Application Security Testing: An Integral Part of DevOps
Internet of Things devices bring a great deal of convenience to our lives, allowing us to remotely control and monitor any number of different devices in our homes and businesses. However, unless these devices are properly secured, they can open up our personal lives and private information to hackers and potentially allow them to control parts of our "smart homes" from the comfort of theirs.
Case Study: Ring Doorbell Hacked
Ring Doorbell is a "smart" IoT doorbell for your home or business. Ring is a WiFi-connected doorbell that sends a push notification to your phone or tablet with a live video feed, allowing you to see who is standing at your front door. This device is not groundbreaking technology, but it was one of the first to make it big in the market due to its simple setup procedure.
The vulnerability occurs when someone comes along, removes the bell from the wall, and presses the orange button again (after it's already been set up). A hacker can connect to the device via a Web browser and gain access to all configuration information, including the WiFi SSID and passcode. A hacker then can gain access to the wireless network, which would allow them to perform attacks on any device on the network or allow them to monitor all network traffic to collect personally identifiable information, credit card numbers, or login credentials.
This was an extremely well-thought-out product that was successful in the consumer market; however, it had that one vulnerability, which has since been fixed by the company. If well-planned consumer products can have major vulnerabilities, it is clear that amateur do-it-yourself Internet of Things devices may also have vulnerabilities that can put your personal information at risk!
Top 5 IoT Vulnerabilities
- Insecure Web Interface
- Poor Authentication
- Poor Network Services
- Lack of Encryption
- Poor Physical Security
I'll cover each of these items in the upcoming sections of this article.
Insecure Web Interface
Many IoT devices contain some type of basic Web interface for displaying information. Some of this information is mundane (like weather information), which poses no real danger if a hacker is able to view it. However, a DIY burglar alarm may have a Web interface that allows users to arm and disarm, as well as see any type of movement that may be in a location. Hackers can use this to their advantage to disarm and burglarize your home while you are away.
It is important for any type of Web interface to have proper security measures in place to prevent unauthorized personnel from gaining access. If this device will be accessed only from within the house, configure your router to allow access only from devices connected to the network. If the device is to be accessed from outside of the network, consider setting up a VPN connection from your device to your home network. If that is not feasible, the bare minimum should be a username and password with proper authentication techniques used.
For devices that do include authentication, it's important that they contain basic authentication procedures to prevent any unauthorized access with brute force or other attack methods. Devices should always allow users to change the default username and password to increase security. Devices should not allow more than 3-5 failed attempts before implementing a time out for retrying. Devices should provide vague error messages when incorrect information is entered. For example, they should use "Username or Password is incorrect" as opposed to "Username incorrect" or "Password incorrect." Vague error messages keep the hacker from learning that they may have correctly guessed part of the login credentials.
Proper authentication techniques will improve security of the device significantly. Proper authentication is important for any device that may provide private information or allow an outside party to control any part of an automation system. You wouldn't want a hacker to control your window shades or alarm system!
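The lockout and error-message rules above, written for a single-account device as an added example (not code from the original article or from any product it mentions). The credentials, the 300-second timeout and the names `login_attempt` and `login_message` are assumptions made for illustration.

```c
#include <stdint.h>
#include <string.h>

#define MAX_FAILURES 3    /* lower end of the article's 3-5 range */
#define LOCKOUT_SECS 300  /* assumed length of the retry timeout */

enum login_result { LOGIN_OK, LOGIN_DENIED, LOGIN_LOCKED };

/* Constructed credentials. A real device stores a salted password hash
   and lets the owner replace the factory defaults. */
static const char *cfg_user = "owner";
static const char *cfg_pass = "correct horse battery";
static unsigned failures;      /* consecutive failed attempts */
static uint32_t locked_until;  /* uptime in seconds when the lockout ends */

/* Compare the whole input so timing does not reveal a partial match. */
static int same_string(const char *given, const char *stored)
{
    size_t lg = strlen(given), ls = strlen(stored);
    unsigned char diff = (unsigned char)(lg != ls);
    for (size_t i = 0; i < lg; i++)
        diff |= (unsigned char)(given[i] ^ stored[ls ? i % ls : 0]);
    return diff == 0;
}

/* now = device uptime in seconds (assumed monotonic clock). */
enum login_result login_attempt(const char *user, const char *pass, uint32_t now)
{
    if (now < locked_until)
        return LOGIN_LOCKED;
    /* Check both fields every time; never branch on which one was wrong. */
    if (same_string(user, cfg_user) & same_string(pass, cfg_pass)) {
        failures = 0;
        return LOGIN_OK;
    }
    if (++failures >= MAX_FAILURES) {
        failures = 0;
        locked_until = now + LOCKOUT_SECS;
    }
    return LOGIN_DENIED;
}

/* One message for any bad credential, whichever field was wrong. */
const char *login_message(enum login_result r)
{
    if (r == LOGIN_OK)     return "Welcome";
    if (r == LOGIN_LOCKED) return "Too many attempts, try again later";
    return "Username or Password is incorrect";
}
```

During the lockout window even the correct password is refused, so a brute-force run gains nothing by continuing to guess.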
Poor Network Services
Devices that connect to a network obviously have network services running on them. Network services require open ports for transferring data or allowing users to connect to the device. During development, it is easy for developers to open many or all of the ports on a device for testing purposes. It is important for developers to secure any unused ports on a device to ensure that hackers are unable to gain unauthorized access via forgotten ports.
Buffer overflow occurs when a device (or program) receives more data than the memory it set aside can hold and writes the excess past the end of that space, thus causing it to perform unpredictably. Buffer overflow is a common vulnerability and can cause data to be leaked or unauthorized access to be granted. Buffer overflow and poor network services are a bad combination. A hacker may see that a port is open and start sending unexpected data to the device on the open port. Unless the program is expecting that data and knows what to do with it, it may act unpredictably and allow the hacker to gain access to protected information.
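An added example, not from the original article, of the bug described above inside a network service: a handler that copies a device name out of a received packet. The packet layout (one length byte followed by the name) and all names are constructed for illustration; the first function contains the overflow, the second adds the bounds checks that prevent it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed packet layout: byte 0 = claimed name length, then the name. */
struct device_cfg {
    char    name[16];  /* fixed-size buffer filled from the network */
    uint8_t armed;     /* stored right after it in memory */
};
struct device_cfg cfg = { "doorbell", 1 };

/* Vulnerable: trusts the length byte chosen by the sender. Any claimed
   length above 16 makes memcpy write past name[] into armed and beyond. */
void set_name_unsafe(const uint8_t *pkt, size_t pkt_len)
{
    (void)pkt_len;                      /* never consulted: part of the bug */
    memcpy(cfg.name, pkt + 1, pkt[0]);
}

/* Hardened: returns 0 on success, -1 if the packet is rejected. */
int set_name_safe(const uint8_t *pkt, size_t pkt_len)
{
    if (pkt == NULL || pkt_len < 1)
        return -1;
    size_t claimed = pkt[0];
    if (claimed > pkt_len - 1)          /* claims more bytes than arrived */
        return -1;
    if (claimed >= sizeof cfg.name)     /* would not fit, with room for '\0' */
        return -1;
    memcpy(cfg.name, pkt + 1, claimed);
    cfg.name[claimed] = '\0';
    return 0;
}

int main(void)
{
    const uint8_t good[] = { 5, 'p', 'o', 'r', 'c', 'h' };
    const uint8_t bad[]  = { 40, 'A', 'A', 'A', 'A' };  /* claims 40, sends 4 */
    int r_good = set_name_safe(good, sizeof good);
    int r_bad  = set_name_safe(bad, sizeof bad);
    printf("good=%d bad=%d name=%s armed=%u\n", r_good, r_bad, cfg.name, cfg.armed);
    return 0;
}
```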
Lack of Encryption
Number 4 on the list is lack of encryption. Any device that is transmitting data across the Internet (or even a local network) should encrypt it. Unencrypted data allows anyone using network sniffing tools to see what information is being transmitted, even if it is mundane (such as weather information). Unencrypted data is also subject to man-in-the-middle attacks and can be changed in transit. Fake data also can be injected into the stream to alter any stats that may be tracked.
A weather station located on the top of the building may give tenants more accurate and reliable weather information than a Web site or news report. However, if the weather station is sending the data in an unencrypted form, a "script kiddie" could manipulate the data and alter the weather report for the tenants. This is a silly example, but it is real world and can apply to any device.
Poor Physical Security
The last item on our list is poor physical security. Physical security is just as important for Internet of Things devices as is logical security. My first example was of the Ring Doorbell that has poor physical security by nature because it resides outside of a house and is meant for the public to interact with it. In addition, the logical security was not strong enough to make up for the poor physical security.
Assuming the IoT device is developed using a prototyping board similar to Arduino or Raspberry Pi, it means that anyone with physical access to the board can make any type of change that they want, as long as they are familiar with the technology. Depending on what purpose the device serves, a hacker can create their own firmware to be programmed on the device. A hacker could fabricate firmware that replicates the original but includes malicious features to report back to them or enable a backdoor for future exploits.
The top five vulnerabilities may seem like no-brainers for some developers; however, they are easily missed by DIYers or developers who put products into testing without ensuring their security and forget about it. Perhaps the data on the device itself has no importance, but it may open up an exploit to another device or your entire network. Protect your own and your family's private information and ensure you are securing your Internet of Things devices!