IoT Security: An Avalanche of Problems

There are not one but many areas of IoT device security weaknesses. Did you see the "Die Hard" movie where the evil hacker was able to control the traffic lights of Washington, D.C.? Well, it could really happen. The IT industry has paid attention to many forms of IT

There are not one but many areas of IoT device security weaknesses.

Did you see the "Die Hard" movie where the evil hacker was able to control the traffic lights of Washington, D.C.? Well, it could really happen. The IT industry has paid attention to many forms of IT hacking and malware, protecting resources. We need to pay more attention to the many devices that are being connected to the Internet that are not traditional IT devices.

By Gary Audin

The Internet of Things (IoT) is leading up to a point where we are looking at billions of devices being connected to the Internet. IoT endpoints can be grouped into four categories: those for consumers (most common are for home automation, security, and safety), business, city, and state. Advances in wireless technologies, miniaturization, lower cost computing with more powerful chips, and large low cost memory all foster the proliferation of attractive IoT devices.

Where Are We with IoT?

Graduate students at the New Jersey Institute of Technology (NJIT) produced an infographic on preparing for the future. The infographic provides a collection of information and statistics that illustrate the vulnerabilities of IoT.

Related: 8 Ways Small Businesses are Getting IT Security Wrong

Two examples of successful IoT use that I know of are:

  1. A shipping company in Africa transports medical supplies, perishable goods and other products. They have to contend with poor roads, varying traffic conditions, and even hijacking. By placing wireless sensors in their containers, they can track them and monitor their locations and status such as temperature and humidity. The collected data allowed the shipping company to select the best routes and times to ship the containers and also reduce the likely hood of hijacking.

  2. The London underground uses IoT sensors and actuators to measure pedestrian traffic, change the direction of escalators, predict escalator maintenance, and inform passengers of status changes and the best alternative routes to follow.

Related: Security Machine Learning Methods Needed to Adapt to Evolving Threats

The infographic sites three additional examples I found worth sharing:

  • The city of Cincinnati applied IoT data to implement a pay-as-you-throw policy for waste, resulting in a 17% reduction in residential waste and a 49% increase in recycling volume.

  • FedEx plans to use IoT sensors to more efficiently schedule loading docks; anticipated savings are $9 million a year.

  • Dubai Aluminum added sensors and controls to their gas turbines, thereby lowering cost by 1.5% and increasing the turbine output.

Related: 10 Ways Virtualization Can Improve Security

The Security Challenges

There are not one but many areas of IoT device security weaknesses. There is not one solution; each will require some unique protection. The students collecting and surveying IoT security data were able to determine that:

  • About 70% of the devices studied have security vulnerabilities. The 10 devices studied included TVs, webcams, thermostats, remote power outlets, sprinkler controllers, door locks, alarms, scales, garage door openers, and multiple devices controllers (hubs). Most of these devices were designed for home automation but could easily be applied to business operations.

  • Roughly 80% of the tested devices had poor or nonexistent privacy controls. This is important to consumers as well as businesses and governments.

  • Web interfaces were weak. An important weakness includes persistent XSS (Cross-site scripting). This vulnerability can be used to bypass access controls such as the same-origin policy. Other Web interface problems include poor session management, credentials sent in clear text, and default credentials used.

  • Software protection is another vulnerability. It cannot be assumed that the IoT device resident software will be static. There will be updates and modifications. Weak software protection means that hackers can download malicious software more easily with 60% of the devices studied.

  • The passwords used are simple and in some cases just "1234." This allows easy authorization for hackers. The passwords are not complex or long and can be easily determined in about 80% of the IoT devices studied.

  • Encrypted transmission was lacking in 70% of the devices studied. The infographic cited an effort by the University of Michigan to hack the smart traffic lights of an unnamed city. They gained access to 100 traffic lights using a laptop and basic radio equipment -- proof that the Die Hard movie scenario can happen.

This is not to say that all IoT devices were this vulnerable. It does say the industry producing these devices needs to focus more on the security vulnerabilities. It also means that those organizations pursuing IoT endpoints must perform multiple forms of security testing and analysis of the IoT endpoints they select. Otherwise they open themselves to big public embarrassments.

comments powered by Disqus

What's New