Protect against OWASP’s Internet of Things Top 10 (Part 2)

This blog previously examined the first five points on OWASP's Internet of Things Top Ten (the 2014 list), a catalogue of the vulnerability categories most often found in connected devices. The number of such devices is growing fast: a 2011 Cisco report projected that 50 billion devices could be connected to the Internet by 2020, up from fewer than 1 billion in 2003. That growth has produced design flaws, as developers ship devices without building proper security measures into them.

Many devices have not been adequately prepared for the Internet of Things, posing serious security risks.

As with the earlier five points, these areas describe the broad approach developers need to take to protect newly connected devices and their users. The software security testing a company performs should vary with which of these vulnerabilities its products are most likely to contain, and in many cases a thorough review is the first step in determining how exposed a given flaw is and how attractive a target it makes.

  • #6 Insecure Cloud Interface: IoT products rely heavily on a cloud back end, so securing that interface may seem an obvious precaution. It still takes several measures: two-factor authentication, strict lockout after repeated failed logins, a password policy that rejects weak credentials, login responses that do not reveal whether an account exists, and TLS on every connection. Because the IoT ties many devices and networks to a single account, a weak password on the cloud interface can hand an attacker the privileges of that account across all of them.
  • #7 Insecure Mobile Interface: As with cloud interfaces, stronger authentication is a large part of how developers can stem mobile interface exploits. Before making such a change permanent, companies can test whether legitimate users can still sign in from new devices. In an InfoSec Institute article, however, Jonathan Lampe recommends paying attention to the network as well as the device itself. He says that network specialists would recommend “eliminating unnecessary WAPs, turning off broadcasts of non-public SSIDs, disabling public wireless interfaces, considering the ‘two headed’ ramifications of WAPs also connected to other networks, using strong wireless protocols to authenticate and secure traffic, and more.”
  • #8 Insufficient Security Configurability: The best way to address this vulnerability is a thorough review of the device's administrative interface. Users need to be able to tighten security controls when necessary: change default credentials, enforce password strength, enable encryption, and turn on logging and alerting. OWASP rates this vulnerability as easy to detect but only moderate in technical impact, though it still leaves holes an attacker can exploit. A related problem is the gap between the need for comprehensive security and the simplicity of some device controls, which may offer no way to adjust these settings at all.
  • #9 Insecure Software/Firmware: Vehicles are one of the major areas of concern for IoT security, and the possibility of an attacker taking control of a car or truck has driven much of the research. In 2015, WIRED reported on research from the University of California at San Diego showing that a dongle plugged into a vehicle's diagnostic port could have its firmware altered and then be used to send commands that manipulated the vehicle. The biggest improvements to firmware security come from a sound update mechanism: updates must be delivered over an encrypted channel, cryptographically signed, and verified by the device before installation, and the device must refuse images older than the one it is running. A device that cannot be updated at all can never be patched, which puts its users' data at serious risk.
  • #10 Poor Physical Security: Even with a greater reliance on cloud storage, the physical device itself presents vulnerabilities. The OWASP entry chiefly refers to removal of storage media and access to USB or other debug ports, but the IoT also adds risk by extending the network to devices mounted in exposed places. Naked Security reported on a Wi-Fi-enabled doorbell that, despite its internal security features, let anyone learn the home's Wi-Fi password simply by unscrewing the unit from the doorway and extracting the credential from it. Defending against this class of flaw means securing the device's ports and storage, keeping credentials and keys encrypted at rest, and treating the exterior of the device as part of the attack surface.
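The failed-login lockout called for under #6 is easy to get subtly wrong: if only accounts that exist are ever locked, the lockout itself becomes an account-enumeration oracle, and a lockout that never escalates invites slow brute force. The following Go program is an added example written for this post; it is not code from the original article, from OWASP, or from PSC. The policy values, the account names, the user table and the plain SHA-256 password store are all constructed for illustration (a real service would use a salted, slow hash and shared, mutex-protected state).

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"time"
)

// ErrDenied is the single error returned for every failed login (unknown account,
// wrong password, or locked account) so responses never reveal which accounts exist.
var ErrDenied = errors.New("login denied")

type Policy struct {
	MaxFailures int           // failures inside Window that trigger a lockout
	Window      time.Duration // sliding window over which failures are counted
	BaseLock    time.Duration // first lockout length; doubles on each repeat
	MaxLock     time.Duration // upper bound on the lockout length
}

type state struct {
	failures    []time.Time
	lockedUntil time.Time
	lockouts    int // consecutive lockouts since the last successful login
}

// Guard is single-threaded here; a real service would protect states with a mutex
// or keep them in a shared store so every instance sees the same counts.
type Guard struct {
	policy Policy
	states map[string]*state
	users  map[string][32]byte // account -> SHA-256(password); constructed sample store
}

// NewGuard builds a guard over a constructed user table (assumed, not a real API).
func NewGuard(p Policy, users map[string]string) *Guard {
	g := &Guard{policy: p, states: map[string]*state{}, users: map[string][32]byte{}}
	for account, password := range users {
		g.users[account] = sha256.Sum256([]byte(password))
	}
	return g
}

// Login enforces the lockout before checking the password. The clock is an
// argument so the policy can be exercised deterministically.
func (g *Guard) Login(account, password string, now time.Time) error {
	st := g.states[account]
	if st == nil { // unknown accounts get state too, so their lockout behaviour is identical
		st = &state{}
		g.states[account] = st
	}
	if now.Before(st.lockedUntil) {
		return ErrDenied
	}
	stored, known := g.users[account]
	given := sha256.Sum256([]byte(password))
	match := subtle.ConstantTimeCompare(stored[:], given[:]) == 1 // runs for unknown accounts as well
	if known && match {
		st.failures, st.lockouts = nil, 0
		return nil
	}
	g.recordFailure(st, now)
	return ErrDenied
}

func (g *Guard) recordFailure(st *state, now time.Time) {
	cutoff := now.Add(-g.policy.Window)
	recent := st.failures[:0]
	for _, t := range st.failures {
		if t.After(cutoff) {
			recent = append(recent, t)
		}
	}
	st.failures = append(recent, now)
	if len(st.failures) < g.policy.MaxFailures {
		return
	}
	lock := g.policy.BaseLock << uint(st.lockouts) // 1x, 2x, 4x ... capped at MaxLock
	if lock <= 0 || lock > g.policy.MaxLock {
		lock = g.policy.MaxLock
	}
	st.lockedUntil, st.lockouts, st.failures = now.Add(lock), st.lockouts+1, nil
}

// LockedFor reports how much longer the account is locked out (zero if it is not).
func (g *Guard) LockedFor(account string, now time.Time) time.Duration {
	if st := g.states[account]; st != nil && now.Before(st.lockedUntil) {
		return st.lockedUntil.Sub(now)
	}
	return 0
}

func main() {
	g := NewGuard(Policy{MaxFailures: 3, Window: 10 * time.Minute, BaseLock: time.Minute, MaxLock: time.Hour},
		map[string]string{"alice": "correct horse battery staple"})
	t0 := time.Date(2016, 1, 1, 0, 0, 0, 0, time.UTC)
	for _, account := range []string{"alice", "bob"} { // bob does not exist
		for i := 0; i < 3; i++ {
			g.Login(account, "guess", t0)
		}
		fmt.Printf("%s: locked for %v, login now: %v\n", account, g.LockedFor(account, t0), g.Login(account, "guess", t0))
	}
	fmt.Println("alice after the lockout expires:", g.Login("alice", "correct horse battery staple", t0.Add(61*time.Second)))
}
```

Two design points matter more than the numbers: the unknown account "bob" is locked on exactly the same schedule as "alice", so neither the error message nor the lockout timing tells an attacker which names are real, and a successful login resets the escalation while a locked account stays locked even when the correct password is supplied. Per-account lockout is also a denial-of-service lever, so in production it should be paired with per-source rate limiting and alerting rather than used alone.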
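The update mechanism described under #9 (signed images, verified on the device, with no way to roll back to an older signed image) can be shown end to end in a few dozen lines. The Go program below is an added example written for this post, not code from the original article, from OWASP, or from any vendor's update system. The image layout (a "FWIM" magic, a big-endian version and length, the payload, then an Ed25519 signature covering everything before it), the function names and the sample payload are all assumptions made for the example; the signature uses Go's standard crypto/ed25519 package.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Image layout assumed for this example (not an OWASP or vendor format):
//   magic "FWIM" (4) | version uint32 BE (4) | payload length uint32 BE (4) |
//   payload (N bytes) | Ed25519 signature over everything before it (64)
const (
	magic     = "FWIM"
	headerLen = 12
)

var (
	ErrFormat   = errors.New("malformed firmware image")
	ErrSig      = errors.New("firmware signature verification failed")
	ErrRollback = errors.New("firmware version is not newer than the installed one")
)

// GenerateKeyPair creates the vendor signing key. The private half stays on the
// build system; only the public half is baked into the device.
func GenerateKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// BuildImage runs on the vendor side: header + payload, then a signature that
// covers both, so the version field cannot be altered without detection either.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	var buf bytes.Buffer
	buf.WriteString(magic)
	binary.Write(&buf, binary.BigEndian, version)
	binary.Write(&buf, binary.BigEndian, uint32(len(payload)))
	buf.Write(payload)
	sig := ed25519.Sign(priv, buf.Bytes())
	buf.Write(sig)
	return buf.Bytes()
}

// VerifyImage runs on the device. Only the magic and length are read before the
// signature check; every other field is trusted only after the signature passes.
func VerifyImage(pub ed25519.PublicKey, image []byte, installed uint32) ([]byte, uint32, error) {
	if len(image) < headerLen+ed25519.SignatureSize || string(image[:4]) != magic {
		return nil, 0, ErrFormat
	}
	n := int(binary.BigEndian.Uint32(image[8:12]))
	if n != len(image)-headerLen-ed25519.SignatureSize {
		return nil, 0, ErrFormat
	}
	signed, sig := image[:headerLen+n], image[headerLen+n:]
	if !ed25519.Verify(pub, signed, sig) {
		return nil, 0, ErrSig
	}
	version := binary.BigEndian.Uint32(image[4:8])
	if version <= installed { // anti-rollback: a validly signed old image is still refused
		return nil, 0, ErrRollback
	}
	return signed[headerLen:], version, nil
}

func main() {
	pub, priv := GenerateKeyPair()
	img := BuildImage(priv, 2, []byte("constructed sample firmware payload"))
	if _, v, err := VerifyImage(pub, img, 1); err == nil {
		fmt.Println("accepted version", v)
	}
	_, _, err := VerifyImage(pub, img, 2)
	fmt.Println("rollback attempt:", err)
	img[headerLen+3] ^= 0x01 // flip one payload bit
	_, _, err = VerifyImage(pub, img, 1)
	fmt.Println("tampered image:", err)
}
```

The order of the checks is the point: the device parses only what it needs to locate the signature, verifies the signature, and only then reads the version and compares it with the installed one. Because the signature covers the header, an attacker who re-labels an old, vulnerable image with a higher version number fails the signature check, and an attacker who replays a genuine older image fails the rollback check. Transport encryption is still needed on top of this (OWASP's entry calls for both), but it protects the download, not the decision to install.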

Contact PSC for a consultation on application testing scenarios that fit your products and start guarding against these threats.


About the Author:

Rob Cross is currently an executive with PSC.