How to stop the Internet-of-Things from compounding one security flaw into 50

The surge of interconnected Internet-enabled devices rushing to fill the nascent market created by the Internet-of-Things has left many security details overlooked.

The advent of interconnected Internet-enabled household appliances is poised to invade all aspects of our lives. Collectively known as the Internet-of-Things, these devices harness vast amounts of data to produce levels of technological convenience unknown until now. Consequently, the web-like nature of the IoT generates entirely new attack vectors for hackers, making it very important to understand the potential security risks that can easily be overlooked.

According to a report compiled by HP Security Research, a few security concerns on a single device can quickly escalate into 50 or 60 concerns. The report scrutinized 10 of the most common household IoT devices (TVs, webcams, home thermostats, remote power outlets, sprinkler controllers, hubs for controlling multiple devices, door locks, home alarms, scales, and garage openers) and discovered rampant security concerns such as weak password requirements, gaping vulnerabilities to denial of service attacks, cross-site scripting, and even unpatched Heartbleed bugs.

The unifying aspect across all the devices tested in the study was their reliance on mobile applications for remote control. Given that each of the items collected personal information, such as name, address, birthdate, and credit card number, and transmitted it unencrypted across the home network to the corresponding smartphone, it’s easy to see how a misconfigured wireless router can potentially expose all this data to an outside entity.

Lack of data encryption
The HP Security Research study found that 70% of the IoT devices tested did not encrypt communications to the internet and local network. Given that the devices rely on mobile applications for remote control, personal data is constantly transmitted back and forth between the device and the corresponding smartphone. As a result, the data is overtly exposed to any entities capable of intercepting it. Factor in a misconfigured router, and the security flaws are further compounded.

Weak password requirements
Another startling revelation was that 80% of the IoT devices lacked password requirements of sufficient length and complexity. The majority of the devices, along with their matching app or cloud service, accepted passwords as simple as “1234” and “123456.”

Web interface vulnerabilities
It was also revealed that six of the ten devices possessed inherent security flaws in their web interface, making them vulnerable to cross-site scripting, poor session management, and weak default credentials. Attackers can determine valid user accounts using the password-reset features. Insecure web interfaces can result in data loss and corruption, denial of access, and even complete device takeover. While this attack vector may be easily exploited, it can also be easily secured by encrypting internal and external network traffic, changing the default password and username, and ensuring from the outset that the web interface is not susceptible to vulnerabilities such as cross-site scripting, SQL injection, or cross-site request forgery.

Lack of end-to-end encryption 
The research observed that 60% of the devices tested did not authenticate their firmware updates, that is, verify the updates' digital signature. Without such a crucial level of defense in place, there’s nothing to prevent hackers from injecting malicious packets in place of the intended firmware. To a great extent, this can be thwarted through the use of an authentication system that verifies the digital signature of the content to ensure it’s the real deal. Authentication is performed using public key cryptography, which necessitates a rather simple form of key management.

The lack of authentication is a rampant issue amongst early adopters of the IoT and is precisely how the security researcher Michael Jordon was able to inject a new firmware into an Internet-connected Canon Pixma printer, causing it to run the PC game Doom on its miniature LCD display.

To further strengthen security and prevent hackers from intercepting, analyzing, and reverse-engineering firmware updates – a technique that’s used to fool authentication systems – design engineers may opt to encrypt the firmware updates themselves. Combining an authentication system with firmware encryption will provide a much more robust level of security that’s nearly impermeable to attacks that target firmware; however, encryption requires secret key management, which is a far more complex task than public key management and one that can easily backfire if mishandled.

Component level security
The issues outlined above are end-product related and can be rectified by conducting a security review of the network traffic, authentication and authorization techniques, and the interactions between the device and its corresponding mobile app and/or cloud service. Nonetheless, abiding by the highest security standards also requires that the subject be considered from as early as the component level.

Component-level security protects designs from more sophisticated malware injections that occur on the embedded level. A properly secured boot process can counter these attacks, permitting only authorized software to run on a given device. This can be implemented with the addition of a secure microcontroller such as the MAXQ1050, which provides accurate authentication of the firmware using asymmetric cryptographic algorithms to compute strong digital signatures. Visit Maxim Integrated’s secure microcontroller page to view a broader selection of solutions offering the highest level of protection against side-channel attacks, physical tampering, and reverse engineering.

Bear in mind that one overlooked flaw is enough to establish a cascading effect that may grant malicious entities access to data transferred across your network or, worse, your entire network. Even if secure boot/update mechanisms are in place, software weaknesses can still present vulnerabilities. Protecting trade secrets and personal information is a matter of adopting best practices, selecting components that target the right level of security, and ensuring that all loopholes are closed on the software side. As it stands, the technology to secure the Internet-of-Things already exists, but it’s up to design engineers to embrace it as the number of IoT devices continues to grow.
