Defending Against IoT Bugs is an Uphill Challenge (But it Doesn’t Have to Be) Written by: Jason Segarra Published: September 8, 2022 IoT Advice Tags: Developers | IoT devices | Iot Security With the Global IoT Security market expected to grow to $5.09 billion USD by the end of the year, it’s clear that modern businesses recognize the importance of a secure IoT infrastructure. The growth in investment comes as the disclosure of IoT bugs for extended IoT devices is estimated to have grown by 57% in the first half of 2022. When developing technological solutions, bugs may be inevitable, but the fact that bugs are common doesn’t mean they are harmless. Let’s look at just some of the impact that IoT bugs have had in recent years. Seemingly Simple IoT Bugs Can Have a Big Impact A major compromise via a known critical remote code execution (RCE) vulnerability in the popular Hikvision line of IP video cameras has placed more than 2300 organizations across the globe at risk of incursion. The vulnerability, which occurs in the web server for these cameras, could allow hackers to launch commands that would grant them complete root shell access to an affected device – something even the owners of the cameras don’t have access to. Once in the system, they could disable connected IoT devices, breach connected networks, and launch DDoS or other attacks. Elsewhere, researchers discovered a critical flaw in Throughtek’s Kalay IoT cloud platform that covers more than 83 million devices, including security cameras and baby monitors. The flaw was assigned a critical CVSS3.1 base score of 9.6/10, explaining that affected devices could be compromised remotely by accessing a UID and launching further attacks, depending on the functionality of the compromised device. These vulnerabilities are not isolated to consumer IoT devices. Healthcare IoT devices are currently being targeted due to seven separate vulnerabilities with a collective CVSS v3 score of 9.8/10. Dubbed “Access:7,” these IoT bugs affect one of the most popular platforms for embedded devices in the medical industry (the same platform can also be found managing ATMs, vending machines, and PoS systems, among other devices). The vulnerabilities run the gamut, from default configuration issues to the processing of undocumented and unauthenticated commands. This potentially puts more than just patients’ personal information at risk; attacking medical devices with DDoS attacks could potentially lead to loss of life. Challenges in Securing Devices from IoT Bugs Given that vulnerabilities can be introduced across so many surfaces, including physical devices, software, or network elements. it may not be possible to prevent IoT bugs altogether. To help manage and address these issues, some developers and security organizations deploy automation and cybersecurity tools to help scan for, detect and mitigate vulnerabilities from the software side. Though some view these tools as a means of improving efficiency by “removing the human element,” studies show that automated tools only discover around 45% of overall vulnerabilities. Worse yet, these tests can yield false results that can create delays (on false positives) or products shipping with known vulnerabilities (on misdiagnosed negatives). Even the best developers must also work alongside security experts if they hope to ship a complete product. A report from the Enterprise Strategy Group found that poor communication between developers and security teams leads around 48% of products to be produced with vulnerable code. This, in turn, can lead to delays if they’re caught before shipping, or unsecured products if not. Of course, there are also common blindspots that design teams, developers, and systems architects often overlook as well. Are there any ways for users to introduce new risks to the system? Using removable media, for example, opens a new option for bad actors to potentially introduce or extract potentially sensitive information. Similarly, creating a system without visibility on large deployments through logging capabilities creates space for hackers to access physical architecture, leaving them plenty of time to infiltrate a network before a response can be made. How to Deal with Bugs and Other Security Concerns IoT bugs may be inevitable, but that doesn’t mean there is nothing companies can do to help defend their systems from incursion. Some of the simplest solutions include: Keeping Current with Password and Firmware Updates: The most common access point for hackers is the default password. Updating your system to employ unique passwords and staying current with all firmware updates can cut risk factors considerably. Architecting around the Public Internet: Hackers will have a much harder time accessing your IoT network if it is hidden from the public internet. By deploying solutions like Soracom’s Virtual Private Gateway, dedicated VPNs like Soracom Door, or secure private connections through Soracom Canal, businesses can limit the public footprint of their IoT system considerably.Encrypt All Credentials and Security-Sensitive Data: Depending on your web service of choice, data transmitted to the cloud may be encrypted while in transit, but you should employ description at the device level as well. Hard-coded usernames and passwords can be reverse engineered should a device from your fleet be obtained by enterprising hackers. Conversely, you could avoid keeping credentials on devices entirely through the use of provisioning tools like Soracom Krypton.Monitor Potential Attacks Via Intrusion Detection Systems or Firewalls: Though more of a tool for mitigating the costs of an incursion, these systems will monitor network traffic for any suspicious activity. Packet capture tools like Soracom Peek can be combined with packet inspection tools like Soracom Junction to help keep close tabs on traffic for any concerning activity. Once identified, companies should follow the intrusion with the appropriate incident response.Create Contingency Plans to Address DDoS Attacks: It’s important to have plans in place in the event of an attack that allows your service to avoid costly downtime. Once the initial response is laid out, it’s also important to review the process to learn how best to address – and hopefully prevent – any future incursions of a similar nature. ……………… Got a question for Soracom? Whether you’re an existing customer, interested in learning more about our product and services, or want to learn about our Partner program – we’d love to hear from you!