Tag Archives: IoT Security

IoT Security Issues Costing Enterprises Millions

One of my favorite quotes from a past life:  There is never time to do it right.  But there is always time to do it again.

IoT is like that.

As businesses rush at breakneck speed to do something cool with IoT, they are repeating past mistakes and not considering security.  Given that the “S”in IoT stands for Secure,  think back to the early days of Windows 95 or maybe even Windows 3.1 .  That is where we are in terms of IoT security.

According to a Digicert report:

Among companies surveyed that are struggling the most with IoT security, 25 percent reported IoT security-related losses of at least $34 million in the last two years.

People who responded to the survey were broken into three categories:

 

  • Top-tier: Enterprises experiencing fewer problems and demonstrating a degree of mastery mitigating specific aspects of IoT security.
  • Middle-tier: Enterprises scoring in the middle range in terms of their IoT security results.
  • Bottom-tier: Enterprises experiencing more problems that were much more likely to report difficulties mastering IoT security.

Every single bottom tier enterprise encountered an IoT security related incident in the last two years.

In general, those bottom tier folks were:

  • More than six times as likely to have experienced IoT-based Denial of Service attacks
  • More than six times as likely to have experienced Unauthorized Access to IoT Devices
  • Nearly six times as likely to have experienced IoT-based Data Breaches
  • 4.5 times as likely to have experienced IoT-based Malware or Ransomware attacks.

The reasons for those $34 million in costs?

  • Monetary damages
  • Lost productivity
  • Legal/compliance penalties
  • Lost reputation
  • Stock price.

So, given this, what should you be doing?

Make sure that any device that you connect is being actively supported by the vendor with security patches and will be for as long as you plan to own the device.

Encrypt all data, but especially sensitive data.

Use micro-segmentation when designing the network.  Isolate IoT devices from each other and from the rest of the network.

Since updates are likely done over the air via WiFi,  make sure that it is done securely.  Aruba, for example, was outed this week for using the same password to update the firmware on every device they shipped of a particular set of models.

Always authenticate actions.  Don’t assume the bad guys won’t find you.

Design to scale up for what you think you might do in the future.  It is much easier to design that way now then redesign it later.

These are just a few things to consider;  there are many more, but do consider the matter before you deploy the devices.

Information for this post came from Help Net Security.

 

 

80% of IoT Apps for Your Phone Contain Vulnerabilities

The Internet of Things is the newest fad.  Today I heard about Internet connected sneakers.  Apparently, you can change the design at will.

Given that and the lack of any liability of the part of the software developer no matter what happens (when was the last time a software developer was sued for writing a buggy app?), there is not a lot of motivation to write good software.

Pradeo labs studied a hundred apps that control everything from your baby monitor to your garage door and found some unsettling but not surprising facts:

  • 80% of the apps had vulnerabilities
  • 15% were vulnerable to being taken over
  • 8% get connected to uncertified networks, including domains that have expired and which could be purchased by hackers
  • 90% (yes, that is not a typo) leak application data such as application content, device information, video, audio and location.

Information from this post came from Pradeo Security.

Given this, what should a user do.

Unfortunately, there is no easy answer.

First, and this one is hard, don’t be the first on your block to install an app.  Let others debug the software.

Second, look for app reviews and especially security info in reviews.

Third, ask the vendor (and not the retailer) about security.  If you get blown off or get some fluffy answer, you get the message – security is irrelevant.

Fourth, make distinctions between apps that secure, say, your house and apps that open the blinds.   You may not care if your blinds are opened accidentally, but you probably care if a hacker unlocks your house or is watching you and your baby.

And last, be willing to forgo the newest gee-whiz app if you don’t have a good feeling about it.

More IoT Webcams Hackable – Trivially

Researchers at Bitdefender say that they have uncovered two vulnerabilities in low cost Chinese cameras.

One of the cameras is used in the iDoorbell – which represents a software supply chain issue on top of it.  The cameras come from Shenzen Neo Electronics.  Researchers suspect that other cameras are affected as well.

Using the search engine Shodan, researchers found over 100,000 vulnerable cameras, but researchers suspect the number is larger because other camera models may be affected.

One of the two exploits doesn’t even require the user to be able to login;  they compromised the login process itself.

The low cost of the camera ($39) means that there are likely a lot of them out there.

The low cost of the camera also probably explains why the manufacturer did not respond to the researchers notification of the problem.

Now that the vulnerability has been disclosed, any hacker that was not aware of the problem before is aware of it now.

Since the vulnerabilities allow a hacker to run arbitrary code, the hacker could compromise any network that the camera is attached to.  That is pretty scary.

There is some hope on the horizon.  Maybe.

Senators Cory Gardner (R-CO) and Mark Warner (D-VA) have introduced a bill that could make things a little bit better.

The bill, IF PASSED AND SIGNED BY THE PRESIDENT, establishes certain requirements for any IoT device that a vendor wants to SELL TO THE FEDERAL GOVERNMENT.  This represents a small but meaningful subset of IoT devices and likely vendors will advertise the fact that they are more secure, which could force those vendors who have not implemented the federal government standard to do so for competitive reasons.  IF the bill passes.

Here are the bill’s requirements as of today:

  • The devices must be patchable (seems logical but have you tried to patch your refrigerator lately).
  • The devices must not contain known vulnerabilities.  That means that the cameras at the beginning of the article could not be sold to the government.  If the vendor identifies vulnerabilities later, they must disclose that to the government, explain why it is still secure and what compensating controls might exist.  After that, the agency’s CIO can issue a waiver. Most likely, CIOs would not want their signature on that waiver unless it was absolutely critical to the agency’s mission.
  • That the devices rely on standard protocols.  No secret, proprietary (and hence untested for security) protocols allowed.
  • Agencies can ask the OMB for a waiver to buy a non compliant device if they can show that there are compensating controls, but who is going to ask for that?  If that device were to be hacked after the fact, there would be hell to pay.
  • The OMB, working with NIST, would be required to create security standards for the government to deploy those devices.  Of course businesses could use those standards too.
  • Agencies could have their own security standards for IoT devices – as long as they were more rigorous than the standard.
  • Vulnerabilities found must be patched or devices replaced in a timely manner (whatever that means – full employment for lawyers, I suppose).
  • It also protects researchers from being prosecuted under the Digital Millennium Copyright Act (DMCA) for hacking into the device to find and report vulnerabilities.

We shall see if the bill gets passed, but it might be and that would be very good.  Stay tuned.  If it does get signed into law, I will let readers know.

Information on this post came from ZDNet and Senator Warner’s web site.