This week, we are discussing IoT security. If IoT devices and ip cameras are not secured, hackers can use them to gain access to the enterprise network, to distribute malware, or to launch distributed denial of service (DDoS) attacks. As in the case of recent incidents for Dahua, Hikvision and others security camera manufacturers. According to a recent report from Flashpoint and Level 3 Threat Research Labs, botnets made up of hundreds of thousands of compromised IoT devices are already being used to launch massive DDoS attacks.

In addition, IoT data must be secured whether it is in flight across the network, at rest in storage, or in use by an application. As with most other challenges related to the IoT, the sheer number of devices, and the large volume of data they generate, makes security especially difficult.

The OWASP Internet of Things Project has identified the Top 10 IoT vulnerabilities:

  1. Insecure web interface – The default username and password are used, and the device has no account lockout – It may also have web application vulnerabilities.
  2. Insufficient authentication – Weak passwords and insecure password recovery mechanisms make a hacker’s job easy – Multifactor authentication is not available.
  3. Insecure network services – Network ports are exposed to the Internet, and unnecessary ports are open –  Network services are vulnerable to DDoS attacks.
  4. Lack of transport encryptions – IoT data is sent across the network as clear text because encryption is unavailable or improperly configured.
  5. Privacy concerns – Too much sensitive data is collected, and is not properly secured. Users are not given the option to disallow the collection of personal data.
  6. Insecure cloud interface – Weak passwords, a lack of multifactor authentication and application vulnerabilities create risks.
  7. Insecure mobile interface – Strong passwords are not required. Multifactor authentication and account lockout are not available.
  8. Insufficient security configurability – Strong authentication, encryption and security logging are not available.
  9. Insecure software/firmware – Device updates are not secured with encryption or digital certificates.
  10. Poor physical security – External ports and removal media are easy to access. Administrator-level capabilities cannot be limited.

Many of these vulnerabilities must be addressed at the device level, adding to the complexity. Security solutions and best practices are emerging, but they have not kept pace with the rapid growth of the IoT. In addition, some organizations have launched IoT initiatives without fully considering the security implications. Lacking a sound IoT security strategy, organizations are forced remediate vulnerabilities reactively.

The size and complexity of the IoT makes security extremely challenging, but it is absolutely critical. If your organization plans to leverage the IoT, FusionStorm can help you evaluate solutions that can reduce the risk of a security breach.