IoT security issues, including hacking against networked security devices such as IP cameras and NVRs, have become more rampant, and addressing them requires the efforts of vendors and users alike.
That was the point raised by Quan Heng Lim, Director of Cyber Operations at Horangi Cyber Security, which develops various security solutions including network scanners, web scanners and endpoint detection software.
With the popularity of the Internet of Things (IoT), security issues have also arisen, affecting various devices connected to the web. These include security devices as well. One of the most severe security incidents in recent times occurred in October 2016, when DDoS attacks were launched against Dyn, an Internet performance and management company based in New Hampshire, resulting in shutdowns of several famous sites. It was suspected that various networkable devices, including IP cameras and NVRs, were used as robotic attackers after being infected with the Mirai malware.
According to Lim, common vulnerabilities in IoT devices that his company has come across include legacy systems that are not designed to run outside of a restricted/closed network; susceptibility to denial of service by traffic flooding; the use of weak encryption algorithms or handshakes, or the non-use of encryption, in communication traffic; and hardcoded authentication keys/passwords.
“Over the past years, issues have stemmed from hardcoded (unchangeable) or default administrative passwords. Some manufacturers have taken measures to enable secure default configuration and recommendations. Vendors are aware of this, but we still see incidents and successful malware designs that utilize simple attack patterns targeted at security devices and IoT devices in general,” Lim said.
Two-way street
According to him, cybersecurity is a two-way street, a responsibility that should be shared by both the device manufacturer and end user.
Vendors need to ensure that appropriate guidelines are provided to segment networks for the type of product, be it physical or virtual, Lim said. “They should also secure deployment locations, regularly update software and make sure that vulnerability management measures have been implemented,” he added. “Subsequently, vendors need to focus on their own cybersecurity. Attackers might not consider targeting the devices themselves, but rather go after the developer’s networks in hope of obtaining maintenance access credentials or other forms of sensitive data that can give them an edge when targeting specific products such as consumer-grade safes or biometric door locks.”
He further mentioned that encryption should be enforced both for data at rest and in transit. “Authentication, authorization and accountability should always be designed appropriately, to support functional groups of users if access is required and at the same time, maintain the confidentiality, integrity and availability of information within the company,” he said.
As for users, Lim provided the following suggestions:
- Run penetration tests on the products, especially if they are IoT-enabled.
- Ensure security patches related to all equipment used are regularly and diligently implemented.
- Closely monitor and track all maintenance access points and time tables.
- Ensure proper security of all data transmissions from their surveillance systems.
- If operating in an air-gapped environment, beware of unscheduled maintenance and ensure all equipment brought in is properly scanned for malicious applications.
As for setting passwords, Lim notes that periodic password change and complexity requirements have been relaxed, as previous rules often led to weak passwords. “Passwords can be complex with periodic changes, but this can be easily supported by a robust password management system,” he said.
Lim offered some password tips which are summarized as follows:
- Screen new passwords against commonly used ones and compromised passwords.
- Ensure accounts are separated per user, and non-repudiation can be ensured.
- Passwords are not to be shared across different accounts, especially for those of different criticality.
- Passwords should not be reused, or follow a pattern, for example P@ssw0rd1, P@ssw0rd2.
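
The first and last tips can be enforced at password-change time. The following is an added example, not code from Lim or Horangi: the word list is a small constructed sample, and `skeleton`, `screen` and `previous` are hypothetical names. It assumes `previous` holds only passwords available in clear during the change, such as the current one the user has just entered.

```python
import re

# Constructed sample list; a real deployment would load a large corpus of
# commonly used and breached passwords instead.
COMMON_OR_BREACHED = {"password", "123456", "qwerty", "admin", "letmein"}

# Undo common character substitutions so "P@ssw0rd" compares equal to "password".
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "i",
                      "3": "e", "$": "s", "5": "s", "7": "t"})


def skeleton(password):
    """Reduce a password to its underlying word.

    The trailing counter or punctuation is stripped first, so the final "1" in
    "P@ssw0rd1" is dropped rather than being read as a substituted letter.
    """
    base = re.sub(r"[\d\W_]+$", "", password.lower())
    return base.translate(LEET)


def screen(candidate, previous=()):
    """Return the reasons to reject `candidate`; an empty list means accepted."""
    reasons = []
    base = skeleton(candidate)

    # Tip 1: screen against commonly used and compromised passwords, both as
    # typed and after undoing substitutions and the trailing counter.
    if candidate.lower() in COMMON_OR_BREACHED or base in COMMON_OR_BREACHED:
        reasons.append("common-or-breached")

    # Tip 4: no reuse, and no pattern such as P@ssw0rd1 -> P@ssw0rd2.
    for old in previous:
        if candidate == old:
            reasons.append("reused")
            break
        if base and base == skeleton(old):
            reasons.append("pattern-of-previous")
            break
    return reasons


if __name__ == "__main__":
    for new, old in [("P@ssw0rd2", "P@ssw0rd1"),
                     ("correct horse battery staple", "P@ssw0rd1")]:
        print(new, "->", screen(new, previous=[old]) or "accepted")
```
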