{"id":14927,"date":"2017-01-25T19:44:31","date_gmt":"2017-01-25T14:14:31","guid":{"rendered":"https:\/\/blog.resellerclub.com\/?p=14927"},"modified":"2025-02-28T06:54:12","modified_gmt":"2025-02-28T06:54:12","slug":"a-look-into-iot-security-and-vulnerabilities","status":"publish","type":"post","link":"https:\/\/www.resellerclub.com\/blog\/a-look-into-iot-security-and-vulnerabilities\/","title":{"rendered":"A Look Into IoT Security and Vulnerabilities"},"content":{"rendered":"

Looking at the top left in Google Chrome, you may see a red X–Google\u2019s way to denote unsecured SSL (Secure Sockets Layer). Non-HTTPS sites also face consequences of the 2016 update to Google\u2019s security measures, potentially confusing WordPress users and other login pages that appear to have been compromised (while this is just Google\u2019s way of denoting a non-HTTPS site).<\/span><\/p>\n

Also, as consumer electronics manufacturers release new and more complex gadgets, security is likely to be the last thing on people’s minds. Devices like Apple\u2019s HomeKit turn your iPhone or iPad into a remote control for lights, locks, the thermostat, window shades and even your doorbell, making typical iOS functions like Siri voice-based extensions of controlling a smart home.<\/span><\/p>\n

Yet even if most electronics on a home network employ top security standards, all it takes is a faulty webcam for an attack to happen.<\/span><\/p>\n

We just saw this with internet infrastructure company Dyn in late October of 2016. Mirai malware took advantage of default, easy-to-guess passwords on the webcams of unsuspecting consumers, leading to a massive Distributed Denial of Service (DDoS) attack temporarily shutting down popular sites like Twitter and PayPal.<\/span><\/p>\n

Along with Apple\u2019s Authentication Coprocessor, HomeKit\u2019s end-to-end encryption helps mitigate the risk of hacking. The coprocessor only sends a certificate that allows an iOS device to unlock an accessory (like your home\u2019s light dimmers, thermostat and power meter) after the accessory completes a challenge sent by the iOS device. Any Internet of Things device that connects to this network, however, may not have the same robustness rules in place.<\/span><\/p>\n

\"ArxanIG_960\"<\/a><\/p>\n

According to this graphic from Arxan, the number of devices connected to the internet reached 6.4 billion in 2016. According to <\/span>cisco<\/span><\/a>, the estimate number of connected devices is expected to grow to 50 billion by 2020! Thus, in-home communication network security is only half the battle for consumers, as the cars they drive are increasingly becoming connected as well. Car manufacturers have different OEMs when it comes to displays and in-vehicle digital storage, meaning that all devices in a connected car may not use end-to-end encryption. Code scanners can interrupt critical functions and<\/span> if you look further into automotive IoT security<\/span><\/a> you\u2019ll find that many parts of a vehicle that have been around for years–like the OBD2 port for engine diagnostics and on-board computers–could potentially be decrypted and injected with malware.<\/span><\/p>\n

On the issue of DDoS attacks, Arxan CMO Mandeep Khera explains that \u201chackers go after the weakest attack vectors and it\u2019s increasingly apparent that IoT infrastructure from devices and sensors to the embedded software to APIs is the weakest link.\u201d<\/span><\/p>\n

The idea of a smart home we see today has been around since the early 2000s, when structured wiring came into focus as a way to connect video and networking devices to DSL, which offered higher speed internet access than over a phone line. Fast forward to wireless technology in 2016, and connected homes are easier to set up, but vulnerable in different ways.<\/span><\/p>\n

A lot of today\u2019s IoT hardware, including the consumer webcams that were hacked during the DDoS attack targeting Dyn\u2019s infrastructure, can still access Telnet after changing the default username and password of the system. This keeps the door open for remote hacking and without wireless chip security standards you find in HomeKit, it can be more difficult to build a secure network of non-iOS devices.<\/span><\/p>\n

Cisco neatly outlines the security challenges within IoT systems including Management of multi-party networks, crypto resilience, physical protection and more in <\/span>this<\/span><\/a> article. <\/span><\/p>\n

This detailed <\/span>article by IBM<\/span><\/a> highlights things you can do to secure your IoT devices with mechanisms such as User ID authentication, One Time Passwords, server unique ID authentication and more and offers comprehensive ways to implement such mechanisms.<\/span><\/p>\n

Contributors:<\/em><\/p>\n