VOLUME 97

   ISSUE 97

29 August 2019

Article of the Month   Around the World

 

CONNECTED DEVICE SECURITY IN IOT

 

IoT stands for Internet of Things. The concept is simply to extend the power of the internet beyond smartphones and computers to a whole range of other devices, such as everyday electronic objects (e.g. wearable devices, sensors). The internet gives us all sorts of benefits that were not possible before. In earlier days mobile phones were used only for making calls or texting, but now we can use them to connect to the internet and do incredible things like watching videos, reading books or paying our bills. The point is that we gain great benefits by connecting devices to the internet. Being connected to the internet means a device can send or receive information and data. IoT brings internet connectivity to computing and mechanical devices, objects, and even animals or people; each object or device is given a unique identifier and the ability to transfer information automatically over the network. But, as we all know, enabling a connection to the internet without proper security creates serious vulnerabilities.

 
There are many security frameworks and technologies that organizations use when creating and deploying IoT devices, and this area is still under development. Given the current state of IoT security, potential issues can be identified and mitigated in a better way.[1] Ultimately they can be categorized into six main categories.

IoT Vulnerabilities

From vendors and enterprises to users and consumers, everyone is concerned that the security of their IoT devices could be compromised. With the Internet of Things we must be prepared for new attacks that can happen at any time unless we implement the required security procedures. To give manufacturers, developers and users a better understanding of security vulnerabilities, OWASP (Open Web Application Security Project) releases a top 10 vulnerabilities list annually. OWASP is an online community that produces free articles, documentation and tools in the field of web application security.

According to their updated top 10 IoT vulnerabilities list for 2018[1], hardcoded or weak passwords and insecure network services are the most common threats to IoT devices. The following are some critical vulnerabilities in the IoT industry.

 

 

Weak, guessable/hardcoded passwords
If someone obtains the password, they can access the data on the device and change the information as they want. There are multiple ways an attacker can get the password (e.g. social engineering, network intrusion), and there are many attack types, such as brute force attacks, offline dictionary attacks, and backdoors in firmware or client software that can grant unauthorized access to systems.

Insecure network services
This vulnerability can result in data loss or corruption. Insecure network services running on the device itself (those connected to the internet) compromise authenticity, availability and confidentiality.


Lack of security update mechanisms
This includes lack of firmware validation, secure delivery issues, lack of anti-rollback mechanisms and lack of security changes due to updates. If software updates are not digitally signed, or the signature is not validated, an attacker can replace the update files with malware.
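
The device-side check implied above (validate the signature, then refuse rollbacks), as an added example that is not from the original article. Ed25519, the Update layout and all function names are assumptions chosen for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update is a hypothetical package format: image, version, vendor signature.
type Update struct {
	Version          uint64
	Image, Signature []byte
}

var ErrBadSignature = errors.New("rejected: signature does not verify")
var ErrRollback = errors.New("rejected: version is not newer than installed")

// signedBytes binds the version to the image hash so neither can be swapped alone.
func signedBytes(version uint64, image []byte) []byte {
	digest := sha256.Sum256(image)
	return binary.BigEndian.AppendUint64(digest[:], version)
}

// Sign runs on the vendor's build server; the private key never ships.
func Sign(priv ed25519.PrivateKey, version uint64, image []byte) Update {
	return Update{version, image, ed25519.Sign(priv, signedBytes(version, image))}
}

// VerifyUpdate runs on the device before anything is written to flash.
func VerifyUpdate(pub ed25519.PublicKey, installed uint64, u Update) error {
	if !ed25519.Verify(pub, signedBytes(u.Version, u.Image), u.Signature) {
		return ErrBadSignature
	}
	if u.Version <= installed { // anti-rollback: refuse old but validly signed images
		return ErrRollback
	}
	return nil
}

func Demo() [3]error { // three constructed updates against a device on version 4
	pub, priv, _ := ed25519.GenerateKey(nil) // throwaway key for the example
	good, old := Sign(priv, 5, []byte("firmware v5")), Sign(priv, 3, []byte("firmware v3"))
	swapped := Update{good.Version, []byte("malware"), good.Signature}
	return [3]error{VerifyUpdate(pub, 4, good), VerifyUpdate(pub, 4, old), VerifyUpdate(pub, 4, swapped)}
}

func main() { fmt.Println(Demo()) }
```

The old image carries a genuine vendor signature and is still refused, which is the case a signature check alone would miss.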


Use of insecure or outdated components
Use of insecure components/libraries, operating system platforms and third-party software or hardware components could allow the device to be compromised.


Insufficient privacy protection
Some IoT devices store users' personal information, such as health reports, in the ecosystem. If that ecosystem uses improper security, the confidentiality and integrity of the user's data are at risk.


Insecure data transfer and storage
Encryption is often used to store critical information, but a lack of encryption for sensitive data, whether at rest, in transit or during processing, lets an attacker obtain the data more easily. Manufacturers must make sure that their device encrypts the correct data, that they have proper key management, and that sensitive data cannot be overwritten.


Lack of physical hardening
A lack of physical hardening allows potential attackers to gain information that can help them attack remotely or take control of the device or system.
 

Mitigation

Mitigation methods are important because the number of challenges is increasing day by day due to security issues. Basically, they can be divided into three parts: hardware and network devices security, security gateways, patches and updates, integrating terms and consumer education.


There are several options to protect hardware and network devices, and security gateways, patches and updates. But first of all, it is important to educate consumers. If not, all the technical methods fail, as human errors are difficult to overcome.


Use strong passwords. Most manufacturers ship devices with a default password, and consumers forget to change it or do not change it. So consumers need to be educated about this and encouraged to set strong passwords according to password policies. Also, do not use hardcoded passwords.


In the future, IoT needs will increase and new solutions will be innovated for consumers. In that situation, IoT security vulnerabilities may increase a lot. Users must be practiced in the relevant security methods, and devices should be kept up to date with reliable patches. Manufacturers will be required to grow their security and provide stakeholders with a fast, reliable connectivity service. Governments and security-related organizations must put new security rules in place and develop modern frameworks. Finally, with those practices consumers can operate trusted services and consume a consistent service.
 

By:

Supushpitha Atapattu

Supushpitha is an undergraduate at the Sri Lanka Institute of Information Technology, Faculty of Computing, currently following a Bachelor of Science honours degree specializing in cyber security. He is currently working as an Intern - Information Security Engineer at Sri Lanka CERT|CC.

References

1. Statistics on the Internet growth in Sri Lanka
http://www.trc.gov.lk/images/pdf/statis_sep_2012.doc
2. The Dragon Research Group (DRG)
http://www.dragonresearchgroup.org/
3. TSUBAME (Internet threat monitoring system) from JPCERT | CC
https://www.jpcert.or.jp/english/tsubame/
4. Shadowserver Foundation
http://www.shadowserver.org/wiki/
5. Team Cymru
http://www.team-cymru.com

   
  VA, IBM Unveil AI-Powered Mental Fitness App to Help Vets Transitioning to Civilian Life
   

   

"...The Veterans Affairs Department and IBM unveiled a new mobile application—called “Get Results in Transition”—specifically designed to help veterans, reservists and other service members better understand and boost their mental fitness and overall well-being..."

 

Microsoft warns of new BlueKeep‑like flaws

   

"...“An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” reads the advisory that is common to all four flaws..."

 

Six Hackers Have Now Pocketed $1M From Bug Bounty Programs

   

"...Six hackers in total have each now pocketed more than $1 million from finding vulnerabilities in bug-bounty programs – including one from the U.S. That figure comes as more bug-bounty programs bump up their rewards due to participants finding more high-severity vulnerabilities in their platforms, according to a new HackerOne report..."

6 ways cybercriminals use commercial infrastructure

   

   

"...When it comes to cybercriminal infrastructure, the dark web gets the glory with its secret criminal marketplaces, illegal money laundering services and botnets as a service. Criminals also get a lot of what they need from legitimate commercial infrastructure providers..."

Breaker, breaker. Apple's iOS 12.4 update breaks jailbreak break, un-breaks the break. 10-4

   

"...iPhone hackers have discovered Apple's most recent iOS update, 12.4, released in July, accidentally reopened a code-execution vulnerability that was previously patched – a vulnerability that can be abused to jail-break iThings..."

Month in Brief
Facebook Incidents Reported to Sri Lanka CERT|CC in July 2019
   

   

  Statistics - Sri Lanka CERT|CC
 

TikTok Scammers Cash In On Adult Dating, Impersonation Tricks

"...As social media platform TikTok becomes the top App Store download in 2019 – and the number three app download on Google Play and on platforms overall – scammers are looking to cash in on the troves of younger users of the popular platform..."

Botnet targets set-top boxes using Android OS

"...Not for the first time, cybercriminals are targeting an important part of Android’s core software called the Android Debug Bridge (ADB).

Normally the only people who pay any attention to the ADB are developers and device makers who use it as a terminal for debugging purposes..."

Google Uncovers How Just Visiting Some Sites Were Secretly Hacking iPhones For Years

"...The story goes back to a widespread iPhone hacking campaign that cybersecurity researchers from Google's Project Zero discovered earlier this year in the wild, involving at least five unique iPhone exploit chains capable of remotely jailbreaking an iPhone and implanting spyware on it..."

This Bluetooth Security Flaw Affects Tons of Devices

"...David Starobinski and Johannes Becker, researchers from Boston University, uncovered that popular Bluetooth devices including iPhones, iPads, Apple Watches, and FitBits—and workplace essentials including MacBooks and Microsoft tablets and laptops—have a flaw that exposes device users to the risk of being tracked by unwanted adversaries..."

 
Notice Board
   

Training and Awareness Programmes - February  2019

   