Tackle IoT application security threats and vulnerabilities

Vulnerabilities of IoT applications

IoT applications suffer from various vulnerabilities that put them at risk of being compromised, including:

  • Weak or hardcoded passwords. Many passwords are easy to guess, publicly available or can’t be changed. Some IT staff don’t bother changing the default password that shipped with the device or software.
  • Lack of an update process or mechanism. IT admins unintentionally exclude many IoT apps and devices from updates because they are invisible on the network. Also, IoT devices may not even have an update mechanism incorporated into them due to age or purpose, meaning admins can’t update the firmware regularly.
  • Unsecured network services and ecosystem interfaces. Each IoT app connection has the potential to be compromised, either through an inherent vulnerability in the components themselves or because they’re not secured from attack. That includes any gateway, router, modem, external web app, API or cloud service connected to an IoT app.
  • Outdated or unsecured IoT app components. Many IoT applications use third-party frameworks and libraries when built. If they’re obsolete or have known vulnerabilities and aren’t validated when installed in a network, they could pose security risks.
  • Unsecured data storage and transfer. Different data types may be stored and transmitted between IoT applications and other connected devices and systems. All must be properly secured via Transport Layer Security or other protocols and encrypted as needed.

Threats to IoT applications

Threats to IoT applications fall into several general categories: spoofing, information disclosure, distributed denial of service (DDoS), tampering and elevation of service. Attackers typically use these threats as an entry point to a network and then move on to other areas to cause problems, such as stealing data, blocking connections or releasing ransomware.

IoT app threats
Four threats that target IoT app vulnerabilities.

Spoofing threats. Attackers intercept or partially override the data stream of an IoT device and spoof the originating device or system, which is also known as a man-in-the-middle attack. They intercept shared key information, control devices or observe sent data.

Information disclosure threats. Attackers eavesdrop on broadcasts to obtain information without authorization, jam the signal to deny information distribution or partially override the broadcast and replace it with false information. They then threaten to release or sell the data.

Tampering threats. Attackers can gain access to the firmware or OSes of the devices running an IoT app and then partially or completely replace it on the device. They then use the genuine device and application identities to access the network and other connected services. For example, SQL or XML injection attacks and DDoS attacks are tampering threats for IoT apps.

Elevation of privilege threats. Attackers use unsecured IoT apps to change the access control rules of the application to cause damage. For example, in an industrial or manufacturing environment, an attacker could force a valve to open all the way that should only open halfway in a production system and cause damage to the system or employees.

How to protect IoT applications

Protecting IoT applications isn’t a one-and-done activity. It requires planning, action and regular monitoring. Get started with these nine ways.

1. Learn the most likely threats

Threat modeling can identify, assess and prioritize the potential IoT app vulnerabilities. A model can suggest security activities that will ensure IT admins include IoT apps in overall security strategies. The model should continue to evolve and grow to reflect the state of the IoT app accurately.

2. Understand the risks

Not all risks are the same when it comes to IoT apps and an organization. Prioritize risks in order of concern and act accordingly. Many tech teams forget to align the risk with business scenarios and outcomes. A failure or breach in one IoT app may seem innocuous to IT but have serious financial implications for the company.

3. Update apps regularly

IT admins must deploy updates to IoT apps as quickly as possible to ensure the safety of the entire network. Use only approved and authenticated updates and, if updating apps over the air, use a VPN to encrypt all update data streams. Secure public key infrastructures (PKIs) can also authenticate devices and systems.

4. Secure the network

Firewalls, encryption and secure communication protocols protect IoT apps from unauthorized access. Regularly review the various standards, devices and communication protocols used on the network to ensure adequate security. Add IoT apps to any application security testing.

5. Enable strong authorization

Strong password protection is essential for IoT applications and that includes developing a secure password process for those creating passwords. Change the default passwords on IoT devices and apps and ensure they’re changed regularly. Deploying a two- or three-way authentication model with TLS communication protocols reduces the chances that authentication data can be compromised at any point.

6. Secure communication

Encrypting data between IoT devices, apps and back-end systems keeps data safe from attackers. That includes encrypting data at rest and in transit and adopting PKI security models to ensure both senders and receivers get authenticated on the system before transmitting.

7. Secure control applications

Applications and systems that have access to IoT apps should also be secured. When they are secure, it stops the client IoT system from being compromised by outside attacks and prevents it from propagating attacks downstream.

Not applying the same level of security measures to each component of IoT deployments can lead to problems beyond the individual device or application.

 

8. Secure API integrations

APIs are often used to push and pull data between applications and systems. They are another way for attackers to connect to IoT apps and cause problems. Only authorized devices and applications must communicate with APIs, making it easier to detect threats and attacks immediately. IT admins must also use API version management with old or redundant versions identified and removed regularly.

9. Monitor IoT apps

Monitoring IoT apps is the final step in protecting them. Ensure they’re tested and scanned like the rest of the network to get alerts and address IoT security issues quickly.

IoT devices and applications pose a significant risk to organizations today. With hundreds or even thousands of devices connected to an enterprise network, not applying the same level of security measures to each component of IoT deployments can lead to problems beyond the individual device or application.

S.No Vulnerability Exploit
1. Vulnerability is a weakness in a system that can be exploited. Exploit is a tool that can be used to take advantage of a vulnerability.
2. Vulnerabilities can exist without being exploited. Exploits are created through the use of vulnerabilities.
3. Vulnerabilities can be exploited for a variety of purposes. Exploits are often used to execute malicious code.
4. Vulnerabilities can remain open and potentially exploitable. Exploits are often patched by software vendors once they are made public.
5. Vulnerability can allow the attacker to manipulate the system Exploits take the form of software or code which helps us to take control of computers and steal network data
6. Vulnerability can cause by complexity, connectivity, poor password management, Operating system flaws, Software Bugs, etc. Exploits are designed to provide super user-level access to a computer system.

 

Analysis of a cyberattack.

a. Who were the victims of the attacks?
b. What technologies and tools were used in the attack?
c. When did the attack happen within the network?
d. What systems were targeted?
e. What was the motivation of the attackers in this case? What did they hope to achieve?
f. What was the outcome of the attack? (stolen data, ransom, system damage, etc

 

A malware attack is a common cyberattack where malware (normally malicious software) executes unauthorized actions on the victim’s system. The malicious software (a.k.a. virus) encompasses many specific types of attacks such as ransomware, spyware, command and control, and more.

Criminal organizations, state actors, and even well-known businesses have been accused of (and, in some cases, caught) deploying malware. Like other types of cyber attacks, some malware attacks end up with mainstream news coverage due to their severe impact.

There are three main types of malware attack vectors:

  • Trojan Horse: This is a program which appears to be one thing (e.g. a game, a useful application, etc.) but is really a delivery mechanism for malware. A trojan horse relies on the user to download it (usually from the internet or via email attachment) and run it on the target.
  • Virus: A virus is a type of self-propagating malware which infects other programs/files (or even parts of the operating system and/or hard drive) of a target via code injection. This behavior of malware propagation through injecting itself into existing software/data is a differentiator between a virus and a trojan horse (which has purposely built malware into one specific application and does not make attempts to infect others).
  • Worm: Malware designed to propagate itself into other systems is a worm. While virus and trojan horse malware are localized to one infected target system, a worm actively works to infect other targets (sometimes without any interaction on the user’s behalf).

 

Security Operations Center (SOC)

The major elements of a SOC, are people, processes, and technologies.

  • Tier 1 Alert Analyst – These professionals monitor incoming alerts, verify that a true incident has occurred, and forward tickets to Tier 2, if necessary.
  • Tier 2 Incident Responder– These professionals are responsible for deep investigation of incidents and advise remediation or action to be taken.
  • Tier 3 Threat Hunter – These professionals have expert-level skill in network, endpoint, threat intelligence, and malware reverse engineering. They are experts at tracing the processes of the malware to determine its impact and how it can be removed. They are also deeply involved in hunting for potential threats and implementing threat detection tools. Threat hunters search for cyber threats that are present in the network but have not yet been detected.
  • SOC Manager – This professional manages all the resources of the SOC and serves as the point of contact for the larger organization or customer.

 

SIEM systems are used for collecting and filtering data, detecting and classifying threats, and analyzing and investigating threats.

 

SIEM and security orchestration, automation and response (SOAR) are often paired together as they have capabilities that complement each other.

Metrics or Key performance indicators (KPI) define SOC performance.

five metrics are commonly used as SOC metrics

  • Dwell Time – the length of time that threat actors have access to a network before they are detected, and their access is stopped.
  • Mean Time to Detect (MTTD) – the average time that it takes for the SOC personnel to identify valid security incidents have occurred in the network.
  • Mean Time to Respond (MTTR) – the average time that it takes to stop and remediate a security incident.
  • Mean Time to Contain (MTTC) – the time required to stop the incident from causing further damage to systems or data.
  • Time to Control – the time required to stop the spread of malware in the network.