Protect Your Assets

IoT is the Frankenbeast of Information Security

danielmiessler ‎02-10-2015 04:45 AM - edited ‎07-07-2015 12:29 PM

 

[ Internet of Things Security Study: Home Security Systems Report ]

 

It seems that every time we introduce a new space in IT we lose 10 years from our collective security knowledge.

 

We started with network security, and even that isn't solid yet. But 20 years later we're doing pretty well there.

 

Then around 10 years ago we started talking about applications being the horizon technology, and we proceeded to build a global application portfolio ignoring the security lessons learned from the network world. 

 

Then, five years ago, we decided that mobile was the real place to be. So everyone started building mobile apps while ignoring everything we've learned from securing web and thick-client applications.

 

And now we have the Internet of Things (IoT). If we continued in this trend we'd have a new space that ignores the security lessons from mobile, but it's actually much worse than that.

 

The Internet of Things is worse than just a new insecure space: it's a Frankenbeast of technology that links network, application, mobile, and cloud technologies together into a single ecosystem, and it unfortunately seems to be taking on the worst security characteristics of each.

 

What could go right?

 

Here at Fortify on Demand our research team just completed our second project looking at the security of IoT devices. In the first report we looked at 10 devices across multiple product types. In that research we found an average of 20 vulnerabilities per system, spanning TVs, thermostats, home automation hubs, alarm systems, etc. 

 

It was as if everything we'd learned over the last 25 years in security had been extracted from memory. We saw credentials being sent over clear text, network ports listening with root shells without a password, private data leakage, and every common web and mobile vulnerability you'd expect in a web or mobile security lab.

 

Today we're announcing our second set of research, which focused specifically on IoT-connected Home Security Systems, and we have to say that the State of the IoT Security Union is not strong.

 

The full report is available here, but I'll just touch on a few key highlights:

 

  • 10/10 systems were vulnerable to account harvesting via the cloud interface. This means an attacker can confirm which usernames exist, brute force their passwords, and then log in to the web and mobile interfaces as you, enabling them to know when you’re home, when you’re away, and most startling--watch video of your home from anywhere in the world.
  • 10/10 systems allowed weak passwords (like 12345 weak)
  • 10/10 systems failed to implement account lockout defense
  • 7/10 systems had security posture variance between their cloud, web, and mobile interfaces, meaning attackers could keep pounding on various vectors to find the weakest link
  • 7/10 systems had serious issues with their software update systems. Issues included using cleartext protocols to authenticate to the download server, failing to encrypt the update files in transit, and failing to detect that an update package had been modified. One system had all three of these issues and also allowed write access to the update server, meaning we could replace the software that other devices were downloading. Not only that, but the download location hosted lots of software, not just the package for the product we had.
  • 9/10 systems lacked a two-factor authentication option; the one exception integrated with Apple’s Touch ID
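The three update-system failures listed above (cleartext authentication to the download server, unencrypted transfer, and no detection of a modified package) all come down to the device trusting whatever arrives. Here is an added example, written for this edit and not code from the report or from any vendor tested, of the check that closes the gap: the vendor signs a small manifest (package hash plus version) with an Ed25519 key, and the device verifies it against a pinned public key before applying anything. The key pairs, the package bytes and the attacker's swapped package are constructed in memory; the manifest layout, the function names and the rollback rule are assumptions of the example, not something the report describes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is what the vendor signs: the package's SHA-256 plus a version that
// must only increase, so an old but genuinely signed package cannot be replayed.
type Manifest struct {
	Version uint32
	Digest  [32]byte
}

// bytes is the canonical encoding the signature covers (assumed layout).
func (m Manifest) bytes() []byte {
	buf := make([]byte, 4, 4+len(m.Digest))
	binary.BigEndian.PutUint32(buf, m.Version)
	return append(buf, m.Digest[:]...)
}

// NewKeyPair generates an Ed25519 key pair (the vendor's, and later an attacker's).
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignUpdate is the vendor side: build the manifest for a package and sign it.
func SignUpdate(priv ed25519.PrivateKey, version uint32, pkg []byte) (Manifest, []byte) {
	m := Manifest{Version: version, Digest: sha256.Sum256(pkg)}
	return m, ed25519.Sign(priv, m.bytes())
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrRollback     = errors.New("package version is not newer than installed")
	ErrBadDigest    = errors.New("package digest does not match manifest")
)

// InsecureApply is a device with none of the checks: it installs whatever the
// download server handed it.
func InsecureApply(pkg []byte) []byte { return pkg }

// VerifyUpdate is the device side: accept only a manifest signed by the pinned
// vendor key, refuse versions that do not move forward, and require the package
// to hash to the signed digest. Encrypting the download still matters (it hides
// what the device runs), but integrity no longer depends on the transport or on
// who can write to the download server.
func VerifyUpdate(pinned ed25519.PublicKey, installed uint32, m Manifest, sig, pkg []byte) error {
	if !ed25519.Verify(pinned, m.bytes(), sig) {
		return ErrBadSignature
	}
	if m.Version <= installed {
		return ErrRollback
	}
	if sha256.Sum256(pkg) != m.Digest {
		return ErrBadDigest
	}
	return nil
}

func main() {
	vendorPub, vendorPriv := NewKeyPair()
	pkg := []byte("constructed firmware package, version 2") // constructed sample
	m, sig := SignUpdate(vendorPriv, 2, pkg)
	fmt.Println("genuine update:  ", VerifyUpdate(vendorPub, 1, m, sig, pkg))
	// An attacker with write access to the download server swaps the package.
	tampered := append([]byte(nil), pkg...)
	tampered[0] ^= 0xff
	fmt.Println("insecure device: installs", len(InsecureApply(tampered)), "tampered bytes")
	fmt.Println("tampered package:", VerifyUpdate(vendorPub, 1, m, sig, tampered))
	// The attacker also signs a fresh manifest with a key of their own.
	_, attackerPriv := NewKeyPair()
	m2, sig2 := SignUpdate(attackerPriv, 3, tampered)
	fmt.Println("attacker-signed: ", VerifyUpdate(vendorPub, 1, m2, sig2, tampered))
	// A genuine v2 package replayed against a device already running v2.
	fmt.Println("replay/rollback: ", VerifyUpdate(vendorPub, 2, m, sig, pkg))
}
```

With this in place, a writable download server like the one found in the study lets an attacker replace the package but not get it installed: the swapped bytes fail the digest check, and a manifest re-signed with the attacker's own key fails the signature check. The pinned public key is the one thing the device must protect; if an attacker can overwrite it through the same update path, the checks are worth nothing.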

The biggest takeaway is that we were able to brute force all 10 systems: each had the trifecta of fail (enumerable usernames, a weak password policy, and no account lockout), which meant we could take over accounts and watch home video remotely.
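What the trifecta looks like in code, as an added example that is not taken from the report or from any of the tested products: a login handler with all three faults next to one that fixes them (a single generic failure reply, a length-based password policy, and lockout after five consecutive failures), plus the attacker's wordlist loop run against each. The account store, the user alice, the wordlist and the handler names are constructed for the example; salted SHA-256 stands in for a real password KDF so the file needs only the Go standard library.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"time"
)

// Account is a constructed record; salted SHA-256 stands in for a real password KDF.
type Account struct {
	Salt, Digest []byte
	Failures     int
	LockedUntil  time.Time
}

func digest(pw string, salt []byte) []byte {
	sum := sha256.Sum256(append(append([]byte{}, salt...), pw...))
	return sum[:]
}

// NewStore builds the account database from hypothetical user:password pairs.
func NewStore(creds map[string]string) map[string]*Account {
	store := make(map[string]*Account)
	for user, pw := range creds {
		salt := make([]byte, 16)
		rand.Read(salt)
		store[user] = &Account{Salt: salt, Digest: digest(pw, salt)}
	}
	return store
}

// VulnerableLogin behaves like the systems in the report: the reply reveals
// whether the username exists, and nothing counts failed attempts.
func VulnerableLogin(store map[string]*Account, user, pw string) string {
	acct, ok := store[user]
	if !ok {
		return "unknown user" // distinct message: usernames are enumerable
	}
	if subtle.ConstantTimeCompare(acct.Digest, digest(pw, acct.Salt)) == 1 {
		return "ok"
	}
	return "wrong password" // no lockout: guess forever
}

const MaxFailures, MinPasswordLen = 5, 12
const LockoutPeriod = 15 * time.Minute

var dummySalt = make([]byte, 16) // so unknown users cost the same hashing work

// PasswordAcceptable is a minimal registration policy under which "12345" is refused.
func PasswordAcceptable(pw string) bool {
	return len(pw) >= MinPasswordLen && pw != "password1234" && pw != "123456789012"
}

// HardenedLogin gives one generic reply for every failure, hashes even for unknown
// users, and locks the account after MaxFailures consecutive failures.
func HardenedLogin(store map[string]*Account, user, pw string) string {
	const generic = "invalid credentials"
	acct, ok := store[user]
	if !ok {
		digest(pw, dummySalt)
		return generic
	}
	if time.Now().Before(acct.LockedUntil) {
		return generic // locked: even the correct password is refused
	}
	if subtle.ConstantTimeCompare(acct.Digest, digest(pw, acct.Salt)) == 1 {
		acct.Failures = 0
		return "ok"
	}
	if acct.Failures++; acct.Failures >= MaxFailures {
		acct.LockedUntil = time.Now().Add(LockoutPeriod)
	}
	return generic
}

// BruteForce is the attacker's loop in miniature: the "user:password" pairs that logged in.
func BruteForce(login func(map[string]*Account, string, string) string,
	store map[string]*Account, users, wordlist []string) []string {
	hits := []string{}
	for _, u := range users {
		for _, pw := range wordlist {
			if login(store, u, pw) == "ok" {
				hits = append(hits, u+":"+pw)
				break
			}
		}
	}
	return hits
}

func main() {
	wordlist := []string{"password", "123456", "qwerty", "letmein", "admin", "welcome1", "12345"}
	fmt.Println("vulnerable:", BruteForce(VulnerableLogin, NewStore(map[string]string{"alice": "12345"}), []string{"alice"}, wordlist))
	fmt.Println("hardened:  ", BruteForce(HardenedLogin, NewStore(map[string]string{"alice": "12345"}), []string{"alice"}, wordlist))
}
```

Against VulnerableLogin the loop recovers alice:12345 on the seventh guess; against HardenedLogin the fifth failure locks the account, so the correct password on the seventh attempt is refused with the same "invalid credentials" reply an unknown username gets. Lockout by itself hands an attacker a way to lock real users out, which is why the generic reply and the password policy matter as much as the counter: without enumerable usernames and five-character passwords, the loop has nothing to work with in the first place.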

 

With complex systems like IoT, breaking security is often all about chaining smaller vulnerabilities together, and that's what we saw when looking at these home security systems. We can expect to see more of the same across the IoT space precisely because of the complexity of merging network, application, mobile, and cloud components into one system.

 

Securing the Internet of Things will be our greatest challenge as an information security community. This is true not only because we are starting over from square one again (as we always seem to do), but because the surface area is--by definition--much larger.

 

Most network services and applications sit behind some sort of filter that limits their exposure, and mobile apps are mostly client interfaces. With the Internet of Things we are knowingly putting many billions of devices--in the form of everyday objects--on the global network, all with the goal of maximizing how much they can interact with one another.

 

Buckle in, folks. There is turbulence ahead.

 

[ Internet of Things Security Study: Home Security Systems Report ]

[ Internet of Things Security Study: Home Security Systems Infographic ]

 

::

 

Daniel Miessler is the leader of the OWASP Internet of Things Top 10 Project and heads the research team at HP Fortify on Demand. His areas of expertise are web, mobile, and IoT security, and he can be reached via email, at his website, or on Twitter (@danielmiessler). 
 

About HP Fortify on Demand 

HP Fortify on Demand is a cloud-based application security solution. We perform multiple types of manual and automated security testing, including web assessments, mobile application assessments, thick client testing, ERP testing, etc.--and we do it both statically and dynamically, both in the cloud and on-premise.

About the Author

danielmiessler

https://danielmiessler.com/about

Comments
James Hesketh
on ‎02-11-2015 01:29 AM

I fail to understand the significance of this. As ALWAYS security is the RESPONSIBILITY of the purchaser. Expecting the provider to mitigate security concerns and hold himself accountable in a revenue driven financial model with ease of use as the main selling point, is like a turkey voting for Thanksgiving.

 

It is an abysmal failure of the industry that many consumers (and for many I mean 99%) do not know HOW to secure their environments, and look for the easy option of "next, next, next" when setting up ANYTHING. Perhaps a more fundamental understanding of how technology is connected should be imparted to consumers, and common pitfalls should be imparted to consumers, rather than yet another informative, but none the less doom and gloom report/conclusion.

 

Informed and REASONING consumers will foster greater and more rapid change than just about anything else. After all the consumer is ultimately in charge of the revenue stream, and altering a revenue stream is a very quick and effective way of changing a company(ies) attitude.

 

 

Richmond Lock
on ‎02-14-2015 10:18 PM

thank you daniel very interesting!

Jonlocksmith2
on ‎12-14-2015 07:02 AM

thank you daniel very good info!
