Safeguard your IoT device credentials

Credit: ID 132201453 © Akarat Phasura | Dreamstime.com

Internet of Things (IoT) devices were popular gifts again this Christmas season. The trend represents a huge shift in how products are made and used, as network connectivity is added to products that weren’t previously intended to have this functionality.

Your refrigerator that sends you a text message when you're out of milk is IoT. Your thermostat that provides usage graphs on your phone is IoT too. Basically, any consumer device capable of connecting to a network other than a computer, phone, tablet or router is considered an IoT device.

Security remains a big concern with IoT devices, however. Although improvements have been made, new types of vulnerabilities remain.

IoT credential compromise

One of the latest threats we’re seeing is IoT credential compromise. Attackers use vulnerabilities in the web applications and mobile applications used by certain IoT devices to acquire credentials. These details can then be used to view the video feed, set/receive/delete alarms, remove saved video clips from cloud storage and read account information.

Attackers can also use the credentials to push their own firmware update to the device, changing its functionality and using the compromised device to attack other devices on the same network.

The Barracuda Labs team recently conducted research on a connected security camera to illustrate this threat. They identified multiple vulnerabilities in the camera’s web app and mobile app ecosystem. Using these vulnerabilities, the team was able to perform a number of attacks to acquire credentials and compromise an IoT device, all without a direct connection to the device itself.

Credit: Fergus Halliday | IDG

This makes life easier for attackers. No more scanning on Internet connected device search engine Shodan for vulnerable devices. Instead, the attack will be performed against the vendor’s infrastructure. It’s a threat that could affect other types of IoT devices as well, regardless of their function, because it takes advantage of the way the device communicates with the cloud.

After all, bugs are not inherent to products, rather to processes, skills and awareness of the developers. As access and access controls for IoT devices shifted to cloud services, so did the vulnerabilities, making possible the types of attacks uncovered by the Barracuda Labs team.

Lessons for IoT manufacturers

Vendors creating IoT solutions need to protect all aspects of the applications used to run those devices. IoT devices are sensors distributed in homes, schools and offices. They’re potential entry points for attackers. Each customer’s network is an opening to the server core and to other customers.

A web application firewall, one of the most critical protections IoT vendors need to put in place, is designed to protect servers from HTTP traffic at Layer 7. Manufacturers also need to ramp up protection against network layer attacks and phishing.

Cloud security is also important, providing visibility, protection and remediation of IoT applications and the infrastructures they run on. The potential for lateral-movement exposure is large and complex, so taking proper security precautions is key.

How to protect yourself as a consumer

When buying an IoT device, you need to think about security, in addition to convenience and price. Here are a few tips to consider:

  • Research the device manufacturer — A few companies that produce IoT devices understand software security. Most are either existing companies whose expertise lies in making the physical products that are being connected or startups trying to bring devices to market as quickly as possible. In both cases, proper software and network security measures are often overlooked.

  • Look for existing vulnerabilities in a vendor’s other devices — If one device has a vulnerability, it’s likely other devices with similar features from the same company are also vulnerable. Ultimately, a vendor that has a history of secure devices will likely build secure devices going forward.

  • Evaluate responses to past vulnerabilities — If a vendor is responsive to people reporting a vulnerability and quickly resolves it with firmware update, it bodes well for their outlook on security and future products they make.

Unfortunately, the amount of information available about the security posture of IoT devices is astonishingly low. Ideally, we need to get a place where IoT products are all scored with a safety rating, just like cars. Consumers should be informed before they invest in IoT devices.

Credit: ID 121113778 © Sdecoret | Dreamstime.com

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags cybersecurity

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Show Comments

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Jack Jeffries

MSI GS75

As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr

MSI PS63

The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Aysha Strobbe

Microsoft Office 365/HP Spectre x360

Microsoft Office continues to make a student’s life that little bit easier by offering reliable, easy to use, time-saving functionality, while continuing to develop new features that further enhance what is already a formidable collection of applications

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Featured Content

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?