SECURITY


Tackle IoT application security threats and vulnerabilities

IoT devices might seem too small or specialized to pose a risk to enterprises,
but that couldn't be further from the truth.

IoT devices are network-connected, general-purpose computers that can be
hacked and hijacked by criminals, leading to problems beyond IoT security.

Even if an organization has locked down the physical devices and enacted basic
IoT security measures, systems remain vulnerable. Many cybersecurity experts
forget IoT application security when designing a security strategy.

Gartner estimates there will be approximately 25 billion IoT connections by
2025, making each IoT sensor, endpoint, connection, network layer and UI a
vulnerability for enterprises using them. IoT application security presents a
massive area of vulnerability and one in which organizations should consider
making equal investments from now on.

Vulnerabilities of IoT applications


IoT applications suffer from various vulnerabilities that put them at risk of
being compromised, including:

- Weak or hardcoded passwords. Many passwords are easy to guess,
publicly available or can't be changed. Some IT staff don't bother changing
the default password that shipped with the device or software.
- Lack of an update process or mechanism. IT admins unintentionally
exclude many IoT apps and devices from updates because they are invisible
on the network. Also, IoT devices may not even have an update mechanism
incorporated into them due to age or purpose, meaning admins can't update
the firmware regularly.
- Unsecured network services and ecosystem interfaces. Each IoT app
connection has the potential to be compromised, either through an inherent
vulnerability in the components themselves or because they're not secured
from attack. That includes any gateway, router, modem, external web app,
API or cloud service connected to an IoT app.
- Outdated or unsecured IoT app components. Many IoT applications use
third-party frameworks and libraries when built. If they're obsolete or have
known vulnerabilities and aren't validated when installed in a network, they
could pose security risks.
- Unsecured data storage and transfer. Different data types may be stored
and transmitted between IoT applications and other connected devices and
systems. All must be properly secured via Transport Layer Security or other
protocols and encrypted as needed.

Threats to IoT applications

Threats to IoT applications fall into several general categories: spoofing,
information disclosure, distributed denial of service (DDoS), tampering and
elevation of privilege. Attackers typically use these threats as an entry point to a
network and then move on to other areas to cause problems, such as stealing
data, blocking connections or releasing ransomware.

(Figure: Four threats that target IoT app vulnerabilities.)

Spoofing threats. Attackers intercept or partially override the data stream of an
IoT device and spoof the originating device or system, which is also known as a
man-in-the-middle attack. They intercept shared key information, control
devices or observe sent data.

Information disclosure threats. Attackers eavesdrop on broadcasts to obtain
information without authorization, jam the signal to deny information
distribution or partially override the broadcast and replace it with false
information. They then threaten to release or sell the data.

Tampering threats. Attackers can gain access to the firmware or OSes of the
devices running an IoT app and then partially or completely replace it on the
device. They then use the genuine device and application identities to access the
network and other connected services. For example, SQL or XML injection
attacks and DDoS attacks are tampering threats for IoT apps.

Elevation of privilege threats. Attackers use unsecured IoT apps to change the
access control rules of the application to cause damage. For example, in an
industrial or manufacturing environment, an attacker could force a valve to open
all the way that should only open halfway in a production system and cause
damage to the system or employees.

How to protect IoT applications


Protecting IoT applications isn't a one-and-done activity. It requires planning,
action and regular monitoring. Get started with these nine ways.

1. Learn the most likely threats


Threat modeling can identify, assess and prioritize the potential IoT app
vulnerabilities. A model can suggest security activities that will ensure IT
admins include IoT apps in overall security strategies. The model should
continue to evolve and grow to reflect the state of the IoT app accurately.

2. Understand the risks


Not all risks are the same when it comes to IoT apps and an organization.
Prioritize risks in order of concern and act accordingly. Many tech teams forget
to align the risk with business scenarios and outcomes. A failure or breach in
one IoT app may seem innocuous to IT but have serious financial implications
for the company.

3. Update apps regularly


IT admins must deploy updates to IoT apps as quickly as possible to ensure the
safety of the entire network. Use only approved and authenticated updates and,
if updating apps over the air, use a VPN to encrypt all update data streams.
Secure public key infrastructures (PKIs) can also authenticate devices and
systems.

4. Secure the network


Firewalls, encryption and secure communication protocols protect IoT apps
from unauthorized access. Regularly review the various standards, devices and
communication protocols used on the network to ensure adequate security. Add
IoT apps to any application security testing.

5. Enable strong authorization


Strong password protection is essential for IoT applications and that includes
developing a secure password process for those creating passwords. Change the
default passwords on IoT devices and apps and ensure they're changed
regularly. Deploying a two- or three-way authentication model with TLS
communication protocols reduces the chances that authentication data can be
compromised at any point.

6. Secure communication

Encrypting data between IoT devices, apps and back-end systems keeps data
safe from attackers. That includes encrypting data at rest and in transit
and adopting PKI security models to ensure both senders and receivers get
authenticated on the system before transmitting.

7. Secure control applications


Applications and systems that have access to IoT apps should also be secured.
When they are secure, it stops the client IoT system from being compromised
by outside attacks and prevents it from propagating attacks downstream.

8. Secure API integrations


APIs are often used to push and pull data between applications and systems.
They are another way for attackers to connect to IoT apps and cause problems.
Only authorized devices and applications must communicate with APIs, making
it easier to detect threats and attacks immediately. IT admins must also use API
version management with old or redundant versions identified and removed
regularly.

9. Monitor IoT apps


Monitoring IoT apps is the final step in protecting them. Ensure they're tested
and scanned like the rest of the network to get alerts and address IoT security
issues quickly.

IoT devices and applications pose a significant risk to organizations today. With
hundreds or even thousands of devices connected to an enterprise network, not
applying the same level of security measures to each component of IoT
deployments can lead to problems beyond the individual device or application.

Cryptography and Security in the Internet of Things


Cryptography is the process of securing information by transforming the
information into a secure format and vice versa. In other words, encrypting and
decrypting the information to secure it. First, let's look at the security issues
in IoT in order to understand the role of cryptography in securing IoT devices.

IoT Architecture

In short, IoT has three layers of architecture: the Perception layer, the
Network layer, and the Application layer.

- The Perception layer is concerned with collecting and sensing the
information on IoT objects. The collection of information is done in this layer
with the help of different devices such as sensor nodes, smart cards, and RFID
tags.
- The Network layer is concerned with managing wireless and wired
connections. It transfers the data gathered by the sensors and
computers across the wired and wireless networks.
- The Application layer is the interface between the applications and the
end-users. It provides the means for communication between them.

Security Concerns at the Perception layer

Threat                Description
Unauthorized access   Due to physical capture or a logical attack, sensitive
                      information at the end-nodes is captured by the attacker.
Availability          The end-node stops working because it has been physically
                      captured or logically attacked.
Routing attack        Attacks on a routing path.
Denial of Service     An attempt to make an IoT end-node resource unavailable
(DoS)                 to users.
Transmission threats  Threats in transmission, such as interrupting, blocking,
                      data manipulation, etc.


Security Concerns at the Network layer

Threat                Description
Data breach           Release of secure information to an untrusted
                      environment.
Transmission threats  Threats in transmission, such as interrupting, blocking,
                      data manipulation, etc.
Denial of Service     An attempt to make an IoT end-node resource unavailable
(DoS)                 to users.
Routing attack        Attacks on a routing path.
Malicious code        For example, a virus or junk message that can cause
                      software failure.


Security Concerns at the Application layer

Threat                Description
Remote configuration  Failure to configure at interfaces.
Misconfiguration      Misconfiguration at a remote IoT end-node, end-device,
                      or end-gateway.
Security management   Logs and keys leakage.
Management system     Failure of the management system.


- Above all, the main use of cryptography in the internet of things is in securing
the communication channels.
- IoT-centric communication protocols, for example MQTT and AMQP, allow
developers to use Transport Layer Security (TLS) to ensure all data sent over
the network is unreadable to outside parties.
- TLS is the rightful heir to the better-known standard Secure Sockets
Layer (SSL), which was the long-time standard for web encryption (see
HTTPS) but is now considered insecure.
- TLS ensures that data between two entities is neither readable nor prone to
manipulation by third parties.
- In addition to encrypting the main data connections, it's also important to
encrypt any available secondary communication channels, such as those used for
maintenance or customer features.
- For instance, if an IoT device comes with a web portal for use by consumers
(think of a web interface for a printer), that should also be encrypted by
default.
- Otherwise, anyone on the same network could intercept usernames and
passwords, or use session data to impersonate those logged in to control these
devices. For the same reason, insecure maintenance interfaces like telnet should
be shuttered in favor of secure approaches like Secure Shell (SSH).
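To make the TLS advice above concrete, here is an added example (written for this page, not code from the article or from any MQTT library) using Python's standard ssl module: a hardened client context for an MQTT-over-TLS broker connection, with mutual TLS when a device certificate is supplied, the permissive context often found in device firmware beside it, and a policy audit that reports what each would accept. The certificate file names are placeholders.

```python
import socket
import ssl

MQTT_TLS_PORT = 8883  # standard port for MQTT over TLS


def build_iot_tls_context(ca_file=None, device_cert=None, device_key=None):
    """Hardened client context: modern TLS only, broker identity verified
    against a private CA, and optional device certificate for mutual TLS
    (the PKI model in which both sides are authenticated)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse SSLv3, TLS 1.0 and 1.1
    ctx.check_hostname = True                     # broker cert must match the name dialled
    ctx.verify_mode = ssl.CERT_REQUIRED           # and must chain to a trusted CA
    if ca_file:                                   # placeholder path, e.g. "iot-ca.pem"
        ctx.load_verify_locations(cafile=ca_file)
    if device_cert and device_key:                # placeholder paths for the device identity
        ctx.load_cert_chain(certfile=device_cert, keyfile=device_key)
    return ctx


def build_legacy_context():
    """The weak setting: accepts any broker certificate and any protocol
    version the underlying OpenSSL still supports (constructed for contrast)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                    # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def tls_policy_findings(ctx):
    """Audit a context and return the weaknesses a reviewer would flag."""
    findings = []
    if int(ctx.minimum_version) < int(ssl.TLSVersion.TLSv1_2):
        findings.append("legacy protocol versions allowed")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked")
    if ctx.cert_store_stats()["x509_ca"] == 0:
        findings.append("no trust anchor loaded")
    return findings


def open_broker_socket(broker_host, ctx, port=MQTT_TLS_PORT):
    """Dial the broker with the given context; server_hostname drives both
    SNI and the hostname check. Not called here (needs a live broker)."""
    raw = socket.create_connection((broker_host, port), timeout=10)
    return ctx.wrap_socket(raw, server_hostname=broker_host)
```

Run the audit against both contexts: the legacy one reports every finding, while the hardened one without a CA file reports only the missing trust anchor, which is exactly the gap a provisioning step must fill.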

According to recent research, cryptography (or, more specifically, symmetric
cryptography) will be a key factor in providing security for IoT
environments. Alongside the goals of confidentiality, integrity, privacy,
availability, suitability, non-repudiation, and trust, security technologies
including cryptography have therefore become relevant in this domain.
