IoT Insecurity: Pinpointing the Problems

The Internet of Things today faces many challenges and obstacles as it matures, including concerns around security and privacy.

Internet Connected and Insecure

The IoT fridge threat is not theoretical. In fact, it was last year when researchers uncovered a flaw in Samsung’s RF28HMELBSR smart fridge that attackers could exploit to carry out a man-in-the-middle (MitM) attack and access homeowner credentials used for the social media accounts accessible via the fridge’s touchscreen display.

The vulnerability was tied to Samsung’s implementation of SSL, used to secure the refrigerator’s Wi-Fi enabled touchscreen control panel used for web browsing and app access. It turned out the smart fridge failed to validate SSL certificates, giving attackers the ability to pull off a MitM attack.

Lack of encryption was to blame for IoT features that went awry in Nissan Leaf automobiles earlier this year. It allowed hackers to remotely access the car’s climate controls, battery status and GPS logs which included dates, times and distances the car traveled.

Researcher Troy Hunt blamed insecure APIs used by Nissan for the automobile’s vulnerability. He found that APIs on the server that the Leaf’s smartphone app NissanConnect EV connected to were not authenticating the user. That allowed anyone who had the VIN number of a Nissan Leaf to use the app to anonymously send requests for a specific Leaf to turn on its climate control.
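The server-side check whose absence is described above, next to the VIN-only pattern, as an added example (not code from Nissan, Troy Hunt or this article). The handler names, token format, account table and VIN values are assumptions constructed for illustration, and login and token expiry are out of scope.

```python
import hashlib
import hmac

# Every name and value here is constructed for illustration.
SERVER_KEY = b"constructed-demo-key"  # server-side secret used to sign session tokens
OWNERS = {"alice": {"VIN-DEMO-0001"}, "bob": {"VIN-DEMO-0002"}}  # account -> owned vehicles


def _sign(user: str) -> str:
    return hmac.new(SERVER_KEY, user.encode(), hashlib.sha256).hexdigest()


def issue_token(user: str) -> str:
    """Token handed out after a successful login (login is not shown)."""
    return f"{user}.{_sign(user)}"


def authenticate(token):
    """Return the account name for a valid token, otherwise None."""
    if not token or "." not in token:
        return None
    user, mac = token.rsplit(".", 1)
    # Compare as bytes in constant time; a malformed MAC simply fails to match.
    ok = hmac.compare_digest(mac.encode(), _sign(user).encode())
    return user if ok else None


def climate_on_unauthenticated(vin: str) -> int:
    """Pattern the article describes: the VIN alone selects the car."""
    return 200  # no caller identity is checked, so any known VIN is served


def climate_on(vin: str, token=None) -> int:
    """Hardened handler: authenticate the caller, then authorize the VIN."""
    user = authenticate(token)
    if user is None:
        return 401  # missing or forged session token
    if vin not in OWNERS.get(user, set()):
        return 403  # valid session, but the vehicle belongs to someone else
    return 200
```

The two status codes separate the two failures: 401 means the caller never proved an identity, 403 means the identity is known but does not own the requested VIN.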

HP’s Fortify estimates three-quarters of IoT devices do not encrypt communications to the internet and local network. As part of the study it also tested device web interfaces. In those tests it found six of the ten IoT devices it tested had cross-site scripting issues, poor session management and weak default credentials.


“In the rush to connect everything to the internet, no one has stopped to think if it should be connected to the internet. Security is taking a backseat to convenience and ease of access,” Conrad said. Does it make sense to be able to check your Gmail account on your fridge? Or does a building’s HVAC system really need to be linked to the internet?

Without proper investment in secure protocols, website interfaces, and APIs, the risks associated with IoT seldom outweigh the benefits.

Lack of Standards

Few industries stand to be impacted more than healthcare when it comes to connected devices. Mobile medical applications or wearable devices allow patient data to be collected. Health events can be captured or monitored and data connected to a private or public cloud.

But as more and more healthcare devices become network-aware, it becomes challenging for IoT companies to agree on common interoperability protocols and standards for sharing and protecting data, and for the hardware sensors that collect that data.

For example, if an IoT arterial blood gas monitor is infected with malware and being used for data exfiltration of patient records and can’t communicate with systems to warn of an impending patient health event, what’s the point of it being network connected?

Security experts compare the lack of standards to the wild days of the web of the ’90s. Today competing standards, vendor lock-in, proprietary devices and private networks make it hard for devices to share a common security protocol.

To that end, healthcare is a microcosm of the larger security challenges that face IoT. A lack of loyalty to one common IoT standard for connected devices in other business environments is one of a number of barriers holding back mass adoption of broad IoT security protection, say security experts.

That’s not to say there aren’t IoT standardization efforts afoot. Samsung, Intel and Cisco back the Open Interconnect Consortium. There is the Linux Foundation’s AllSeen Alliance backed by the likes of LG, Microsoft and Qualcomm; the Google-sponsored Thread Group alliance, a U.K.-based Hypercat standard and another IoT protocol named Zigbee.

European carrier Orange, solution provider Atos and Telefonica said they are collaborating to create Fiware, an IoT platform for creating smart cities. The Wireless IoT Forum (WIoTF) says it aims to drive the standardization and deployment of connected devices.

There are even more unifying efforts in the works that are industry specific. But even if a common networking protocol can be agreed upon, experts say, there’s also the battle of software standards to contend with.

Gartner argues it’s the sheer number of IoT use cases that contributes to a wildly divergent number of approaches to solving IoT problems, which creates interoperability challenges and, ultimately, security gaps.
