Greenwave’s security expert recently contributed a lengthy article to embedded.com providing context for high-profile cyber attacks and security breaches relating to IoT. We’ve condensed his research into this brief IoT security primer.
Most IoT security threats arise during well-understood processes, such as when commissioning a gateway to a service, adding users and devices, or during device operation. Attackers tend to exploit simple and well-documented flaws in these processes in poor products.
Figure 1: IoT Device Lifecycle (Source: Greenwave)
Passwords and IoT Botnet Security Threats
Recent large-scale “IoT botnet” attacks exploited problems like commissioning using a well-known password. From this well-documented process flaw, botnet malware spread like wildfire and enormous distributed denial of service (DDoS) attacks were launched.
Default use of a well-known password is the problem, and “secure commissioning” is the cure: it protects IoT devices with a properly constructed secret password or a similarly strong authenticator for device login. Secure commissioning is now widely practiced by all but a few vendors still dumping poorly designed products onto the market.
Adding Users and Assigning Privileges
The obvious lesson from the Mirai botnet is that network products such as cameras and home routers must restrict access. But IoT services are more complex and have multiple user roles and privilege levels beyond the single “admin.” For example, all family members may be allowed to check the battery levels of devices such as door locks, but only Mom can change the door-lock code.
Uniting multiple IoT interfaces into one is done via a semantic gateway embedded in an IoT hub, residential gateway, or other network devices.
Figure 2: Semantic Interoperability between IoT Products (Source: Greenwave)
Trouble can arise when mapping users and privileges between fairly basic devices and richer interfaces, such as smartphone apps with more complex privilege levels and options. This is where the risk of “privilege escalation” arises.
Security researchers demonstrated privilege escalation in one commercial IoT platform in a lab using an ordinary Android app. Often there is no single fix for privilege escalation, as it can arise from a bug in the design, in a standard, or in a single implementation. Prevention is key. Vulnerability analysis is needed to catch issues before release, and secure development processes prevent problems before IoT security threats are introduced into software or hardware.
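The door-lock example above, as added example code (not from the original article or from Greenwave): a gateway in front of a device that has only one privilege level, with a flawed user mapping beside a deny-by-default, per-operation check. The roles, operation names, users and function names are assumptions made up for illustration.

```python
# Added example: gateway-side authorization for a device that has only one
# privilege level. All names (roles, operations, users) are constructed.
from dataclasses import dataclass

# Deny-by-default policy: operation -> roles allowed to invoke it.
POLICY = {
    "lock.read_battery": {"owner", "family"},
    "lock.set_code": {"owner"},
}

USERS = {"mom": "owner", "kid": "family"}  # constructed household


@dataclass
class Device:
    """Basic device: anything the gateway sends runs with full rights."""
    code: str = "0000"
    battery: int = 87

    def execute(self, op, arg=None):
        if op == "lock.set_code":
            self.code = arg
            return "code changed"
        if op == "lock.read_battery":
            return self.battery
        raise ValueError(f"unknown operation {op!r}")


def forward_naive(device, user, op, arg=None):
    """Flawed mapping: any known user inherits the gateway's device rights."""
    if user not in USERS:
        raise PermissionError("unknown user")
    return device.execute(op, arg)


def forward_checked(device, user, op, arg=None):
    """Per-operation check; unknown users, roles and operations are denied."""
    role = USERS.get(user)
    if role is None or role not in POLICY.get(op, set()):
        raise PermissionError(f"{user!r} may not call {op!r}")
    return device.execute(op, arg)


if __name__ == "__main__":
    lock = Device()
    print(forward_checked(lock, "kid", "lock.read_battery"))
    print(forward_checked(lock, "mom", "lock.set_code", "4321"))
```

Because the device cannot tell users apart, the gateway is the only place the richer role model can be enforced, and any operation missing from the policy table is refused rather than forwarded.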
Because many IoT devices and networks are optimized for efficiency and not functional richness, security processes differ on each, and some are not secure.
Newer systems like Apple HomeKit, Z-Wave S2, and ZigBee/Thread use elliptic-curve cryptography and user-based commissioning (instead of pre-shared secrets). They are secure, but the majority of legacy IoT products on the market are not.
The poster child for unsafe data handling is a baby-cam that sends plaintext video on unencrypted networks like open Wi-Fi. All network data needs to be encrypted. Network encryption is necessary but not sufficient for solid protection against IoT security threats. Gateways, routers, and hubs often expose data between encrypted connections. Good security practice must move to end-to-end message-level encryption to plug the hole.
Meeting a Minimal Standard and Raising the Bar for IoT Security
Unlike other services, IoT includes specialized edge devices that run on low-powered and lossy networks, and often lack screens or rich user interfaces, which can make secure commissioning more challenging. Nonetheless, there is well-documented guidance available to any vendor who cares to look.
Several recent IoT-related security attacks exploited flaws in substandard products. These problems need not occur and should be addressed by regulation, liability laws, or industry self-policing. Sadly, whatever the solutions to today’s problems, we can expect that IoT security attacks will become more sophisticated as defenses become more effective.