When directed to manage an IoT device or router using a browser, all communications – including passwords – are typically passed over an unencrypted connection.
Whitepaper Published by IoT Security Foundation
Release Date: August 04, 2021
The Internet of Things Security Foundation (IoTSF) has published a whitepaper today titled: “Router and IoT Vulnerabilities: Insecure by Design”.
This Whitepaper seeks to raise awareness of a fundamental design flaw that has received little attention to date and yet affects many IoT devices and standard Internet routers.
Typically, when a user wants to provision or manage an IoT device or router using a browser, their user name, password and all communications are passed over an unencrypted connection. This is a very serious problem; it is pervasive, affecting most domestic installations, and it represents a huge security exposure, leaking both passwords and activity to anyone who is listening.
This problem cannot be mitigated by implementing cybersecurity best practice as it is due to a fundamental design flaw.
About the Whitepaper
The whitepaper goes into greater detail about the problem and the design flaw, and explores potential solutions.
Download the Whitepaper for free from the IoT Security Foundation website
The whitepaper is aimed at organisations and professionals from across the Internet of Things (IoT) ecosystem e.g. manufacturers, Internet and communication service providers, standards bodies, government agencies, browser/software/solution companies, Certificate Authorities, IoT industry end users and consultants.
The whitepaper has been produced by IoTSF’s ManySecured Special Interest Group (SIG) which has been formed as part of the ManySecured Project.
The aim of the ManySecured project and SIG is to protect consumers, organisations and industry from the risks posed by IoT devices by utilising the unique position of the IoT gateway/router to implement security best practice through:
- security collaboration: resources, standards and sharing data
- innovation: helping to create reference (Open Source) solution implementations to monitor, detect threats and manage (at scale) IoT networks and devices
This project and the work of the SIG supports IoTSF’s mission to help secure the Internet of Things.
If you would like to learn more and are interested in joining the ManySecured SIG, please contact us: https://manysecured.net/contact/
About the Internet of Things Security Foundation (IoTSF)
The IoTSF is an international, collaborative and vendor-neutral not-for-profit membership association, formed as a response to existing and emerging threats in Internet of Things applications. The mission of IoTSF is to help secure the Internet of Things, in order to aid its adoption and maximize its benefits. To do this, IoTSF will promote knowledge and best practice to those who specify, make and use IoT products and systems.
IoTSF promotes the security values of a security-first approach, fitness for purpose and resilience through operating life. The security values are targeted at those that build, buy and use products and services: Build Secure. Buy Secure. Be Secure.
For more information, news and further announcements, visit the official website at: http://www.iotsecurityfoundation.org
Collaboration is essential to ensure ‘Interoperable Security’; no one company can do it alone. To facilitate this collaboration, the IoT Security Foundation has created the ManySecured Special Interest Working Group (SIG) and we are looking for organisations and professionals from the IoT ecosystem value/supply chain to help:
- Produce Best Practice recommendations in the areas of Gateway Foundations, Secure Comms, Update Management, Network Isolation
- Develop and publish Problem Statements, Whitepapers, Requirements and Solutions
- Define methods and algorithms to monitor, detect threats and suspicious activity in IoT devices and networks
- Share datasets for: test purposes, malware trace data, fingerprints and patterns, sample network traffic of vulnerable and compromised devices
- Create reference (Open Source) solution implementations
- Develop a ManySecured Certification Program
For more information, news and further announcements, visit the official website at: https://manysecured.net/
John Moor, Managing Director of the IoT Security Foundation, said:
“IoT security is a wicked challenge as it has so many variables to consider. The IoT gateway/router offers a unique place to provision network and device security for both legacy and new products and this is why IoTSF has formed a Special Interest Group. The specific issue addressed in this white paper is an important part of delivering better security and could eliminate the need for manufacturers to deploy proprietary product apps.”
Nick Allot, CEO nquiringminds and Co-Chair of the ManySecured SIG, said:
“The Internet of Things sector is growing fast. The potential benefits are enormous; so too are the risks. With this piece of work we are drawing attention to some fundamental security design issues that impact core browser capabilities. Ensuring that browsers can securely interact with IoT and gateway devices is crucial to ensuring the IoT ecosystem is both secure and embodies the open principles of the Internet.”
Jan Geertsma, Whitepaper lead author, Signify, said:
“Within the ManySecured project we are building upon the brilliant initiatives by the CA/Browser Forum, IETF and FIDO. By sharing the experiences and listing the ingredients, we can address pain points and technical complexities. This push will make IoT better, scalable, more secure by default and easier to deploy and use. In the end customers deserve tech that is around them to make lives better. It is exciting to contribute to the security foundation of future generations of IoT devices.”