Lack of Security in IoT Devices Explained. What Can We Do About It?

• IoT security problems are not evident to regular users
• Top ten IoT security issues
• Exploring the most simple solutions

Notions of IoT vulnerabilities can be fuzzy. An infographic from The Open Web Application Security Project (OWASP), however, clearly shows why smart devices are vulnerable and why IoT security should not be taken lightly.

People always hear how unsafe and full of vulnerabilities IoT devices really are, but regular users don't always clearly understand how those problems manifest in their day-to-day lives. Unfortunately for consumers, the vast array of issues goes way beyond vulnerabilities that would let attackers compromise and use IoT devices in DDoS attacks, for example. As is often the case, the online services that accompany these devices are just as vulnerable.

While people can't do much about the quality and features of online services, they can make sure their IoT devices are as secure as possible. Keeping them up to date with the latest patches and firmware is one way, but people should also be paying more attention when choosing their ISP. It turns out that ISPs have a lot of power in this regard, but many don't exert it in any way.

Top 10 IoT security problems:

• Weak, guessable or hardcoded passwords are the bane of IoT security. Many attacks on the infrastructure would not be possible if not for this simple fact. Brute-forcing devices becomes trivial when most of them still have the default user names and passwords.
• Insecure network services are another big issue. Network services running on devices such as Telnet represent a huge security issue that manufacturers don't usually address, and that continues to present significant problems to users and companies alike.
• Insecure ecosystem interfaces: the web, backend API, cloud and mobile interfaces are not always secured, and they often let attackers gain access through vulnerabilities at this level.
• A lack of a secure update mechanism: so many issues are related to this problem that it’s actually difficult to list them all, but they range from missing automatic updates as a feature to missing notifications of security changes.
• The use of insecure or outdated components is a reality, particularly with off-brand devices. Old parts and insecure software components help some manufactures build cheaper IoT devices, but they also bring vulnerabilities to people's homes.
• Companies do little to protect the privacy and data of users, not to mention that some organizations use personal data without the users' consent.
• The lack of encryption or access control to sensitive data, whether on the device itself or in transfer, is a serious security risk that few companies choose to mitigate.
• Another problem is the lack of security support on devices deployed in production, including asset management, update management, secure decommissioning, systems monitoring, and response capabilities.
• Many IoT devices ship with insecure default settings, which then often remain unchanged after the consumers set them up in their homes.
• Finally, the lack of physical hardening is another security issue affecting IoT devices. If devices allow it, either through open ports or physical interfaces, attackers can insert code, dump the memory or even rewrite the firmware.

Fixing IoT security from all directions:

People have to know what the problem is before trying to fix it, and the IoT ecosystem has more than one issue. Consumers can resolve some security concerns, but others could be much better covered by the Internet Service Provider, even if it might not seem like an intuitive solution.

Many Internet users have a router provided by the ISP that, most of the time, serves only one purpose. But the same router could run the Bitdefender IoT Security Platform and provide several protections that would otherwise be impossible for regular users.

For example, one of the security platform features is brute force protection, which is explicitly designed to deal with attackers who attempt to log in by repeatedly entering passwords in an effort to guess the right credentials.

No ISP wants vulnerable devices in its network, so an embedded security platform would protect both the customers and their own hardware. As more and more IoT devices become part of our daily lives, service providers will have to seriously consider providing both security and Internet access in the same package.

[Interested? Get in touch]