IoT Security

October 11, 2020 |
Union Station aka my second home. Taken by MJ

OWASP has a list of the top 10 most commonly found vulnerabilities—the “OWASP Top Ten.” The OWASP site describes this list as representing “a broad consensus about the most critical security risks to web applications.” Number one on the list is Injection, the vulnerability hackers love to exploit. There’s something real cool about pulling off an injection attack. Compromising a database, getting the browser to run commands on your behalf, or gaining god-level privileges on a server. But you know what’s cooler? Getting that god-level access with a lot less work. Let me introduce number six on the top ten list—security misconfiguration. 

 

A security misconfiguration is exactly what it sounds like. A device that is meant to be protected by security is instead configured in a way that allows an attacker to exploit the poorly secured device. Here a few scenarios of security misconfigurations: using default passwords, not patching (plugging known security holes), or the inability to enforce and track user access control—giving unauthorized people the keys to the kingdom. 

 

I’ve seen these misconfigurations happen when people are rushing, and when this happens, security takes a back seat. The reasons for rushing can vary. Sometimes due to strict deadlines from the top of the corporate hierarchy, or perhaps because of a perverse idea that being the first to market trumps everything else. Thus, misconfigurations create a security risk that can be easily avoided, yet it continues to happen. Often enough that it’s on the top-ten list. 

 

How Does This Affect You?

 

Internet of Things (IoT) devices are becoming more prominent in our homes. If you’re unaware of what an IoT device is, it can be described as a device connected to the internet and can be controlled to give information. Some examples of IoT devices are lightbulbs, toasters, cameras, refrigerators, and smartwatches. 

 

An IoT device can be described as a device that we wouldn’t expect to have an internet connection, therefore our phones and laptops don’t fall under the IoT umbrella. But for the devices that do, they are making our world more connected and smarter—giving us the ability to optimize our lives. Check out this introductory article from ZDNet that discusses IoT more in-depth. 

 

Check out Shodan.io, the search engine of internet-connected devices, which of course includes IoT, and you’ll see a list of misconfigured devices. Webcams from all over the world top the list because the people who sell them want to make a quick dollar and the end-user is not usually bothered with security. As long as the product works, it’s happy days. That is until your compromised IoT device is used to attack other systems, or worse, they are used to attack you.


 

Sue Walsh, a writer for RT Insights, writes in an article about the Mozi botnet, a number of internet-connected devices used by hackers to run commands across the internet, and states, “Mozi continues to be successful largely through the use of command-injection (CMDi) attacks, which often result from the misconfiguration of IoT devices. The continued growth of IoT usage and poor configuration protocols are the likely culprits behind this jump.” Presently, the Mozi botnet accounts for about 90% of IoT internet activity. 


 

What Do You Do?

 

Security research company DivvyCloud has created a report that details cloud misconfigurations from 2018 to 2019. Using public data on security breaches, DivvyCloud has calculated that misconfigurations have cost companies five-billion dollars within that time frame. A number that can be avoided if misconfigurations are addressed. 

 

If companies are not going to do the work of ensuring your security, then you must take the time to ensure your own security. You might not have an IoT device at the moment, but chances are you’ll eventually get one. They are becoming more and more a part of our daily lives. My cousin told me just a few hours ago that his smartwatch has made his life a lot easier and who doesn’t want it easy?

 

But let’s not make it easy for those that want to attack us or use our systems to attack others. As you read this, nations are attacking other nations in the cyber realm. My advice is that you protect yourself by taking away a hacker’s easy win. Research the security of your device before it’s purchased. Check whether the device has a track record of being vulnerable to attacks. When buying a device, verify what configurations need to be updated and get it done.

 

Together we can take security misconfigurations off the OWASP Top Ten. 


Thanks for reading!