As the number of IoT applications and devices continues to grow, so does the need for improved IoT security—yet the reality is we have a long way to go. A recent article pointed out that more than 2 million security cameras, doorbells, and even baby monitors contain serious IoT vulnerabilities. The worst part is there is no known patch for the common flaws in these everyday devices.
When it comes to IoT application security solutions, the bulk of the responsibility lies with the creator of the application. Yes, users should update their passwords frequently and follow basic security precautions, but the application itself has to be secure, not only from the day of launch, but throughout the lifecycle of the app.
This requires several things—an awareness of the top Internet of Things security vulnerabilities, knowledge of the best approaches to take to design a secure IoT app, and the right tools to manage it all.
Problems: The top IoT application vulnerabilities
The OWASP Top 10 IoT Vulnerabilities list is a great resource for the most serious IoT security threats. While some of these do pertain to the user’s personal IoT device itself, it’s important for application security professionals to be aware of all of the issues on this list, so they can take every measure possible to build protection into their IoT applications.
The OWASP list:
- Weak or hardcoded passwords—Many passwords are too easy to guess, are publicly available, or cannot be changed. Others come with “default” login credentials embedded into the source code that are easy to discover either socially (by asking around) or by examining the code itself through reverse engineering.
- Insecure network services—These are vulnerabilities in the network services used to access an IoT device. Such services (some of which may even be unnecessary) can let an attacker gain access to the device or its data, compromise the integrity or availability of information, or allow unauthorized remote control of the device.
- Insecure ecosystem interfaces—This refers to any insecure web, back-end API, cloud, or mobile interface external to the device itself. Common security issues in these interfaces include lack of authentication and weak encryption.
- Lack of secure update mechanism—This issue really covers two problems: the lack of an update mechanism altogether, and an update mechanism that is not secure. Whenever possible, you should build updating capability into your IoT device so you can send updates to it when it is in the field. Additionally, that update mechanism must be secure, so bad actors cannot hijack the device for their own nefarious purposes. Common missteps here include lack of firmware validation, the delivery of updates that are not encrypted in transit, and failure to provide notification of security changes due to updates.
- Use of insecure outdated components—Many IoT applications make use of third-party libraries and frameworks. This is a great way to build your application more efficiently, but these third-party resources must be included in AppSec testing. The use of outdated and potentially insecure components puts your application and IoT devices at risk.
- Insufficient privacy protection—The user’s personal information is stored on the device improperly, insecurely, or without permission.
- Insecure data transfer and storage—The failure to encrypt or restrict access to sensitive data is another IoT security threat.
- Lack of device management—Device management includes all aspects of security support for IoT devices, such as asset and update management, systems monitoring, and response capabilities.
- Insecure default settings—Many IoT devices are shipped with weak default settings (and many users don’t bother to change them). Some devices also don’t afford the user the ability to modify the device’s settings to make it more secure.
- Lack of physical hardening—This refers to physical weaknesses on the device itself, allowing an attacker to access data on the device or easily take control of it. This vulnerability is often overlooked, but if an attacker can get at your hardware, they can do a lot of damage.
Fixes: The top IoT security solutions
There are steps you can (and should) take to increase the security of IoT applications and devices.
Authentication can be as simple as a username and password or a more complex two-factor verification process. IoT authentication is often done through embedded sensors (pieces of embedded hardware that perform the authentication process), removing the need for human interaction. There are many secure IoT authentication methods that are easy to implement, such as Secure Boot and Trusted Platform Module (TPM).
Encrypting data between IoT devices and back-end systems keeps data safe from attackers. Data must be encrypted at rest and in transit in order for it to be truly secure.
IoT network security
The network that connects IoT devices to back-end systems must be secure. Network security is more challenging with IoT applications because there is a wide variety of standards, devices, and communication protocols involved.
IoT network security demands in-depth attention during design and deployment. Developers need to create more secure IoT devices, but deployment cannot be based on the assumption that the device itself is secure. Firewalls, antivirus, and intrusion detection and prevention systems should be used to create a secure IoT network.
As cloud-based communications and data storage continue to rise, more data is traveling between the cloud and IoT devices. Customers expect their personal data will be safe during transit. Public Key Infrastructure (PKI) delivers this transit security.
PKI uses digital certificates to provide encryption and authentication via a third party. Each digital certificate is issued by a Certificate Authority and is based on cryptographic keys to create a unique and strong credential without the need for passwords, tokens, or other clunky verification. PKI is needed to make sure the data is encrypted properly.
IoT API security
Representational State Transfer (REST) Application Programming Interfaces (APIs) are often employed to connect devices to the internet. APIs are another way for an attacker to connect to your device and access data.
Only authorized devices and applications should be communicating with APIs. An attack (or a potential threat) needs to be detected immediately. Authentication, encryption, and PKI can all be used to enhance API security.
API security policies and procedures must be established and enforced. Version management is also important—aging and redundant versions should be identified and removed on a regular basis.
Over-the-air update security
Over-the-air updates allow you to remotely update hardware settings, software, or firmware. They are great for adding new features to IoT applications and for sending out necessary security patches. But they also open your IoT system to attack.
Over-the-air updates must be fully controlled. You can require the customer to physically press a button on the device to allow an update to occur, or you can use a Virtual Private Network (VPN) to create an encrypted tunnel between the device and the network for transmitting the software update. Cryptography can be used to make sure the updates are from a verified author and have not been altered in any way during transit.
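The cryptographic check described above, as an added example that is not from the original article or any vendor's code: the device accepts an update only if a signed manifest verifies against a trusted public key and the image matches the hash inside it. The `Manifest` layout, the choice of Ed25519 and all names are assumptions, and the example goes one step beyond the text by also rejecting a validly signed but older version (rollback).

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Manifest is a hypothetical update descriptor shipped with each firmware image.
type Manifest struct {
	Version   uint32   // monotonically increasing firmware version
	ImageHash [32]byte // SHA-256 of the firmware image
	Sig       []byte   // Ed25519 signature over Version || ImageHash
}

func (m Manifest) signedBytes() []byte {
	return append(binary.BigEndian.AppendUint32(nil, m.Version), m.ImageHash[:]...)
}

// Sign is the vendor-side step; it binds a version number to one exact image.
func Sign(priv ed25519.PrivateKey, version uint32, image []byte) Manifest {
	m := Manifest{Version: version, ImageHash: sha256.Sum256(image)}
	m.Sig = ed25519.Sign(priv, m.signedBytes())
	return m
}

// Verify is the device-side check, run before anything is written to flash.
func Verify(pub ed25519.PublicKey, installed uint32, m Manifest, image []byte) error {
	if !ed25519.Verify(pub, m.signedBytes(), m.Sig) {
		return fmt.Errorf("signature invalid: manifest was not signed by the trusted key")
	}
	if sha256.Sum256(image) != m.ImageHash {
		return fmt.Errorf("hash mismatch: image altered or corrupted in transit")
	}
	if m.Version <= installed {
		return fmt.Errorf("rollback rejected: version %d is not newer than %d", m.Version, installed)
	}
	return nil
}

func Demo() (genuine, tampered, edited, replayed error) {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed vendor key; nil selects crypto/rand
	img := []byte("constructed firmware image, version 8")
	m := Sign(priv, 8, img)
	return Verify(pub, 7, m, img), Verify(pub, 7, m, append(img, 0)),
		Verify(pub, 7, Manifest{9, m.ImageHash, m.Sig}, img), Verify(pub, 8, m, img)
}

func main() { fmt.Println(Demo()) }
```

Because the version number is inside the signed bytes, editing it in transit invalidates the signature, which is what makes the rollback check trustworthy.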
For more details on these solutions, we recommend consulting this resource from Software Design Solutions, experts in IoT application development.
The golden rule of IoT AppSec: Test, test, test
In addition to the above protocols, you must remember the golden rule of secure IoT application development. Namely, that the only way to build and maintain a secure IoT application is to make security a priority from day one. This means you must follow secure coding practices and run frequent software scans and security tests.
This can be accomplished with the right tools. Proper scanning and security testing require the use of a combination of testing tools, such as Static Application Security Testing (SAST) tools, Dynamic Application Security Testing (DAST) tools, and Interactive Application Security Testing (IAST) tools.
Sometimes these tools are applied differently to IoT devices than they are to web and cloud apps, so your developers need to understand how these tools relate to the IoT device or application they are developing. Consult outside experts if you do not have the in-house knowledge around proper IoT application security testing.
When it comes to IoT, it’s important to point out specific types of testing that should be included in the application security process:
- Threat modeling—Threat modeling is a process through which potential vulnerabilities are identified, assessed, and prioritized. Numerous approaches can be taken. Develop a comprehensive threat model of the entire system to identify the most serious issues. This model should continue to develop and grow throughout the product lifecycle to accurately reflect the current state of the system.
- IoT penetration testing—In some cases, you can use automated DAST tools to simulate an attack on your application, but in other cases, hands-on testing is required. A penetration test is a simulated attack against your application carried out by a human. For IoT, penetration testing must cover the entire IoT ecosystem, including IoT applications, APIs, hardware, and firmware.
- Communications protocol testing—It is important to test communications and the transfer of information to and from the IoT device, including any encryption technology that may be employed.
Sorting through the results from all of these tools can be cumbersome and slow down development, which is why security is often given a back seat during the development process. However, there is a way you can quickly correlate the results from many tools into a single report that is easy to digest.
An automated application vulnerability management tool processes the results from all of your scans and removes the duplicates. It identifies which vulnerabilities were found by more than one tool and allows you to set priorities based on severity.
Even more importantly, it integrates with the environments your developers are already using, such as Visual Studio, Jenkins, and TeamCity, so your team members do not need to go to an additional location for security issues. They receive alerts on issues within the tools they are already using, so they can continuously monitor security as they work.
This kind of tool allows you to keep security as a main concern without slowing down development time. Progress against remediation of security issues is easily tracked, so you can make sure the most critical issues are addressed quickly, before additional work on the application is done. An application vulnerability management tool streamlines the AppSec process, allowing your team to keep development moving at a steady pace without ignoring the importance of security threats.
While security should always be at the forefront of your mind when building any type of application, it needs to be a higher priority when it comes to IoT apps. The constant connection these devices and applications have with external networks and other devices puts them (and their data and users) at increased risk of attack.
Taking extra care to avoid the top IoT AppSec vulnerabilities and following the precautionary steps laid out above will help you build and maintain a secure IoT application. The key to making the process manageable and efficient is to use the right tools, so your team doesn’t waste time weeding through results.