IoT devices, with their smart connectivity, offer numerous avenues to enhance processes and boost efficiency. They're useful in places like factories, hospitals, cars, homes, and cities. However, they also have security issues that can make networks vulnerable to cyberattacks, posing a significant risk to industries and the economy.
Impact of IoT device vulnerabilities
IoT devices are mainly at risk due to inadequate in-built security measures to fend off threats. This vulnerability arises from their restricted settings and their limited processing power. Given that IoT devices typically operate on low power, they have limited functionalities. Consequently, their security measures often fall short.
Vulnerabilities in IoT devices may allow cyber criminals to hijack them and launch attacks against critical systems.
Cyber criminals often target and exploit recognized weak points in IoT devices, converting them into compromised networks known as IoT botnets. In 2016, an attack from the Mirai botnet disrupted major websites and services after taking control of thousands of vulnerable household IoT devices. These vulnerabilities in IoT devices also lead to numerous privacy breaches, resulting in significant legal fines for breaking regulations like GDPR, CCPA, HIPAA, and PCI DSS.
The IoT Cybersecurity Improvement Act of 2020
To combat the growing range of threats and reduce the risk of federal agencies and services due to IoT device vulnerabilities, the U.S. government enacted the IoT Cybersecurity Improvement Act of 2020. This law directs NIST to establish cybersecurity guidelines for connected devices acquired and deployed by federal entities.
According to the Act, NIST will develop and publish “standards and guidelines on the appropriate use and management” of IoT devices “owned or controlled” by federal agencies which are connected to federal networks. These guidelines also include “minimum security requirements for managing cybersecurity risks” inherent with these devices.
Moreover, the Act mandates that federal agencies avoid “procuring or obtaining, renewing a contract to procure or obtain, or using an IoT device” if it doesn't adhere to the standards set by NIST.
In response to the IoT Cybersecurity Improvement Act, NIST released four new publications:
- SP 800-213, IoT Device Cybersecurity Guidance for the Federal Government: Establishing IoT Device Cybersecurity Requirements
- NISTIR 8259B, IoT Non-technical Supporting Capability Core Baseline
- NISTIR 8259C, Creating a Profile Using the IoT Core Baseline and Non-Technical Baseline, and
- NISTIR 8259D, Profile Using the IoT Core Baseline and Non-Technical Baseline for the Federal Government
The aim of these four documents is to create a unified cybersecurity framework between the government and IoT device makers for devices purchased and used by federal agencies.
What are IoT vulnerabilities?
The Open Web Application Security Project (OWASP), a non-profit foundation for improving software, has published the IoT Top 10 vulnerabilities, which is a great resource for manufacturers and users alike.
1. Weak, guessable, or hardcoded passwords
“Use of easily brute forced, publicly available, or unchangeable credentials, including backdoors in firmware or client software that grants unauthorized access to deployed systems.”
Weak, default, and hardcoded passwords are the easiest way for attackers to compromise IoT devices, build large-scale botnets and deploy other malware. Managing passwords across a distributed IoT ecosystem is a time-consuming and difficult responsibility, especially since IoT devices are managed over the air.
2. Insecure network services
“Unneeded or insecure network services running on the device itself, especially those exposed to the internet, that compromise the confidentiality, integrity/authenticity, or availability of information or allow unauthorized remote control.”
Adversaries seek to exploit weaknesses in the communication protocols and services running on IoT devices in order to compromise sensitive or confidential information exchanged between the device and a server. Man-in-the-Middle (MITM) attacks exploit these weaknesses to capture the credentials used to authenticate endpoints and then leverage those credentials to launch broader attacks. It is therefore imperative to secure IoT communications with industry best practices.
3. Insecure ecosystem interfaces
“Insecure web, backend API, cloud, or mobile interfaces in the ecosystem outside of the device that allows compromise of the device or its related components. Common issues include a lack of authentication/authorization, lacking or weak encryption, and a lack of input and output filtering.”
A strong authentication and authorization mechanism needs to be in place here. Several solutions have been developed to safeguard the identity of IoT devices. With the use of an effective device identity mechanism, whenever a server communicates with an IoT device, the server will be able to differentiate between a valid endpoint and a rogue one by forcing the endpoint to authenticate itself.
4. Lack of secure update mechanism
“Lack of ability to securely update the device. This includes lack of firmware validation on device, lack of secure delivery (un-encrypted in transit), lack of anti-rollback mechanisms, and lack of notifications of security changes due to updates.”
Unauthorized software and firmware updates are a major threat vector for launching attacks against IoT devices. Sectors like healthcare or energy are particularly vulnerable. To secure the firmware and software updates, we need to secure access to the updates and verify the source and the integrity of the updates.
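The three checks named above (secure access to the update, verification of its source, and verification of its integrity) can be shown concretely. The following Go program is an added example written for this post; it is not code from the original article or from any named vendor. It assumes a vendor-held Ed25519 signing key and a small JSON manifest format, both of which are constructed for illustration: the device verifies the manifest signature first, then refuses any version that is not newer than what is installed (anti-rollback), and only then checks that the image digest matches before anything would be written to flash.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest describes one firmware image. The device trusts its fields
// only after the vendor signature over the manifest bytes verifies.
// (Constructed format for this example.)
type Manifest struct {
	Version uint32 `json:"version"`
	SHA256  string `json:"sha256"` // hex digest of the image bytes
}

// SignedUpdate is what the update server delivers to the device.
type SignedUpdate struct {
	ManifestJSON []byte
	Signature    []byte
	Image        []byte
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrRollback     = errors.New("update version not newer than installed")
	ErrDigest       = errors.New("image digest does not match manifest")
)

// BuildUpdate is the vendor-side step (hypothetical helper): it hashes the
// image, records version and digest in a manifest, and signs the manifest.
func BuildUpdate(priv ed25519.PrivateKey, version uint32, image []byte) (SignedUpdate, error) {
	sum := sha256.Sum256(image)
	m := Manifest{Version: version, SHA256: hex.EncodeToString(sum[:])}
	mj, err := json.Marshal(m)
	if err != nil {
		return SignedUpdate{}, err
	}
	return SignedUpdate{ManifestJSON: mj, Signature: ed25519.Sign(priv, mj), Image: image}, nil
}

// VerifyUpdate is the device-side check. Order matters: authenticate the
// manifest before trusting any field in it, enforce anti-rollback on the
// authenticated version, then bind the delivered image to the manifest.
// It returns the version that may be installed.
func VerifyUpdate(vendorPub ed25519.PublicKey, installed uint32, u SignedUpdate) (uint32, error) {
	if !ed25519.Verify(vendorPub, u.ManifestJSON, u.Signature) {
		return 0, ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(u.ManifestJSON, &m); err != nil {
		return 0, err
	}
	if m.Version <= installed {
		return 0, ErrRollback
	}
	sum := sha256.Sum256(u.Image)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return 0, ErrDigest
	}
	return m.Version, nil
}

func main() {
	// Constructed vendor key pair; in practice the private key stays offline.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	update, err := BuildUpdate(priv, 2, []byte("constructed firmware image v2"))
	if err != nil {
		panic(err)
	}
	v, err := VerifyUpdate(pub, 1, update) // device currently runs version 1
	fmt.Println("accepted version:", v, "err:", err)
	_, err = VerifyUpdate(pub, 2, update) // same image offered again: rollback refused
	fmt.Println("re-offer of installed version:", err)
}
```

The signature covers only the manifest, and the manifest carries the image digest, so the image itself need not be re-signed separately; what matters is that no field (including the version used for the rollback check) is consulted before the signature has been verified.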
5. Use of insecure or outdated components
“Use of deprecated or insecure software components/libraries that could allow the device to be compromised. This includes insecure customization of operating system platforms, and the use of third-party software or hardware components from a compromised supply chain.”
The security of the IoT ecosystem may be compromised by vulnerabilities in software dependencies or legacy systems. The use of open-source components by manufacturers to build their IoT devices creates a complex supply chain that is difficult to track. These components might inherit vulnerabilities known to the attackers, creating an expanded threat landscape waiting to be exploited.
6. Insufficient privacy protection
“User’s personal information stored on the device or in the ecosystem that is used insecurely, improperly, or without permission.”
Many deployed IoT devices collect personal data that needs to be securely stored and processed to maintain compliance with the various privacy regulations, such as GDPR or CCPA. This personal data might be anything from medical information to power consumption and driving behavior. Lack of appropriate controls will jeopardize users’ privacy and will have legal consequences.
7. Insecure data transfer and storage
“Lack of encryption or access control of sensitive data anywhere within the ecosystem, including at rest, in transit, or during processing.”
The protection of IoT data—either at rest or in transit—is of great importance to the reliability and integrity of IoT applications. This data is used in automated decision-making processes and controls that can have serious repercussions.
8. Lack of device management
“Lack of security support on devices deployed in production, including asset management, update management, secure decommissioning, systems monitoring, and response capabilities.”
One of the most important tasks and one of the most significant security challenges in the IoT ecosystem is managing all devices throughout their lifecycle. If unauthorized devices are introduced in the IoT ecosystem, they will be able to gain access and surveil corporate networks and intercept traffic and information. The key concerns of IoT device management are the provisioning, operation and updating of devices. The discovery and identification of IoT devices is a necessary first step in the monitoring and protection of these devices.
9. Insecure default settings
“Devices or systems shipped with insecure default settings or lack the ability to make the system more secure by restricting operators from modifying configurations.”
Once these settings are compromised, adversaries can go after hardcoded default passwords, hidden backdoors and vulnerabilities in the device firmware. At the same time, these settings are difficult for a user to change. Having a deep understanding of these settings and the security gaps they introduce is a first step to implementing the appropriate controls for hardening these devices.
10. Lack of physical hardening
“Lack of physical hardening measures, allowing potential attackers to gain sensitive information that can help in a future remote attack or take local control of the device.”
IoT devices are deployed in dispersed and remote environments. An attacker may disrupt the services offered by IoT devices by gaining access and tampering with the physical layer. Such actions could prevent, for example, sensors from detecting risks like fire, flood, and unexpected motion. We should ensure that the hardware is safe from tampering, physical access, manipulation, and sabotage.
How do IoT Device Vulnerabilities Affect Users?
IoT devices provide a rich attack surface for cybercriminals who avidly search for vulnerabilities to use as a springboard for distributed denial of service (DDoS) and other attacks. But attacks don’t have to be dramatic to inflict significant damage. Here are some of the main ways that IoT vulnerabilities can affect your organization or end users:
1. Lateral movement
Cybercriminals can use the initial breach of a vulnerable IoT device to explore an infected network, escalate access privilege and find weak spots. They can then move laterally from a device to an application, ultimately reaching the goal of valuable data and spreading malware through a network.
2. IoT botnets
Cybercriminals use botnets, in which they harness large fleets of compromised devices to launch attacks. After gathering a pool of infected devices, botnet operators direct malicious activity, such as distributed denial of service (DDoS) attacks, from a command-and-control (C&C) server. As botnets evolve, they can launch more sophisticated attacks, for example using peer-to-peer (P2P) file-sharing technologies to connect devices without requiring a central server. This insidious technique makes prevention near-impossible.
3. Security issues in existing devices
Cybercriminals can target IoT devices with weak security to access internal networks. Known, unpatched issues in IoT devices can make it easy for cybercriminals to reach personal, sensitive information and exfiltrate data from the devices and networks connected to home or corporate networks.
4. Vulnerable household devices
With IoT increasingly permeating the home, service vulnerabilities in IoT may create entry points into other devices connected to home networks, such as laptops and computers. If the impacted devices are used to connect to corporate networks, cybercriminals may expose employees to malware and attacks that could slip into a company’s network.
Certificates as a solution for secure IoT devices
Digital certificates managed by PKI can address many of the vulnerabilities mentioned earlier. The foundation of securing the growing number of IoT devices is the ability to identify them accurately. Digital certificates excel at establishing machine identities and verifying the expansive IoT network. Many IoT makers and enterprises are already tapping into the advantages of digital certificates for device identification, authentication, and encryption. But managing a vast number of digital certificates throughout a company's IoT environment can be daunting without a solution that supports automation and can scale up.
A machine identity management system can aid organizations in safeguarding their IoT network by providing distinct, robust identities, setting and upholding security norms, enhancing security measures, and ensuring potent security that doesn't hinder the functionality of limited IoT devices.
With the expansion of IoT, companies cannot ignore the immense security threats linked to potential system vulnerabilities. While digital PKI certificates with automated oversight won't solve every security concern, they remain a crucial aspect to consider and adapt to an organization's specific needs.
(This post has been updated. It was originally published on March 15, 2021.)