
Credentials, control and compromise: Today’s Top 10 IoT vulnerabilities

by Christina Juarez

February 12, 2019

Automation and control. Saving time and money. Transparency. Connectivity. Efficiency.

These are just a few of the advantages of the Internet of Things (IoT), which has already made a profound impact on the way we live, work and travel through the interconnectivity of tech-embedded objects exchanging massive amounts of data.

With reward, of course, also comes risk. Security concerns go hand-in-hand with the development of IoT-enabled products and systems, with hackers and botnets seemingly lurking around every corner.

Should we be worried? How much or how little? The Open Web Application Security Project (OWASP) is way ahead of us.

This international not-for-profit was established to provide unbiased and practical information about application security. And the OWASP Internet of Things Project was launched in 2014 to help users—whether they’re vendors, enterprise users or consumers—“make better security decisions when building, deploying or assessing IoT technologies.”

So what are the biggest gaps in the IoT security armor, so to speak? Near the end of 2018, OWASP released its list of Top 10 IoT vulnerabilities—many of which are entirely preventable—along with some additional commentary:

  • Weak, Guessable or Hardcoded Passwords: “Use of easily bruteforced, publicly available, or unchangeable credentials.”
  • Insecure Network Services: “Especially those exposed to the internet, that compromise confidentiality, integrity/authenticity, or availability of information.”
  • Insecure Ecosystem Interfaces: “Common issues include a lack of authentication/authorization (and) lacking or weak encryption.”
  • Lack of Secure Update Mechanism: “Includes lack of firmware validation on device, lack of secure delivery (and) lack of anti-rollback mechanisms.”
  • Use of Insecure or Outdated Components: “Includes insecure customization of OS platforms, and use of third-party software . . . from a compromised supply chain.”
  • Insufficient Privacy Protection: “User’s personal information stored on the device . . . that’s used insecurely, improperly or without permission.”
  • Insecure Data Transfer and Storage: “Lack of encryption or access control of sensitive data.”
  • Lack of Device Management: “Lack of security support on devices deployed in production.”
  • Insecure Default Settings: “Lack the ability to make the system more secure by restricting operators from modifying configurations.”
  • Lack of Physical Hardening: “Allowing potential attackers to gain sensitive information that can help in a future remote attack, or take local control of the device.”
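As an added illustration (not code from this post or from OWASP), the Python below audits a constructed device configuration against five of the listed items: default or unchangeable credentials, cleartext management services on every interface, unsigned or rollback-prone updates, unencrypted transfer and storage, and debug settings the operator cannot disable. The configuration keys, the default-credential set and the 12-character minimum are assumptions chosen for this example.

```python
# Constructed sample of vendor default credentials (illustrative, not a real list).
KNOWN_DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"),
                             ("root", "root"), ("user", "1234")}
MIN_PASSWORD_LENGTH = 12  # assumed policy threshold for this example

def audit_device(cfg):
    """Return the names of the OWASP IoT Top 10 items this configuration violates."""
    findings = []
    user, pw = cfg.get("username", ""), cfg.get("password", "")
    # I1: default or short credentials, or a password the operator cannot change
    if ((user, pw) in KNOWN_DEFAULT_CREDENTIALS or len(pw) < MIN_PASSWORD_LENGTH
            or not cfg.get("password_changeable", True)):
        findings.append("Weak, Guessable or Hardcoded Passwords")
    # I2: a management service listening on every interface without TLS
    if any(s.get("bind") == "0.0.0.0" and not s.get("tls") for s in cfg.get("services", [])):
        findings.append("Insecure Network Services")
    # I4: updates must be signature-verified, fetched over HTTPS and anti-rollback protected
    upd = cfg.get("update", {})
    if not (upd.get("verify_signature") and upd.get("anti_rollback")
            and upd.get("url", "").startswith("https://")):
        findings.append("Lack of Secure Update Mechanism")
    # I7: telemetry sent in the clear or data stored unencrypted
    if not (cfg.get("telemetry_tls") and cfg.get("storage_encrypted")):
        findings.append("Insecure Data Transfer and Storage")
    # I9: debug left on, and the operator is not allowed to turn it off
    if cfg.get("debug_enabled") and not cfg.get("operator_can_disable_debug", True):
        findings.append("Insecure Default Settings")
    return findings

# Constructed configurations: one shipped with weak defaults, one hardened.
INSECURE_DEVICE = {
    "username": "admin", "password": "admin", "password_changeable": False,
    "services": [{"name": "telnet", "port": 23, "bind": "0.0.0.0", "tls": False}],
    "update": {"url": "http://updates.example/fw.bin",
               "verify_signature": False, "anti_rollback": False},
    "telemetry_tls": False, "storage_encrypted": False,
    "debug_enabled": True, "operator_can_disable_debug": False,
}
HARDENED_DEVICE = {
    "username": "operator", "password": "Xk9!mQ2#vL8pRt4w", "password_changeable": True,
    "services": [{"name": "https-mgmt", "port": 443, "bind": "192.168.10.5", "tls": True}],
    "update": {"url": "https://updates.example/fw.bin",
               "verify_signature": True, "anti_rollback": True},
    "telemetry_tls": True, "storage_encrypted": True,
    "debug_enabled": False, "operator_can_disable_debug": True,
}

if __name__ == "__main__":
    print(audit_device(INSECURE_DEVICE), audit_device(HARDENED_DEVICE))
```

A missing key is treated as the insecure state for credentials, updates and encryption, so an incomplete configuration is reported rather than silently passed.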

OWASP will be updating this list every two years in response to technological advances and industry adaptations.

In the interim, what can you and your company do to bolster security—whether it’s IoT-related or otherwise? Knowledge is power, and at Graycon, we pride ourselves on our hard-won expertise and our ability to keep our clients and their important data safe.

We know that one-size-fits-all security doesn’t work. We create security plans that are tailored specifically to your business—plans that keep you from losing time, money or reputation because of a breach.

Contact us today to learn more.