Barracuda Networks’ Fleming Shi provides some tips to both manufacturers and consumers
IoT devices were popular gifts again this holiday season. An acronym for internet of things, IoT is more than a buzzword. The trend represents a huge shift in how products are made and used, as network connectivity is added to products that were not previously intended to have this functionality. So, your refrigerator that sends you a text message when you're out of milk: IoT. Your thermostat that provides usage graphs on your phone: yep, IoT. Basically, any consumer device capable of connecting to a network other than a computer, phone, tablet, or router is considered an IoT device.
Security has been a big concern with IoT devices, though. Although improvements have been made, new types of vulnerabilities remain. For example, IoT credential compromise.
Attackers can use vulnerabilities in the web applications and mobile applications used by certain IoT devices to acquire credentials, which can then be used to view the video feed, set/receive/delete alarms, remove saved video clips from cloud storage, and read account information. Attackers can also use the credentials to push their own firmware update to the device, changing its functionality and using the compromised device to attack other devices on the same network.
To illustrate this threat, the Barracuda Labs team recently conducted research on a connected security camera and identified multiple vulnerabilities in the camera’s web app and mobile app ecosystem. The team managed to compromise an IoT device without any direct connection to the device itself.
This makes life easier for attackers. No more scanning on Shodan for vulnerable devices. Instead, the attack will be performed against the vendor’s infrastructure. It’s a threat that could affect other types of IoT devices as well, regardless of their function, because it takes advantage of the way the device communicates with the cloud.
After all, bugs are not inherent to products, rather to processes, skills, and awareness of the developers. As access and access controls for IoT devices shifted to cloud services, so did the vulnerabilities, making possible the types of attacks uncovered by the Barracuda Labs team.
Lessons for IoT manufacturers
Vendors creating IoT solutions need to protect all aspects of the applications used to run those devices.
Firstly, a web application firewall, one of the most critical protections IoT vendors need to put in place, is designed to protect servers from HTTP traffic at layer 7. Manufacturers also need to ramp up protection against network layer attacks and phishing.
Secondly, cloud security is important as it provides visibility, protection, and remediation of IoT applications and the infrastructures they run on. The potential for lateral-movement exposure is large and complex, so taking proper security precautions is key.
How to protect yourself as a consumer
1. Research the device manufacturer
2. Look for existing vulnerabilities in a vendor’s other devices
3. Evaluate responses to past vulnerabilities
Unfortunately, the amount of information available about the security posture of IoT devices is astonishingly low. Ideally, we need to get a world where IoT products are all scored with a safety rating, just like cars. Consumers should be informed before they invest in IoT devices.
Fleming Shi is the chief technology officer at Barracuda Networks