Counting Down the Top Ten IoT Security Threats
By Juhi Fadia
The Open Web Application Security Project (OWASP) is a nonprofit foundation that works to improve the security of software and will celebrate its 20th anniversary in 2021. When the organization was established in 2001, the Internet of Things was just emerging, so initial projects focused on the rapid expansion of the World Wide Web, which had only become popular with millions of users a few years before the organization was established.
While the Internet itself has been around for well over half a century, the Internet continues to revolutionize the computing and communications world as a world-wide broadcasting platform, a mechanism for information distribution, and a way for people and machines to connect without regard for geographic location. Beginning with the early research in packet switching, the government, industry and academia have worked together to evolve and advance web-based applications, including the now sprawling IoT.
As long as there has been an Internet, there have been people who try to manipulate it, and the bigger the Internet gets, the higher the risk of intrusions, phishing, viruses, worms, ransomware and fraud on a massive scale. In the 1990s we saw malware emerge, which manifested in the famous AOL phishing attack, allowing hackers to steal usernames and passwords. In the 2000s, global cybercrime became a trillion-dollar criminal enterprise as more computers and other machines were connected.
Along with tremendous innovations, from smart phones to smart homes, and from smart cars to smart factories, attackers became as sophisticated as developers, and according to Gartner, are now spending 10X more developing software to attack Internet-based systems and data generated by those systems than large enterprises are spending to defend their assets.
Today, one of the most challenging areas to secure is IoT and Industrial IoT devices, equipment, networks, clouds and applications, and the rise of automated systems, including rapid adoption of AI for control systems, is raising the stakes. The OWASP Foundation, with its community-led open source projects, hundreds of local chapters worldwide, tens of thousands of members, and leading educational and training conferences, has become an essential source for developers and technologists to secure the IoT.
The OWASP Top 10 threats to IoT started as an OWASP project with the goal of helping developers, manufacturers, enterprises, and consumers make better decisions regarding the creation and use of IoT systems.
Their latest list includes:
1. Weak, Guessable, or Hardcoded Passwords
2. Insecure Network Services
3. Insecure Ecosystem Interfaces
4. Lack of Secure Update Mechanism
5. Use of Insecure or Outdated Components
6. Insufficient Privacy Protection
7. Insecure Data Transfer and Storage
8. Lack of Device Management
9. Insecure Default Settings
10. Lack of Physical Hardening
Global cybersecurity expert Moshe Ferber has been focusing on addressing all ten of these threats. A major contributor to various security certifications, research and community initiatives, Ferber is a member of the ISC2 CCSP founding committee, a member of the board at Machshava Tova, Chairman of the Cloud Security Alliance Israeli Chapter, an official lecturer for the Cloud Security Alliance CCSK and ISC2 CCSP, and co-host of the Silverlining podcast about security engineering.
Most recently, he has been contributing to the development of Cloud of Things (based in Boston, MA and Tel Aviv, Israel), and to the advancement of the company’s DeviceTone products. “When building DeviceTone, we gave a considerable amount of attention not only to avoiding mistakes that can compromise our devices, but also to building an infrastructure that will mitigate the top threats to IoT devices and help others in creating better, protected IoT services,” Ferber said. “A comprehensive security posture means securing every vulnerability up and down the stack, and from edge to cloud,” Ferber explained. “We have focused hard on the device software, for example, which generates a unique, device-only access key kept in a secure location inside the device, without default credentials. Regarding network services, we made sure our management software enables visibility and enforcement on every network service associated with the device, and continuous security updates to make sure each device is running the latest version.”
Third on OWASP’s list, Insecure Ecosystem Interfaces, covers insecure web, backend API, cloud, or mobile interfaces outside of the device that allow compromise of the device or its related components. Common issues include a lack of authentication/authorization, lacking or weak encryption, and a lack of input and output filtering. “It is essential for developers to build backend applications on the latest protocols, services and standards,” Ferber said. “Look for reviews and approvals by security experts, encrypted traffic, API interfaces authenticated with rotating security keys, and further protection through multifactor authentication when human intervention is required.”
Fourth on the list, Lack of Secure Update Mechanism, can be addressed through over-the-air (OTA) updates and a policy of only downloading signed firmware over encrypted channels. “DeviceTone, for example, validates the signed firmware’s authenticity before installation, while also enabling the entire lifecycle of rolling and rollback of security updates.” Fifth, Use of Insecure or Outdated Components, includes insecure customization of operating system platforms, and the use of third-party software or hardware components from a compromised supply chain. “To address this, make sure backend servers are patched periodically, enable OTA updates to devices, and guarantee new devices, as they are installed, have the latest patches and are ready to receive updates securely and simply.”
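As an added illustration of the device-side check item 4 calls for (example code written for this article, not DeviceTone's or OWASP's), the constructed image format below carries an Ed25519 signature over the firmware version and payload digest; the device verifies it with a public key assumed to be embedded in read-only storage, refuses anything unsigned, tampered, or not newer than what is installed, and only then hands the payload to the installer.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image layout (an assumption for this example, not a DeviceTone format):
// [8-byte big-endian version][32-byte SHA-256 of payload][64-byte Ed25519 signature over version||digest][payload]
const hdrLen = 8 + 32 + ed25519.SignatureSize

var ErrBadSig = errors.New("firmware signature invalid: refusing to install")
var ErrRollback = errors.New("firmware version not newer than installed: refusing to install")
var ErrDigest = errors.New("payload digest mismatch: refusing to install")

// BuildImage is the vendor-side step: sign version||digest with the offline signing key.
func BuildImage(priv ed25519.PrivateKey, version uint64, payload []byte) []byte {
	digest := sha256.Sum256(payload)
	hdr := make([]byte, 8, hdrLen)
	binary.BigEndian.PutUint64(hdr, version)
	hdr = append(hdr, digest[:]...)
	sig := ed25519.Sign(priv, hdr)
	return append(append(hdr, sig...), payload...)
}

// VerifyImage is the device-side check, run before anything is written to flash:
// signature first (only the embedded public key is trusted), then anti-rollback, then payload integrity.
func VerifyImage(pub ed25519.PublicKey, installed uint64, img []byte) (uint64, error) {
	if len(img) < hdrLen {
		return 0, ErrBadSig
	}
	signed, sig, payload := img[:40], img[40:hdrLen], img[hdrLen:]
	if !ed25519.Verify(pub, signed, sig) {
		return 0, ErrBadSig
	}
	version := binary.BigEndian.Uint64(signed[:8])
	if version <= installed {
		return 0, ErrRollback // a validly signed but older image is still rejected
	}
	if digest := sha256.Sum256(payload); !bytes.Equal(digest[:], signed[8:]) {
		return 0, ErrDigest
	}
	return version, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // in practice pub is burned into the device, priv stays offline
	img := BuildImage(priv, 2, []byte("constructed firmware payload"))
	fmt.Println(VerifyImage(pub, 1, img))
}
```

A deliberate rollback ordered by the management plane would need its own signed authorisation; the version check here exists so that an attacker cannot replay an old, validly signed image with a known flaw.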
Insufficient Privacy Protection occurs when a user’s personal information stored on the device or in the ecosystem is used without being secured or permissioned. “The best method to avoid hacking of personal information is to not keep that data on the device, rather moving it to the cloud and a secured location, with access permissions based on least-privilege principles. Privileged Access Management, or PAM, separates duties between device administrators and private data administrators, and any IoT platform should ensure that data from different jurisdictions is kept at the relevant locations (in order to follow GDPR guidelines and other regulatory requirements).”
Insecure Data Transfer and Storage is another area of the potential attack surface that IoT solution providers must keep in mind; according to the OWASP list, this means a lack of encryption or access control for sensitive data anywhere within the ecosystem, including at rest, in transit, or during processing. “This is resolved by encryption by default for all traffic between devices and backend servers,” Ferber said. “This will depend on the protocol used, but generally information stored and transmitted should be secure and encrypted by the IoT and the cloud provider, and access to encryption keys should be limited and based on the least-privilege principle.”
Lack of Device Management (security support on devices deployed in production, including asset management, update management, secure decommissioning, systems monitoring, and response capabilities) has become a huge challenge for the IoT vendor as the number of IoT endpoints continues to explode. “Enterprises should look for management tools that can handle the entire deployment life cycle of devices, including provisioning, de-provisioning, security updates, monitoring, maintenance and more.”
Insecure Default Settings, meaning devices or systems shipped with insecure defaults or lacking the ability to be made more secure because operators are restricted from modifying configurations, has led to pivot attacks for many years, an issue Ferber says can be addressed by provisioning unique passwords per device, on devices which are hardened by default. “To be successful in an increasingly sophisticated digital-physical world, it’s important to ensure hardware, firmware, software and networking security is addressed at every level, without slowing down performance, or creating too much complexity,” Ferber summarized. “Lack of physical hardening measures, allowing potential attackers to gain sensitive information that can help in a future remote attack or take local control of the device, creates huge risk, so encrypting as much as possible, and creating a robust and automatic update process is the new standard. Addressing all ten of OWASP’s top ten list for IoT security means enterprises can address the more complex issues of information security.”