Top 10 IoT Vulnerabilities


Remember that brand new thermostat you bought?  You know, the one you can control from your smartphone?  What if I told you that the thermostat, or any other IoT smart device, is the reason a hacker was able to obtain all of your sensitive personal information?  As the world transitions to smart homes and businesses, the new technologies advance faster than the security measures that protect them.  Drawing on the Open Web Application Security Project (OWASP) IoT Top 10, here are the ten vulnerabilities you can look for to secure your network.


1. Weak, Guessable, or Hardcoded Passwords

Most IoT devices ship with default passwords and login credentials.  If left unchanged, an attacker can find those credentials with a quick internet search.  With them, the attacker logs into your device, gains access to your network, and escalates their privileges.  Worse, some default credentials cannot be changed at all.  And even if the default logins cannot be found online, weak ones are easily brute-forced.
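Two device-side controls follow directly from this item: refuse to keep a vendor default or a weak password, and throttle repeated failed logins so that online guessing is slow. The Go program below is an added example written for this article, not code from OWASP or from any product; the default-credential table is a constructed sample, and the policy numbers (12 characters, three character classes, five failures per minute) are assumptions a deployer would tune.

```go
package main

import (
	"fmt"
	"strings"
	"time"
	"unicode"
)

// defaultCredentials is a constructed sample of vendor default logins of the
// kind printed in product manuals. The entries are illustrative only.
var defaultCredentials = map[string][]string{
	"admin":   {"admin", "password", "1234", "12345"},
	"root":    {"root", "admin", "default"},
	"user":    {"user"},
	"support": {"support"},
}

// CheckCredential returns the policy violations for a username/password pair.
// An empty result means the pair is acceptable.
func CheckCredential(username, password string) []string {
	var findings []string
	u := strings.ToLower(strings.TrimSpace(username))
	for _, p := range defaultCredentials[u] {
		if p == password {
			findings = append(findings, "password is a known vendor default for this account")
			break
		}
	}
	if len(password) < 12 {
		findings = append(findings, "password is shorter than 12 characters")
	}
	if u != "" && strings.Contains(strings.ToLower(password), u) {
		findings = append(findings, "password contains the username")
	}
	var upper, lower, digit, other bool
	for _, r := range password {
		switch {
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsLower(r):
			lower = true
		case unicode.IsDigit(r):
			digit = true
		default:
			other = true
		}
	}
	classes := 0
	for _, present := range []bool{upper, lower, digit, other} {
		if present {
			classes++
		}
	}
	if classes < 3 {
		findings = append(findings, "password uses fewer than three character classes")
	}
	return findings
}

// Throttle is the device-side counter to online guessing: once maxFailures
// failed attempts fall within window, further attempts on that account are
// refused. A real device would persist these counters across reboots.
type Throttle struct {
	maxFailures int
	window      time.Duration
	failures    map[string][]time.Time
}

func NewThrottle(maxFailures int, window time.Duration) *Throttle {
	return &Throttle{maxFailures: maxFailures, window: window, failures: map[string][]time.Time{}}
}

// Allowed reports whether a login attempt on account may proceed at time now.
func (t *Throttle) Allowed(account string, now time.Time) bool {
	var recent []time.Time
	for _, ts := range t.failures[account] {
		if now.Sub(ts) < t.window {
			recent = append(recent, ts)
		}
	}
	t.failures[account] = recent // drop failures that aged out of the window
	return len(recent) < t.maxFailures
}

// RecordFailure notes one failed attempt on account at time now.
func (t *Throttle) RecordFailure(account string, now time.Time) {
	t.failures[account] = append(t.failures[account], now)
}

func main() {
	for _, pair := range [][2]string{{"admin", "admin"}, {"admin", "Xq7#mVt2!pLw9zRb"}} {
		fmt.Printf("%s / %s -> %v\n", pair[0], pair[1], CheckCredential(pair[0], pair[1]))
	}
	th := NewThrottle(5, time.Minute)
	now := time.Now()
	for i := 0; i < 6; i++ {
		fmt.Println("attempt", i+1, "allowed:", th.Allowed("admin", now))
		th.RecordFailure("admin", now)
	}
}
```

The lockout is keyed per account and expires on its own, so a legitimate user who mistypes a few times is delayed rather than permanently locked out, while a guessing campaign is held to a handful of attempts per minute.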


2. Insecure Network Services

Every feature built into a device is another potential access point for an attacker.  Many IoT devices come with features the user never needs; if a feature is not in use, it should be disabled to keep the attack surface to a minimum.  Furthermore, manufacturers usually invest in building these features but fail to ensure their security.
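Auditing a device for unneeded services comes down to comparing what is listening against what the device actually needs. The Go program below is an added example for this article, not code from OWASP or any vendor: it reads a constructed socket inventory in a simple `proto addr:port process` format (not the output of any real tool), checks it against a policy of required and loopback-only ports for a hypothetical thermostat, and reports every service the policy does not justify.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"strconv"
	"strings"
)

// ListeningService is one row of a device's listening-socket inventory.
type ListeningService struct {
	Proto   string // "tcp" or "udp"
	Addr    string // bind address; 0.0.0.0 or :: means every interface
	Port    int
	Process string
}

// ParseInventory reads the constructed format "<proto> <addr>:<port> <process>",
// one socket per line. Blank lines and # comments are skipped.
func ParseInventory(text string) ([]ListeningService, error) {
	var out []ListeningService
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) != 3 {
			return nil, fmt.Errorf("malformed line %q", line)
		}
		host, portStr, err := net.SplitHostPort(fields[1])
		if err != nil {
			return nil, fmt.Errorf("bad address in %q: %w", line, err)
		}
		port, err := strconv.Atoi(portStr)
		if err != nil {
			return nil, fmt.Errorf("bad port in %q: %w", line, err)
		}
		out = append(out, ListeningService{Proto: fields[0], Addr: host, Port: port, Process: fields[2]})
	}
	return out, sc.Err()
}

// Policy lists what the device needs: required ports with the process expected
// to own them, and ports that may exist only on the loopback interface.
type Policy struct {
	Required  map[int]string
	LocalOnly map[int]bool
}

func isLoopback(addr string) bool {
	ip := net.ParseIP(addr)
	return ip != nil && ip.IsLoopback()
}

// Audit returns one finding per listening service the policy does not justify.
func Audit(services []ListeningService, p Policy) []string {
	var findings []string
	for _, s := range services {
		switch {
		case p.Required[s.Port] == s.Process:
			// expected service owned by the expected process
		case p.Required[s.Port] != "":
			findings = append(findings, fmt.Sprintf("port %d owned by %s, expected %s", s.Port, s.Process, p.Required[s.Port]))
		case p.LocalOnly[s.Port] && isLoopback(s.Addr):
			// local-only service correctly bound to loopback
		case p.LocalOnly[s.Port]:
			findings = append(findings, fmt.Sprintf("port %d (%s) must bind to loopback, bound to %s", s.Port, s.Process, s.Addr))
		default:
			findings = append(findings, fmt.Sprintf("%s port %d (%s) is not needed: disable it", s.Proto, s.Port, s.Process))
		}
	}
	return findings
}

// sampleInventory is a constructed listing for a hypothetical thermostat.
const sampleInventory = `
# proto addr:port process
tcp 0.0.0.0:443 thermostat-api
tcp 0.0.0.0:23 telnetd
tcp 0.0.0.0:22 dropbear
udp 0.0.0.0:1900 upnpd
tcp 127.0.0.1:8080 localconfig
`

// thermostatPolicy: only the HTTPS API is required; the local configuration
// service is tolerated on loopback; everything else should be disabled.
var thermostatPolicy = Policy{
	Required:  map[int]string{443: "thermostat-api"},
	LocalOnly: map[int]bool{8080: true},
}

func main() {
	services, err := ParseInventory(sampleInventory)
	if err != nil {
		panic(err)
	}
	for _, f := range Audit(services, thermostatPolicy) {
		fmt.Println(f)
	}
}
```

Run against the sample, the audit flags telnet, SSH and UPnP as services the thermostat does not need, accepts the HTTPS API, and accepts the configuration service only because it is bound to 127.0.0.1; the same inventory format can be produced from any platform's socket listing.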


3. Insecure Ecosystem Interfaces

The ecosystem around the IoT device can also be the path to a breach.  Whether it is a backend system, the cloud, or a web application, if an attacker breaches any part of that ecosystem, they gain access to the IoT devices connected to it.


4. Lack of Secure Update Mechanism

Like a regular PC or desktop, IoT devices receive firmware and system updates.  However, IoT devices lack the ability to securely obtain and apply those manufacturer updates, which means an attacker can potentially install a malicious update.  Furthermore, if the user receives no notification of security-relevant changes, how is the user ever to know whether the device is secure?
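A secure update mechanism needs three checks on the device: the update metadata is signed by the vendor, the version is newer than what is installed (so an old, vulnerable release cannot be pushed back on), and the image matches the hash the signature covers. The Go program below is an added example for this article, not OWASP's or any vendor's code; the manifest layout, the Ed25519 key pair, and the firmware bytes are all constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is the signed metadata a device checks before flashing an image.
type Manifest struct {
	Version   uint32   // must increase with every release; drives rollback protection
	ImageHash [32]byte // SHA-256 of the firmware image
}

// Bytes serialises the manifest deterministically so the signature covers
// exactly these fields and nothing else.
func (m Manifest) Bytes() []byte {
	buf := make([]byte, 4+32)
	binary.BigEndian.PutUint32(buf[:4], m.Version)
	copy(buf[4:], m.ImageHash[:])
	return buf
}

// GenerateVendorKeys stands in for the vendor's key ceremony (constructed here).
func GenerateVendorKeys() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// NewManifest is the build-pipeline side: hash the image and bind it to a version.
func NewManifest(version uint32, image []byte) Manifest {
	return Manifest{Version: version, ImageHash: sha256.Sum256(image)}
}

// SignManifest is done by the vendor with a private key that never leaves the
// build infrastructure.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.Bytes())
}

// Device models the verifying side: the vendor public key is burned in at
// manufacture and the installed version lives in tamper-resistant storage.
type Device struct {
	VendorKey        ed25519.PublicKey
	InstalledVersion uint32
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrRollback     = errors.New("update is not newer than the installed version")
	ErrImageHash    = errors.New("image does not match the signed hash")
)

// VerifyUpdate checks the signature first, then the version, then the image,
// and records the new version only when every check passes. Verifying the
// signature first means unsigned data never influences the later decisions.
func (d *Device) VerifyUpdate(m Manifest, sig, image []byte) error {
	if !ed25519.Verify(d.VendorKey, m.Bytes(), sig) {
		return ErrBadSignature
	}
	if m.Version <= d.InstalledVersion {
		return ErrRollback
	}
	if sha256.Sum256(image) != m.ImageHash {
		return ErrImageHash
	}
	d.InstalledVersion = m.Version
	return nil
}

func main() {
	pub, priv, err := GenerateVendorKeys()
	if err != nil {
		panic(err)
	}
	dev := &Device{VendorKey: pub, InstalledVersion: 1}
	image := []byte("firmware v2 image bytes (constructed)")
	m := NewManifest(2, image)
	sig := SignManifest(priv, m)
	tampered := append([]byte{}, image...)
	tampered[0] ^= 1
	fmt.Println("tampered image:", dev.VerifyUpdate(m, sig, tampered))
	fmt.Println("genuine v2:    ", dev.VerifyUpdate(m, sig, image))
	fmt.Println("replayed v2:   ", dev.VerifyUpdate(m, sig, image))
}
```

The user-notification point in the paragraph is the natural hook for logging: a real device would record each accepted or rejected manifest, with its version and the reason for rejection, so the owner can see what changed and when.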


5. Use of Insecure or Outdated Components

Since manufacturers invest mainly in usability rather than security, they build their devices on insufficiently secured hardware and software.  This ranges from the hardware the device is built on to the operating system and software that run it.  Insecure or outdated components raise the likelihood of an attacker breaching the system.


6. Insufficient Privacy Protection

If the IoT device stores user information, that data is generally mishandled.  A user’s personal data can be stored improperly or used in an insecure environment.  Additionally, the device may process personal information without the user’s permission.

7. Insecure Data Transfer and Storage

When the IoT device needs to transmit a user’s personal information, it sends the data without any protection.  Whether the device stores or transmits the data, with no encryption or access control applied to it, an attacker gets free access to the information.


8. Lack of Device Management

Manufacturers tend to invest most of their money in the usability and convenience of an IoT device.  Most of the time they ignore investing any resources in security functions during production.  These functions include, but are not limited to: asset management, update management, secure decommissioning, system monitoring, and response capabilities.


9. Insecure Default Settings

Devices ship from the production line with default system settings.  Often, however, the device gives the user no way to control or change those settings.  Without the ability to configure them, users cannot adapt the device’s security to the environment they deploy it in.


10. Lack of Physical Hardening

When shipped, IoT devices can lack any physical hardening controls.  An attacker with physical access to the device can install back doors or even malware to assist in future attacks.  Additionally, without physical hardening, an attacker can gain remote access to and control of the IoT device.


Source: OWASP


Staying aware of your network environment can be the first step in staying secure.  By watching for these top 10 IoT device vulnerabilities, anyone can securely deploy a new device on their network.


Cyber Protection Group wishes everyone a safe and secure day!