{"id":706,"date":"2020-03-03T10:15:00","date_gmt":"2020-03-03T10:15:00","guid":{"rendered":"https:\/\/sectigostore.com\/blog\/?p=706"},"modified":"2020-12-03T15:31:51","modified_gmt":"2020-12-03T15:31:51","slug":"10-iot-security-tips-you-can-use-to-secure-your-iot-devices","status":"publish","type":"post","link":"https:\/\/sectigostore.com\/blog\/10-iot-security-tips-you-can-use-to-secure-your-iot-devices\/","title":{"rendered":"10 IoT Security Tips You Can Use to Secure Your IoT Devices"},"content":{"rendered":"\n

IoT is something of a double-edged sword. While it makes life so much simpler to have a smart home with a smart lock, and a Wi-Fi kettle that boils the water for your morning tea automatically, it comes at a price that may cost you significantly more than what\u2019s on the price tag. In IoT security, there are security trade-offs and, unfortunately, these can do more harm than good, and almost make you miss the days when there was nothing \u201csmart\u201d about your TV! <\/p>\n\n\n\n

Let\u2019s take\na look at some examples to drive home the importance of security before we\nwelcome this technology into our homes, our industries, and our everyday lives.\n<\/p>\n\n\n\n

IoT Security: How Your Connected Devices Leave You\nVulnerable<\/strong><\/h2>\n\n\n\n
\"IoT\"<\/figure><\/div>\n\n\n\n

Hackers can gain a foothold into your network from the most innocuous devices on your network. Nicole Eagan, CEO of Darktrace, a cybersecurity firm, recounts an incident<\/a> at an unnamed casino in North America where attackers were able to access the high-roller database of gamblers. They did so by exploiting a low-risk vulnerability in a smart thermometer that was used to monitor the temperature of an aquarium. <\/p>\n\n\n\n

But this is\njust one example. Let\u2019s take a look at a few more examples of IoT security\nbreaches before moving on to pointers on IoT device security. <\/p>\n\n\n\n

Consumer Smart Devices at Home <\/strong><\/h3>\n\n\n\n

If you’ve read the reports on how security bugs in Alexa and Google Home smart assistants have been exploited to phish<\/a> and eavesdrop on users<\/a>, let’s just say that you’re right to be worried. Despite countermeasures from both Amazon and Google every time, they continue to be thwarted using newer techniques. <\/p>\n\n\n\n

Apart from this, there\u2019s Samsung\u2019s smart refrigerator, whose display is\ndesigned to be integrated with its user\u2019s Gmail calendar so they can see what\ntheir day looks like before heading out of the house. Except that, however\ngreat that sounds, it is not quite as neat. Even though SSL was deployed to\nsecure the Gmail integration, the fridge itself failed to validate the SSL\/TLS certificate,\nleaving the doorway open to hackers for getting on the same network and\nstealing the login credentials. <\/p>\n\n\n\n

To their credit, Samsung fixed the bug in a software update, but it\u2019s quite troubling when credible brands get breached. It sheds light on an almost inescapable fact that, more often than not, functionality takes priority over security, even in companies that should know better. What\u2019s more, in 2015 Samsung also warned us<\/a> about how they intended to collect and use our data in their smart TV<\/a> policy: <\/p>\n\n\n\n

 \u201cPlease\nbe aware that if your spoken words include personal or other sensitive\ninformation, that information will be among the data captured and transmitted\nto a third party through your use of Voice Recognition.\u201d <\/p>\n\n\n\n

Thank God for Apple, though, right? Let\u2019s hold onto that thought a moment. In February 2019, a severe bug was discovered in Apple\u2019s FaceTime app that allowed attackers access to someone\u2019s iPhone camera and microphone<\/a> before<\/em> they accepted or rejected an incoming call.<\/p>\n\n\n\n

With attackers finding ingenious ways to evade security controls to\nsteal data, cause damage, or merely be disruptive, it is reasonable to err on\nthe side of safety. Nevertheless, if you still fancy a smart home, umm… good\nluck? <\/p>\n\n\n\n

IoT Devices Are Used in Large Botnets Like Mirai<\/strong><\/h3>\n\n\n\n

Mirai is an IoT-centric malware that infects devices with weak\ncredentials, turning them into a network of remotely controlled zombies or\nbots. Although the original creators of Mirai have been caught, they previously\nreleased the malware\u2019s source code (possibly to confuse and distract\nauthorities), and now it has several mutations. <\/p>\n\n\n\n

Botnets have been used to launch several DDoS attacks with the attack on\nRutgers University and the one on Dyn (the company that provides domain name\nservices to the likes of Netflix, Twitter, etc.).<\/p>\n\n\n\n

Implantable Medical Devices<\/strong><\/h3>\n\n\n\n

In\ntechnology, nothing is sacred or spared from the clutches of cybercriminals.\nThis includes medical devices. <\/p>\n\n\n\n

At a Black Hat conference in 2018, Billy Rios of WhiteScope and Jonathan Butts of QED Secure Solutions demonstrated how medical implants<\/a>, which are intended to save patients\u2019 lives, can be controlled remotely by hackers and manipulated to cause unwarranted harm. The two security researchers demonstrated how they could disable an insulin pump and take control of the system of pacemaker devices manufactured by Medtronic<\/a>. In response, Medtronic<\/a> had initially brushed off the reported vulnerabilities as \u201clow risk\u201d bugs, failing to acknowledge the seriousness of the situation. They refused to resolve the issue even 570 days after the researches first submitted their findings!<\/p>\n\n\n\n

We can spend hours speculating over how a network of remotely controlled IoT devices can be used to bring down power grids<\/a> (or SCADA systems used in water distribution stations, to control gas pipelines, etc.) or squirm uncomfortably at the idea of baby monitors<\/a> being hacked. But what remains certain is that IoT is here to stay. As such, manufacturers need to be more mindful of the security risks (advanced persistent threats [APTs] being most dangerous) involved if we are to avoid an unbridled crisis. <\/p>\n\n\n\n

What Are the Biggest IoT\nSecurity Risks?<\/h2>\n\n\n\n

While we may not have much say in the matter, we can, to some extent, limit its control on our lives by taking some safety measures to secure our devices. The Open Web Application Security Project (OWASP)<\/a> Foundation is a global non-profit group that creates awareness regarding security risks in domains like web application security, mobile security, etc. so that individuals and organizations can make informed decisions. <\/p>\n\n\n\n

The table below lists the OWASP Top 10 <\/a>I<\/a>oT vulnerabilities<\/a> found in smart devices in 2014 and 2018:<\/p>\n\n\n\n

Top Ten<\/strong> <\/td>\n 2014 IoT Top Ten<\/strong>\n <\/td>\n 2018 IoT Top Ten<\/strong>\n <\/td><\/tr>
1<\/strong> <\/td>\n Insecure Web Interface\n <\/td>\n Weak, Guessable, or Hardcoded Passwords\n <\/td><\/tr>
2<\/strong> <\/td>\n Insufficient Authentication\/Authorization\n <\/td>\n Insecure Network Services\n <\/td><\/tr>
3<\/strong> <\/td>\n Insecure Network Services\n <\/td>\n Insecure Ecosystem Interfaces\n <\/td><\/tr>
4<\/strong> <\/td>\n Lack of Transport Encryption\/Integrity Verification\n <\/td>\n Lack of Secure Update Mechanism\n <\/td><\/tr>
5<\/strong> <\/td>\n Privacy Concerns\n <\/td>\n Use of Insecure or Outdated Components (NEW)\n <\/td><\/tr>
6<\/strong> <\/td>\n Insecure Cloud Interface\n <\/td>\n Insufficient Privacy Protection\n <\/td><\/tr>
7<\/strong> <\/td>\n Insecure Mobile Interface\n <\/td>\n Insecure Data Transfer and Storage\n <\/td><\/tr>
8<\/strong> <\/td>\n Insufficient Security Configurability\n <\/td>\n Lack of Device Management\n <\/td><\/tr>
9<\/strong> <\/td>\n Insecure Software\/Firmware\n <\/td>\n Insecure Default Settings (NEW)\n <\/td><\/tr>
10<\/strong> <\/td>\n Poor Physical Security\n <\/td>\n Lack of Physical Hardening\n <\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

Table\n1:\nOWASP IoT Top 10 \u2014 2014 vs 2018<\/p>\n\n\n\n

Top 10 Tips for IoT Security for Your Organization<\/strong><\/h2>\n\n\n\n

If your smart device comes equipped with unchangeable credentials or any type of authentication\/authorization mechanism<\/a>, do yourself a huge favor and don\u2019t buy it! As you can see from the OWASP Top 10 Internet of Things 2018<\/a> list of vulnerabilities, several concerns such as insecure ecosystems (web interface, cloud interface, etc.), data security, and physical security have retained their top 10 positions from the previous 2014 list. This gives us an inkling of the direction and speed at which IoT device security is moving. It also raises pertinent questions on the efficacy and adoption rate of IoT security solutions. <\/p>\n\n\n\n

However, because\nIoT is becoming such an integral part of our everyday lives, and we must do our\nbest to safeguard our connected devices, our data, and our networks. Here are a\nfew of the ways you can do that:<\/p>\n\n\n\n

1. Know Your Network and The Connected Devices on It<\/strong><\/h3>\n\n\n\n

When your\ndevices connect to the internet, these connections leave your entire network\nvulnerable and open to attackers if the devices aren\u2019t adequately secured. With\nmore and more devices being equipped with web interfaces, it\u2019s easy to lose\ntrack of which of your devices are accessible over the wire. To stay secure, it\u2019s\nessential to know your network \u2014 the devices on it and the type of information\nthey\u2019re susceptible to disclosing (especially if their corresponding apps come\nwith social sharing features). <\/p>\n\n\n\n

Cybercriminals\nuse information such as your location, your personal details, etc. to keep tabs\non you \u2014 which can translate into real-world dangers.<\/p>\n\n\n\n

2. Assess the IoT Devices on Your Network<\/strong><\/h3>\n\n\n\n

Once you\nknow which devices are connected to your network, audit your devices to\nunderstand their security posture. Internet of things security can be implemented\nby installing security patches and updates from manufacturers\u2019 website in a\ntimely manner, check for newer models with stronger security features, etc.\nAdditionally, before making a purchase, read up to understand how much of a\npriority, security is, for that brand. Ask yourself: <\/p>\n\n\n\n