The appetite for Internet of Things security is going stronger than ever, with shadowy botnet armies lurking around the globe and vigilante gray-hat actors inoculating susceptible devices.
Information security professional Jason Kent said "If you throw IoT on a con talk, you've got a pretty good chance to get in,”, as he began his presentation at Chicago's Thotcon hacking and security conference recently.
While the researchers didn’t find the vulnerabilities most thrilling that he described, they served to illustrate just how much work remains to be done to shore up simple, but devastating, security holes.
Also Read: Making IoT The Secured Gateway To Success
With the likes of the Mirai and Hajime botnets preying on swaths of IoT devices that have weak root account passwords and open telnet ports, security professionals are understandably keen on nudging the industry away from these pitfalls.
However, there are serious shortcomings in SSL implementation and information security practices found in many IoT companion mobile apps, Kent pointed out in his talk, "IoT Web of Intrigue."
Personal Data Exposed
SSL misconfigurations might seem mundane compared to other threats, but the example of a simple BURP proxy collecting data transferred between a mobile app and its corresponding server for a slew of devices, highlighted just how pervasive and potentially devastating for users, such vulnerabilities can be.
Kent presented numerous examples that showed how splitting the full SSL certificate into packets captured from the app can allow anyone to send commands on behalf of the user who initially sent it, as many IoT device servers will accept any packet bearing the right encryption key, regardless of whether or not the certificate portion accompanies it.
In many cases, it gets worse. Once the certificate is split, the often excessive or creepily invasive data contained within it is plain for all to see. With home security camera, revealed not only the username and password in plaintext, but also a variable setting the homeowner's insurance provider for the user, on examining the packet.
Another camera's packets contained a GET request sent upon authentication, listing other family members, and their corresponding email addresses and user IDs, who were authorized to access the camera.
It was more than understandable if any of the conference's attendees left the talk feeling deeply uneasy with the state of IoT practices.
So, where did all those gaping holes come from?
Also Read: Latest Trends In CyberSecurity
Cracks in the Foundation
Kent told Linux Insider following his talk, The problem stands in part from an under appreciation of just how many security implications are raised by connecting IoT devices to the Internet, or failure to raise them at all.
"I was reporting a problem and never met their security team," he said, recounting a disclosure phone call with one company. "I met their PR team, their lawyers -- no one from security. Why? Because this company [made] a machine and then put it on the Internet, not realizing they needed to change their business a bit when that happened."
Although IoT manufacturers can benefit by making more a concerted effort to keep pace with modern network security practices, there are industry-wide challenges associated with the use of SSL to bolster insecure underlying architectures, Kent pointed out.
"The mobile apps are really just Web browsers with premade pages," he said. "The app asks for data from the API and displays that data to the user."
Properly implemented SSL certainly can go a long way toward fortifying underlying processes, but "we are building on a foundation that wasn't secure to begin with," Kent observed.
Also Read: Cybersecurity All About WannaCry Ransomeware
Working Under the Radar
Kent said, still, the outlook is not entirely pessimistic, noting that there are many resources developers can tap in order to up their game.
He advised "Every app dev should be a participating member of OWASP", referring to the Open Web Application Security Project, a nonprofit dedicated to aggregating security best practices into comprehensive guides for developers at all levels.
Kent also appreciated the previous set by DEVSECOPS for its effectiveness instilling security consciousness into the development process so that developers can learn to spot vulnerabilities themselves.
Software development hygiene may seem like an annoyance at times, but it goes a long way toward preventing big headaches down the road and users certainly will benefit, even if they don’t know about backstage practices.
Read More At: The IoT's Scramble to Combat Botnets