
OWASP’s Top 10 IoT vulnerabilities and what you can do


By Prateek Panda


IoT devices are now the norm, rather than a novelty. The average U.S. household has more than ten connected devices, and there are currently about ten billion IoT devices worldwide. And the global IoT market is only getting bigger. Business Insider estimates that it’s on course to grow to 41 billion connected devices and $2.4 trillion by 2027.

Unfortunately, IoT security is not keeping up with this rapid expansion. Attacks on IoT devices are more than doubling year-over-year. This is hardly surprising given their glaring security flaws and the difficulties in retroactively patching deployed devices. 

To help device manufacturers and distributors more clearly understand which attack vectors need to be shut down, OWASP has created a list of the top 10 IoT device security vulnerabilities. OWASP is a non-profit organization, supported by tens of thousands of development and security experts, focused on improving software and IoT security.

Let’s take a closer look at their guidance on the biggest IoT device security vulnerabilities as well as some mitigation strategies. 

OWASP Top 10 IoT device security vulnerabilities

1. Weak, guessable, or hardcoded passwords

Passwords authenticate a valid user, giving access to a device’s security settings, administrative powers, and private data. Poor password creation or management is a critical, ongoing security issue, especially as many device owners do not change the default password.

Hardcoded credentials make it easier for developers or engineers to sort problems out on remote devices, but they can just as easily be used for unauthorized access. It also means that if a hacker manages to get one password, they can use it to break into every similar device. Manufacturers should remove any such backdoors and make sure that every device is provisioned with a unique set of credentials. Devices should come with strong default passwords and disallow the setting of weak passwords.

2. Insecure network services

Insecure connectivity features such as open ports or unneeded services increase the attack surface of an IoT device, leading to the possibility of data leaks or remote code execution. Device manufacturers can address these vulnerabilities by restricting connective services to the necessary minimum and using secure transmission protocols at all times.

3. Insecure ecosystem interfaces

The interfaces that an IoT device interacts with can also be affected by serious security flaws. Web, mobile, backend API, or cloud interfaces offer hackers access to significant information about a device’s software, functions, and data. Weak authentication allows hackers to gain unauthorized access through a device’s interface, while poor encryption or input and output filters put the data the device sends and receives at risk.

4. Lack of secure update mechanism

Updates are a key weapon in tackling IoT device security vulnerabilities, as developers use them to eliminate bugs and close off security flaws. Without secure update mechanisms, however, software and firmware updates can actually put devices at risk. Updates can be subject to tampering, either at source or in transit. To prevent this, updates should be digitally signed, delivered over secure channels, and the signature verified before applying. In addition, IoT manufacturers should include mechanisms that stop hackers from rolling back updates, and users should be informed of any time-urgent security updates.
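The signature-then-version check described above, as an added example in Go that is not code from the original post: the Update format, the fixed key seed and the firmware strings are constructed for the demo, and a real device would pin the vendor's public key in immutable storage.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Update is what the device receives: image, claimed version, and the vendor's
// signature over (version || sha256(image)). Constructed format for this demo.
type Update struct {
	Version   uint32
	Image     []byte
	Signature []byte
}

// signedMessage binds version and image so neither can be swapped alone.
func signedMessage(version uint32, image []byte) []byte {
	h := sha256.Sum256(image)
	msg := make([]byte, 4, 4+len(h))
	binary.BigEndian.PutUint32(msg, version)
	return append(msg, h[:]...)
}

// SignUpdate runs on the vendor side; the private key never reaches devices.
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) Update {
	return Update{Version: version, Image: image, Signature: ed25519.Sign(priv, signedMessage(version, image))}
}

// VerifyUpdate runs on the device before anything is flashed: the signature must
// verify under the pinned vendor key, and the version must be newer than the
// installed one, so a genuine but old image cannot be replayed (rollback).
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, u Update) error {
	if !ed25519.Verify(pub, signedMessage(u.Version, u.Image), u.Signature) {
		return fmt.Errorf("signature check failed: image rejected")
	}
	if u.Version <= installed {
		return fmt.Errorf("rollback rejected: offered v%d, installed v%d", u.Version, installed)
	}
	return nil
}

func main() {
	// Constructed vendor key from a fixed 32-byte seed, for this demo only.
	priv := ed25519.NewKeyFromSeed([]byte("demo-seed-not-a-real-vendor-key!"))
	pub := priv.Public().(ed25519.PublicKey)
	good := SignUpdate(priv, 3, []byte("firmware v3 image"))
	fmt.Println("v3 over v2:", VerifyUpdate(pub, 2, good)) // <nil>: accepted
	fmt.Println("v3 over v3:", VerifyUpdate(pub, 3, good)) // rollback rejected
}
```

Note that the version is inside the signed message: an anti-rollback check on an unsigned version field would be trivial to defeat, since the field could be rewritten along with the image.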

5. Use of insecure or outdated components

Legacy technology that is compromised or can no longer be updated poses an enormous threat to IoT device security. Insecure components effectively build in flaws that hackers can use to gain access across a whole range of unrelated devices. A recent example is the speculative execution attacks affecting Intel, ARM, and AMD processors. The best defense is to not use legacy technology and to replace it as quickly as possible. In the case of legacy devices that have not been provisioned with secure identities, manufacturers can build in security after deployment using specialized PKI services that use a white-box cryptographic solution to securely deliver keys.

6. Insufficient privacy protection

Privacy protection is not just good corporate behavior; it’s also a major compliance risk. Legislation such as GDPR defines expected privacy protections for all tech-involved companies, including IoT device manufacturers. For IoT devices, privacy protection can be a security vulnerability due to insecure local data storage or even the unauthorized collection and storage of personal data.

7. Insecure data transfer and storage

Staying with data issues, the next entry on the OWASP list of IoT device security vulnerabilities focuses on poor data encryption and lack of authentication mechanisms. Data can be exposed at various phases: at rest, in transit, or during processing. This gives hackers multiple opportunities to steal and interpret data. Weak encryption, along with poor or absent access controls, makes a device's data a soft target.

8. Lack of device management

Tracking devices once they have been deployed is vital to ensure a secure environment. Without adequate asset management, it becomes impossible to monitor and defend IoT networks effectively through processes such as update management, secure decommissioning, and certificate revocation for compromised devices in a public key infrastructure. Without a complete picture of what is happening with all the IoT devices on a network, it becomes impossible to manage defenses and threat responses, making all devices more vulnerable.

9. Insecure default settings

Default settings should always be applied with the safety of the final user and the device's long-term security in mind. Often, however, the default settings represent a "bare-minimum" approach or may even introduce vulnerabilities, for example hardcoded passwords or exposed services running with root permissions. Manufacturers should give device admins the ability to correct these, as well as to set and enforce permissions that restrict users from modifying configurations without proper approval.

10. Lack of physical hardening

It’s important not to neglect physical hardening of the device against attacks that extract sensitive information which could be used in a remote attack or to gain control of the device. Some measures that can be taken to physically harden a device include disabling or isolating debug ports, using secure boot to validate firmware, and not storing sensitive information on a removable memory card. 

Building a more secure IoT device 

Minimizing and mitigating IoT device security vulnerabilities is essential for manufacturers and distributors. The security, reliability, and efficiency of an entire IoT ecosystem is compromised if IoT devices and the data they gather and transmit cannot be trusted. OWASP’s IoT Top 10 list is an important starting point. 

To learn more about securing IoT devices and building a trusted IoT ecosystem, read our in-depth whitepaper here.


About Prateek Panda

Prateek Panda is Director of Marketing at Intertrust Technologies and leads global marketing for Intertrust’s application shielding and device identity solutions. His expertise in product marketing and product management stem from his experience as the founder of a cybersecurity company with products in the mobile application security space.
