Smart and connected IoT devices introduce several ways of improving processes and productivity. While the benefits of IoT devices can be observed in factories, hospitals, cars, homes and cities, their inherent vulnerabilities do create new security risks and challenges. These vulnerabilities leave networks open to cyberattacks, which can disrupt industries and economies in a dangerous way.
Impact of IoT Device Vulnerabilities
IoT devices are vulnerable mostly because they lack the necessary built-in security controls to defend against threats. The key reason is the constrained environment and the limited computational capacity of these devices. IoT devices are usually low-power devices, and this limits which functions they can execute. As a result, security controls often come up short.
Vulnerabilities in IoT devices may allow cyber criminals to hijack them and launch attacks against critical systems.
Cyber criminals are keen on exploiting known IoT device vulnerabilities and turning the devices into zombies, or IoT botnets. In 2016, the Mirai botnet attack took down high-profile sites and services (following a DDoS campaign) by hijacking thousands of compromised household IoT devices. IoT vulnerabilities are also the root cause of many privacy breaches, entailing huge legislative penalties for the violation of regulations such as the GDPR, CCPA, HIPAA and PCI DSS.
The IoT Cybersecurity Improvement Act of 2020
To address the expanded threat landscape and to limit the exposure of federal agencies and services to the vulnerabilities of IoT devices, the U.S. government signed into law the IoT Cybersecurity Improvement Act of 2020. The Act mandates NIST to create cybersecurity standards for connected devices purchased and used by federal agencies.
According to the Act, NIST will develop and publish “standards and guidelines on the appropriate use and management” of IoT devices “owned or controlled” by federal agencies which are connected to federal networks. These guidelines also include “minimum security requirements for managing cybersecurity risks” inherent in these devices.
Additionally, the Act dictates that federal agencies refrain from “procuring or obtaining, renewing a contract to procure or obtain, or using an IoT device” if the device is not compliant with the guidelines issued by NIST.
In response to the IoT Cybersecurity Improvement Act, NIST released four new publications:
- SP 800-213, IoT Device Cybersecurity Guidance for the Federal Government: Establishing IoT Device Cybersecurity Requirements
- NISTIR 8259B, IoT Non-technical Supporting Capability Core Baseline
- NISTIR 8259C, Creating a Profile Using the IoT Core Baseline and Non-Technical Baseline, and
- NISTIR 8259D, Profile Using the IoT Core Baseline and Non-Technical Baseline for the Federal Government
The objective of these four documents is to establish a common cybersecurity framework between the government and IoT device manufacturers for IoT devices procured and used by federal agencies.
What Are IoT Vulnerabilities?
The Open Web Application Security Project (OWASP), a non-profit foundation for improving software, has published the IoT Top 10 vulnerabilities, which is a great resource for manufacturers and users alike.
1. Weak, Guessable, or Hardcoded Passwords
“Use of easily brute forced, publicly available, or unchangeable credentials, including backdoors in firmware or client software that grants unauthorized access to deployed systems.”
Weak, default, and hardcoded passwords are the easiest way for attackers to compromise IoT devices and launch large-scale botnets and other malware. Managing passwords in a distributed IoT ecosystem is a time-consuming and difficult responsibility, especially since IoT devices are managed over-the-air.
2. Insecure Network Services
“Unneeded or insecure network services running on the device itself, especially those exposed to the internet, that compromise the confidentiality, integrity/authenticity, or availability of information or allow unauthorized remote control.”
Adversaries are seeking to exploit weaknesses in the communication protocols and services running on IoT devices to compromise and breach sensitive or confidential information exchanged between the device and a server. Man-in-the-Middle (MITM) attacks aim to exploit these vulnerabilities in order to capture credentials used to authenticate endpoints and leverage those credentials to launch broader attacks. It is therefore imperative to secure IoT communications with industry best practices.
3. Insecure Ecosystem Interfaces
“Insecure web, backend API, cloud, or mobile interfaces in the ecosystem outside of the device that allows compromise of the device or its related components. Common issues include a lack of authentication/authorization, lacking or weak encryption, and a lack of input and output filtering.”
A strong authentication and authorization mechanism needs to be in place here. Several solutions have been developed to safeguard the identity of IoT devices. With the use of an effective device identity mechanism, whenever a server communicates with an IoT device, the server will be able to differentiate between a valid endpoint and a rogue one by forcing the endpoint to authenticate itself.
4. Lack of Secure Update Mechanism
“Lack of ability to securely update the device. This includes lack of firmware validation on device, lack of secure delivery (un-encrypted in transit), lack of anti-rollback mechanisms, and lack of notifications of security changes due to updates.”
Unauthorized software and firmware updates are a major threat vector for launching attacks against IoT devices. Sectors like healthcare or energy are particularly vulnerable. To secure the firmware and software updates, we need to secure access to the updates and verify the source and the integrity of the updates.
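The checks named above (verify the source and the integrity of an update, and refuse rollbacks), shown as an added Go example that is not part of the original article. The manifest layout, function names and keys are assumptions constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Manifest is a hypothetical update manifest (layout assumed for this example).
type Manifest struct {
	Version   uint32   // monotonically increasing firmware version
	ImageHash [32]byte // SHA-256 of the firmware image
	Signature []byte   // Ed25519 signature over signedBytes(m)
}

// signedBytes is the canonical form the vendor signs: "<version>:<hex hash>".
func signedBytes(m Manifest) []byte {
	return []byte(fmt.Sprintf("%d:%x", m.Version, m.ImageHash))
}

// SignManifest plays the vendor's build server (sample key, not a real one).
func SignManifest(priv ed25519.PrivateKey, version uint32, image []byte) Manifest {
	m := Manifest{Version: version, ImageHash: sha256.Sum256(image)}
	m.Signature = ed25519.Sign(priv, signedBytes(m))
	return m
}

// VerifyUpdate runs on the device: source first, then integrity, then anti-rollback.
func VerifyUpdate(vendorKey ed25519.PublicKey, installed uint32, m Manifest, image []byte) error {
	if !ed25519.Verify(vendorKey, signedBytes(m), m.Signature) {
		return errors.New("manifest signature invalid: not from the vendor key")
	}
	if sha256.Sum256(image) != m.ImageHash {
		return errors.New("image hash mismatch: image altered or corrupted")
	}
	if m.Version <= installed {
		return errors.New("rollback rejected: version not newer than installed")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed sample key pair
	image := []byte("constructed firmware image v7")
	m := SignManifest(priv, 7, image)
	fmt.Println("valid update:  ", VerifyUpdate(pub, 6, m, image))
	fmt.Println("tampered image:", VerifyUpdate(pub, 6, m, append(image, 0)))
	fmt.Println("replayed v7:   ", VerifyUpdate(pub, 7, m, image))
}
```

The signature is checked before any other manifest field is trusted, so an attacker cannot raise the version number or swap the hash without invalidating it.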
5. Use of Insecure or Outdated Components
“Use of deprecated or insecure software components/libraries that could allow the device to be compromised. This includes insecure customization of operating system platforms, and the use of third-party software or hardware components from a compromised supply chain.”
The security of the IoT ecosystem may be compromised by vulnerabilities in software dependencies or legacy systems. The use of open-source components by manufacturers to build their IoT devices creates a complex supply chain that is difficult to track. These components might inherit vulnerabilities known to the attackers, creating an expanded threat landscape waiting to be exploited.
6. Insufficient Privacy Protection
“User’s personal information stored on the device or in the ecosystem that is used insecurely, improperly, or without permission.”
Many deployed IoT devices collect personal data that needs to be securely stored and processed to maintain compliance with the various privacy regulations, such as GDPR or CCPA. This personal data might be anything from medical information to power consumption and driving behavior. Lack of appropriate controls will jeopardize users’ privacy and will have legal consequences.
7. Insecure Data Transfer and Storage
“Lack of encryption or access control of sensitive data anywhere within the ecosystem, including at rest, in transit, or during processing.”
The protection of IoT data—either at rest or in transit—is of great importance to the reliability and integrity of IoT applications. This data is used in automated decision-making processes and controls that can have serious repercussions.
8. Lack of Device Management
“Lack of security support on devices deployed in production, including asset management, update management, secure decommissioning, systems monitoring, and response capabilities.”
One of the most important tasks and one of the most significant security challenges in the IoT ecosystem is managing all devices throughout their lifecycle. If unauthorized devices are introduced in the IoT ecosystem, they will be able to gain access and surveil corporate networks and intercept traffic and information. The key concerns of IoT device management are the provisioning, operation and updating of devices. The discovery and identification of IoT devices is a necessary first step in the monitoring and protection of these devices.
9. Insecure Default Settings
“Devices or systems shipped with insecure default settings or lack the ability to make the system more secure by restricting operators from modifying configurations.”
Once these settings are compromised, adversaries can go after hardcoded default passwords, hidden backdoors and vulnerabilities in the device firmware. At the same time, these settings are difficult for a user to change. Having a deep understanding of these settings and the security gaps they introduce is a first step to implementing the appropriate controls for hardening these devices.
10. Lack of Physical Hardening
“Lack of physical hardening measures, allowing potential attackers to gain sensitive information that can help in a future remote attack or take local control of the device.”
IoT devices are deployed in dispersed and remote environments. An attacker may disrupt the services offered by IoT devices by gaining access and tampering with the physical layer. Such actions could prevent, for example, sensors from detecting risks like fire, flood, and unexpected motion. We should ensure that the hardware is safe from tampering, physical access, manipulation, and sabotage.
Certificates as a Solution for Secure IoT Devices
PKI-managed digital certificates can help organizations address many of the aforementioned vulnerabilities.
The key to securing the proliferation of IoT devices is being able to identify them. Digital certificates are great for the provisioning of machine identities and for authenticating the distributed IoT ecosystem. Many IoT manufacturers and organizations are already leveraging the benefits of digital certificates for device identity, authentication, and encryption. However, issuing and managing the thousands of digital certificates across the entire corporate IoT ecosystem can be challenging if the solution for certificate management does not allow for automation and scalability.
A machine identity management solution will help organizations secure their IoT ecosystem by provisioning unique, strong identities, defining and enforcing security policies and standards, scaling security, and maintaining robust and effective security without jeopardizing the efficiency and operation of constrained IoT devices.
As IoT expands, no company can discount the tremendous security risks associated with having a multitude of possible infrastructure weaknesses. Digital PKI certificates with automated management will not resolve all security problems, but they are an important part of the equation that you need to assess and tailor to your organizational needs.
(This post has been updated. It was originally published on March 15, 2021.)