With shadowy botnet armies lurking around the globe and vigilante gray-hat actors inoculating susceptible devices, the appetite for Internet of Things security is stronger than ever.
“If you throw IoT on a con talk, you’ve got a pretty good chance to get in,” remarked information security professional Jason Kent, as he began his presentation at Chicago’s Thotcon hacking and security conference last week.
While the vulnerabilities he described may not have been the ones researchers find the most thrilling, they served to illustrate just how much work remains to be done to shore up simple, but devastating, security holes.
With the likes of the Mirai and Hajime botnets preying on swaths of IoT devices that have weak root account passwords and open telnet ports, security professionals are understandably keen on nudging the industry away from these pitfalls.
However, there are serious shortcomings in the SSL implementation and information security practices found in many IoT companion mobile apps, Kent pointed out in his talk, “IoT Web of Intrigue.”
Personal Data Exposed
SSL misconfigurations might seem mundane compared to other threats, but the example of a simple Burp proxy collecting the data transferred between a mobile app and its server, repeated across a slew of devices, highlighted just how pervasive, and how potentially devastating for users, such vulnerabilities can be.
Kent presented numerous examples showing that once an app’s SSL traffic has been intercepted and captured this way, the captured requests can be resent to issue commands on behalf of the user who originally sent them: many IoT device servers will accept any request bearing the right key, regardless of where it came from or whether the certificate exchange that originally accompanied it is present.
In many cases, it gets worse. Once the traffic has been intercepted, the often excessive or creepily invasive data it contains is plain for all to see. In the case of one home security camera, examining the captured packets revealed not only the username and password in plaintext, but also a variable recording the homeowner’s insurance provider.
Another camera’s packets contained a GET request, sent upon authentication, that listed the other family members authorized to access the camera, along with their email addresses and user IDs.
If any of the conference’s attendees left the talk feeling deeply uneasy with the state of IoT practices, it was more than understandable.
So, where did all those gaping holes come from?
Cracks in the Foundation
The problem stems in part from an underappreciation of just how many security implications are raised by connecting IoT devices to the Internet, or from a failure to raise them at all, Kent told LinuxInsider following his talk.
“I was reporting a problem and never met their security team,” he said, recounting a disclosure phone call with one company. “I met their PR team, their lawyers — no one from security. Why? Because this company [made] a machine and then put it on the Internet, not realizing they needed to change their business a bit when that happened.”
Although IoT manufacturers can benefit from making a more concerted effort to keep pace with modern network security practices, there are industry-wide challenges in using SSL to bolster insecure underlying architectures, Kent pointed out.
“The mobile apps are really just Web browsers with premade pages,” he said. “The app asks for data from the API and displays that data to the user.”
Properly implemented SSL certainly can go a long way toward fortifying underlying processes, but “we are building on a foundation that wasn’t secure to begin with,” Kent observed.
Working Under the Radar
Still, the outlook is not entirely pessimistic, Kent said, noting that developers can tap many resources in order to up their game.
“Every app dev should be a participating member of OWASP,” he advised, referring to the Open Web Application Security Project, a nonprofit dedicated to aggregating security best practices into comprehensive guides for developers at all levels.
Kent also praised the precedent set by DevSecOps for its effectiveness in instilling security consciousness into the development process, so that developers learn to spot vulnerabilities themselves.
Software development hygiene may seem like an annoyance at times, but it goes a long way toward preventing big headaches down the road, and users certainly will benefit, even if they are not always aware of behind-the-scenes efforts.
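The replay problem described under “Personal Data Exposed” above, shown as an added example that is not code from the talk or from any vendor’s product: a naive back end executes any request that carries the right static key, so a request captured through a proxy can simply be resent; a hardened back end instead requires an HMAC over the request, a timestamp and a single-use nonce, so a captured request can be neither replayed nor altered. The API key, device secret, paths and request contents are all constructed for the illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed example values, not taken from any real device or service.
API_KEY = "k_example_static_key"                  # hypothetical static key the naive app sends
DEVICE_SECRET = b"constructed-per-device-secret"  # hypothetical secret issued at pairing time


def naive_server_accepts(request: dict) -> bool:
    """Naive back end: executes any request carrying the right key, wherever it came from."""
    return request.get("api_key") == API_KEY


def canonical(method: str, path: str, body: str, ts: int, nonce: str) -> bytes:
    """Bytes the client signs and the server recomputes. Every field an attacker
    might want to change is covered, together with the freshness values."""
    return "\n".join([method, path, body, str(ts), nonce]).encode()


def sign_request(method: str, path: str, body: str, *, secret: bytes = DEVICE_SECRET,
                 now=None, nonce: str = None) -> dict:
    """Client side: the password is never sent; only a MAC under the per-device secret is."""
    ts = int(time.time() if now is None else now)
    nonce = nonce or secrets.token_hex(16)
    mac = hmac.new(secret, canonical(method, path, body, ts, nonce), hashlib.sha256).hexdigest()
    return {"method": method, "path": path, "body": body, "ts": ts, "nonce": nonce, "sig": mac}


class HardenedServer:
    def __init__(self, secret: bytes = DEVICE_SECRET, window_seconds: int = 60):
        self.secret = secret
        self.window = window_seconds
        # Nonces already executed. A production store would be bounded per device
        # and expire entries once they fall outside the freshness window.
        self.seen_nonces = set()

    def accepts(self, req: dict, now=None) -> bool:
        now = time.time() if now is None else now
        if abs(now - req["ts"]) > self.window:      # 1. stale (or badly skewed) request
            return False
        if req["nonce"] in self.seen_nonces:        # 2. already executed once: a replay
            return False
        expected = hmac.new(
            self.secret,
            canonical(req["method"], req["path"], req["body"], req["ts"], req["nonce"]),
            hashlib.sha256,
        ).hexdigest()
        if not hmac.compare_digest(expected, req["sig"]):  # 3. forged or tampered
            return False
        self.seen_nonces.add(req["nonce"])
        return True


def demo() -> dict:
    """Replays a captured request against both back ends; returns each outcome."""
    t0 = 1_700_000_000  # fixed clock so the run is deterministic
    # Constructed capture: what a proxy sees from the naive app, credentials in the clear.
    captured = {"api_key": API_KEY, "user": "alice", "password": "hunter2", "cmd": "unlock"}
    results = {
        "naive_original": naive_server_accepts(captured),
        "naive_replay": naive_server_accepts(dict(captured)),  # attacker resends it verbatim
    }

    server = HardenedServer()
    signed = sign_request("POST", "/v1/camera/42/unlock", '{"cmd":"unlock"}',
                          now=t0, nonce="0011223344556677")
    results["hardened_original"] = server.accepts(signed, now=t0 + 2)
    results["hardened_replay"] = server.accepts(signed, now=t0 + 5)          # same nonce again
    tampered = dict(signed, body='{"cmd":"unlock","all":true}', nonce="8899aabbccddeeff")
    results["hardened_tampered"] = server.accepts(tampered, now=t0 + 5)      # MAC no longer matches
    stale = sign_request("POST", "/v1/camera/42/unlock", '{"cmd":"unlock"}',
                         now=t0 - 600, nonce="ffeeddccbbaa9988")
    results["hardened_stale"] = server.accepts(stale, now=t0)                # outside the window
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:18s} -> {'accepted' if accepted else 'rejected'}")
```

The signature alone does not stop replay; the nonce set and the freshness window do, and the window is what keeps the nonce store bounded. None of this helps if the app still ships the password or other personal data in the request body, which is the separate problem the captured camera traffic illustrated: the hardened client above sends only a MAC under the pairing secret.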