Technical Insight

A Model for Successful IoT Security Assessment

Network-connected Internet of Things (IoT) devices are growing in popularity in homes and businesses, from smart cities and buildings to cars and medical devices. Attempts to subvert or compromise critical functions in organizations due to insecure IoT devices and applications are on the rise and in the news. While the IoT has not introduced new technology per se, it has introduced a more complicated environment for developers and security teams. Understanding the complexities of the environment, adequately researching components, and developing a thorough assessment plan are the keys to success in securing the IoT. Progress can be hampered by several challenges:

  • Hurried development and release of devices and their respective user web and mobile applications create numerous exploitable weaknesses.
  • Those same mobile and web application interfaces have often been designed and built without knowledge of secure coding best practices.
  • The time and labor to provision and efficiently manage an end-to-end security testing team within the organization is often cost prohibitive.
  • Security experts with device and application penetration testing knowledge are difficult for organizations to find, attain, and maintain.

IoT security assessments are inherently more complicated than assessments of simple web or mobile applications because more hardware, software, and communication protocols are involved. This translates into a larger attack surface and a wider array of attack vectors.

A successful IoT security assessment requires that the electronic ecosystem for a specific IoT device be thoroughly mapped, and then a detailed assessment plan can be developed.  

Mapping happens at a macro and then a micro level.  From the macro perspective, the mapping needs the breadth to encompass all the devices and components that participate in the functionality of this ecosystem. This means everything. All devices, all communications, and all software components.

At the micro level, one must understand the depth of each component and its potential weaknesses. What kind of hardware, what kind of firmware, what kind of communications, what software language, what third-party add-ons? This requires significant research to understand the weaknesses of individual components and the weaknesses in the interaction of components.
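One way to record the macro and micro mapping described above and check it for gaps, as an added example that is not part of the original article. The field names, component names, and protocols are constructed assumptions.

```python
from dataclasses import dataclass, field

# Micro-level questions the article asks about each component.
MICRO_FIELDS = ("hardware", "firmware", "communications", "language", "third_party")

@dataclass
class Component:
    name: str
    details: dict = field(default_factory=dict)  # answers keyed by MICRO_FIELDS

@dataclass
class Link:
    src: str
    dst: str
    protocol: str

def map_gaps(components, links):
    """Return (macro_gaps, micro_gaps) for an ecosystem map."""
    known = {c.name for c in components}
    macro = []
    # Macro: every communication must start and end at a mapped component.
    for link in links:
        for end in (link.src, link.dst):
            if end not in known:
                macro.append(f"{link.protocol} link references unmapped component '{end}'")
    # Macro: a component with no communications suggests an incomplete map.
    touched = {end for link in links for end in (link.src, link.dst)}
    for name in sorted(known - touched):
        macro.append(f"component '{name}' has no mapped communications")
    # Micro: each component needs an answer (even "none") to every question.
    micro = {c.name: [f for f in MICRO_FIELDS if f not in c.details] for c in components}
    return macro, {name: missing for name, missing in micro.items() if missing}

def assessment_plan(components, links):
    """One work item per component and per interaction between components."""
    plan = [f"assess component: {c.name}" for c in components]
    plan += [f"assess interaction: {k.src} -> {k.dst} over {k.protocol}" for k in links]
    return plan

# Constructed sample ecosystem (names and protocols are illustrative).
SAMPLE_COMPONENTS = [
    Component("thermostat", dict(hardware="ARM SoC", firmware="vendor RTOS",
              communications="Wi-Fi, BLE", language="C", third_party="TLS library")),
    Component("mobile-app", dict(language="Kotlin", communications="HTTPS, BLE")),
    Component("debug-port"),
]
SAMPLE_LINKS = [Link("mobile-app", "thermostat", "BLE"),
                Link("thermostat", "cloud-api", "MQTT")]
```

Running `map_gaps` before writing the plan shows where the map is still incomplete: here a link to an unmapped cloud endpoint, an interface with no recorded communications, and components with unanswered micro-level questions.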

At this point, the tester has completed the heavy lifting: they understand the IoT device and the landscape in which it functions, and have developed a comprehensive assessment plan that includes the specific tools for the job. Armed with this comprehensive map, the assessor has a blueprint to develop an assessment plan and choose the appropriate tools from their hacker toolbox. Now the fun part begins: executing your assessment plan and hacking that device!

The Internet of Things is expected to grow dramatically, ballooning to over 20 billion devices by 2020. Developing a good model for how you’ll approach your IoT security assessments can be the difference between success in the marketplace, and a very public, well-publicized failure.