The buzzword in IT and business at the moment: IoT. For the layperson, IoT may be defined as everyday objects or gadgets with built-in computing devices that are capable of sending and receiving data over the internet, much like we humans do across a chat room. The only difference is that the gadgets carry on this frivolous chit-chat among themselves, on a daily basis, over the internet. That is how you would explain it to grandma.
With a kaleidoscope of applications, the IoT has been designed to make life easier, simpler and more meaningful. Think of engineers able to access a device, perform remote diagnosis and solve a wide range of issues, all after the device has informed the engineering team of an impending issue before it gets out of hand. Another simple example is being able to turn on the lights or the heating in your house before coming home using your smartphone, or for that matter turning on the heat in your car well before you sit on seats that may be -30 degrees cold or colder. What bliss! Grateful IoT.
But the volume of data exchanged over the internet comes with its own sinister security issues. Here are the top 4 IoT issues and risks, and how to mitigate them.
1. WWW (Weak Wide Web)
With the first concern, security issues stare you in the face: the web interfaces built into IoT devices allow a user to interact with the device, but at the same time could allow an attacker to gain unauthorised access to it, and lo and behold, you have a smart device over which you have little or no control. The specific security issues that could lead to this kind of scenario include account enumeration, weak default credentials or, worse, credentials exposed over the internet, cross-site scripting (XSS) depending on the portal you maintain, SQL injection to the extent of altering sensitive system programs, weak session management, which sounds basic but has many ramifications, and something as common as weak account lockout settings.
The countermeasures one can take against the threats of a weak web interface range from making sure that default passwords, and ideally default usernames, are changed during initial setup, to ensuring that password recovery mechanisms are robust and do not supply an attacker with information indicating a valid account. Ensure that the web interface is not susceptible to XSS, SQL injection or CSRF at any time. One should also make sure that credentials are not exposed in internal or external network traffic. Simple measures such as enabling account lockout after 3 failed login attempts are just a few more, but the peace of mind they provide is worth the effort.
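The lockout and account-enumeration countermeasures above can be sketched as follows. This is an added example, not code from the original article; the class name, the 5-minute lockout duration and the error text are assumptions.

```python
import hashlib
import hmac
import os

MAX_FAILURES = 3        # lockout threshold named in the text above
LOCKOUT_SECONDS = 300   # assumed lockout duration, not from the article
GENERIC_ERROR = "Invalid username or password"


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LoginGuard:
    """Counts failures per username, including usernames that do not exist."""

    def __init__(self):
        self.users = {}      # username -> (salt, password hash)
        self.failures = {}   # username -> (count, time of last failure)
        self._dummy_salt = os.urandom(16)

    def add_user(self, username, password):
        salt = os.urandom(16)
        self.users[username] = (salt, _hash(password, salt))

    def login(self, username, password, now):
        count, last = self.failures.get(username, (0, 0.0))
        if count >= MAX_FAILURES and now - last < LOCKOUT_SECONDS:
            return False, GENERIC_ERROR   # locked: same message, no hint
        if count >= MAX_FAILURES:
            count = 0                     # lockout window has expired
        # Unknown users still cost one hash, so timing does not reveal validity.
        salt, stored = self.users.get(username, (self._dummy_salt, b""))
        if hmac.compare_digest(_hash(password, salt), stored):
            self.failures.pop(username, None)
            return True, "OK"
        self.failures[username] = (count + 1, now)
        return False, GENERIC_ERROR
```

A locked account, a wrong password and a non-existent username all return the same message, so the response cannot be used to enumerate accounts.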
2. Privacy Concerns
These concerns arise when personal data is collected and that data is not properly protected. They are easy to discover, simply by reviewing the data that is being collected as the user sets up and activates the device. Automated tools can also be used to look for specific patterns within a data set that may indicate the collection of personal data or other sensitive data. What could lead to such a situation is the collection of unnecessary personal information.
You can protect yourself against such threats by ensuring that only data critical to the functioning of the device is collected and that it is less sensitive in nature, de-identified, and properly protected with encryption. One can also ensure that the smart device and all its working components protect the user against theft of personal information, and that only authorised individuals have access to collected personal information. You should also make sure that retention limits are set for the data that has been collected.
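A small sketch of the pattern-based review and the minimisation, de-identification and retention steps described above. It is an added example, not part of the original article; the field names, the 30-day retention limit and the sample record are constructed assumptions.

```python
import hashlib
import hmac
import re

# Assumed field names for a smart-thermostat reading; not from the article.
REQUIRED_FIELDS = {"device_id", "temperature_c", "timestamp"}
RETENTION_SECONDS = 30 * 24 * 3600   # assumed 30-day retention limit

PII_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\+?\d[\d\s-]{7,}\d"),
}

# Constructed sample of what a device might send during setup.
SAMPLE = {
    "device_id": "thermo-0042", "temperature_c": 21.5,
    "timestamp": 1700000000, "owner_email": "alice@example.com",
    "wifi_ssid": "HomeNet", "contact": "+1 555 010 9999",
}


def find_personal_data(record):
    """Return sorted (field, kind) pairs whose text value looks personal."""
    hits = []
    for field, value in record.items():
        if not isinstance(value, str):
            continue   # numeric readings are not scanned
        for kind, pattern in PII_PATTERNS.items():
            if pattern.search(value):
                hits.append((field, kind))
    return sorted(hits)


def minimise(record, pseudonym_key):
    """Keep only required fields; replace device_id with a keyed pseudonym."""
    kept = {k: v for k, v in record.items() if k in REQUIRED_FIELDS}
    tag = hmac.new(pseudonym_key, kept["device_id"].encode(), hashlib.sha256)
    kept["device_id"] = tag.hexdigest()[:16]
    return kept


def purge_expired(records, now):
    """Drop readings older than the retention limit."""
    return [r for r in records if now - r["timestamp"] <= RETENTION_SECONDS]
```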
3. Poor Physical Security
Poor physical security shows itself when a hacker can disassemble a device to easily access the storage medium and any data stored on that medium. Weak links are also present when USB ports or other external ports can be used to access the device using features intended for configuration or maintenance purposes only, leading to easy unauthorised access to the device or the data held within. Such occurrences generally take place when the software can be accessed via USB ports or when the storage medium can be removed.
Some of the countermeasures involve ensuring that the data storage medium cannot be easily removed and that the stored data is, at the least, encrypted. You could also make sure that the USB ports or other external ports are rendered useless to anybody maliciously trying to access the device, and that the device limits administrative capabilities.
4. Weak Software/Firmware/Malware
The inability of a device to be updated periodically poses a security weakness of its own kind. Devices should have the capability to be updated, or to self-update, when vulnerabilities are discovered. Software/firmware updates can be rendered ineffective and insecure when the update files and the network connection they are delivered on are not protected. They can also be insecure if they contain hardcoded sensitive data such as credentials. If software/firmware cannot be updated, the devices remain vulnerable indefinitely to the security issue that an update was meant to address and fix. Furthermore, if the devices carry any form of hardcoded sensitive credentials, and if these credentials see the light of day, the devices remain insecure for an indefinite period of time, until they are updated once again. The scenario that leads to such an occurrence could be as simple as encryption not being used to fetch updates, or the update not being verified before it is uploaded. In some cases, you could also have firmware containing sensitive information, leading to a weak front.
When faced with weak front issues, one can strengthen the device by ensuring that it has the ability to update, which is of critical importance. You should always ensure that the update file is encrypted using accepted encryption methods only. Using an encrypted connection to transmit the update file also goes a long way in securing oneself against such threats, as does making sure that the update file does not expose sensitive data and that the update is signed and verified before it is allowed to be uploaded and applied to the smart device or its components, doing all this through a secure update server, in the cloud or otherwise.
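The "verified before being applied" step above could look like the following device-side check. This is an added example, not code from the original article: the manifest layout and function names are assumptions, the HMAC is a standard-library stand-in for the public-key signature a production device would verify (so that no signing secret sits on the device), and the refusal of older versions goes one step beyond what the text describes.

```python
import hashlib
import hmac
import json


def sign_manifest(key, version, image):
    """Vendor side: bind the version number to the image digest, tag both."""
    body = json.dumps(
        {"version": version, "sha256": hashlib.sha256(image).hexdigest()},
        sort_keys=True,
    ).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body, tag


def verify_update(key, body, tag, image, installed_version):
    """Device side: return (accepted, reason); apply the image only if accepted."""
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    # Authenticate the manifest before parsing or trusting anything in it.
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return False, "manifest authentication failed"
    manifest = json.loads(body)
    digest = hashlib.sha256(image).hexdigest()
    if not hmac.compare_digest(digest.encode(), manifest["sha256"].encode()):
        return False, "image digest mismatch"
    # Refuse to reinstall an older, possibly vulnerable, release.
    if manifest["version"] <= installed_version:
        return False, "version is not newer than installed"
    return True, "ok"
```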
As for IoT, it has just arrived with all the fanfare and is certainly here to stay. Gartner predicts that by 2020 the Internet of Things will be made up of 26 billion “units.” Having said that, all the countermeasures, controls and mitigation mechanisms will amount to nothing if the manufacturers of IoT devices do not take them into consideration while designing or installing their wares. When dealing with IoT, a few things matter: conduct a periodic security review of your devices to determine any vulnerabilities or weak links in the system, and document the implementation of minimum security standards for all devices. And one can never overstate the importance of making security an integral part of product development right from the drawing board stage, so that security is embedded at the heart of all technologies developed henceforth.