Security researchers have made it crystal clear over the years that most Internet of Things devices come with security standards so low that it’s no surprise that they’re quickly compromised. The blame does not always fall on the manufacturer, though, as users often fail to take the minimum precautions to make their gadgets more secure.
A report from the Open Web Application Security Project (OWASP) on the security of IoT devices shows the top 10 problems. The list is aimed particularly at manufacturers, but a couple of high-placed entries could help consumers make their gadgets less vulnerable.
OWASP’s top tip is getting rid of weak, guessable, or hardcoded passwords. While users can make sure they lock access to their device with a strong, unique password (or passphrase, if supported), manufacturers should not plant access credentials in the firmware or client software – someone will eventually find them and use them for their gain.
Ranking second are “unneeded or insecure network services running on the device itself,” with an emphasis on those that allow connection from the internet. OWASP is not explicit on this, but many devices come with active Telnet and Universal Plug and Play (UPnP) services. If the smart gadgets that have them turned on are also reachable from the internet, they become a target in just a matter of minutes.
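A quick way to check whether a device you own answers on either service from inside your own network, as an added example that is not part of the original article or of OWASP's report. It assumes the standard ports (Telnet on TCP 23, UPnP discovery via SSDP on UDP 1900); the function names are illustrative.

```python
import socket
import sys

TELNET_PORT = 23   # standard Telnet port (TCP)
SSDP_PORT = 1900   # UPnP discovery (SSDP) port (UDP)
M_SEARCH = ('M-SEARCH * HTTP/1.1\r\nHOST: {host}:{port}\r\n'
            'MAN: "ssdp:discover"\r\nMX: 1\r\nST: ssdp:all\r\n\r\n')

def tcp_service_open(host, port, timeout=2.0):
    """True if host accepts a TCP connection on port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, or unreachable
        return False

def parse_ssdp_headers(data):
    """Turn an SSDP reply into a dict keyed by lower-cased header name."""
    headers = {}
    for line in data.decode("latin-1").split("\r\n")[1:]:  # skip status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def ssdp_probe(host, port=SSDP_PORT, timeout=2.0):
    """Send one unicast discovery request; return reply headers or None."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(M_SEARCH.format(host=host, port=port).encode(), (host, port))
            data, _ = sock.recvfrom(4096)
        except OSError:  # no reply within the timeout, or port unreachable
            return None
    return parse_ssdp_headers(data)

def audit(host):
    """List which of the two services named in the article the device answers on."""
    findings = []
    if tcp_service_open(host, TELNET_PORT):
        findings.append("Telnet is accepting connections on TCP 23")
    reply = ssdp_probe(host)
    if reply is not None:
        findings.append("UPnP answers discovery (SERVER: %s)" % reply.get("server", "unknown"))
    return findings

if __name__ == "__main__":
    # Pass the LAN address of a device you own, e.g. 192.168.1.50 (constructed value)
    for finding in audit(sys.argv[1]) or ["No Telnet or UPnP response"]:
        print(finding)
```

A finding means the service is enabled on the device; whether it is also reachable from the internet depends on the router's port forwarding and UPnP settings, which this check does not cover.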
While a password is easy to change, disabling insecure or unneeded services involves tinkering with the configuration of the product. More often than not, users find it too complicated to locate and recognize the features that pose a risk. Many abandon the mission of getting stronger security due to the false belief they could not possibly become victims of a hacker.
“What could a hacker possibly do with my device?” Well, the always-on state and the internet connection are enough. From running bad traffic, to launching attacks on other systems, or just storing malware, IoT hardware is the perfect means to these ends. If it comes with the bonus of sensitive information, all the better.
The rest of the entries in OWASP’s 2018 list of security risks in IoT systems highlight issues on the maker’s side, which could be addressed in new firmware. For that to happen, though, an update mechanism that is also convenient for the user needs to exist. Unfortunately, such examples are few and typically from companies with plenty of resources. Such a benefit is also often reflected in the price of the product.
Image credit: kalhh