While we are getting excited about the Internet of Things (IoT) becoming the future of everything, with all kinds of technology driven services, there has been an uneasy sense of anxiety with the security pros among'st us.
These concerns are many like Data Privacy Issues, Network & Critical Infrastructure Security issues, DDoS attacks, Targeted Attacks on Individuals, etc.
After the recent security incidents related to security of IoT devices, these concerns have bubbled up to the top because attackers have begun to exploit the "sloppy security" in the IoT eco-system!
So what are the reasons why IoT is becoming everybody's favorite target?
Based on what we have been seeing in many cases lately, the following are the top areas within IoT that needs attention:
1. Passwords and Access
The use of weak passwords is a security issue that has repeatedly been seen and exploited in IoT devices. Similarly, traditional security issues like SSL/TLS implementation, Collection & Storage of Private information, insecure web interface, Hardcoded Credentials in Firmware are found on most of the IoT devices. Also loopholes related to hardware hacking like gaining privileged shell access directly from on-board UART must be checked.
2. Huge and Complex Attack Surface
With the exponential growth seen in the number of IoT devices, along with the level of complexity with each device (given the Custom OS, Memory, Hardware, Protocols etc combinations), the attack surface is very large. Whereas the traditional security appliances are designed to handle standard devices, therefore the need for innovative ways to do security management.
3. Lack of Processing Resources
Most of the IoT devices are running on a small embedded system with processing power limited as per the application need. Hence these devices have very limited resources in terms of CPU, and Memory to protect themselves against a large onslaught of requests. Also, security mechanisms seen on traditional OS like DEP, ASLR are difficult to implement on these devices due to the limited resources.
4. Patch Management Issues
With very limited processing resources available, these devices are not designed keeping ease of updates (software and hardware) in mind. Various incidents of IoT devices being vulnerable to decades old exploits in Linux are coming up to the surface. Also, in case of IIoT most of the devices are legacy devices and no proper replica environments are available to test patches before deploying on production environments.
5. Lack of Data Security Standards
Different IoT devices transmit data autonomously among'st themselves, as well as to other devices via various communication channels. Inter-operability is one of the basic pillars of IoT functioning. Therefore data transmitted by a single device may not breach someone’s privacy, but a collection of fragmented data transmitted by various devices on the network can lead to privacy issues.
6. 24*7 Connectivity
Devices which are mission critical are connected and live 24*7, which can be huge boon for a hacker in case of a botnet. These devices could also be target specific and in case of medical applications of IoT it can have dire consequences on an individual or organization.
As we know from past experiences, Security is a moving window - we continuously need to adapt to the threat landscape, and now is the time to take IoT security seriously. We don't want our technology innovations to fail due to a humble security glitch.
Check out other articles related to Digital and IoT Security from our Blog
If you are interested to know more about Aujas and how we can help you with your Digital and IoT Security, Please check out more about our digital security practice here