In July of 2014, HP Labs did a study of 10 popular IoT devices and found security was shockingly bad. The researchers studied 10 devices, looking at end-to-end security capabilities including privacy protection, authorization, encryption, user interface protection, and code security. They found 70% of the devices had at least one major vulnerability. At the end of their study, researchers identified over 250 vulnerabilities, an average of 25 per device. Security was clearly an afterthought or not considered at all. That’s bad enough for an engineer to deal with, but much worse for the unprepared consumer.
An average consumer, or even a security savvy consumer, has little ability to know which brand of IoT device has better security or any at all, leaving the primary responsibility for securing their devices squarely with the OEM. A compromised consumer device may have little impact on the device’s performance and the consumer may not even realize their device was hacked. Should the OEM care?
Absolutely! On the surface, the hacked device may seem benign. But a device, like a smart refrigerator, may reveal WiFi credentials to a hacker giving them a beachhead from which they can then attack other more critical devices on the network. So, it’s about more than just protecting the device itself.
It seems moments after a solution against digital invasion is in place, someone finds a way to circumvent it. Security is in many ways an ongoing, never ending arms race and hackers are adept at finding ways to exploit security vulnerabilities. The key is to add appropriate levels of security making it more expensive for the hacker (in terms of time and computing resources) to exploit a device or system. Hackers usually go after the easy exploits, and avoid the challenges offering little financial or ego benefit.
The first step for the OEM is to evaluate their device’s vulnerabilities, decide what to protect against, and determine how the economics of the device is impacted.
Vulnerabilities in IoT devices
Design vulnerabilities are weaknesses resulting from a failure to include proper security measures when developing the IoT device. Examples of design vulnerabilities in HP’s study include use of hard-coded passwords, control interfaces with no user authentication, and use of communication protocols sending passwords and other sensitive information in the clear. Other, less glaring examples include devices without secure boot or allowing unauthenticated remote firmware updates.
Adding a few basic security capabilities can make IoT devices dramatically more secure, and greatly reduce the risk of falling victim to a cyber-attack including:
- Secure boot
- Secure remote firmware update
- Secure communication
- Data protection
- User authentication
Secure boot utilizes cryptographic code signing techniques ensuring the device only executes code produced by the device OEM or other trusted party. Use of secure boot technology prevents hackers from replacing the firmware with malicious versions, thereby blocking a wide range of attacks.
Secure Firmware Update
Secure firmware updates ensure device firmware can be updated, but only with firmware from the device OEM or other trusted party. Like secure boot, secure firmware updates ensure the device is always running trusted code and blocks any attacks attempting to exploit the device’s firmware update process.
Utilization of security protocols like TLS, DTLS, and IPSec adds authentication and data-in-motion protection to IoT devices. By eliminating sending data in the clear, it is much more difficult for hackers to eavesdrop on communications and discover passwords, device configuration, or other sensitive information.
Security protocols provide protection for data while it is transmitted across networks, but does not protect the data while it is stored on the device. Large data breaches often result from data recovered from stolen or discarded equipment. Encryption of all sensitive data stored on the device provides protection should the device be discarded, stolen, or accessed by an unauthorized party. For instance, most office, business, and personal printers have an integrated drive inside storing tens of thousands of documents.
Weak or non-existent user authentication recently resulted in thousands of IP cameras with well-publicized default passwords being enlisted in a high-profile Denial of Service attack. A strong user authentication method is a clear requirement for device security.
On an individual level, there is less we can do. If a company produces an insecure product the consumer can either live with it or not buy it. For those products with built-in security, users must enable appropriate levels of security, change default passwords, and use strong passwords.
The cameras used as bots in the Mirai botnet infestation could have been protected from attack. Secure boot, firewall, or intrusion detection each could have individually avoided the takeover of the cameras enabling the attack. These have the benefit of not requiring the user to remember passwords or unique logins. For as little as 1% of the price for the device, this public disaster could have been avoided.
Security is a requirement for all consumer IoT devices, no matter how small or seemingly insignificant. By adding a few basic capabilities, the security of any device can be significantly increased. These solutions, including Icon Labs Floodgate Security Framework, are effective in blocking cyber-attacks and can be utilized in very resource limited IoT devices.
The views and opinions expressed in this article are those of the authors and do not necessarily reflect the official policy or position of the IoT Security Foundation.