IoT Defense and Research

From a security standpoint, IoT has been called the "Internet of Insecurity" and similar names that reflect the current state of security in IoT devices and services. The road to this point is long and winding; over the course of one year we tested and evaluated multiple products and solutions to answer one question: how bad is it really?

Project Background

Before we get into the details, here is the background. This project was conducted under the Cyber Security Cooperation Program (CSCP) of Public Safety Canada. Its primary goal was to evaluate IoT technologies to better understand the risk involved in using or implementing them, and to help ensure that both Canadian users and businesses are protected. This included creating an IoT Grading Matrix and an Evaluator's Guide for each IoT market. IoT security is in its infancy and needs to be addressed. The intent of IoT security is to safeguard connected devices and the networks around them. There is no single way to mitigate the threats involved with IoT devices; every aspect of an IoT system must be evaluated.

Markets at Risk

Three distinct markets were identified in relation to IoT technology: Consumer Solutions, Business Solutions and Industrial Control Systems. All three of the markets investigated showed poor security insight in their design. Looking at all aspects of design, we found that many products attempted to secure network traffic but did not go far enough. Manufacturers also need to scrutinize their hardware components and their supply chains.

Consumer Solutions

Business Solutions

Industrial Control Systems

Findings

  • The firmware on the devices is not secured, and once access is gained it is very easy to introduce vulnerabilities.
  • Device tamper protection was non-existent.
  • It was simple to open up any of the consumer devices and gain access to the main board and all of its components.
  • After the devices were reassembled they functioned normally, and a change made to either the hardware or the software on the device would go undetected.
  • Authentication was simple on most devices. None of the devices tested implemented two-factor authentication, a simple yet effective way of securing the device and its data.

Mobile and Software Applications

Mobile and software applications have a plethora of vulnerabilities. They contain a significant amount of code, and if an application is not designed with security in mind it will be vulnerable. Previous mobile application testing we have performed demonstrated a variety of design flaws and vulnerabilities. Applications need to implement security from the start of the life cycle, and their designers need to be educated and experienced in secure software design; most times security is an afterthought. Mobile applications in particular need to be securely designed for each platform, whether iOS, Android or Windows Mobile. They cannot simply be ported to another operating system with the expectation that security follows.

Conclusion

The deficiencies found in devices and solutions across these three markets emphasize the need for guidance when designing, testing and selecting IoT services. We have created a matrix and an evaluator's guide to assist in the decision-making process. In doing so we hope to help consumers and manufacturers make better decisions when it comes to IoT.

Consumer IoT Security and Privacy Guide

Business IoT Security and Privacy Guide

Industrial IoT Security and Privacy Guide

Consumer IoT Security and Privacy Guide - French

Business IoT Security and Privacy Guide - French

Industrial IoT Security and Privacy Guide - French

Interested in what we’re doing?

Keep up to date with HiveSense and check out more exciting IoT projects being launched by the TwelveDot team.