IoT Security Vulnerabilities

Consumers buy Internet of Things (IoT) devices like Ring Doorbell Pro to see instant videos of their doorsteps and keep their homes safe.

So imagine their surprise when some began seeing videos from other houses. The company had been merging databases with user information and some ID numbers were accidentally overridden, leading to a mixup of user accounts. Ring contested that the error rate was extremely small — fewer than 10 out nearly 84 million calls.

Still, the security error demonstrates the vulnerability of IoT security systems. There’s a lot of areas where things can go wrong — from the backend network that keeps everything running, to the web or mobile app screens where users view information, and even the physical devices themselves.

And although the Ring case was seemingly an internal error which was caught relatively quickly, the real danger is if a hacker can break into a system and use it damage people.

OWASP (Open Web Application Security Project) is currently working on a project that analyzes the security of IoT applications. The project highlights some major vulnerabilities that can occur:

  • Easy collection of usernames— Any time there is something that needs to authenticate users (make sure it’s who they say they are), there's a chance that an attacker can view and collect a list of valid usernames.

  • Weak passwords — If they system allows weak passwords (e.g. “1234”) people may be tempted to choose them, allowing attackers to easily guess and obtain access to the account.

  • Lack of account lockout — Does the system let users guess passwords an infinite amount of times? Systems that do are prime real estate for attackers.

  • Unencrypted services — There is a lot of information being passed between the physical device, a device on the user side (e.g. a computer or mobile phone), and a backend network that is keeping everything runner. If that communication between devices is unencrypted, attackers can eavesdrop into the system and learn sensitive information.

  • Poor update mechanisms — All good systems should have the ability to securely install update files and clearly mark when the last update occurred. If this process is not stable, attackers can break into the update files and do damage — either by installing malicious updates or overriding other security measures.

These security vulnerabilities aren’t just hypothetical; some systems have already shown failures in the real world.

Observer.com published a list of eight of the biggest IoT security fails. Number one on the list was Target, the company that suffered a major breach of credit card information at the hands of hackers.

To pull it off, the attackers entered through a security vulnerability in Target’s IoT heating and cooling system. After gaining access to that system, the attackers were recognized as legitimate users and were able to access Target’s point of sale system — installing software on credit card readers that allowed them to see personal information every time a card was swiped.

In another case on Observer’s list, a presenter at a security conference demonstrated how easy it was to install code onto Nest thermostats.

The ability to tamper with the physical devices meant that attackers could buy tons of Nest devices, install malicious code, and then resell them to the general public. The attackers would then be able to access secure information from the unknowing consumers.

* Illustration re-posted under Creative Commons License from www.nesta.org.uk