is open and not connected to any crucial network services, the port should be closed immediately.
A small network with relatively few IP addresses should not take a long time to close vulnerable ports. However, monitoring and managing open ports can be time-consuming on enterprise networks with a constant adding new devices.
System administrators must scan and close unneeded open ports and services which exchange information on their networks.
Insecure Ecosystem Interfaces
“Insecure web, backend API, cloud, or mobile interfaces in the ecosystem outside of the device that allows compromise of the device or its related components. Common issues include a lack of authentication/authorization, lacking or weak encryption, and a lack of input and output filtering.”
Many companies often overlook IoT system security policies and procedures when connecting to backend APIs. It is crucial to understand all the devices and sensors in the ecosystem and all the devices that interface.
IoT systems transmit and receive large amounts of information and secure the data transfer between devices/sensors, gateway devices, and back-end databases through REST-based APIs.
Although APIs provide powerful extensibility, these same APIs provide a new entrance for an attacker to connect and access data to your IoT devices. Hackers can breach a router or device’s web interface if not correctly secured. Authentication, encryption, and Public Key Infrastructure (PKI) help ensure APIs communicate only with other pre-validated devices and applications.
Another common problem is routers connected to remote web interfaces, a feature known as remote management or remote management. Administrators can test a router’s availability for remote management by checking the open ports 80 (HTTP) and 443 (HTTPS). This allows them to deactivate this feature safely.
The network that connects IoT devices to back-end systems must also be secure.
Network security is more challenging with IoT applications because of the wide variety of standards, devices, and communication protocols. IoT network security requires close attention during design and deployment.
Developers need to design more secure IoT applications without assuming the devices themselves are protected. Firewalls, anti-virus, and intrusion detection and prevention systems should provide a secure IoT network.
IoT devices must authenticate each other to verify the device’s identity to which they intend to connect. If the machine carries out identity validation on multiple devices, a central certificate authority may be beneficial.
It is also essential for well-trained administrators to regularly update packages and detect and delete outdated services and packages.
Use of Insecure or Outdated Components
“Use of deprecated or insecure software components/libraries that could allow the device to be compromised. This includes insecure customization of operating system platforms, and the use of third-party software or hardware components from a compromised supply chain.”
Potential issues may arise from vulnerabilities in software dependencies or legacy systems.
A significant vulnerability that affects millions of IoT smart devices is the use of outdated or unsecured software, including third-party components, libraries, and frameworks used by manufacturers to build IoT devices. This software is difficult to track and is vulnerable to cyber-attacks if it is not correctly known or managed.
Legacy systems using traditional software update protocols for IoT devices place users’ burden to locate and patch security holes. These protocols run on firewall devices without interacting with other systems or devices. As a result, cybersecurity systems see IoT devices as unknown endpoints; therefore, they do not know its specific device type, risk profile, and expected behavior.
This differs from traditional network-based cybersecurity systems that have visibility across all network-connected endpoints but can not scale well enough to identify, track, and secure IoT enterprise environments.
More robust risk management practices are needed for IoT assets to prevent the execution of these distinct threats. PKI and digital certificates are more critical than ever to secure connections both behind and outside the corporate firewall. Each person, machine, and application must have an identity that can be verified and trusted.
As modern cloud-based security infrastructures replace traditional network perimeters, it is crucial to remain aware of any outdated firmware or software on your legacy security systems.
Insufficient Privacy Protection
“User’s personal information stored on the device or in the ecosystem that is used insecurely, improperly, or without permission.”
When individuals request personal data deletion, the provider must ensure that all third parties delete the data.
Unlike websites, many IoT devices do not provide easy access to view privacy policies. They are often included separately from the device manual. Sometimes they are only available after opening and installing the system, or there may be a notice somewhere in the documentation directing the user to visit the manufacturer’s website.
IoT applications are also vulnerable to data leak vulnerabilities. When researchers analyzed 230 SmartThings applications, they found 138 of the applications exposed at least one piece of sensitive data via the Internet or messaging services. The authors also showed that half of the analyzed applications leak at least three different sensitive data sources, such as device information, device status, user input, Internet, or messaging services.
Insecure Settings by Default
“Devices or systems shipped with insecure default settings or lack the ability to make the system more secure by restricting operators from modifying configurations.”
Device onboard occurs when a new device is added to the restricted IoT ecosystem. Eavesdropping may take place during the onboard step of a new device where the hacker can intercept secret keys that are used to establish communications within a constrained network.
Hackers can start from the deepest layer of the IoT device, the physical motherboard. The hardware debug port or communication port, e.g., JTAG UART, I2C, and SPI, can be found there. From there, they can search for hard-coded passwords, hidden backdoors, and vulnerabilities in their dumped firmware.
To set up applications on devices, review the permissions they require and restrict access to these apps. Settings, credential, firmware versions, and recent patches should be noted. This step can help assess which security measures should be taken by users and identify which devices should be replaced or updated.
Enabling a firewall router, disabling WPS, enabling the WPA2 security protocol, and using a strong Wi-Fi password are just some of these practices. It is also now possible to encrypt all traffic through your ISP by installing Virtual Private Networking (VPN) on your router.
Lack of Physical Hardening
“Lack of physical hardening measures, allowing potential attackers to gain sensitive information that can help in a future remote attack or take local control of the device.”
Because of the ubiquity of IoT computing, devices are usually not kept in a secure location but must be exposed in the field to perform their tasks. In the absence of surveillance, this could easily allow malicious actors to tamper with or access devices.
In particular, IoT devices are vulnerable because they lack the necessary built-in security to counter threats. Unlike our phones, laptops, and personal computers, many IoT devices operate unattended, making it easier for criminals to tamper with the devices and go undetected.
Security protocols protect data while transmitted across networks but do not protect data while stored on the device. Massive data breaches resulted from data recovered from stolen or discarded equipment.
Lack of encryption allows hackers to change each device’s file system. Engineers should have any sensitive data stored on the device.
A significant hardware vulnerability exists in both consumer and industrial control systems with unrestricted access to the universal asynchronous receiver transmitter (UART), allowing them to change the device boot sequences. By modifying the boot sequences, hackers can gain low-level access to the device and extract log-in information.
A single attacker can stop the system’s IT and OT elements from interacting with each other. The jamming and tampering of the physical layer could prevent sensors from detecting risks such as fire, flood, and unexpected motion.
Ensure that the hardware is safe from tampering, physical access, manipulation, and sabotage.
One way to achieve strong IoT hardware security is to store keys in Trusted Platform Modules (TPMs) and Trusted Execution Environments (TEE). TPM is essentially a chip installed on an IoT device near the CPU. It's mainly used for cryptographic operations that create a security key, save it, store data, and other related operations. They can ensure the integrity of the disk encryption and password protection platform.
Make sure you have a strong understanding of each of these IoT vulnerabilities. You may have the proper security tools to monitor your environment, or you need to look into a better way to secure your IoT devices.
Early intrusion detection has always been one of the best ways to avoid the worst security incidents, which remains true in the IoT era.