Many Off-The-Shelf IoT Devices Failing on Security
Wide range of everyday IoT devices are riddled with security flaws, claim researchers
The wealth of IoT devices currently entering homes and businesses poses a genuine security threat, according to Israeli researchers.
The potential scale of the problem is significant, with more than 20 billion devices expected to be connected to the internet by 2020, while IoT technology will be in 95 per cent of new electronic product designs. However, experts have been warning for some time that without improved security levels the tidal wave of appliances could spell real trouble, and result in bigger, more powerful and more resilient botnets such as Mirai.
A research team from Ben Gurion University in Israel investigated a broad range of devices, from security cameras to doorbells, and uncovered a litany of security failures, some very basic indeed. In an article titled “Opening Pandora’s Box: Effective Techniques for Reverse Engineering IoT Devices,” the BGU researchers report that “Some web-connected systems lack even basic security protections such as secure password authentication. As a result, thousands of IoT devices have already been infected with malware and enlisted into malicious botnets and many more are left vulnerable to exploitation.”
Ilia Kolochenko, CEO of High-Tech Bridge and a security expert, commented: “Many manufacturers of IoT devices ignore even the fundamentals of security and privacy. Millions of IoT devices which are designed to process or store confidential, or personal, information do not even have a basic password protection option, or have a hardcoded admin password without the possibility of changing it.
“Web interfaces of IoT devices are riddled with critical vulnerabilities that can be exploited to take over the device. Many of them use an open source software component that has not been updated in years and can be exploited in a fully automated mode in a few seconds.”
The Israeli researchers uncovered some embarrassing lapses in basic security procedures such as password management, with similar products under different brands sharing the same default passwords, which the team were able to hunt down online within 30 minutes, in some cases by simply searching for the brand on Google.
In a deeper analysis, Oren analysed the security level of 16 popular IoT appliances from both high-end and low-end manufacturers, uncovering fault injection-based techniques that bypassed password protection, as well as “several common design flaws which lead to previously unknown vulnerabilities”. The researchers finally “demonstrated the effectiveness of our approach by modifying a laboratory version of the Mirai botnet to automatically include these appliances.” They also found that in some cases devices stored Wi-Fi passwords locally, allowing attackers to compromise the IoT device and then gain access to the network.
A recent Ponemon Institute study found that 94 per cent of risk management professionals believe a security incident resulting from unsecured IoT devices "could be catastrophic."
Kolochenko downplayed some of these fears, pointing out: “However, the CPU capacities of IoT appliances are not comparable to modern user machines, for example. Therefore, IoT will probably not attract too many attackers in the near future. On the other side, if you breach an IoT device, you can use it as long as it is operating, as virtually no one monitors security of installed IoT devices.”
Only weeks ago, the UK government issued non-binding advisory guidelines for manufacturers and service providers working in the IoT space. While some experts criticised the lack of enforcement ability in the guidelines, their publication indicates the recognition that security must be tightened, and that regulators are watching the space closely. “Poorly secured devices threaten individuals’ online security, privacy, safety, and could be exploited as part of large-scale cyber-attacks. Recent high-profile breaches putting people’s data and security at risk include attacks on smart watches, CCTV cameras and children’s dolls”, began the UK government advice.
As ever, following basic security practices such as password hygiene (for both manufacturers and end users), implementing DevSecOps principles and correctly deploying encryption will go a long way to mitigating the threat. However, it is certain that the promise of IoT, as well as the associated security challenges, will not go away overnight...