In my first article in this series, I highlighted just how difficult IoT security can be due to the plethora of hardware and operating systems on which those systems exist. As a penetration tester, I also frequently see organizations that follow stringent security policies and have solid testing and patching procedures in place, still overlooking devices such as phones, printers and cameras. Many people still consider a phone to be an “unsophisticated” device unlike, let’s say, a network server.
However, these “unsophisticated” devices are frequently a hacker’s first target. What’s worse, they will often find them running with the default factory credentials, sometimes years behind on critical updates, with many insecure services, like telnet, open to the network.
It may be obvious why unauthorized access to a camera is a bad thing, but a phone is less obvious. What’s the big deal? In our modern technology environment, a phone is much more than a device used to make calls. If you are using Skype for Business, for example, your phone is likely storing a lot of sensitive information — including your Active Directory credentials.
In addition to credentials, these devices usually run a full operating system that any decent hacker can simply use as a “jump box” into protected network segments. They can also make great nodes on a bot network, as their communication to the cloud is often poorly understood and overlooked.
So, when it comes to IoT devices themselves, what are the biggest challenges? I would prioritize them as follows:
- Default credentials,
- Timely firmware updates, and
- Secure communication to the cloud.
IoT vendors want to facilitate a friendly customer experience, so most devices are shipped with default passwords that can easily be found online within minutes. Vendors encourage users to change these passwords during install, but in an effort to save time, many customers will skip this step and continue running the device with default credentials.
This is why it’s critical to guide a customer through at least a minimal install procedure that will force them to configure a strong password and disable any unused network ports.
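The minimal install procedure described above can be reduced to a small device-side check. The Python below is an added example, not code from the article or from any vendor's firmware: it models a first-boot provisioning step that refuses to keep the factory password (the default list, the minimum length and the service table are constructed for this illustration) and leaves only the services the operator actually needs enabled.

```python
# Added example (not from the article): first-boot provisioning logic that
# rejects factory/weak credentials and disables every service not needed.
import re

# Constructed sample of factory defaults this hypothetical device family shipped with.
KNOWN_DEFAULT_PASSWORDS = {"admin", "password", "1234", "123456", "0000"}

# Policy values are assumptions for the example, not a vendor's real policy.
MIN_LENGTH = 12
MIN_CHARACTER_CLASSES = 3

# Hypothetical service table for the device: name -> TCP port.
ALL_SERVICES = {"telnet": 23, "ssh": 22, "http": 80, "https": 443, "sip": 5060}
# Services the device cannot function without; everything else is opt-in.
REQUIRED_SERVICES = {"https", "sip"}


def password_problems(password, username="admin"):
    """Return the reasons a password is unacceptable; an empty list means it passes."""
    problems = []
    if password.lower() in KNOWN_DEFAULT_PASSWORDS:
        problems.append("matches a factory default password")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if username.lower() in password.lower():
        problems.append("contains the username")
    classes = sum(
        bool(re.search(pattern, password))
        for pattern in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    )
    if classes < MIN_CHARACTER_CLASSES:
        problems.append(f"uses fewer than {MIN_CHARACTER_CLASSES} character classes")
    return problems


def provision(new_password, wanted_services, username="admin"):
    """Simulate the minimal install: refuse weak credentials, then close unused ports.

    Returns a dict; "ok" is False (with "problems") when the password is rejected,
    otherwise "enabled"/"disabled" list the resulting service state.
    """
    problems = password_problems(new_password, username)
    if problems:
        return {"ok": False, "problems": problems}
    unknown = set(wanted_services) - ALL_SERVICES.keys()
    if unknown:
        raise ValueError(f"unknown services requested: {sorted(unknown)}")
    enabled = set(wanted_services) | REQUIRED_SERVICES
    # Anything not explicitly wanted (telnet, plain http, ssh) is turned off.
    disabled = sorted(ALL_SERVICES.keys() - enabled)
    return {"ok": True, "problems": [], "enabled": sorted(enabled), "disabled": disabled}


if __name__ == "__main__":
    print(provision("admin", []))                        # rejected: still the default
    print(provision("Correct-Horse-Battery-7", ["https"]))  # accepted; telnet/http/ssh off
```

The point of the structure is that the device never reaches a "running" state while `password_problems` is non-empty, and that the service list is built from what the operator asked for rather than from what the factory image enabled, so telnet stays closed unless someone deliberately opens it.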
Given the current malware landscape, it’s also very important to release timely firmware upgrades. Unfortunately, vendors that provide regular updates typically do so by posting them on their site and leave it up to their customers to download each update and apply it to all the devices in their network. I think we can all agree that it’s unrealistic to expect such updates to be consistently applied to what might be hundreds or even thousands of phones in a network.
To mitigate this problem, IoT platforms need built-in over-the-air capabilities that receive and install updates to the system and application software automatically during idle times.
Instead of trying to design your own system, it’s a good idea to look at existing frameworks such as Android Things that already implement all of the aforementioned features. More about Android Things here.
In our hyperconnected world, organizations now need to look at hardware security through a different lens. Instead of assuming that a device is unsophisticated, assume that it’s a potential pathway into your organization and mitigate the associated risks.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.