Lots of Internet-connected devices are available on the market, and a popular theme now is devices for creating a ‘smart home’: smart door locks, surveillance/security cameras and heating control systems that can be monitored and controlled when you are away from the home.
This ability to remotely connect to and integrate devices to communicate with each other may provide a better lifestyle for the consumer. Furthermore, device manufacturers are embracing all this new data captured by the Internet of Things (IoT) and may use data on product usage for market research and to understand the end customer better. However, these devices may have associated security challenges.
Is more better?
The bigger question though is whether devices being developed have a suitable level of security to protect the consumer, their network, their home and their information. The more devices available and connected, the larger the attack surface. If any of these devices are compromised, more interconnected and integrated devices may also mean more targets to attack.
Just imagine that your devices are all connected by a Wi-Fi router. If one smart device (such as a smart fridge) were compromised, communications from your mobile phone, computer or tablets that share the same Wi-Fi network could be intercepted or put at risk.
Furthermore, with all these devices shipped en masse to the market, it is highly likely that they are all configured with default settings and passwords that could be easily identified and exploited by an attacker. Consider a smart fridge, where the consumer may have little or no ability to change the security settings.
IoT vendors need to understand the risks that introducing new technology, such as wireless or Bluetooth features, may open up for their smart devices and therefore also for the end consumer.
What are the trends?
You may think that IoT devices are little more than ‘dumb machines’. However, remember the following:
- Connectivity: Smart devices keep the customer informed, updated and happy by providing a means (or multiple means) to connect to and communicate with the devices, such as Wi-Fi, Bluetooth, GPRS etc.
- CPUs: Consider how small your mobile phone is. Some devices can embed a fast processor and have a lot of power in such a small space.
- Reusability: Many devices share similar parts, such as processors and batteries, and may even reuse common software code. Any compromise of one type of device could impact devices of similar or even different types, supplied by other vendors.
- Home Security: Businesses spend lots of money to protect their corporate networks. Home networks do not get the same level of security.
What security baseline?
As technology advances, there is the never-ending game between those attacking and those seeking to defend.
Vendors and businesses must ensure that their products and services are secure, but what baseline of good security are they using? I would encourage any business to adhere to the appropriate sections of the PCI DSS (Payment Card Industry Data Security Standard).
Yes, the PCI DSS focuses mainly on payment security but the PCI DSS is also a great baseline security standard covering both hardware and software security aspects. Here are a few examples:
- Change defaults: The default settings and passwords of devices can be published on the Internet and are readily available to an attacker trying to exploit unsecured devices. If an attacker has access to usernames/passwords, it is a trivial task to view or possibly change device settings. Changing defaults such as vendor pre-set passwords makes it harder for an attacker to compromise the device.
- Applying necessary hardening settings: There may be services/protocols/daemons that may be exploited. Enabling only necessary services/protocols/daemons minimises the available device functions that could be exposed to and potentially exploited by attackers. Applying the relevant hardening settings ensures any weak services/protocols/daemons are secure enough for use.
- Using secure encryption technology: Using an appropriate level of security, such as the TLS 1.2 security protocol for device communications or industry standard cryptographic technologies and methods, will help to ensure that any transmission or storage of sensitive data is secured.
- Developing secure applications: There are many types of attacks on software, such as injection attacks and buffer overflows. Following secure software development practices to develop inherently more secure applications/firmware can help ensure malicious code is not successful.
- Physical and logical mechanisms to protect critical files: Protecting access to critical files and settings helps ensure that secure settings cannot be overridden and that malicious code is not inserted.
This can be done by having a secure tamperproof casing and ensuring all software/firmware has been developed using secure coding practices (for example, ensuring all requests for access to resources go through some kind of authentication/authorisation layer, using encoding and input validation to prevent injection attacks, etc.).
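The first three baseline items above (changed defaults, only necessary services, TLS 1.2 or later) can be checked mechanically before a device ships. The following is an added example, not code from the original article; the configuration layout, the default-credential list and the required-service list are all constructed for illustration.

```python
# Added example: audit a device configuration against the baseline items above.
# All names, fields and values are constructed; adapt them to a real device.

# Vendor pre-set credential pairs of the kind that get published online.
KNOWN_DEFAULTS = {("admin", "admin"), ("admin", "password"),
                  ("root", "root"), ("admin", "1234")}
# Services this hypothetical device actually needs in order to function.
REQUIRED_SERVICES = {"https", "mqtt-tls"}
# Protocol versions ordered from weakest to strongest.
TLS_ORDER = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
MIN_TLS = "TLSv1.2"


def audit(config):
    """Return a list of (finding, detail) tuples; an empty list means compliant."""
    findings = []
    # Change defaults: no account may still use a vendor pre-set password.
    for acct in config.get("accounts", []):
        if (acct["user"], acct["password"]) in KNOWN_DEFAULTS:
            findings.append(("default-credentials", acct["user"]))
    # Hardening: every enabled service must be on the required list.
    for svc, enabled in sorted(config.get("services", {}).items()):
        if enabled and svc not in REQUIRED_SERVICES:
            findings.append(("unnecessary-service", svc))
    # Encryption: a missing or unknown version is treated as weak.
    tls = config.get("min_tls_version")
    if tls not in TLS_ORDER or TLS_ORDER.index(tls) < TLS_ORDER.index(MIN_TLS):
        findings.append(("weak-tls", str(tls)))
    return findings


# Constructed sample: a device as it might leave the factory.
FACTORY_CONFIG = {
    "accounts": [{"user": "admin", "password": "admin"}],
    "services": {"https": True, "telnet": True, "upnp": True,
                 "mqtt-tls": True, "ftp": False},
    "min_tls_version": "TLSv1.0",
}
# Constructed sample: the same device after hardening.
HARDENED_CONFIG = {
    "accounts": [{"user": "owner", "password": "constructed-unique-passphrase"}],
    "services": {"https": True, "telnet": False, "upnp": False,
                 "mqtt-tls": True, "ftp": False},
    "min_tls_version": "TLSv1.2",
}

if __name__ == "__main__":
    for name, cfg in (("factory", FACTORY_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg))
```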
As IoT devices are distributed or sold to the public, we can even apply some controls from the PCI Point-to-Point Encryption (P2PE) standard such as:
- Update devices ‘in the field’: Having the ability to deploy software security updates to devices already sold and in use.
- Secure updates: Validating that any updates are delivered via security mechanisms that ensure the integrity and authenticity of the update and its originator.
- Secure chain of custody: Ensuring that the devices are secured in transit; the device the consumer receives is as it was dispatched by the vendor with no tampering or other interference.
- Credentials change: Having installation or set-up procedures that force the user to change default settings and credentials or ensure these defaults are changed prior to use.
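The ‘secure updates’ control above comes down to two checks on the device before an update is installed: the manifest is authentic, and the image matches the digest in that manifest. The following is an added example, not code from the original article; it uses an HMAC-SHA256 tag with a device-provisioned key as a stand-in for the vendor's digital signature (a production device would normally verify a public-key signature), and the key, manifest fields and image bytes are constructed.

```python
# Added example: accept a firmware update only if it is authentic and intact.
# HMAC with a provisioned key stands in for a vendor public-key signature.
import hashlib
import hmac
import json


def sign_manifest(manifest, key):
    """Vendor side: tag the canonical JSON encoding of the manifest."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def verify_update(image, manifest, tag, key):
    """Device side: check authenticity first, then integrity of the image."""
    expected = sign_manifest(manifest, key)
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(expected, tag):
        return "rejected: manifest not authentic"
    digest = hashlib.sha256(image).hexdigest()
    if not hmac.compare_digest(digest, str(manifest.get("sha256", ""))):
        return "rejected: image integrity check failed"
    return "accepted"


# Constructed sample data; not a real key or a real firmware image.
DEVICE_KEY = b"constructed-demo-key-not-a-real-secret"
IMAGE = b"firmware image bytes (constructed sample)"
MANIFEST = {"version": "1.4.2", "sha256": hashlib.sha256(IMAGE).hexdigest()}
TAG = sign_manifest(MANIFEST, DEVICE_KEY)

if __name__ == "__main__":
    print(verify_update(IMAGE, MANIFEST, TAG, DEVICE_KEY))
    print(verify_update(IMAGE + b"!", MANIFEST, TAG, DEVICE_KEY))
```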
Without implementing sufficient security controls, a breach of IoT devices can lead to severe consequences. First, to resolve security failings, devices may need to be recalled, which can be very costly. There may be legal implications and financial penalties for vendors/businesses that lose sensitive consumer data, which may include personal information or private details of their home network.
Finally, there is a breach of customer trust which can have damaging PR consequences and can impact future sales, services and/or profitability.
IoT is still in its infancy but, no doubt, as more creative and ever more connected solutions come on the market, it becomes ever more imperative to stay up to date with the potential vulnerabilities and threats of the ever-changing security landscape that could present a risk to IoT devices and the consumers that use them.
By adhering to an industry security standard (such as the PCI DSS) as a minimum level of security, vendors and businesses can ensure that the likelihood of an IoT device compromise, data breach or loss is minimised.