Security providers need to rethink basic security functions of IoT-enabled applications before they are put to market
Innocuous devices the Internet of Things search engine Shodan recently found to be vulnerable to cyber attacks include a teddy bear able to remotely send voice messages and a doorbell with a video monitor that can be remotely accessed by a phone. Unchanged default passwords and poor app configuration were discovered as the most prominent flaws affecting these devices.
Tom Lysemose Hansen, founder and CTO of Norwegian app security firm Promon, commented on the importance of comprehensively protecting apps that could present a portal for hackers to intrude into the wider lives of their owners:
“Introducing a single object into a wireless network that is inadequately protected is a straightforward way of exposing personal data to an intruder. Fortunately, according to the security analyst that identified the threat, no external user exploited the attack vectors. This, however, is beside the point: it is typical that a successful attack vector could remain open to exploit data for some time before it is identified and patched.”
Hansen continued: “Part of the vulnerability is due to the ease with which consumer goods can be cracked. If the default passwords are not changed – and I suspect with childrens’ toys this is the case – bypassing them is relatively simple. A patch can be introduced retroactively, but until then, the device could be a single entry point into an entire private network, enabling hackers to uncover sensitive data or relay false information. The model of using default passwords must be put to bed if IoT is to become an integral feature of domestic life, otherwise its associated dangers will overwhelm any perceived benefits.”
According to Gartner, by 2020 a black market worth more than $5billion will exist to sell sensor and video data extracted from IoT devices. This data will allow criminals to access privately held consumer information through man-in-the middle attacks, where attackers can drain data from customers’ accounts through an approved external request.
Hansen said: “The developers of applications are all too eager to crack the simplest and least demanding way of controlling a device remotely, but – in order to maintain IoT’s pace of growth without muddying its image – adequate security must be developed in tandem.”
Hansen continued: “The security of the IoT hinges on the apps used to access, monitor and control the device – whether it’s a mobile app used to control a doorbell or a teddy bear. It is crucial this app is able to self-protect, otherwise sensitive data, such as passwords, may be leaked and misused. Ideally, the device should verify that it’s being accessed from a trusted app, and this verification process should not rely on single static factors, like default passwords, but multiple factor authentication to ensure the integrity of the private network.
“While the implications of a hacked banking application are widely recognised, wireless consumer goods now pose an uncertain threat. How app developers and manufacturers handle these threats will determine the success and legality of their entry into the consumer IoT market. It’s important that these early incursions on unsafe networks are nipped in the bud with effective security measures, namely the replacement of ineffective or unavailable anti-malware software with perennial in-app security and a more individualised, user-friendly password system.” Hansen concluded.