Live, die, repeat: The security shortcuts endangering IoT device adoption

IoT devices are repeatedly exhibiting the same flaws, creating a massive vulnerable attack surface that will inevitably lead to more major attacks. We’ve already seen DDoS attacks increase 91 percent over the course of 2017 due to vulnerable deployed devices, yet estimates suggest only 9 percent of IoT vendor budgets are spent on security. This pitiful investment is leading to shortcuts and a ‘live, die, repeat’ attitude to development that spells disaster for the user and the long-term viability of the IoT seedbed.

So what are these common issues that crop up time and again? Security research reveals specific issues across all aspects of IoT design, from access and connectivity to hardware, firmware and update mechanisms.

Access all areas

In terms of access, vendors often fail to implement ‘least privilege’ in the permissions on the device. Without it an attacker can quickly gain root access to the entire system. The root user login should require a password, and that password should be neither set by default nor hardcoded, as otherwise a single vulnerability, such as having telnet enabled, could provide root access.

Encryption is another common failing; without it an attacker can recover keys, certificates, hashes and passwords and again gain control. The preferred option is to keep encryption keys and other sensitive information in hardware, in the System on a Chip (SoC) or a Trusted Platform Module (TPM). Secure boot should also be implemented: without it the SoC cannot check the integrity of the bootloader, and the bootloader cannot check the integrity of the firmware. That gap allows an attacker to modify the device’s firmware, either by subverting controls on the firmware update process or through physical access to the device.

Just because the device uses encryption doesn’t mean it is protected, however. Poor implementations, such as encryption without a MAC, a hardcoded IV or weak key generation, can all lead to compromise, so steer clear of home-grown cryptography. Ensure encryption is extended to include firmware. Attacks can see malicious firmware deployed to devices, so sign firmware images and validate the signature during updates, and ensure that the HTTPS connection used for updates is secure, with SSL certificates validated.
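The signed-update path described above, as an added example in Go (not code from the article or from any vendor): the image layout, the magic value FWIM and the function names are assumptions made for this demonstration. The build side signs the header and payload with an Ed25519 key; the device side refuses an image whose structure, signature or version is wrong before any byte reaches flash, which also covers the rollback case of an old but validly signed image.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image layout (an assumption for this example, not a vendor format):
//   "FWIM" | version uint32 LE | payload length uint32 LE | payload | 64-byte Ed25519 signature
// The signature covers everything before it, so the version and length are authenticated too.
var imageMagic = []byte("FWIM")

const (
	headerLen = 12
	sigLen    = ed25519.SignatureSize
)

var (
	ErrFormat    = errors.New("firmware: malformed image")
	ErrSignature = errors.New("firmware: signature does not verify")
	ErrRollback  = errors.New("firmware: version is not newer than the installed one")
)

// GenerateVendorKey stands in for the vendor's offline signing key; only the public half ships on the device.
func GenerateVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignImage is the build-side step: wrap the payload in the header and sign header+payload.
func SignImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	signed := make([]byte, headerLen, headerLen+len(payload)+sigLen)
	copy(signed, imageMagic)
	binary.LittleEndian.PutUint32(signed[4:], version)
	binary.LittleEndian.PutUint32(signed[8:], uint32(len(payload)))
	signed = append(signed, payload...)
	return append(signed, ed25519.Sign(priv, signed)...)
}

// VerifyImage is the device-side step: check structure, then the signature, then anti-rollback,
// and only then hand the payload to the flashing routine.
func VerifyImage(pub ed25519.PublicKey, image []byte, installed uint32) (uint32, []byte, error) {
	if len(image) < headerLen+sigLen || !bytes.Equal(image[:4], imageMagic) {
		return 0, nil, ErrFormat
	}
	version := binary.LittleEndian.Uint32(image[4:8])
	n := uint64(binary.LittleEndian.Uint32(image[8:12]))
	if headerLen+n+sigLen != uint64(len(image)) {
		return 0, nil, ErrFormat // the length field must account for exactly the bytes received
	}
	signed, sig := image[:headerLen+n], image[headerLen+n:]
	if !ed25519.Verify(pub, signed, sig) {
		return 0, nil, ErrSignature // tampered payload, wrong key, or an altered version field
	}
	if version <= installed {
		return 0, nil, ErrRollback // a validly signed but older image must not be flashed
	}
	return version, signed[headerLen:], nil
}

func main() {
	pub, priv := GenerateVendorKey()
	img := SignImage(priv, 2, []byte("constructed firmware payload"))
	if v, p, err := VerifyImage(pub, img, 1); err == nil {
		fmt.Printf("accepted version %d (%d payload bytes)\n", v, len(p))
	}
	img[headerLen] ^= 0xff // flip one payload byte
	_, _, err := VerifyImage(pub, img, 1)
	fmt.Println("after tampering:", err)
}
```

Because the version and length fields sit inside the signed region, a captured signature cannot be reused with a bumped version or a spliced payload, and only the public key needs to live on the device while the signing key stays offline.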

Wireless weaknesses

Connectivity is also a major sticking point. There’s a tendency to assume that a local connection over a WiFi access point or Bluetooth Low Energy (BLE) confers some protection because of the signal’s limited range, but it can still lead to drive-by attacks. Typically wireless communication is used to pass the user’s SSID and pre-shared key (PSK) to the device, often in plain text, which an attacker within range can capture and use.

Redundant functions often provide a convenient entry point for the attacker. Developers favour off-the-shelf toolkits such as BusyBox, described as the Swiss army knife of embedded Linux, but it’s important to minimise the functions these toolkits expose. Similarly, open ports or redundant web user interfaces should be disabled rather than left in place. Devices that ship with serial ports enabled are particularly vulnerable, as these can give access to the bootloader, a login prompt or an unprotected shell. Such debug headers may well be present for troubleshooting during the development and programming stages but should be disabled in the end consumer product, an issue often overlooked.

Exploiting buffer overflows is another prime way for the attacker to seize control of the device once it’s on the network, but it’s possible to prevent this by using compile-time hardening in the form of PIE, NX, ASLR, RELRO, stack canaries or Fortify. These are often available for embedded systems but can affect performance and battery life, so some experimentation will be required. Consider also whether unsafe functions associated with buffer overflows, i.e. strcpy, sprintf and gets, are used in binaries on the system.
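To check a built binary for the hardening this paragraph lists, here is an added Go example (not from the article; the function names and the synthetic image format are this example's own). It parses the ELF64 header and program headers for PIE, NX and RELRO, and scans printable strings for the stack-protector symbol, the __*_chk replacements that FORTIFY_SOURCE introduces, and the three unsafe functions named above. ASLR itself is a kernel setting and is not visible in the binary; PIE is what lets it apply to the executable's own code.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"regexp"
	"strings"
)

// ELF64 constants from the ELF specification and the Linux ABI.
const (
	etExec     = 2          // e_type of a fixed-address executable
	etDyn      = 3          // e_type of a position-independent executable (PIE)
	ptGnuStack = 0x6474e551 // PT_GNU_STACK carries the stack permissions
	ptGnuRelro = 0x6474e552 // PT_GNU_RELRO marks the region made read-only after relocation
	pfX        = 0x1
	ehdrLen    = 64
	phdrLen    = 56
)

var unsafeCalls = []string{"gets", "sprintf", "strcpy"} // the functions named in the article

var printable = regexp.MustCompile(`^[ -~]{3,}$`)

type Hardening struct {
	PIE, NX, RELRO, Canary, Fortify bool
	Unsafe                          []string
}

// printableStrings mimics `strings` (NUL-separated printable runs). A full checksec reads .dynstr
// instead; exact-name lookups make this cruder heuristic good enough for the purpose.
func printableStrings(data []byte) map[string]bool {
	out := map[string]bool{}
	for _, chunk := range bytes.Split(data, []byte{0}) {
		if printable.Match(chunk) {
			out[string(chunk)] = true
		}
	}
	return out
}

// CheckSec reports the compile-time hardening visible in a little-endian ELF64 image.
func CheckSec(data []byte) (Hardening, error) {
	var h Hardening
	if len(data) < ehdrLen || !bytes.Equal(data[:4], []byte{0x7f, 'E', 'L', 'F'}) || data[4] != 2 || data[5] != 1 {
		return h, errors.New("not a little-endian ELF64 image")
	}
	h.PIE = binary.LittleEndian.Uint16(data[16:]) == etDyn
	phoff := binary.LittleEndian.Uint64(data[32:])
	phentsize, phnum := binary.LittleEndian.Uint16(data[54:]), binary.LittleEndian.Uint16(data[56:])
	for i := uint64(0); i < uint64(phnum); i++ {
		off := phoff + i*uint64(phentsize)
		if off+8 > uint64(len(data)) {
			return h, errors.New("program header table out of bounds")
		}
		switch binary.LittleEndian.Uint32(data[off:]) {
		case ptGnuStack: // NX holds only if the stack segment is present and not executable
			h.NX = binary.LittleEndian.Uint32(data[off+4:])&pfX == 0
		case ptGnuRelro:
			h.RELRO = true
		}
	}
	names := printableStrings(data)
	h.Canary = names["__stack_chk_fail"]
	for n := range names { // FORTIFY_SOURCE builds import __strcpy_chk, __sprintf_chk and so on
		if strings.HasPrefix(n, "__") && strings.HasSuffix(n, "_chk") {
			h.Fortify = true
		}
	}
	for _, u := range unsafeCalls {
		if names[u] {
			h.Unsafe = append(h.Unsafe, u)
		}
	}
	return h, nil
}

// BuildSample constructs a minimal synthetic ELF64 image (header, the given program headers and a
// string blob standing in for .dynstr) so the checker can be exercised without a real binary.
func BuildSample(eType uint16, phdrs [][2]uint32, names []string) []byte {
	strtab := []byte(strings.Join(names, "\x00") + "\x00")
	img := make([]byte, ehdrLen+phdrLen*len(phdrs))
	copy(img, []byte{0x7f, 'E', 'L', 'F', 2, 1, 1}) // magic, ELFCLASS64, little-endian, version 1
	binary.LittleEndian.PutUint16(img[16:], eType)
	binary.LittleEndian.PutUint64(img[32:], ehdrLen)
	binary.LittleEndian.PutUint16(img[54:], phdrLen)
	binary.LittleEndian.PutUint16(img[56:], uint16(len(phdrs)))
	for i, p := range phdrs { // p_type, p_flags, then p_offset/p_filesz pointing at the blob
		ph := img[ehdrLen+i*phdrLen:]
		binary.LittleEndian.PutUint32(ph, p[0])
		binary.LittleEndian.PutUint32(ph[4:], p[1])
		binary.LittleEndian.PutUint64(ph[8:], uint64(len(img)))
		binary.LittleEndian.PutUint64(ph[32:], uint64(len(strtab)))
	}
	return append(img, strtab...)
}
```

On a real firmware image you would run CheckSec over every binary in the extracted root filesystem; a build that reports PIE, NX, RELRO, Canary and Fortify all true and no entries in Unsafe has the hardening the paragraph asks for, and the Unsafe list is where to start reviewing code when it does not.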

Keep it current

Is the software up to date? This sounds obvious, but lots of devices have Certificate Authority (CA) bundles predating 2012, kernels dating back ten years, old versions of BusyBox or even web server connections last accessed in 2005. Old CAs may already have been compromised but are still used by developers because it’s generally easier to leave them in place and simply switch off certificate validation. Unfortunately, this exposes the device to man-in-the-middle attacks. Check that the certificate is correctly signed by a valid certificate authority, that it matches the server name, and that it hasn’t expired.
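The three certificate checks in that last sentence, as an added Go example (not the article's code): VerifyServerCert runs them with the standard library's x509 verifier, UpdateTLSConfig shows the client setting that keeps them switched on (in Go, "switching off certificate validation" means setting InsecureSkipVerify, which this configuration never does), and BuildDemoChain constructs a throwaway CA and a certificate for the placeholder host update.example so the checks can be tried offline. All of those names are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// VerifyServerCert performs the three checks the article lists: the chain ends at a trusted CA,
// the certificate matches the server name, and it is within its validity period at the given time.
func VerifyServerCert(leaf *x509.Certificate, roots *x509.CertPool, host string, now time.Time) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:       roots,
		DNSName:     host,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// UpdateTLSConfig is the client configuration for fetching updates: the trusted CA bundle is set
// explicitly and InsecureSkipVerify is left false, so crypto/tls applies the same checks itself.
func UpdateTLSConfig(roots *x509.CertPool, host string) *tls.Config {
	return &tls.Config{RootCAs: roots, ServerName: host, MinVersion: tls.VersionTLS12}
}

// RootPool wraps a CA certificate in a pool, the way a device would load its trusted bundle.
func RootPool(ca *x509.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return pool
}

// newCert signs tmpl with parentKey and parses the result back into a Certificate.
func newCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildDemoChain creates a constructed CA and a server certificate for the placeholder name
// update.example so the checks can be exercised offline; no real server or CA is involved.
func BuildDemoChain() (ca, leaf *x509.Certificate, err error) {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Demo CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	if ca, err = newCert(caTmpl, caTmpl, &caKey.PublicKey, caKey); err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "update.example"},
		DNSNames: []string{"update.example"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(30 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, err = newCert(leafTmpl, ca, &leafKey.PublicKey, caKey)
	return ca, leaf, err
}

func main() {
	ca, leaf, err := BuildDemoChain()
	if err != nil {
		panic(err)
	}
	roots, now := RootPool(ca), time.Now()
	fmt.Println("correct host, in date:", VerifyServerCert(leaf, roots, "update.example", now))
	fmt.Println("wrong host:", VerifyServerCert(leaf, roots, "other.example", now))
	fmt.Println("expired:", VerifyServerCert(leaf, roots, "update.example", leaf.NotAfter.AddDate(0, 0, 1)))
}
```

The point of passing the time explicitly is that an expired certificate on a device with a wrong clock still fails the check when it is evaluated against a trustworthy time source; keeping the CA bundle current is what makes the first check meaningful.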

If IoT vendors take the necessary steps to address these common security failings, these devices will no longer be so easy to hijack and subvert. A failure to do so will inevitably lead to yet more behemoth botnets, as well as the emergence of malicious firmware updates and ransomware attacks, which could potentially threaten the viability of the IoT itself.

iottechnews.com: Latest from the homepage

Sigfox posts €50 million in revenue, reiterates plans for 60 country connectivity in 2018

Sigfox, the France-based Internet of Things (IoT) connectivity provider, has announced its 2017 results and 2018 roadmap, promising a network of 60 countries and more than a billion people worldwide.

Revenues went up to €50 million (£44.4m), a rise of more than 56% year over year, according to the company, while the total number of objects connected to the Sigfox network rose by 65% to a total of 2.5 million. Alongside this, the company’s network grew to 45 countries earlier this month, including Malaysia, South Korea, and Switzerland.

Looking at the company’s 2018 roadmap, alongside its network figures Sigfox is promising greater focus on its evangelisation strategy. To that end, the provider is launching Hacking House, a project that will ‘bring together students from around the world to learn about IoT and Sigfox’s pioneering technology’, as the company put it.

“There is tremendous value in IoT, which lies in the data that is generated by millions of connected objects across the globe,” said Ludovic Le Moan, co-founder and CEO of Sigfox in a statement. “It’s up to us to turn this golden opportunity into a multi-billion dollar industry, just like we did with petrol a century ago.

“Our challenge for the next few years will be to lower the cost of collecting that data to close to zero,” Le Moan added.

This makes for an interesting comparison when looking at Sigfox’s proclamations in November 2016. The company had just secured a €150m funding round and promised then what it promises today – coverage in 60 countries by 2018.


IoT identity and management revenues to hit $21.5bn by 2022, says ABI Research

ABI Research projects that revenues from IoT identity and management are heading to hit the $21.5 billion benchmark by 2022, driven by IoT platform services together with security, cryptography, digital certificate management and data exchange services.

According to predictions put forward by the advisory firm in its report “Thing Identity and Management Services”, IDoT (Identity of Things) services will realise robust growth over the next five years driven primarily by the industrial, manufacturing, and automotive industries.

Dimitrios Pavlakis, industry analyst at ABI Research, said: “Through ‘smarter gateways’, cloud services, and application programming interface (API)-focused solutions, thing identity and management services are steadily finding their way in a wider spectrum of IoT verticals.”

Although some industries are not so up-to-date in terms of security, vendors in the IoT market are finally making investment moves in encryption and device certificate management. Some of the leading verticals that are eating up over 60% of the total global revenues include aftermarket telematics, fleet management, OEM telematics, metering, home security, and automation.

Elsewhere, a BCC Research report projected that the value of the global IoT networking solutions market is anticipated to reach $1 trillion by 2022 at a CAGR of 21.6%. The report titled “Internet of Things (IoT) Networks: Technologies and Global Markets to 2022” highlighted that the Asia Pacific IoT networking solutions market is anticipated to grow at a CAGR of 27.6% through 2022, followed by Europe with a CAGR of 23.8% and market share of 31.3%.


Google assimilates Nest once more

Saying goodbye must have been too hard for Google as the company is bringing Nest back under its roof.

Nest was co-founded by former Apple engineers in 2010. Google bought the young startup, whose innovative thermostat became one of the first successful smart home devices, for $3.2 billion (£2.3bn) back in 2014.

Following a major restructuring — when Google’s umbrella company, Alphabet, was created — Nest was spun off into a separate company. Alphabet is now folding Nest back into Google as the company attempts to fight off increasing competition from Amazon.

Rick Osterloh, Senior Vice President of Hardware at Google, says:

“We're excited to bring the Nest and Google Hardware teams together. The goal is to supercharge Nest’s mission: to create a more thoughtful home, one that takes care of the people inside it and the world around it.

By working together, we’ll continue to combine hardware, software and services to create a home that’s safer, friendlier to the environment, smarter and even helps you save money—built with Google’s artificial intelligence and the Assistant at the core.”

Google sees the IoT and smart homes as a major source of growth in the coming years. The company has put significant resources into building its AI and launching a range of smart home devices.

Amazon’s competitor, the Echo line, has been commercially more successful than Google’s — in part due to the company’s retail influence. However, according to survey-based data from Consumer Intelligence Research Partners (CIRP), it appears Google Home has gained some ground on Amazon’s devices.

The competition is increasing for Google and not just from Amazon. Apple joins the fray, as of today, with its HomePod. Later this year, Microsoft, Samsung and Facebook will also be entering the market.

In advance of their entries, Google is bolstering its in-house manufacturing capabilities. Last week, Alphabet's Google unit announced it had paid $1.1bn to buy a large chunk of HTC's hardware operations — gaining the company around 2,000 engineers in Asia.

Do you think bringing Nest back into Google is a good idea? Let us know in the comments.


SEAT and Orange partner on development and use of connected vehicles

SEAT and Orange Spain have entered into a strategic partnership to promote the development and use of connected vehicles by focussing on several work areas.

As part of the deal, the companies will focus on three primary areas: formulating innovations for connected vehicles to enhance the user experience; turning the car into the user’s second digital home by bringing the digital home or office experience to the vehicle; and launching a cross-company loyalty and frequent-use programme to promote the use of the new connectivity and mobility solutions (related to connected cars) they roll out in the market.

The partnership is not confined to the formulation of digital applications for cars: SEAT and Orange will also work together on initiatives that encourage use of the new functions. The loyalty programme is one result of these initiatives.

Under their efforts to enhance entertainment and leisure services for drivers and passengers, initially music, audiovisual and learning content will be included – without any compromise to the safety of the vehicle occupants.

Luis Santos, Orange Director of Innovation and New Digital Services for Spain, expressed confidence that “this strategic agreement with SEAT is a great step for Orange in its strategy of connected objects and Big Data and opens the door to innovations and new developments surrounding cars of the future, which will contribute to helping us achieve our goal of connecting our customers with what truly matters most to them.”

While inking the deal, Arantxa Alonso, Head of Business Development at SEAT, comments: “This partnership opens up a large collaborative space for both companies that are pursuing a common goal – promote the use of the connected car and make the car user’s experience easier and more efficient.”
