The Top 10 IoT Security Threats and Vulnerabilities

By the end of 2020, there will be 21B IoT devices worldwide, creating a massive network of self-driving cars, connected energy grids, and smart appliances. As innovative companies and product creators build towards this connected future, they must constantly evaluate the risks that come with these large IoT security networks.

But what are the biggest security risks that are associated with IoT networks? In 2014, the Open Web Application Security Project, a volunteer community of security professionals, identified the top 10 most common security IoT threats and published them to raise awareness and help create a more secure world.

Open Web Application Security Project — Top 10 IoT Security Threats

This list has been recently updated for 2018, and that is the version we will be focusing on in this article. At Particle, as part of our security and compliance programs, our security team frequently performs testing against various standards to make sure that we are thinking about every possible attack vector. This is just one of many activities we perform to ensure we are providing the most secure IoT platform out there.

That’s why, in this post, we are going to explain how our platform addresses the vulnerabilities identified by OWASP’s Top 10 list. So, without further ado, let’s count down:

1. Weak, guessable, and hardcoded passwords

In October 2016, a Mirai botnet of IoT security cameras, set-top boxes, routers, and similar devices attacked Dyn, a prominent domain and service provider. This Mirai botnet was comprised of various IoT devices that leveraged default weak credentials (think admin/admin).

Dyn underwent a massive Internet outage that cost millions of dollars in productivity losses alone. In the wake of the Dyn hack, many decision-makers realized that they needed to consider not just functionality, but security and reliability as key features of the IoT platforms.

The best way to avoid weak, guessable, passwords is not relying on passwords at all. At Particle, our devices do not leverage local, or otherwise hardcoded passwords. All Particle devices are managed exclusively through our Device Cloud, which makes it unnecessary for every device to have its own password.

2. Insecure network services

Many smart devices often have unneeded or exposed network services running on it. For instance, open ports that provide access to the operating system or other services on the device is a common security flaw.

On smart devices, each open port provides a new opportunity for a malicious actor to gain access to the device, so the aim is to keep the number of open ports as small as possible to ensure the smallest attack surface.

If you were to run a port scan on some smart devices, it is possible that the services running on there are older than the person who put the device on the network. It’s not unheard of for devices to run legacy protocols like telnet, or plain text HTTP servers, each with various vulnerabilities that place the device at risk.

A port scan against a Particle device will reveal exactly zero open ports. That’s because we don’t run any devices with open ports in the first place. All connectivity from our devices happens through our Device Cloud, which means there is zero local attack surface exposed to bad actors already on a network.

3. Insecure ecosystem interfaces

Securing the device is half the battle. A secure IoT solution requires security to extend beyond the device to all of the various services and components that it’s communicating with. This includes the various software elements that make the connected device accessible and usable by the consumer. Think APIs, mobile, and web apps that allow users to interact with their devices.

Our interface ecosystem, the Particle Device Cloud, is frequently tested against the OWASP standards. We also work closely with security researchers through our responsible disclosure program to address any issues found within the Device Cloud. Strong access controls, including two-factor authentication, and role-based access to products, are standard fare on the Particle Device Cloud as well.

4. Lack of Secure Update Mechanism

A key advantage of a connected device (versus an unconnected device) is that it can be updated wirelessly as long as the right functionality (like OTA firmware updates) is in place. OTA firmware updates give companies the freedom to iterate and improve upon their product in ways that would’ve been unimaginable a few years ago. The ability to remotely update firmware opens the doors to the ability to introduce new features, and squash bugs; much to the delight of consumers.

However, the trade-off is that firmware updates must be done securely and reliably, over encrypted channels, and in a manner that doesn’t leave a device unresponsive should an update fail to complete fully. The Particle Device Cloud allows teams to push firmware updates in just this manner, over encrypted communications protocols. The Particle Device OS includes mechanisms to ensure failed firmware updates do not cause a device to become unreachable.

5. Use of insecure or outdated components

Information security is a constant race to stay on top of newly discovered vulnerabilities in the different software libraries that are leveraged by a given product or service. One only has to think back to significant vulnerabilities like Heartbleed (OpenSSL, 2014) and Shellshock (Bash, also 2014) to recall how rapid patching of vulnerable components is a critical activity.

Both Heartbleed and Shellshock were significant vulnerabilities that placed an extremely large number of devices at risk because they appeared in commonly used software libraries. Security teams had to scramble to ensure these vulnerabilities were patched before they were exploited with devastating effect.

At Particle, we address this security vulnerability in a few different ways.

  • We frequently run static code analysis to determine if we are using libraries with known flaws. These can then be updated and removed from our services.
  • We perform vulnerability scanning within our device cloud, as a second discovery vector.
  • And finally, our Particle Device OS is open source, meaning that anyone can report and help us address found and potential vulnerabilities

6. Insufficient privacy protection

Personal information is more than just data. If mishandled, either intentionally or by accident, it can have a significant impact on the lives and livelihoods of individuals. The problem is smart devices can collect a significant amount of data about the networks they are on, and the folks using them.

To ensure we’re always doing the right thing with information that passes through our systems, Particle has put in place a privacy program that has been independently validated by a leading third-party audit firm.

Our compliance with legislation, such as CCPA and GDPR has been independently verified as well. We are active participants in the EU-US privacy shield program, which provides safeguards for EU citizens concerning the handling of their personal information.

7. Insecure data transfer and storage

Each time data collected by a smart device moves across a network or is stored in a new location, the potential for it to be compromised increases. To overcome these risks, Particle has put into place a couple of relevant controls.

First, all communications that occur on the platform use the secure DTLS protocol, which ensures that network communications are always encrypted. Public key cryptography, a robust encryption methodology that relies on private and public keys, rather than hard coded secrets, is used to authenticate a Particle device to the device cloud.

Secondly, we don’t store any data that we do not need to deliver our service. Customer information is passed through the Device Cloud, and not retained by Particle. We do not store any personally identifiable information or data that could be used to compromise products or customers in the Device Cloud.

8. Lack of device management

You cannot secure devices you don’t know you have. Device management is a foundational, but commonly overlooked aspect of security.

So many devices are brought outside of official procurement programs and placed on networks in an unmanaged fashion. The Particle Device Cloud console takes care of this issue by acting as a command center for smart device fleets. In the Device Console, you can see all your connected assets in one place and have a complete overview of first versions and other important metrics like device health. There will be no surprise discoveries of unmanaged devices. Maintaining a secure, authenticated connection to the Particle Cloud gives you confidence to deploy firmware and issue commands to your devices.

9. Insecure default settings

A great deal of devices ship with a series of overly permissive settings to reduce deployment friction. Local services and software running as root, as an example. On top of this, they may also allow locally connected users to disable certain security features, and make devices less secure than when they arrived.

A Particle device does not expose such settings to local users, all management occurs through the Device Cloud console, meaning device owners do not have to worry about end users altering settings without their knowledge.

A deployed device cannot have software interfered with, meaning you can rest assured that your device configuration will be the same on day 100, as it is on day 1. Particle’s end-to-end Device Cloud solution allows you to ensure device integrity throughout the device lifecycle.

10. Lack of physical hardening

There is an old saying that goes, if an attacker has physical access to their target, it has already been hacked.

Folks like to void warranties, rip open enclosures, and solder their own connections to hardware in order to gain insight into what is occurring on a given device. For this reason, physical hardware access is one of the most significant security challenges to overcome.

Particle devices leverage an embedded microcontroller to greatly reduce the attack surface available to hardware hackers. Given that Particle is responsible for managing both the hardware and software elements of a solution (through Device Cloud) were also able to detect indicators of devices being compromised at the hardware level. For example, cloned device detection, and devices behaving abnormally.

The bottom line

So there you have, a rundown of the top 10 security vulnerabilities identified by OWASP, and how we at Particle go about mitigating the vulnerabilities listed.

One of our favorite ‘securityisms’, and one that is particularly relevant here, goes like this, “security is a journey, not a destination”. When it comes to security, there is no ‘perfect’, we’re always striving to make things better. We must stay on top of new and evolving security issues as they arise, and resources like the OWASP Top 10 for IoT, are extremely useful benchmarks for doing just that. As your trusted partner, Particle will continue to do just that, on your behalf.

Looking for more information?

If you’re interested in learning more about Particle’s IoT security, you can visit the Particle docs or reach out to our team of IoT experts today.

Author Bio

Mike Sheward, CISSP, CISM, CCFP-US, CISA, HCISPP, CEH, OSCP, CHFI is a Seattle-based information security professional with 15 years of experience in the field, currently overseeing Particle's security program. Mike has worked primarily in security operations, incident response and digital forensics roles, in both the UK and USA, and across both the public and private sectors. Mike is a published author, having written a mixture of fiction and non-fiction titles including Digital Forensic Diaries (2017), Hands-on Incident Response and Digital Forensics (2018), and Security Operations in Practice (2020).

Leave a Reply

Your email address will not be published. Required fields are marked *