Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

New year's resolution for IoT vendors: Start treating LANs as hostile

Lucian Constantin | Jan. 3, 2017
The prevalence of insecure default configurations for embedded devices suggests that vendors don't account for LAN-based threats

"Without adequately considering the trust model on the local network, each additional device installed presents a new way to compromise the network," Harrington said.

In 2016 there were approximately 100 reports of hardcoded or insecure default credentials in embedded devices, according to statistics from vulnerability intelligence firm Risk Based Security. Since 2013, there've been about 550 such weaknesses reported.

"Even before IoT became hugely popular, embedded devices had paltry security," said Carsten Eiram, the chief research officer at Risk Based Security. "These devices are often 10 years behind normal software when it comes to code maturity from a security perspective. A big part of that is the lack of scrutiny they received in comparison."

According to Eiram it's hard to say whether some IoT devices are plagued by insecure configuration issues because their creators don't account for local threats or because they're clueless about security in general.

"I think the call to action for embedded device/IoT vendors is not so much: 'You need to take security seriously by not viewing LAN-based attacks as minor' as much as 'You need to start caring about security; period.'," Eiram said. "But should some vendors consider LAN-based attacks to be outside of their threat model, they certainly have to start including it."

In Eiram's experience some vendors don't even consider the possibility of someone being able to discover their hardcoded passwords or to reverse-engineer their proprietary communications protocols.

It's worrying that many companies don't have policies for controlling who and under what circumstances can bring IoT devices into their networks, Eiram said. This creates a shadow IT problem where companies don't even keep track of such devices, making it even more important for them be developed with security in mind, Eiram said.

Consumers face a similar problem in enforcing access controls on their networks, according to Alex Balan, chief security researcher at antivirus vendor Bitdefender. They put these new devices -- from smart thermostats and sensors to Internet-connected doorbells and security cameras -- into their homes without restricting who can access them. They then share their Wi-Fi passwords with friends and family members who bring their own potentially infected laptops and smartphones into their networks.

"You should ask yourself one simple question: 'Can my home network be hacked ?'," Balan said. "If the answer is yes, then ask yourself why do you have such weak security policies considering all the sensitive data inside your network -- private photos, documents, files that you took home from work. If the answer is no then you’re either really awesome or severely misinformed."

Until vendors start locking down their devices properly there are a few things you can do. First, make sure you secure your router to the best that you can, as it's the gateway into your network and probably the most targeted type of embedded device. At the very least change its default admin password and try to change its default LAN IP address to make it harder for automated CSRF attacks.


Previous Page  1  2  3  4  Next Page 

Sign up for Computerworld eNewsletters.