Embedded Wireless Devices IoT Security Vulnerabilities

Embedded-Wireless-Devices

Embedded Wireless devicesonce thought to be too small to include their own security, undergo a more thorough analysis beginning with firmware testing. The software inside the chip is just as important as the application controlling it. Both need to be tested for security and quality. Some of the early IoT botnets have leveraged vulnerabilities and features within the device itself.

Embedded wireless devices really are one of the most common devices on the Internet, and the security of these devices is terrible.” Those were the words of network security expert H.D. Moore, the developer of the penetration testing software Metasploit Framework, when discussing an illicit attempt to survey the entire internet.

Consumer Based Embedded Wireless Devices

 

Dan Goodin of Ars Technica tells the tale of a guerrilla researcher who collected nine terabytes of data from a scan of 420 million IPv4 addresses across the world. “The vast majority of all unprotected devices are consumer routers or set-top boxes which can be found in groups of thousands of devices,” wrote the anonymous researcher in his 5,000-word report. “A lot of devices and services we have seen during our research should never be connected to the public Internet at all.”

embedded-wireless-and-IoT-devicesHackers can do a lot of damage, and with billions of IoT devices forecast to be connected in the next few years, embedded devices security should be more than an afterthought.

In 2015, two white hat hackers demonstrated that they could break into late model Chrysler vehicles through the installed UConnect, an internet-connected feature that controls navigation, entertainment, phone service, and Wi-Fi.

By rewriting firmware on a chip in an electronic control unit (ECU) of a Jeep Cherokee, they were able to use the vehicle’s controller area network (CAN) to remotely play with the radio, windshield wipers, and air conditioning — even kill the engine.

The cybersecurity risks are real.  Alan Grau writes on the IEEE Spectrum website about three significant incidents affecting the health care industry. A report by TrapX Labs called “Anatomy of an Attack–Medical Device Hijack (MEDJACK)” describes how hackers were able to target medical devices to gain entry to hospital networks and transmit captured data to locations in Europe and Asia. “Stopping these attacks will require a change of mindset by everyone involved in using and developing medical devices,” says Grau.

Another notorious embedded wireless devices security intrusion is described in an article on The Verge, “Somebody’s watching: how a simple exploit lets strangers tap into private security cameras” . Strangers were able to watch live streams of unwitting security camera owners within their homes. The vulnerabilities of existing firmware allowed for egregious invasion of privacy.

Embedded Wireless Devices and IoT Vulnerabilities

 

Many of the hackable embedded wireless devices now on the market were created without much consideration for security. “Security needs to be architected from the beginning and cannot be made an option,” says Mike Muller, CTO of ARM Semiconductors, at a seminar he gave at the IoT Security Summit 2015.  Muller believes that very few developers have any real understanding of security. ·“We cannot take all of the software community and turn them into security experts.  It’s not going to work.” The answer is that best practices for embedded security must be established and followed. That includes splitting memory into “private critical and private uncritical” and creating device-specific encryption keys. “You have to build systems on the assumption that you’re going to get hacked,” warns Muller.

 

Identifying potential IoT vulnerabilities requires robust testing before putting devices into production. In 2014, the Open Web Application Security Project (OWASP) published a list called Internet of Things Top Ten:  A Complete IoT Review. They recommend testing your IoT device for:  

  1. Insecure Web Interface (OWASP I1)
  2. Poor Authentication/Authorization (OWASP I2)
  3. Insecure Network Services (OWASP I3)
  4. Lack of Transport Encryption (OWASP I4)
  5. Privacy Concerns (OWASP I5)
  6. Insecure Cloud Interface (OWASP I6)
  7. Insufficient Security Configurability (OWASP I8)
  8. Insecure Software/Firmware (OWASP I9)
  9. Poor Physical Security (OWASP I10)

 

As with any testing, well-written test cases will help manufacturers ensure the security of embedded wireless devices. Better to run through possible scenarios in the lab that to have major issues with customers later.   In November 2016, Dan Goodin of Ars Technica reported that a “New, more-powerful IoT botnet infects 3,500 devices in 5 days”. Goodin writes that “Linux/IRCTelnet is likely only the beginning of what could be a long line of next-generation malware that steadily improves its capabilities.” And he laments the defenselessness of IoT devices that proliferate across the web. It’s a sentiment that’s shared by many.

What about your experiences with IoT security and embedded wireless devices? Any stories to tell? What are your recommendations for making things safer? Feel free to post your comments here.

 

Share:

I am excited to add the Diversity Sourcing designation to my toolkit. With the fast-growing demand for diversity, equality, and inclusion in the workplace HR,

Corporate data security certification is a higher priority than ever and there are ways of making this significant investment pay additional dividends. Here are some

Applications and use cases include utility, military, financial, and end-user interoperability. IOT has new protocol stacks that help device manufacturers create and cooperate. This includes:

What is CBRS and how can you use it to benefit your organization? In 2017, the US Federal Communications Commission introduced a 150 MHz wide

By definition, “Internet of things” is the concept of devices connected by a series of protocols in order provide greater interoperation, capacity, and sense of

Internet of things (IOT) devices according to Gartner (Gartner IOT) will reach close to 25 billion activation’s by 2023. Many of these devices will support

By definition, “Internet of things” is the concept of devices connected by a series of protocols in order provide greater inter operation, capacity, and sense

Popular News

I am excited to add the Diversity Sourcing designation to my toolkit.

Corporate data security certification is a higher priority than ever and there

Applications and use cases include utility, military, financial, and end-user interoperability. IOT

What is CBRS and how can you use it to benefit your

By definition, “Internet of things” is the concept of devices connected by

How to Evaluate an Executive Search Firm
Receive the latest news

Subscribe To Our Newsletter

Get notified about new articles, videos, seminars and all the breaking industry news as it happens