No surprise, IoT devices are insecure

One might assume past mistakes regarding the security of networked devices would be addressed when building the Internet of Things. And one would be wrong.

Image: HP

It appears there is a touch of insanity running in companies designing and building digital devices meant for the Internet of Things (IoT). Security pundits started warning, in earnest, about this during the past year. Case in point, my article: Internet of Things botnet may include TVs and a fridge. It was around then that HP started the OWASP Internet of Things Top 10 Project trying to decide what kind of security developers baked into IoT devices.

As part of the OWASP project, HP's security research group took a long hard look at ten different IoT products. The title of their press release announcing the research says it all: HP Study Reveals 70 Percent of Internet of Things Devices Vulnerable to Attack.

The main thrust of the study was to determine how close real-world devices compared to the guidelines suggested by the OWASP project. To that end, HP researchers, led by account manager Craig Smith, tested ten IoT devices, all meeting the following requirements:

● Some form of cloud service

● One or more mobile applications used to access or control the devices

HP would not go into detail as to the device's make and model. However, the final research report did mention the study included, "IoT devices from manufacturers of TVs, webcams, home thermostats, remote power outlets, sprinkler controllers, hubs for controlling multiple devices, door locks, home alarms, scales, and garage door openers."

What the researchers found

Smith and the researchers found on average 25 weaknesses per device in the following categories:

Privacy concerns: 90 percent of devices collected at least one piece of personal information from the device, the cloud, or the device's mobile app. (OWASP privacy concerns)

Insufficient authorization: 80 percent of the tested devices failed to ask for passwords of sufficient complexity and length. (OWASP insufficient authorization)

Lack of transport encryption: 70 percent of the IoT devices did not use encryption when transmitting sensitive data across the LAN and internet. (OWASP lack of transport encryption)

Insecure web interface: 60 percent of the tested device's web interfaces were vulnerable to cross-site scripting, had poor session management, and weak default credentials. (OWASP insecure web interface)

Insecure software/firmware: 70 percent of the devices with the cloud and mobile app allow attackers to identify users through account enumeration. (OWASP insecure software/firmware)

There is still time

HP concluded their report suggesting there was still time to stop using insecure methodology. HP offered the following as steps that manufacturers should be taking:

● Conduct a security review of your device and all associated components: HP's OWASP website has all the information needed by manufacturers to make sure their devices are secure according to current best practices.

● Implement security standards that all devices must meet before production: HP mentioned that all the security issues they found would be considered "low-hanging fruit," yet easy to remediate at no added inconvenience to the user.

● Ensure that security is a consideration throughout the product lifecycle: This suggestion has been promoted in the industry all along, and is by far the most important.

Three more "not so obvious" concerns

Last January when I was writing my article about the IoT botnet, I ran across a column by Earl Perkins, vice president of research at Gartner. I wasn't sure how to fit his concerns in that article, but it is relevant to what is being discussed in this one. Perkins has three overarching concerns that are being missed. They are:

Concern 1: Perkins wants everyone to realize IoT devices are not like computers. They resemble embedded systems used in factories. Figuring out how to get all the devices to talk and interact in a secure manner is no small feat. Moreover, most current devices have no real method for being updated.

Concern 2: Perkins brings up an interesting point. In many cases, IoT devices are going to be assigned mission-critical tasks. What if bad actors figured out how to create a "denial of power" attack through some manipulation of the device's firmware.

Concern 3: Gartner and others are saying that there will be 26 billion IoT devices by the year 2020. Perkins is wondering if anyone has thought about how all those devices are going to be authenticated or get authorized access? How does one decide which device has access to what network or data? Interesting questions.