IoT Security Challenged By Evolving Threat Landscape

Many IoT devices on the market today lack effective security, making them vulnerable to attackers and easily compromised. This is problematic, because an unsecured IoT ecosystem introduces real-world risks that include malicious actors manipulating the flow of information to and from network connected devices or tampering with the devices themselves.

This salient lack of IoT security was illustrated in July when the Federal Bureau of Investigation (FBI) issued a public service announcement that encouraged consumers to carefully consider cyber security before introducing smart, interactive, internet-connected toys into their homes.

According to the FBI, smart toys and entertainment devices for children typically contain sensors, microphones, cameras, data storage components and other multimedia capabilities – including speech recognition and GPS options. These features could put the privacy and safety of children at risk due to the large amount of personal information that may be unwittingly disclosed.

As such, says the Bureau, communications connections where data is encrypted between the toy, Wi-Fi access points and Internet servers that store data or interact with the toy are crucial to mitigate the risk of hackers exploiting the toy or possibly eavesdropping on conversations/audio messages. Unfortunately, connected toys that do not have authentication requirements could pose a risk for unauthorized access to the toy and allow communications with a child user. Moreover, unauthorized users could potentially remotely gain access to the toy if the security measures used for these connections are insufficient or the device is compromised.

In addition to the above-mentioned FBI public service announcement, security researchers at Senrio identified a stack buffer overflow vulnerability (CVE-2017-9765) in the M3004 Axis Communications security camera. Known as “Devil’s Ivy,” the vulnerability, found in an open source third-party code library, results in remote code execution. When exploited, Devil’s Ivy allows an attacker to remotely access a video feed or deny the owner access to the feed. Since more and more people use security cameras to monitor their homes and small children, compromised cameras can lead to serious invasions of privacy. In addition, since security cameras are used to monitor sensitive locations such as a bank lobby, an exploit like Devil’s Ivy could help enable the collection of information or prevent a crime from being observed or recorded.

In conclusion, as the IoT threat landscape continues to evolve, it is critical for OEMs to consider practical security solutions that are easy to implement and do not disrupt profitability or time to market. Such solutions should allow only legitimate, verified cloud services to “talk” with each other (mutual authentication) by detecting and thwarting unauthorized communication attempts.