IoT means Internet of Things, and the concept is
simply extending the power of the internet beyond
smartphones and computers to a whole range of
other devices, such as everyday electronic
objects (e.g., wearable devices, sensors).
The internet gives us all sorts of benefits that
just weren't possible before. In earlier days,
mobile phones were used only for making calls or
texting, but now we can use them to connect to
the internet and do incredible things like
watching videos, reading books or paying our
bills. The point is that we can gain amazing
benefits by connecting devices to the internet.
Connecting to the internet means a device can
send or receive information/data. IoT extends
internet connectivity to computing and
mechanical devices, objects, and even animals or
people; each object or device is given a unique
identifier and the ability to automatically
transfer information over the network. But as we
all know, enabling a connection to the internet
without proper security creates serious
vulnerabilities.

There are many security frameworks and
technologies that organizations use when
creating and deploying IoT devices, and this
area is under ongoing development. Given the
current IoT security situation, better ways to
mitigate potential issues can be
identified.[1] Ultimately, it is possible to
group them into six main categories.
IoT Vulnerabilities
From vendors to enterprises and from users to
consumers, everyone is always concerned that the
security of their IoT devices could be
compromised. With the Internet of Things, we
must be prepared for new attacks that can happen
at any time unless we implement the required
security procedures. To give manufacturers,
developers and users a better understanding of
the security vulnerabilities, OWASP (Open Web
Application Security Project) releases a top 10
vulnerabilities list annually. OWASP is an
online community that produces free articles,
documentation and tools in the field of web
application security.
According to their updated top 10 IoT
vulnerabilities list for 2018[1], hardcoded or
weak passwords and insecure network services are
the most common threats to IoT devices. The
following are some critical vulnerabilities in
the IoT industry.

Weak, guessable/hardcoded passwords
If someone obtains the password, they can
access the data on the device and change the
information as they want. There are multiple
ways an attacker can get the password
(e.g., social engineering, network intrusion),
and there are many attack types, such as
brute-force attacks, offline dictionary attacks,
and backdoors in firmware or client software
that can grant unauthorized access to systems.
Insecure network services
This vulnerability can result in data loss or
corruption. Insecure network services running on
the device itself (those connected to the
internet) can compromise authenticity,
availability and confidentiality.
Lack of security update mechanisms
This includes lack of firmware validation,
secure delivery issues, lack of anti-rollback
mechanisms and lack of security changes due to
updates. If software updates are not digitally
signed, or the signature is not validated, an
attacker can replace the update files with
malware.
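The update checks named above (signature
validation, anti-rollback and image integrity),
as an added example in Go that is not from the
original article or from OWASP. The Manifest
layout, the function names and the demo key are
assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Manifest is a hypothetical signed update header, not a real vendor format.
type Manifest struct {
	Version uint32
	Digest  [32]byte // SHA-256 of the firmware image
}

func (m Manifest) encode() []byte { // bytes the vendor signs: version || digest
	v := []byte{byte(m.Version >> 24), byte(m.Version >> 16), byte(m.Version >> 8), byte(m.Version)}
	return append(v, m.Digest[:]...)
}

var ErrSignature = errors.New("manifest signature invalid")
var ErrRollback = errors.New("version not newer than installed firmware")
var ErrDigest = errors.New("image does not match signed digest")

// VerifyUpdate runs the device-side checks before anything is flashed.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, m Manifest, sig, image []byte) error {
	if !ed25519.Verify(pub, m.encode(), sig) { // firmware validation
		return ErrSignature
	}
	if m.Version <= installed { // anti-rollback
		return ErrRollback
	}
	if sha256.Sum256(image) != m.Digest { // image replaced after signing
		return ErrDigest
	}
	return nil
}

// SignForDemo stands in for the vendor build server (demo only).
func SignForDemo(priv ed25519.PrivateKey, version uint32, image []byte) (Manifest, []byte) {
	m := Manifest{Version: version, Digest: sha256.Sum256(image)}
	return m, ed25519.Sign(priv, m.encode())
}

func main() {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // constructed demo key
	m, sig := SignForDemo(priv, 5, []byte("constructed image"))
	fmt.Println(VerifyUpdate(priv.Public().(ed25519.PublicKey), 4, m, sig, []byte("constructed image")))
}
```

Because the version number is inside the signed
bytes, an attacker cannot relabel an old, validly
signed image as a newer release.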
Use of insecure or outdated components
Use of insecure components/libraries, operating
system platforms and third-party software or
hardware components could allow the device to be
compromised.
Insufficient privacy protection
Some IoT devices store users' personal
information, such as health reports, in the
ecosystem; if this is done with improper
security, users' confidentiality and integrity
can be at risk.
Insecure data transfer and storage
Encryption is often used to store critical
information, but a lack of encryption for
sensitive data, whether at rest, in transit or
during processing, lets an attacker obtain the
data more easily. Manufacturers must make sure
that their device encrypts the correct data,
that they have proper key management, and that
sensitive data cannot be overwritten.
Lack of physical hardening
A lack of physical hardening allows potential
attackers to gain information that can help them
remotely attack or take control of the device or
system.

Mitigation
Mitigation methods are important because the
number of challenges is increasing day by day
due to security issues. Basically, they can be
divided into three parts: hardware and network
device security, security gateways, patches and
updates, integrating terms and consumer
education.
There are several options for protecting
hardware and network devices, and for security
gateways, patches and updates. But first of all,
it is important to educate consumers. If not,
all the technical methods fail, as human errors
are difficult to overcome.
Using strong passwords. Most manufacturers give
devices a default password, and consumers forget
or don't change it. So consumers need to be
educated about this and encouraged to have
strong passwords according to password policies.
Also, do not use hard-coded passwords.
In the future, the need for IoT will increase
and new solutions will be innovated for
consumers. In that situation, IoT security
vulnerabilities may increase a lot. Users must
be practiced in the relevant security methods,
and devices should be kept up to date with
reliable patches. Security will need to grow
among manufacturers to provide stakeholders with
fast connectivity and reliable service.
Government and security-related organizations
must put new security rules in place and develop
up-to-date frameworks. Finally, through those
practices, consumers can operate trusted
services and enjoy a consistent service.
By:
Supushpitha Atapattu
Supushpitha is an undergraduate at the Sri Lanka
Institute of Information Technology, Faculty of
Computing, who is currently following a Bachelor
of Science honours degree specializing in cyber
security. He is currently working as an Intern
- Information Security Engineer at Sri Lanka
CERT|CC.