Express Computer

Home  »  features  »  IoT devices leave consumers potentially exposed

IoT devices leave consumers potentially exposed

featuresIoTMagazine
By Mohd Ujaley
Siemens, IBM, Watson, MindSphere
0 625

Security is not a word that frequently gets associated with IoT devices, leaving consumers potentially exposed. Symantec in its research found that many of IoT devices and services had several basic security issues

Recently American technology company Symantec analysed 50 smart home devices and found that many of them included several basic security issues, such as weak authentication and common web vulnerabilities.

According to Symantec, The Internet of Things (IoT) market has begun to take off. Consumers can buy connected versions of nearly every household appliance imaginable. Research firm Gartner also predicted that there would be 2.9 billion connected IoT devices in consumer smart home environments in 2015 which not only bring huge opportunities but also many challenges including of security of the connected devices.

Security giants is of the view that despite the public’s increased acceptance of the smart home, recent studies seem to agree that “security” is not a word that frequently gets associated with IoT devices, leaving consumers potentially exposed.

Symantec analysed 50 smart home devices and took a look at how they measure up when it comes to security. The company analysed IoT devices such as Smart thermostats, Smart locks, Smart light bulbs, Smart smoke detectors, Smart energy management devices, Smart hubs.

Company also said that the findings could also apply to other IoT devices and smart home products, such as security alarms, surveillance IP cameras, entertainment systems (smart TV, TV set-top boxes, etc.), broadband routers, network attached storage (NAS) devices.

Smart home devices may use a back-end cloud service to monitor usage or allow users to remotely control these systems. Users can access this data or control their device through a mobile application or web portal.

Research found that many of these devices and services had several basic security issues.

Weak authentication
None of the devices used mutual authentication or enforced strong passwords. Even worse, some hindered the user from setting up a strong password on the cloud interface by restricting the authentication to a simple four-number PIN code. Combine this with no support for two-factor authentication (2FA) and no password brute-force attack mitigation, leaving a hole for an easy target for attackers.

Web vulnerabilities
In addition to weak authentication, many smart home web interfaces suffer from well-known web application vulnerabilities. A quick test with 15 IoT cloud interfaces revealed some severe vulnerabilities and this check only scratched the surface. Symantec found and reported ten vulnerabilities related to path traversal, unrestricted file uploading (remote code execution), remote file inclusion (RFI), and SQL injection. And it is not just only about smart light bulbs; one of the affected devices was a smart door lock, which was opened remotely over the internet without even knowing the password.

Local attacks
Attackers who have gained access to the home network, for example by breaking into a Wi-Fi network with weak encryption, have further attack vectors at their disposal. Symantec looked at devices that locally transmit passwords in clear text or don’t use any authentication at all. The use of unsigned firmware updates is also a common trait among IoT devices. This security faux pas allows an attacker, with the ability to sniff the home network for IoT device passwords. These stolen credentials can then be used to execute other commands and even take over the device completely by updating it with a malicious firmware update.

Potential for attacks
As yet, company says, they haven’t seen any widespread malware attacks targeting smart home devices, apart from computer-related devices such as routers and network-attached storage appliances. Currently, most proposed IoT attacks are proof-of-concepts and have yet to generate any profit for attackers. This doesn’t mean that attackers won’t target IoT devices in the future when the technology becomes more mainstream, points the research.

From the past, it is known that attackers are nothing if not creative and will always conjure up new attack methods. Even if it’s just to misuse the technology, blackmail the user, or have a persistent anchor in a home network, cyber-criminals are always ready and eager to attack any target they can.

The company suggests before one get carried away with new smart home automation projects, one should take a moment to think about how these conveniences may be exposing one and their home to cyber attacks.  Consumer should demand better security from the manufacturers of smart home and IoT devices−only then will things start to improve.

Mitigation
According to the report, it’s difficult for a user to secure their IoT devices themselves, as most devices don’t provide a secure mode of operation. Nonetheless, users should adhere to the following advice to ensure that they reduce the risk of a potential attack:

• Use strong and unique passwords for device accounts and Wi-Fi networks
• Change default passwords
• Use a stronger encryption method when setting up Wi-Fi networks, such as WPA2
• Disable or protect remote access to IoT devices when not needed
• Use wired connections instead of wireless where possible
• Use devices on a separate home network when possible
• Be careful when buying used IoT devices, as they may have been tampered with
• Research the vendor’s device security measures
• Modify the privacy and security settings of the device to your needs
• Disable features that aren’t needed
• Install updates when they become available
• Ensure that an outage, for example due to jamming or a network failure, does not result in a unsecure state of the installation
• Verify if the smart features are really required or if a normal device would be sufficient

Vendors should consider the following five fundamental tenets when developing new devices:

• Strong trust model for IoT–e.g. device authentication through SSL
• Protecting the code that drives IoT–e.g. digital code signing
• Effective host-based protection for IoT–e.g. endpoint protection and system hardening
• Safe and effective management for IoT–e.g. configuration and over-the-air updates
• Security analytics to address new and advanced threats−e.g. anomaly detection

Get real time updates directly on you device, subscribe now.

Mohd Ujaley

Mohd Ujaley is Special Correspondent, Indian Express Group (BPD). He covers technology intervention in government and enterprises. He may be reached at [email protected].

You might also like More from author
Leave A Reply

Your email address will not be published.

LIVE Webinar

Digitize your HR practice with extensions to success factors

Join us for a virtual meeting on how organizations can use these extensions to not just provide a better experience to its’ employees, but also to significantly improve the efficiency of the HR processes
REGISTER NOW 
Powered by Convert Plus
India's Leading e-Governance Summit is here!!! Attend and Know more.
Register Now!
close-image
Attend Webinar & Enhance Your Organisation's Digital Experience.
Register Now
close-image
Enable A Truly Seamless & Secure Workplace.
Register Now
close-image
Attend Inida's Largest BFSI Technology Conclave!
Register Now
close-image
Know how to protect your company in digital era.
Register Now
close-image
Protect Your Critical Assets From Well-Organized Hackers
Register Now
close-image
Find Solutions to Maintain Productivity
Register Now
close-image
Live Webinar : Improve customer experience with Voice Bots
Register Now
close-image
Live Event: Technology Day- Kerala, E- Governance Champions Awards
Register Now
close-image
Virtual Conference : Learn to Automate complex Business Processes
Register Now
close-image