The Internet of Things needs to put security first
In 2016, 4 million new “things” will become available to consumers, according to Gartner, and from a security point of view, we could be talking about 4 million digital door keys to private homes. While the Internet of Things is making our homes, healthcare and cars smarter by connecting anything to everything, we also have to keep in mind that every unsecured IoT device can also act as an entry point into our household and online assets.
One big problem with some of the IOT devices is that they’re not always built with security in mind, which is why they make a easy backdoor target for a hacker. E-readers, for example, are easily hackable because they have no antivirus system, no data loss applications. Another example: smoke alarms. There is no real security protection on them, not like you’d find with your typical laptop or smartphone. If someone gets in through that smoke alarm, and you don’t have a wall between where it connects to your computer, the hacker can get right in. Just think about even the wifi light bulbs that you can turn on/off or dim from your iPhone , in your house you could have hundreds of devices that could expose security weaknesses.
For now, security researchers exposed holes in everything from Wi-Fi-enabled Barbie dolls to two-ton Jeep Cherokees. Those demonstrations have yet to manifest in real-world malicious hacks, but it’s always best to be prepared. So here are the six most common weaknesses to look for when considering buying a new IoT device:
- End-to-end encryption
Transmitting data in plain text from the device’s sensors to the cloud is not a good security practice, yet some IoT apps have been found to suffer from faulty SSL implementations, exposing login credentials, tokens, and other sensitive data to traffic sniffing. Think of your smart TV – it asks for your Wi-Fi password, which it often stores in plain text in its memory.
- Unsuitable authentication
Credentials are essential to data security. However, the IoT revolutionizes the way we authenticate, adding biometrics, and sometimes not even asking users to authenticate. But if IoT devices are rapidly pushed to market without strong authentication mechanisms, they can be vulnerable to brute-force attacks, especially since many IoT devices are secured with basic passwords like “1234” or require no passwords at all.
- Vulnerable web interface
Some web interfaces don’t lock users out of their accounts after some failed login attempts. They fail to ensure robust password recovery mechanisms and offer no protection against cross-site scripting attacks and SQL injections. Attackers simply need to trick a user behind the router and firewall to click a link. If the web interface is vulnerable, it will provide the attacker with access to the web management interface.
- Insecure software
Nowadays, consumers want powerful software, and they want it fast. But this can lead to poorly constructed software that is released early and with no care for security. And often, the result is the incapability to perform updates or backdoors that could be exploited by hackers.
Most IoT vulnerabilities are not new to the cyber-security industry. So far, we’ve seen experiments and proofs of concept, but it’s just a matter of time until attackers start mining cryptocurrencies via connected refrigerators or until smart TVs are locked by ransomware. This is why, going forward, security must be a priority for every IoT application.
Photo source: http://www.freedigitalphotos.net/
