[BreachExchange] What Makes IoT Security so Tough?

Audrey McNeil audrey at riskbasedsecurity.com
Wed Jun 13 10:01:15 EDT 2018


https://dzone.com/articles/what-makes-iot-security-so-tough

I went to the very first Internet of Things (IoT) meet-up in New York City
five years ago when the term “digital transformation” was just starting to
become a buzz phrase and IoT devices were appearing everywhere. It was then
that I realized the impact all those interconnected “things” would have on
cybersecurity.

Devices before IoT were just that, devices. They ran on code and were made
to serve a specific purpose. It could have been to program your thermostat,
a garage-door-opener, or an EKG machine. Now, all of these devices are
interconnected. If you want your thermostat to change to a warmer setting,
as you pull your car into your garage, that is now possible. All of our
devices are conveniently connected and able to communicate with each other
either via central control systems or with some consumption device like
your phone or tablet. Getting too hot? Just have your thermostat signal
your blinds to close. Or, speak into your phone and have your front door
unlock. Is your washing machine in need of a check-up? It can request
service by itself through an API call.

Realities of Modern Convenience

Sure, we call this modern consumer convenience, but it is also very
convenient for an attacker. As more and more devices are connected, the
attack surface keeps growing and, with it, the potential for
vulnerabilities.

Some consumers may not find this concerning. “What is an attack surface
anyhow?” they might ask. Manufacturers may be more concerned with getting
products out to market before even considering the potential
vulnerabilities that live in their products. Why would someone want to mess
with your thermostat, your blinds, or read your EKG? Whenever we begin to
hear about what it could mean when someone hacks into our devices — maybe
it's your baby monitor that's scaring your family with weird noises and
threats or it's someone that's hacked into and turned off your pacemaker —
we will realize the potential.

Why Is Securing IoT Devices so Different?

So, how is securing these devices different than securing other devices
such as desktops, servers, and cell phones? Attackers hacking into devices
with vulnerable code is not new. So, what is different with IoT and why is
it hard to secure these devices?

There are multiple factors at play here. Let’s look at some of them:

Failing to Completely Understand the Risks

Manufacturers always want to be first to market, launching the latest
device, but failing to understand the true security risks that these
devices may hold. This means that in a race for functionality, some
security defects may be overlooked. Often consumers do not understand the
security risks of these devices and, thus, do not hold the manufacturers
responsible for these risks. I have heard a personal EKG device
manufacturer say “I don’t think anyone would care to hack our device,” and
a potential consumer in the same setting back them up.

When “things” are attacked, it is difficult to detect the attack and
ultimately place responsibility on the manufacturer. After all, if Windows
crashes, resulting in the loss of a day’s work, it is easy to blame it on
Microsoft. However, if a Wi-Fi router is being used by attackers to mine
Bitcoin, it may be using a bit more electricity, but is likely unnoticeable
to a consumer.

Ease of Set-up and Authentication

Deployment of IoT devices has inherited security flaws as well. Typically,
locking down a device by setting a secure password or installing security
keys for communication requires some work on the consumer side. However,
these devices are designed to be installed as easily as possible, with
minimal to no configuration. Unfortunately, this means that default
passwords are hard-coded into the devices, insecure communication protocols
are used, and the most lax permissions are selected.

Lack of Patch Management

Finally, when vulnerabilities are discovered in servers, desktops, or
phones, they are patched. Patches are distributed and installed on the
affected systems. Patch management, however, becomes more difficult in
embedded devices. Here, patching mechanisms either do not exist or are
poorly implemented. Sometimes patching may not even be possible. While you
can update a Windows machine with some downtime for a reboot, rebooting a
pacemaker is probably not in the best interest of the user.

Working Towards Better Secured IoT Devices

These are the most pressing issues in the IoT world: they are lucrative
for attackers and difficult for security practitioners.
Nevertheless, this does not mean that we should just give up. There are
ways of making IoT devices both convenient for the consumer and secure from
attacks. It just requires a little effort and rigor.