In the corporate environment of today, Bring Your Own Device (BYOD) may extend beyond workers using their personal tablets and smartphones, to wearable devices like FitBits or Internet of Things (IoT)-connected badges and performance monitors.
On the domestic or public scene, mobile devices are increasingly being supplemented by IoT tagged or sensor-laden goods, appliances, and infrastructure components.
Office managers, home owners, and municipal authorities may not even be aware of how many connected devices there are on their premises – and recent research suggests that they’re now woefully ignorant of the potential threat posed to these devices by security vulnerabilities and attack vectors of all kinds.
Mobile Security Vulnerabilities for IoT – How Bad is it?
The situation’s pretty dismal. In a survey of 593 IT and IT security practitioners conducted by the Ponemon Institute (including users, manufacturers, and developers of mobile apps and IoT devices), 71% of the respondents admitted to using mobile applications which haven’t undergone security vulnerability testing, while around 80% said that the IoT applications being used in their organizations weren’t tested, either.
Ponemon’s “2017 Study on Mobile and Internet of Things Application Security” quotes 79% of those surveyed as saying that the use of mobile apps increases security risks “very significantly” or “significantly” – an opinion held by 75% of those deploying IoT applications. And it appears that they have reason to worry.
At the DEF CON security conference held in August 2016, participants tasked with attempting to hack a variety of IoT devices found an unsettling 47 new vulnerabilities affecting 23 of the products tested. Goods ranged from refrigerators, padlocks and thermostats to wheelchairs and arrays of solar panels.
Defects ranged from the mundane to the esoteric:
- Padlocks and door locks with vulnerabilities to password sniffing and replay attacks, where a captured passcode could be replayed later to open them.
- An electronic wheelchair which could be hijacked by remote control once a safety feature was disabled.
- A thermostat employing plain-text protocols that could allow hackers to cause excessive heating, excessive cooling, or furnace shutdown.
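The first defect above, a lock that accepts a fixed passcode sent in the clear, is the simplest case of a replay-vulnerable design. The following added example (not code from the original article or from any product mentioned in it) simulates both that design and the standard mitigation: the lock issues a fresh random nonce and only accepts an HMAC of that nonce under a shared pairing secret, so a previously observed response is useless for any later session. The class names, the shared secret and the passcode are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed pairing secret; a real lock would provision this when paired with its key/app.
SHARED_SECRET = b"example-pairing-secret"


class StaticPasscodeLock:
    """Lock that accepts a fixed passcode sent in the clear (the replay-vulnerable design)."""

    def __init__(self, passcode: bytes):
        self._passcode = passcode

    def unlock(self, message: bytes) -> bool:
        # The same bytes are valid forever, so any observed message opens the lock again later.
        return hmac.compare_digest(message, self._passcode)


class ChallengeResponseLock:
    """Lock that issues a single-use random nonce and requires HMAC-SHA256(secret, nonce)."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._pending = None  # nonce outstanding for the current session, if any

    def challenge(self) -> bytes:
        # 128 bits of randomness per session; an old response cannot match a new nonce.
        self._pending = secrets.token_bytes(16)
        return self._pending

    def unlock(self, response: bytes) -> bool:
        if self._pending is None:
            return False  # no challenge outstanding: nothing to answer
        expected = hmac.new(self._secret, self._pending, hashlib.sha256).digest()
        ok = hmac.compare_digest(response, expected)
        self._pending = None  # one response per challenge, whether it succeeded or not
        return ok


def key_response(secret: bytes, nonce: bytes) -> bytes:
    """What a legitimate key or app computes for a given challenge."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


def replay_succeeds_against_static() -> bool:
    """Replaying a message observed during a legitimate unlock opens the static-passcode lock."""
    lock = StaticPasscodeLock(b"1234")
    observed = b"1234"  # message seen on the wire during a legitimate unlock
    assert lock.unlock(observed)  # legitimate use
    return lock.unlock(observed)  # same bytes again: True, the replay works


def replay_fails_against_challenge_response() -> bool:
    """The same response observed in one session does not open a later session."""
    lock = ChallengeResponseLock(SHARED_SECRET)
    nonce = lock.challenge()
    observed = key_response(SHARED_SECRET, nonce)
    assert lock.unlock(observed)  # legitimate use
    lock.challenge()  # next session gets a fresh nonce
    return lock.unlock(observed)  # old response no longer matches: False


if __name__ == "__main__":
    print("static passcode, replayed message accepted:", replay_succeeds_against_static())
    print("challenge-response, replayed message accepted:", replay_fails_against_challenge_response())
```

The design point is that freshness has to come from the lock, not the key: a nonce chosen by the lock and consumed after one use means a recording of any past exchange carries no authority in the next one. Encrypting the fixed passcode alone would not achieve this, since the ciphertext itself could be replayed.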
Mobile Security Vulnerabilities for IoT – Many Weak Spots
The security vulnerability picture for mobile IoT is multi-faceted and includes flaws at all levels of the deployment ecosystem.
At present, security isn’t a priority at the conceptual stage and doesn’t exert a major influence on product or infrastructure design. The result is that IoT infrastructure remains vulnerable to attack – and there’s even greater risk associated with the software embedded in gateway devices and the cloud.
Economic incentives for hardware manufacturers to improve on this situation aren’t great, as so many IoT devices ship with tiny chips based on outdated technology – which are essentially designed to be disposable. They are therefore difficult to update or simply doomed to be overlooked and phased out in a similar manner to desktop operating systems or cell phones which are more than a few years old.
There’s a lack of standardization and security standards for the sector as a whole, which makes the monitoring, governance, and rolling out of patches and updates to hardware, software, and infrastructure a disjointed process.
Malware remains an issue, with the continuing emergence of new strains targeting mobile applications. IoT-specific malware is still in its relative infancy – but there’s no guarantee how long this situation will last. And it could take only one serious incident of product or urban infrastructure compromise to have devastating consequences for thousands, or maybe millions of people.
Mobile Security Vulnerabilities for IoT – Fundamental Issues
As the Ponemon study suggests, enterprise deployments of IoT are still taking place in an atmosphere of relative ignorance. A disturbing 63% of survey respondents (30% not confident, and 33% with no confidence whatsoever) admitted to having little or no knowledge of how many or what type of mobile and IoT apps were present in their own workplaces.
Data privacy was an issue raised by U.S. Federal Trade Commission chairwoman Edith Ramirez, when speaking at the Consumer Electronics Show in Las Vegas recently. With embedded and connected sensors proliferating in products affecting all walks of life, consumer and user data are being gathered from a multitude of points – with a proportionally increased risk of security breaches, and the potential abuse of personal or other sensitive information.
55% of the Ponemon survey respondents confessed to lacking Quality Assurance (QA) and security testing methods for IoT applications. Part of this problem lies in a perceived shift of responsibility for mobile and IoT security away from Chief Information Security Officers (CISOs) to other officials such as application development chiefs or line of business leaders.
It’s a fragmented picture, with no-one quite sure who’s responsible for what, and co-ordination and policy setting suffer as a result.
Emphasis on Usability
The emphasis on convenience and usability in the design of connected devices and their ecosystems tends to write security out of the mix. While the end-user experience is a major aspect of the marketability of IoT products and wearable devices, it will be necessary to build security robustness, privacy protection, and other factors into hardware and infrastructure design if security vulnerabilities are to be avoided.
Help from OWASP
On the industry front, it is hoped that as the IoT market matures and attracts more investment, quality standards will improve along with security.
OWASP (the Open Web Application Security Project) has set up an Internet of Things Project, with the aim of helping manufacturers, developers, and consumers to better understand the security risks associated with IoT. The project intends to define a structure for handling a range of IoT sub-projects, including Attack Surface Areas, Testing Guides, and Top Vulnerabilities.
It’s a free resource, operating under the Creative Commons Attribution-ShareAlike 3.0 license, and it is hoped that it will enable IoT stakeholders at all levels to be better informed on security issues when building, deploying, or assessing IoT technologies.