The internet of things certainly brings a lot of excitement, positive energy and thoughts of increased convenience...
for the consumer, manufacturer, distributor, etc. Unfortunately, IoT also has its dark side, which we hear of too often.
One of the highest profile internet of things (IoT) attacks to date was the Mirai botnet beginning in August 2016, where hundreds of thousands of IoT devices were hijacked by an attacker simply taking advantage of the fact that the devices -- mainly security cameras and wireless routers -- still had their default usernames and passwords active. Hence, the attacker logged in to the devices with default authentication information and used them to perform a distributed denial-of-service attack against the Dyn domain name system, ultimately affecting Amazon, Spotify, Twitter, Netflix and other major sites.
In addition, cybersecurity journalist Brian Krebs recently raised concern about a new strain of IoT attack malware called Reaper -- also known as IoTroop -- which spreads via security holes in IoT software and hardware.
What is going on here? Why is IoT a successful target for the miscreants? The answer is that the systems are not being built securely.
IoT devices combine web and mobile applications and include locally stored and cloud-based data, yet security and privacy are a low priority for IoT manufacturers trying to get their devices to the market as quickly and cheaply as possible. Security is an afterthought -- if even a thought at all. Mirai showed us that vulnerability for certain ubiquitous devices.
Web application and SCADA security
In the "2015 Dell Security Annual Threat Report," Dell analysts observed attacks on industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems had doubled since January 2012. With this concern, why not establish an Open Web Application Security Project (OWASP) for ICS/SCADA to be implemented by manufacturers and users alike?
OWASP was started by Mark Curphey in 2001. OWASP is an open community dedicated to enabling organizations to conceive, develop, acquire, operate and maintain web applications that can be trusted. All the OWASP tools, documents, forums and chapters are free and open to anyone interested in improving application security.
With its focus on improving the security of the web, OWASP released its first OWASP Top 10 list of application security risks in 2003. The list has been updated and released every three or four years since then, and it has been used by many organizations as a security awareness tool during code reviews and to ensure the riskiest vulnerabilities are mitigated.
Notably, OWASP security concepts have been adopted globally. OWASP boasts over 46,000 participants, more than 65 organizational supporters and even more academic followers.
The voluntary OWASP approach has been a proven foundation for improved web application security since 2001. With this success, Daniel Miessler and Craig Smith assumed project leadership roles to build the OWASP IoT Security Project.
OWASP IoT Project
According to OWASP, it's Internet of Things Project is "designed to help manufacturers, developers and consumers better understand the security issues associated with [IoT] and to enable users in any context to make better security decisions when building, deploying or assessing IoT technologies."
A key perspective Miessler and Smith offer is that IoT security is not about the thing, but is instead a holistic approach to security where all the elements need to be considered, from the IoT device to the cloud to the mobile application to the network interfaces. This security approach also includes the software, use of encryption and authentication, USB ports, and, of course, physical security.
In keeping with the classic Top 10 list tradition of OWASP, a "Top 10 IoT Vulnerabilities" list was published in 2014 pinpointing the following issues:
- Insecure web interface
- Insufficient authentication/authorization
- Insecure network services
- Lack of transport encryption/integrity verification
- Privacy concerns
- Insecure cloud interface
- Insecure mobile interface
- Insufficient security configurability
- Insecure software/firmware
- Poor physical security
What's included in the OWASP IoT Project?
The OWASP Internet of Things Project provides information on the following topical areas:
- IoT framework assessment. Designing secure IoT systems should include the use of a secure IoT framework and ecosystem. The framework is intended to ensure developers do not overlook any security requirements or considerations, and even improves the pace of application development. This section of the OWASP IoT Security Project offers framework considerations for the edge, gateway, cloud and mobile components.
- Principles of IoT security. The principles of IoT security appear to be practical and readily digestible for any code review process. However, the guidance is very high-level, and it is simply that -- guidance.
It is a good idea to take the time to read the guidance OWASP offers under each principle. There is a wealth of information there that should be applied by users, integrators and manufacturers to improve IoT security and availability.
- IoT attack surface areas. The IoT attack surface areas subproject provides a list of attack surfaces that should be understood by manufacturers, developers, security researchers and IoT implementers.
In a talk given by Daniel Miessler at DEFCON in August 2015, he observed, "The IoT Attack Surface Area project is proposing a universal attack strategy for any kind of device." The intention is to make this IoT modeling applicable to as many devices as is practical.
- IoT testing guides. The testing guides are intended to help testers assess connected devices and applications in the IoT space, and they give testers basic guidelines for security.
- IoT security guidance. These guidelines help manufacturers with security in the IoT devices they build. Again, a practical guideline table is offered.
Plans are in place to expand and include information on the following IoT security topics in the OWASP IoT Security Project:
- IoT vulnerabilities
- Firmware analysis
- ICS/SCADA software weaknesses
- Community information
- Developer, consumer and manufacturer guidance
- Design principles
Next steps for the IoT security professional
In 2001, OWASP was just an idea. Since then, it has matured into a standard and methodology to ensure webpage security is incorporated into webpage design and code. The idea of the OWASP IoT Security Project is still in its early infancy; however, it is moving forward with some excellent ideas and references for security professionals worried about IoT availability, integrity and confidentiality.
Some practical steps you can take to take advantage of the OWASP IoT Security Project are to survey the current contents and links of the OWASP IoT Security Project webpages, sign up for the project mailing list to stay abreast of news and postings, and participate in the IoT security discussion.