Skip to main content
banner image
venafi logo

The Internet of Things and Machine Identity Management: The Lack of Security

The Internet of Things and Machine Identity Management: The Lack of Security

Internet of Things and Machine Identity Management
June 25, 2018 | Guest Blogger: Haydn Johnson

IOT by the Numbers

According to statistica the number of devices connected in the IoT in 2018 will be 23 billion.

A factor contributing to this boom has been demand from consumers, who seem to love purchasing new devices with ‘never knew I needed this’functionality. It’s also been boosted by the rush of companies eager to meet this perceived demand—cars, fridges, lighting, home security and even industrial machines. If you can name it, there’s a good chance there’s a ‘smart’ version on the market today.

The Insecurity of the Internet of Things

The issue with so many of these devices on the market is that each has a relatively short life span. This usually means there is little to no plan for support or upgrades once the device comes off the assembly line. Once purchased, these IoT devices are rarely updated, whether that is for compatibility or security. Of course, this creates potential vulnerabilities in every network with an IoT device, whether at home or at work.

Too often the manufacturers creating these devices are working within a very tight profit margin, so the focus is on making a product as cheap as possible. This effort to keep production costs down is why many of these companies only consider security as an afterthought. The result is that many of these devices leave the assembly floor with hundreds of exploits waiting to be found.

This issue is increased when these devices are placed in a corporate environment. Securing common devices is mostly completed through a patch management lifecycle. These tasks include: maintaining current knowledge of available patches, deciding which patches to apply for which systems and when, testing the patches to ensure there are no issues causing business disruption. Unfortunately for IoT devices, the manufacturer is unable to supply patches and businesses are unable to take of advantage of their patch management lifecycles.

As IoT was initially consumer focused security wasn’t the primary concern, and that trend followed into the Industrial IoT. The distributed nature of the Industrial IoT makes it open to many security threats, as the pervasiveness allows any interruption in the network to affect systems over large distances. This becomes extremely difficult to remediate over a distributed network because of different stakeholders controlling different devices and the nature of coordinating patching.

Encryption is also a weakness for the IoT, even if the algorithm is strong, the implementation may be insecure, such as sending the shared keys in clear text; as an exposed decryption key can render an IoT device vulnerable to attack. Many IoT devices are lower powered and thus can only use ‘lower level’ algorithms that do not require as much processing power.

Hacking Internet of Things devices

Penetration testers are given a wide range of protocols and applications to attack IoT devices. The threat surface is quite large thanks to the network, the applications, firmware, encryption and hardware that are all related to the IoT device. Architectures (such as ARM, MIPs, Power PC etc.) as well as different communication protocols like ZigBee, Software Defined Radio (SDN), and Near Field Communication (NFC) provide many different avenues to evaluate and potentially exploit.

Distributed Denial of Service attacks (DDoS) are one of the most popular methods of exploiting IoT devices. DDoS attacks aim to take websites, servers and other internet connected devices offline by overloading the victim’s device with too much network traffic for it to process.

The most famous DDoS attack that made headlines is the infamous Mirai botnet attack; Mirai is malware that targets networked devices running Linux. Each system it controls can then be used as part of a DDoS attack. To spread the Mirai malware, attackers targeted web cameras and other IoT devices. One of the exploits used was an SSH vulnerability over a decade old, something which could and should have been fixed with a patch. Mirai became a worldwide issue as a result IoT manufacturer’s consistent disregard for security.

Another notable attack on IoT is that Medical Devices were targeted for the first time in 2017 with Ransomware. The Ransomware was WannaCry, an advanced and extremely widespread ransomworm. WannaCry was estimated to have affected more than 300,000 devices according to Wikipedia. This was not unexpected, as many hospitals do not have the money or funding to update their devices, many are also running Windows XP and other legacy systems. Security Researchers have been identifying numerous vulnerabilities in Medical IoT devices—such as pacemakers—for a while now.

However, criminals do not discriminate on who or what they attack, whether it is a hospital as in the WannaCry instance, or attacking banks. Security needs to be considered for every device that can be accessed remotely. The future does not look bright for IoT devices. Secure IoT devices do not seem to exist.

Related posts

Like this blog? We think you will love this.
Featured Blog

IoT and Machine Identity Management in Financial Services

How is IoT changing the financial sector?

Read More
Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

See Popular Tags

You might also like

TLS Machine Identity Management for Dummies

TLS Machine Identity Management for Dummies

Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

About the author

Guest Blogger: Haydn Johnson
Guest Blogger: Haydn Johnson
Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud

Venafi Cloud manages and protects certificates

* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
* Please fill in this field
* Please fill in this field
* Please fill in this field

End User License Agreement needs to be viewed and accepted

Already have an account? Login Here

get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more