Many Internet of Things (IoT) systems are so riddled with security vulnerabilities that they can easily be compromised by hackers. That's the alarming conclusion of a recent study carried out by HP. It found that every one of 10 popular Internet-connected security systems -- which include video cameras and motion detectors -- had significant security vulnerabilities which would allow hackers to access the devices and control them remotely.
Looking at a wider variety of Internet of Things devices, the company found the story was no better. "We found an average of 20 vulnerabilities per device ranging from Web security, mobile security, network security," said Daniel Miessler, a practice principal at HP Fortify. Miessler is also active in compiling the OWASP Internet of Things Top 10 security vulnerabilities list.
Perhaps most concerning, these vulnerabilities are not new. In fact the reverse is true: They are well understood, and most of the specific vulnerabilities could probably be easily avoided by following best practices and recommendations for secure coding. The problem, according to Miessler, is that many IoT developers simply don't follow them.
"We need to apply the knowledge we know to be correct, but every time a new technology comes out, we forget everything we learned in the last few years," he said. "It happened with app sec, with mobile sec and now with IoT sec."
There's nothing intrinsic to IoT application development that makes it difficult to code securely, he said. But IoT apps are more complex than straight Web or mobile applications because they often contain Web, mobile and networking components.
So what can you do to make Internet of Things application development more secure?
Use Developers with Right Skills
It's noticeable that many of the insecure IoT applications (such as some of those in HP's study) come from IoT hardware device vendors who offer software to work with their products.
It may well be that a hardware vendor which makes something like a thermostat doesn't have developers on its staff who are familiar with the security mistakes of the last 10 years, said Diana Kelley, an executive security advisor at IBM Security. "In the industrial control space, operational technology tends to be locked down and not on the net," she explained. "So these developers look at a different threat model and are not trained in Internet ready coding like Web developers. They need to learn."
Use Proven IoT Application Platforms
A number of companies (such as Thingworx and Xively) offer IoT application platforms that handle many of the components of a secure IoT application such as authentication. By building an application on a well-engineered platform, you can avoid introducing vulnerabilities that have already been ironed out by platform vendors.
"As a general security statement, we get most benefit when developers aren't doing anything," said Daniel Miessler. "If car drivers were responsible for implementing their own airbags, they probably wouldn't work. Secure frameworks are key, and they should provide simple hooks for developers."
IBM's Diana Kelley agreed. "Robust frameworks can certainly help - but you do need developers who know how to use them properly and implement security properly," she said.
Watch IoT Device Firmware Security
One difference between conventional Web or mobile apps and IoT apps is that IoT apps interact with "things": Internet-connected hardware devices which may have security vulnerabilities in their firmware. So it's essential to ensure that IoT apps have a mechanism to update firmware securely. (Many IoT platforms provide this type of functionality.)
Tips provided by OWASP for IoT firmware security include ensuring that devices can process encrypted update files, and that firmware updates are signed and validated before being installed.
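As an illustration of the "signed and validated before being installed" tip, here is an added example (not taken from OWASP, HP or any vendor named in this article) of the check a device-side updater could run. The update layout, the function names and the refusal of older versions are assumptions made for the example; Ed25519 from the Go standard library stands in for whatever signature scheme a real platform uses.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed layout: 4-byte big-endian version | payload | 64-byte Ed25519 signature.
// The signature covers version and payload together, so neither can be swapped.
var (
	ErrMalformed = errors.New("update file too short")
	ErrSignature = errors.New("signature check failed")
	ErrRollback  = errors.New("update is not newer than installed firmware")
)

// VerifyUpdate returns the payload only if the signature validates against the
// vendor public key pinned on the device and the version is newer than installed.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, update []byte) ([]byte, uint32, error) {
	split := len(update) - ed25519.SignatureSize
	if split < 4 {
		return nil, 0, ErrMalformed
	}
	signed, sig := update[:split], update[split:]
	if !ed25519.Verify(pub, signed, sig) {
		return nil, 0, ErrSignature // nothing is parsed or trusted before this point
	}
	version := binary.BigEndian.Uint32(signed[:4])
	if version <= installed {
		return nil, 0, ErrRollback // a validly signed but old image is still refused
	}
	return signed[4:], version, nil
}

// BuildUpdate is the vendor-side counterpart, used here to construct sample input.
func BuildUpdate(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	signed := make([]byte, 4, 4+len(payload)+ed25519.SignatureSize)
	binary.BigEndian.PutUint32(signed, version)
	signed = append(signed, payload...)
	return append(signed, ed25519.Sign(priv, signed)...)
}

func main() {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize)) // constructed test key
	update := BuildUpdate(priv, 7, []byte("constructed firmware image"))
	_, v, err := VerifyUpdate(priv.Public().(ed25519.PublicKey), 6, update)
	fmt.Println("accepted version:", v, "error:", err)
}
```

Only the public key needs to live on the device; the signing key stays with the vendor, so extracting a device's storage does not let anyone produce updates that other devices will accept.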
Ensure IoT Data is Secure from Physical Attacks
Another implication of the fact that IoT applications interact with "things" is that many "things" (for example a remote temperature sensor or a GPS unit in a shipping container) are difficult to secure physically. That means that any data they store should be encrypted and the storage medium made difficult to remove.
Use Secure Hardware Components
Component vendors such as processor designer ARM and chip maker Intel are stepping up their IoT security offerings. For example, ARM recently acquired Dutch company Offspark in order to be able to integrate more security into its designs. Offspark's PolarSSL technology will be integrated into ARM's mbed OS to encrypt traffic flowing from ARM devices running the operating system.
Hardware vendors can also help you ensure user privacy. For example, Intel announced last December that it will license its Enhanced Privacy Identity (EPID) technology to other chip makers. EPID enables IoT platforms to confirm that remote "things" have the correct authentication credentials without revealing information about themselves or their owners. This could be useful for ensuring that, for example, a GPS unit in a vehicle can authenticate itself to transmit information or receive an update from the manufacturer without revealing confidential information about the location of the owner of the vehicle.
Apply Standard Security Best Practices
IoT applications are complex and composite in that they are often made up of many components. "That means you have to think of your system as a whole and think holistically," said Miessler. "You have to think about how pieces can be used against themselves. For example, when you authenticate to the cloud, how does that propagate to other components?"
Other potential problem areas that OWASP highlights include: insecure Web, mobile and cloud interfaces; insufficient authentication; insecure network services; and lack of transport encryption.
More information about security best practices and standards is available from:
- OWASP Secure Coding Practices - Quick Reference Guide
- Security in Development: The IBM Secure Engineering Framework
- Microsoft Secure Coding Guidelines
- NIST Security Considerations in the System Development Life Cycle
Paul Rubens has been covering enterprise technology for over 20 years. In that time he has written for leading UK and international publications including The Economist, The Times, Financial Times, the BBC, Computing and ServerWatch.