Friday, September 20, 2024

Why Do IOT Devices Struggle With Security


The devices that make up the internet of things are widely known to be insecure. There are certainly vendors that offer devices designed with security in mind, but the talk of the town predominantly focuses on those that aren’t secure.

But why does it seem like IoT devices struggle with security? A major contributor to the problem is the limited hardware in many devices: they have only so much computational power, and it has to cover both their primary job and any security functions.

IoT devices tend to be rather small and lack the physical space for hardware that could support security functions on top of their primary functions. Think about it: home assistants and smart thermostats come in sizes rivaling hockey pucks.


A smart appliance is large, but its real estate is still mostly taken up by the appliance part. An automated vacuum splits the difference in size but still needs to dedicate a lot of room to its engine and vacuum bag.

Lacking computational resources for security tools is only one reason for vulnerability, however. A more problematic reason IoT devices lack security is that some vendors decide getting their product to market quickly is much more important than ensuring some form of security keeps their customers’ data safe.

In fact, it isn’t just the customers’ data that’s at risk. It’s also all of the other information on the insecure device’s network. Think of it as the Black Death coming to a small medieval town and infecting the residents who did not sufficiently protect themselves.

And then there is the issue of the startup that made the IoT device you bought going under. It would no longer be able to patch the device to protect it from security risks.

Here’s hoping the device was an impulse purchase that you lose interest in quickly. Remove any information on it that you can, and throw it in the nearest dumpster like it’s a haunted doll one of your kids brought home after finding it in a different dumpster.

So how do you protect yourself?

To start, avoid those impulse purchases and do some research into the device and the vendor who makes and sells it. If they have documentation on how they approach securing their devices, read it. That will be easier if you have technical literacy, which I am sure you do if you are listening to me right now.

If you’re not familiar with the language used in the documentation, use the technique I was taught in college when given hard-to-read academic papers. First read through the whole section you are interested in while noting the terms that confuse you.

Then head to your preferred search engine to find out what those terms mean. Then return to the document with your knowledge.

I understand if you swore to leave homework back in the last school you attended, but this is worth it. F-Secure, a cybersecurity company, released a report in 2019 that showed that attack traffic on its honeypot servers grew from 813 million events in the second half of 2018 to 2.9 billion in the first half of 2019.

2.1 billion of those events were on TCP ports, which the report states are rarely used outside of IoT devices. This shows that IoT devices are being disproportionately targeted. A subsequent report from F-Secure in April 2020 stated attacks on its honeypots decreased to 2.8 billion. Despite the reduction, that is still a massive number of attacks compared to just a year before.

IoT devices are targeted so much because of how easy it is to get access to most of them. The Mirai malware has been around for a few years and continues to be a popular method of hacking into IoT devices. The way it works is that an infected device scans the internet for other connected IoT devices.

From there it enters known default username and password combinations used for IoT devices. A lot of the time it works because those defaults are not changed. Default credentials are typically administrative credentials that are used to access configuration settings for initial setup of a device or account.

Too often, people involved do not think to change them after setup. Default credentials are easy for hackers to guess and may even already be known.

Once the malware creates a large enough botnet, the hacker who has compromised all of those devices can use them to execute a distributed denial of service attack, also known as a DDoS attack. Targeted organizations will have their online services rendered inaccessible.

First, use sufficiently complex passwords. Some password managers can create these for you, or let you know when you have made a good enough password on your own.

A password manager also comes in handy when you have to keep track of each unique password you have for every account. With unique passwords, if one account is hacked into, the hacker cannot use the same password to get into other accounts you have.

This is particularly important with credentials for accessing and controlling IoT devices because it removes a very popular avenue to compromising the device.

To further complicate a hacker’s life, use two-factor authentication to access your IoT devices when possible. Two-factor authentication means that to log in, a user must provide two pieces of proof that it is actually them. A password is usually still used, which is something you know.

Something you have, such as your phone, can also be used in the form of you receiving a single-use code to enter before being logged in. Something you are is a third form of proof, which is seen with biometrics such as your fingerprint.

Two-factor, or more broadly, multi-factor authentication is a key aspect of preventing Mirai malware from infecting a device.

Steps device manufacturers can take include having security functions integrated into the IoT device, regularly updating the software to better protect the device, and utilizing encryption for user data at all times.

Both integrating security functions and regularly patching the device can benefit from a DevSecOps approach. DevSecOps is a form of DevOps, which is the combination of developers and operations personnel at an organization into a series of smaller teams in charge of portions of an application or service.

DevSecOps involves bringing in IT security personnel to the teams.

The IT security personnel are able to inform and work with the developers so security functions can be integrated as code, which also reduces the real estate the security functions take up because the device doesn’t need dedicated security hardware in addition to the hardware running the essential functions.

Keeping the software updates secure is also key

Updates should be encrypted and not sent in plaintext. Additionally, anti-rollback mechanisms should be used. These mechanisms prevent a hacker from reverting a device to an older and less-secure version. Users should also be notified about the update and told why it is important they implement it.
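The anti-rollback check described above, as an added example that is not code from any vendor or from this article's source. It assumes a hypothetical update manifest and version counter, uses an HMAC tag as a stand-in for a real asymmetric vendor signature, and covers authenticity and rollback only, not encryption of the update in transit.

```python
import hashlib
import hmac
import json

# Constructed demo key. A real device would verify an asymmetric signature
# against a vendor public key; HMAC stands in to keep this stdlib-only.
VENDOR_KEY = b"constructed-demo-key-not-for-production"


def _tag(version, digest, key=VENDOR_KEY):
    payload = json.dumps({"version": version, "sha256": digest}, sort_keys=True)
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def sign_manifest(version: int, image: bytes) -> dict:
    """Vendor side: bind the version number to the image digest, then tag both."""
    digest = hashlib.sha256(image).hexdigest()
    return {"version": version, "sha256": digest, "tag": _tag(version, digest)}


class UpdateClient:
    """Device side (hypothetical). min_version models a monotonic counter that
    real hardware keeps in fuses or protected flash so it cannot go down."""

    def __init__(self, installed_version: int):
        self.min_version = installed_version

    def apply_update(self, manifest: dict, image: bytes) -> str:
        version, digest = manifest.get("version"), manifest.get("sha256")
        # 1. Authenticity first: no manifest field is trusted before this.
        expected = _tag(version, digest)
        if not hmac.compare_digest(expected, str(manifest.get("tag", ""))):
            return "rejected: bad tag"
        # 2. The image must be the one the manifest describes.
        if hashlib.sha256(image).hexdigest() != digest:
            return "rejected: image mismatch"
        # 3. Anti-rollback: a genuine but older release is still refused.
        if version <= self.min_version:
            return "rejected: rollback"
        self.min_version = version  # advance only after every check passed
        return "installed"
```

The case that matters is the third check: an old release carries a perfectly valid tag, so authenticity alone would let it through.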

Encrypting data while it is stored, sent, or processed is a basic and necessary component of cybersecurity. Without encryption, once the device’s system is hacked, there is nothing to stand between the hacker and the sensitive information the user has provided and generated.

The supply chain through which the vendor gets its hardware can be a source of issues if the hardware has been compromised before it even gets to whoever is assembling the device’s parts.

All of these threats have existed for some time, and it doesn’t seem like IoT vendors are learning.

For example, issues around sacrificing security to be quick to market, size and power constraints, the channels for commanding and controlling devices, and non-security focused operating systems and firmware are all reported in a survey conducted by the SANS Institute in 2013.

A significant reason current problems are old problems is that the standards bodies and the IoT industry have struggled to standardize pretty much every aspect of IoT technology.

However, some best practices have been put forth from organizations like the National Institute of Standards and Technology, or NIST, as well as the European Union Agency for Cybersecurity.

One of the few governments to pass a law explicitly outlining security requirements for manufacturers of IoT devices is the state of California. The United Kingdom’s government has a Code of Practice for Consumer IoT Security for manufacturers. But it is not a law with mandatory compliance.

What NIST has done is develop six recommendations for IoT device manufacturers as guidance on how the manufacturers can reduce cybersecurity risks. A full rundown of these recommendations can be found in “What are the IoT Security Best Practices.”

The European Union Agency for Cybersecurity published a study in 2017 titled “Baseline Security Recommendations for IoT.” Again, these are more guidelines than actual rules.

The security measures and best practices the study puts forth include device policies, technical measures, and measures for the organization, its people, and the processes they use. The agency emphasizes making security and privacy part of the design process.

The California law deals with information privacy associated with connected devices. In the bill’s language, a connected device is “any device, or other physical object that is capable of connecting to the internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address.”

The law mandates that security features for a connected device must be appropriate to the device and what it does; appropriate to the information the device collects, contains, or transmits; and be designed to protect the device and its information from unauthorized access and interference.

In short, how an IoT device secures the data it works with must fit the kind of data and the device must ensure only authorized entities can access the data.

Compliant vendors will design IoT devices with preprogrammed passwords that are unique to each device or require users to change credentials before they access the device the first time.
