January 7, 2019

OWASP’s Top 10 IoT Vulnerabilities

The Open Web Application Security Project (OWASP) recently updated its 2018 Top 10 IoT vulnerabilities list.

As can be expected, a number of lists are compiled at the end of the year to capture and summarize trends, events and activities. The updated OWASP list of IoT vulnerabilities caught our attention because it very nicely keeps to a limit of 10 and, more importantly, because we can help do something about it!

IoT security was a growing hot topic during 2018, and it is important to understand how to address the key issues highlighted. Based on the OWASP list, the top vulnerability issues seem to be the usual suspects! Device Authority’s technology and KeyScaler platform can help mitigate several of them.

Weak, Guessable, or Hardcoded Passwords

Weak, default, and stale passwords are the low-hanging fruit for attackers looking to deploy large-scale botnets and other malware. Managing device passwords at scale is a daunting responsibility, especially since IoT devices do not typically have a human operator to initiate a password change.

Device Authority’s KeyScaler platform provides an Automated Password Management (APM) solution that helps organizations deal with the complexities of setting and managing local account passwords on IoT devices. Centralized policies ensure that passwords are rotated frequently and securely. APM uses a patented technique in which only the recipe for deriving the password is held: no password is stored on the device or exchanged over the network, so there is nothing for a credential-capture or credential-dump attack to recover.

Insecure Network Services

When attempting to compromise a connected IoT endpoint, one of the first and simplest attack surfaces is the network communication model and the network services running on the device. Attackers will aim to exploit weaknesses there to capture login credentials, communication tokens, or other identifiers that the service ecosystem uses to identify the endpoint. It is imperative to secure the endpoint with industry best practices.

Device Authority takes a layered approach in which a data-centric privacy model encrypts data before it reaches the transport layer, i.e. before transport layer security (TLS) is applied. This mitigates man-in-the-middle (MITM) attacks on the channel between the endpoint and the KeyScaler platform: device authentication data is encrypted at the data level to the recipient’s public key, so any captured data is unreadable without the corresponding private key, even if the TLS session itself is intercepted. In addition, the client validates the server’s TLS certificate, which stops an attacker from terminating the TLS session with a forged certificate and capturing packets in the clear.

Insecure Ecosystem Interfaces

To address insecure web, backend API, cloud, or mobile interfaces in the ecosystem outside the IoT device, there needs to be a strong mechanism in place to authenticate and authorize the device on every interaction. Several use cases have been developed to protect the hardware, the firmware and the end-to-end data communications. By enforcing strong authentication with the endpoint, each device is proven to have permission to communicate with the IoT service provider. Whenever the back-end services communicate with an IoT device, they can differentiate between a valid endpoint and a clone by forcing the endpoint to authenticate itself. If the device cannot do so, KeyScaler can reject it.

The above assurance is achieved by using patented technology that interrogates the hardware of a device to ensure that KeyScaler is communicating with the same physical device that was originally registered with the system. The technology uses inherent device entropy to query the physical properties of a device and incorporates additional synthetic keys that are dynamically generated and unique to each device for each authentication session. Rotating these synthetic keys increases key entropy and helps identify cloned devices.
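The following Go program is an added illustration of the idea in the two paragraphs above and is not Device Authority’s code or patented method. It assumes a per-device root secret (standing in for hardware-bound key material shared at registration and never transmitted), derives a fresh synthetic session key from that root and an authentication counter (the "epoch") for every challenge-response, and uses the epoch to detect a clone: a copy of the device’s storage holds a valid root but an epoch the platform has already moved past, so its otherwise correct proof is recognized as a second holder of the same identity and the identity is quarantined. The device ID, the HMAC-SHA256 derivation and the quarantine map are assumptions for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

// Device is the endpoint side. Root stands in for key material bound to the
// physical unit at registration (an assumption of this example); it is never
// sent over the network. Epoch counts completed authentications.
type Device struct {
	ID    string
	Root  []byte
	Epoch uint64
}

// Platform is the server side: the registered root per device, the epoch it
// expects next, and the identities placed in quarantine.
type Platform struct {
	roots       map[string][]byte
	epochs      map[string]uint64
	quarantined map[string]bool
}

func NewPlatform() *Platform {
	return &Platform{roots: map[string][]byte{}, epochs: map[string]uint64{}, quarantined: map[string]bool{}}
}

// Register enrols a device: the root is generated once and provisioned out of band.
func (p *Platform) Register(id string) *Device {
	root := make([]byte, 32)
	if _, err := rand.Read(root); err != nil {
		panic(err)
	}
	p.roots[id] = append([]byte(nil), root...)
	p.epochs[id] = 0
	return &Device{ID: id, Root: root}
}

// Clone models an attacker who copied the device's storage at one point in time.
func Clone(d *Device) *Device {
	return &Device{ID: d.ID, Root: append([]byte(nil), d.Root...), Epoch: d.Epoch}
}

// sessionKey is the synthetic per-session key: derived from the root and the
// epoch, different for every session, and never stored on either side.
func sessionKey(root []byte, epoch uint64) []byte {
	var e [8]byte
	binary.BigEndian.PutUint64(e[:], epoch)
	mac := hmac.New(sha256.New, root)
	mac.Write([]byte("session-key"))
	mac.Write(e[:])
	return mac.Sum(nil)
}

// Respond answers a challenge with HMAC(sessionKey, challenge) plus the epoch used.
func (d *Device) Respond(challenge []byte) (uint64, []byte) {
	mac := hmac.New(sha256.New, sessionKey(d.Root, d.Epoch))
	mac.Write(challenge)
	return d.Epoch, mac.Sum(nil)
}

var (
	ErrUnknownDevice = errors.New("unknown device")
	ErrQuarantined   = errors.New("device is quarantined")
	ErrBadProof      = errors.New("proof invalid: responder does not hold the registered root")
	ErrEpochMismatch = errors.New("epoch out of step: a second copy of this identity exists")
)

// Challenge issues a fresh random nonce so that responses cannot be replayed.
func (p *Platform) Challenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// Verify first checks the proof against the epoch the responder claims (does
// it hold the root?), then checks that this epoch is the one the platform
// expects. A valid proof at a stale epoch means a clone, so quarantine the ID.
func (p *Platform) Verify(id string, challenge []byte, epoch uint64, proof []byte) error {
	root, ok := p.roots[id]
	if !ok {
		return ErrUnknownDevice
	}
	if p.quarantined[id] {
		return ErrQuarantined
	}
	mac := hmac.New(sha256.New, sessionKey(root, epoch))
	mac.Write(challenge)
	if subtle.ConstantTimeCompare(mac.Sum(nil), proof) != 1 {
		return ErrBadProof
	}
	if epoch != p.epochs[id] {
		p.quarantined[id] = true
		return ErrEpochMismatch
	}
	p.epochs[id] = epoch + 1
	return nil
}

// Authenticate runs one full exchange and advances the device epoch on success.
func Authenticate(p *Platform, d *Device) error {
	c := p.Challenge()
	epoch, proof := d.Respond(c)
	if err := p.Verify(d.ID, c, epoch, proof); err != nil {
		return err
	}
	d.Epoch++
	return nil
}

func main() {
	p := NewPlatform()
	genuine := p.Register("meter-001")
	clone := Clone(genuine) // storage copied before the next session
	fmt.Println("genuine:", Authenticate(p, genuine)) // <nil>
	fmt.Println("clone:  ", Authenticate(p, clone))   // epoch out of step ...
	fmt.Println("genuine:", Authenticate(p, genuine)) // device is quarantined
}
```

Whichever copy authenticates second is the one that trips the check, so if the clone goes first the genuine device is the one rejected; either way the platform learns that two holders of one identity exist and stops serving both until an operator investigates. A production design also needs a small resynchronization window for the case where the device crashes between the platform accepting a session and the device committing its new epoch; the example keeps the check strict for clarity.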

Lack of Secure Update Mechanism

Unauthorized software and firmware updates are a major threat vector for IoT cyber-attacks. IoT breaches can have physical consequences as well as loss of data, and they also introduce substantial legal liability and erode brand reputation.

There are three critical security requirements for delivering updates securely to IoT devices:

  1. Securing access to the updates
  2. Verifying the source of the updates
  3. Verifying the integrity of the updates

Device Authority’s Secure Updates and Data Signing solution delivers each of these requirements for IoT environments. Access to updates is restricted to authorized devices. Updates are encrypted specifically for their target devices and are not exposed as unprotected software or firmware downloads. Lastly, the KeyScaler platform manages the signing and/or delivery of updates so that both the update source and the integrity of the updates themselves are verified, delivering end-to-end protection for device updates.
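The following Go program is an added example of requirements 2 and 3 above (source and integrity verification) as a device would enforce them; it is not Device Authority’s code. It assumes the update service signs a small manifest (version plus SHA-256 digest of the image) with an Ed25519 key whose public half was pinned on the device at onboarding. The device verifies the manifest signature before it trusts anything in it, then checks the downloaded image against the pinned digest. It goes one step beyond the list by also refusing a validly signed but older image, since an attacker who can replay an old signed update can reintroduce a fixed bug. Requirement 1 (restricting who may download the update at all) is an access-control decision made on the platform side and is not shown. The manifest layout, key pair and firmware bytes are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is the signed metadata shipped alongside a firmware image. The
// device never trusts the image bytes directly: it trusts the manifest's
// signature, and the manifest pins the image digest and version.
type Manifest struct {
	Version   uint32
	ImageHash [32]byte
	Signature []byte // Ed25519 over manifestBytes(Version, ImageHash)
}

// manifestBytes is the canonical encoding that is signed and verified.
func manifestBytes(version uint32, hash [32]byte) []byte {
	buf := make([]byte, 4+len(hash))
	binary.BigEndian.PutUint32(buf[:4], version)
	copy(buf[4:], hash[:])
	return buf
}

// SignImage runs on the update service, which holds the private signing key.
func SignImage(priv ed25519.PrivateKey, version uint32, image []byte) Manifest {
	h := sha256.Sum256(image)
	return Manifest{Version: version, ImageHash: h, Signature: ed25519.Sign(priv, manifestBytes(version, h))}
}

var (
	ErrBadSignature = errors.New("manifest signature invalid: not from the trusted update source")
	ErrHashMismatch = errors.New("image digest does not match signed manifest: image altered")
	ErrRollback     = errors.New("manifest version not newer than installed: rollback rejected")
)

// VerifyUpdate runs on the device. pub is the update-service public key pinned
// at onboarding; installed is the firmware version currently running.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, m Manifest, image []byte) error {
	// Source: only a manifest signed by the pinned key is accepted.
	if !ed25519.Verify(pub, manifestBytes(m.Version, m.ImageHash), m.Signature) {
		return ErrBadSignature
	}
	// Integrity: the downloaded image must hash to the digest the manifest pins.
	h := sha256.Sum256(image)
	if subtle.ConstantTimeCompare(h[:], m.ImageHash[:]) != 1 {
		return ErrHashMismatch
	}
	// Anti-rollback: a genuinely signed but older image is still refused.
	if m.Version <= installed {
		return ErrRollback
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed signing key pair
	image := []byte("constructed firmware image, version 2")
	m := SignImage(priv, 2, image)
	fmt.Println("genuine:  ", VerifyUpdate(pub, 1, m, image))
	tampered := append([]byte(nil), image...)
	tampered[0] ^= 0x01
	fmt.Println("tampered: ", VerifyUpdate(pub, 1, m, tampered))
	fmt.Println("rollback: ", VerifyUpdate(pub, 2, m, image))
	m.Version = 3 // attacker edits the manifest after it was signed
	fmt.Println("edited:   ", VerifyUpdate(pub, 1, m, image))
}
```

The order of the checks matters: the signature is verified before the digest or version fields are read, so an attacker who can alter the manifest gains nothing, and the digest comparison is constant-time so that the verifier does not leak how many leading bytes of a forged image matched.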

Insufficient Privacy Protection

Device Authority’s approach to consumer privacy and personal information starts with providing security from the beginning: data security from the endpoint device itself, to establish Device Trust. To be trusted, the device must be enabled with Device Authority’s security technology for onboarding, i.e. secure provisioning, registration and authentication. Once Device Trust is in place, Data Trust can be established so that the device can be trusted to send sensitive data across the network. Organizations can then establish and manage device identity and integrity using policy-driven end-to-end data security, which in turn ensures end-to-end consumer privacy.

Insecure Data Transfer and Storage

The protection of IoT data is paramount to the integrity of IoT applications. The data feeding IoT applications results in automated actions and controls that can have dangerous physical consequences, so it is critical that both the source and the content of data generated by IoT devices are protected and verifiable. To achieve this, data must be encrypted from creation to consumption, which requires more crypto versatility and intelligence than point-to-point Transport Layer Security (TLS) can provide: TLS protects data only on the wire between two endpoints and leaves it in the clear at every intermediary.

Device Authority’s policy-driven encryption utilizes our patented dynamic key generation, device-derived key technology and crypto-policy agents to provide “drop-in” application-level crypto that is configurable for specific data payloads and transmissions. The drop-in agents support transparent crypto processing of data sent over HTTP, MQTT, and custom protocols such as ThingWorx AlwaysOn™, which means there is no requirement to change existing applications on devices – simply install the agent and set the policy on the platform to begin securing the data.

Dynamic keys ensure that each data payload can be encrypted with one-time-use keys that are not shared over the network or stored on the device. Individual data elements can be encrypted for dynamic audiences, independently from data transport protocol security.
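The following Go program is an added example of the data-level encryption described in this section and in the Insecure Network Services section above (data encrypted to the recipient’s public key, with a one-time key per payload that is neither transmitted nor stored); it is not Device Authority’s code and does not reproduce its patented key derivation. It uses a standard construction instead: the sender generates an ephemeral P-256 key pair per payload, performs ECDH against the platform’s long-term public key, derives an AES-256 key with an HKDF-SHA256 step, and seals the payload with AES-GCM. Only the ephemeral public key, nonce and ciphertext cross the network, so a captured envelope is unreadable without the platform’s private key regardless of what happens to the TLS session. The device ID and topic string used as associated data, the salt and the sample reading are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is everything that crosses the network for one payload. It carries
// no symmetric key: the recipient re-derives it from its long-term private key
// and the sender's ephemeral public key.
type Envelope struct {
	EphemeralPub []byte // sender's one-time P-256 public key
	Nonce        []byte // AES-GCM nonce
	Ciphertext   []byte // includes the GCM authentication tag
}

// deriveKey is HKDF-SHA256 (extract with a fixed salt, then one expand block),
// binding the key to the ECDH secret and the ephemeral public key so every
// payload gets a distinct key.
func deriveKey(shared, ephemeralPub []byte) []byte {
	extract := hmac.New(sha256.New, []byte("example-payload-salt-v1")) // constructed salt
	extract.Write(shared)
	expand := hmac.New(sha256.New, extract.Sum(nil))
	expand.Write(ephemeralPub)
	expand.Write([]byte("payload-encryption"))
	expand.Write([]byte{1})
	return expand.Sum(nil) // 32 bytes: AES-256 key
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt runs on the sender, which holds only the recipient's public key.
// aad (here device ID and topic) is authenticated but sent in the clear.
func Encrypt(recipient *ecdh.PublicKey, plaintext, aad []byte) (Envelope, error) {
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return Envelope{}, err
	}
	shared, err := eph.ECDH(recipient)
	if err != nil {
		return Envelope{}, err
	}
	ephPub := eph.PublicKey().Bytes()
	gcm, err := gcmFor(deriveKey(shared, ephPub))
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	return Envelope{EphemeralPub: ephPub, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, aad)}, nil
}

// Decrypt runs on the recipient. Anyone without the private key, including a
// MITM that captured the envelope, cannot derive the payload key.
func Decrypt(recipient *ecdh.PrivateKey, env Envelope, aad []byte) ([]byte, error) {
	ephPub, err := ecdh.P256().NewPublicKey(env.EphemeralPub)
	if err != nil {
		return nil, err
	}
	shared, err := recipient.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	gcm, err := gcmFor(deriveKey(shared, env.EphemeralPub))
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, aad)
	if err != nil {
		return nil, errors.New("payload rejected: tag mismatch (tampered, wrong key, or wrong context)")
	}
	return pt, nil
}

func main() {
	platformKey, _ := ecdh.P256().GenerateKey(rand.Reader) // platform's long-term key (constructed)
	aad := []byte("device=meter-001;topic=telemetry")
	payload := []byte(`{"kwh":12.5}`) // constructed sample reading
	e1, _ := Encrypt(platformKey.PublicKey(), payload, aad)
	e2, _ := Encrypt(platformKey.PublicKey(), payload, aad)
	fmt.Println("distinct one-time keys:", !bytes.Equal(e1.EphemeralPub, e2.EphemeralPub))
	pt, err := Decrypt(platformKey, e1, aad)
	fmt.Println(string(pt), err)
	e1.Ciphertext[0] ^= 0x01
	_, err = Decrypt(platformKey, e1, aad)
	fmt.Println("tampered:", err)
}
```

Because the device ID and topic are bound in as associated data, a captured envelope cannot be replayed under another device’s identity or redirected to a different topic without failing the tag check, which is what lets the platform treat a successfully decrypted payload as both confidential and attributable to its source.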

Lack of Device Management

Device Authority’s KeyScaler platform includes an administrative Control Panel to manage device onboarding, registration, and security policies. The Control Panel is also a window into the functions and configuration of the system and provides a wide range of security and system management functions. Control Panel access is protected by industry-standard Time-based One-Time Passwords (TOTP), which can be generated by any standard authenticator application. The platform also provides device control functions such as Secure Decommissioning, Endpoint Quarantine and Blacklisting. A registered device can easily be placed under quarantine from the Control Panel if it is suspected of being compromised. This temporarily blocks all authentications originating from that device, and the device receives no further security assets or code updates. Once a device is quarantined, it can be reauthorized, blacklisted or deleted.

It is important to understand the new IoT ecosystems being built, and how the IoT devices will be managed not only at initial install but throughout their lifecycle. As IoT services grow, and the number of deployments grows with them, the sheer scale of managing these devices should not be underestimated. It is imperative to build security in right from the start. Device Authority can help organizations with their IoT security strategy and implement a ‘Secure by Design’ approach from the very beginning.


Nirmal Misra