Top 10 Vulnerabilities that Make IoT Devices Insecure

March 15, 2021 | Anastasios Arampatzis

Smart and connected IoT devices introduce several ways of improving processes and productivity, enhancing user experience and lowering costs in a variety of industries and environments. While the benefits of IoT devices can be observed in factories, hospitals, cars, homes and cities, their inherent vulnerabilities create new security risks and challenges. These vulnerabilities leave networks open to cyberattacks, which can disrupt industries and economies in dangerous ways.

Impact of IoT Device Vulnerabilities

IoT devices are vulnerable mostly because they lack the necessary built-in security controls to defend against threats. The key reason is the constrained environment and the limited computational capacity of these devices. IoT devices are usually low-power devices, and their abilities permit only certain functions to be executed. As a result, they cannot accommodate security controls and mechanisms and data protection schemes.

Vulnerabilities in IoT devices may allow cyber criminals to hijack them and then launch attacks against other critical systems. The criticality of connected devices and the impact of an attack against them determine the importance of manufacturing these devices with a security-by-design approach.

Cyber criminals are keen on exploiting known IoT device vulnerabilities and turning the devices into zombies, or IoT botnets. In 2016, the Mirai botnet attack took down high-profile sites and services (following a DDoS campaign) by hijacking thousands of compromised household IoT devices. Other than security breaches, IoT vulnerabilities are the root cause of many privacy breaches, entailing huge legislative penalties for the violation of regulations such as the GDPR, CCPA, HIPAA and PCI DSS.

The IoT Cybersecurity Improvement Act of 2020

To address the expanded threat landscape and to limit the exposure of federal agencies and services to the vulnerabilities of IoT devices, the U.S. government signed into law the IoT Cybersecurity Improvement Act of 2020. The Act mandates NIST to create cybersecurity standards for connected devices purchased and used by federal agencies.

According to the Act, NIST is to develop and publish “standards and guidelines on the appropriate use and management” of IoT devices “owned or controlled” by federal agencies which are connected to federal networks. These guidelines should also include “minimum security requirements for managing cybersecurity risks” inherent in these devices.

Additionally, the Act dictates that federal agencies refrain from “procuring or obtaining, renewing a contract to procure or obtain, or using an IoT device” if the device is not compliant with the guidelines issued by NIST.

In response to the IoT Cybersecurity Improvement Act, NIST released four new publications:

The objective of these four documents is to establish a common cybersecurity framework between the government and IoT device manufacturers for IoT devices procured and used by federal agencies. 

What Are IoT Vulnerabilities?

The Open Web Application Security Project (OWASP), a non-profit foundation for improving software, has published the IoT Top 10 vulnerabilities, which is a great resource for manufacturers and users alike.

  1. Weak, Guessable, or Hardcoded Passwords
    Use of easily brute forced, publicly available, or unchangeable credentials, including backdoors in firmware or client software that grants unauthorized access to deployed systems.

    Weak, default, and hardcoded passwords are the easiest way for attackers to compromise IoT devices and go on to launch large-scale botnets and other malware. Managing passwords in a distributed IoT ecosystem is a time-consuming and difficult responsibility, especially since IoT devices are managed over-the-air.

  2. Insecure Network Services
    Unneeded or insecure network services running on the device itself, especially those exposed to the internet, that compromise the confidentiality, integrity/authenticity, or availability of information or allow unauthorized remote control.

    Adversaries seek to exploit weaknesses in the communication protocols and services running on IoT devices to compromise and breach sensitive or confidential information exchanged between the device and a server. Man-in-the-Middle (MITM) attacks aim to exploit these vulnerabilities to capture the credentials used to authenticate these endpoints and then leverage these credentials to launch larger-scale malicious attacks. It is therefore imperative to secure IoT communications with industry best practices.

  3. Insecure Ecosystem Interfaces
    Insecure web, backend API, cloud, or mobile interfaces in the ecosystem outside of the device that allows compromise of the device or its related components. Common issues include a lack of authentication/authorization, lacking or weak encryption, and a lack of input and output filtering.

    A strong authentication and authorization mechanism needs to be in place to mitigate insecure web, backend API, cloud, or mobile interfaces in the IoT ecosystem. Several solutions have been developed to safeguard the identity of IoT devices, which consider the constrained nature of these endpoints. With the use of an effective device identity mechanism, whenever a server communicates with an IoT device, the server will be able to differentiate between a valid endpoint and a rogue one by forcing the endpoint to authenticate itself.

  4. Lack of Secure Update Mechanism
    Lack of ability to securely update the device. This includes lack of firmware validation on device, lack of secure delivery (un-encrypted in transit), lack of anti-rollback mechanisms, and lack of notifications of security changes due to updates.

    Unauthorized software and firmware updates are a major threat vector for launching attacks against IoT devices. A corrupted update can disrupt the operations of critical IoT devices and have physical consequences in sectors like healthcare or energy. To secure firmware and software updates, we need to secure access to the updates and verify the source and the integrity of the updates.

  5. Use of Insecure or Outdated Components
    Use of deprecated or insecure software components/libraries that could allow the device to be compromised. This includes insecure customization of operating system platforms, and the use of third-party software or hardware components from a compromised supply chain.

    The security of the IoT ecosystem may be compromised by vulnerabilities in software dependencies or legacy systems. The use of outdated or insecure software, including open-source components, by manufacturers to build their IoT devices creates a complex supply chain that is difficult to track. These components might inherit vulnerabilities known to attackers, creating an expanded threat landscape waiting to be exploited.

  6. Insufficient Privacy Protection
    User’s personal information stored on the device or in the ecosystem that is used insecurely, improperly, or without permission.

    Many deployed IoT devices collect personal data that need to be securely stored and processed to maintain compliance with the various privacy regulations, such as GDPR or CCPA. This personal data might be anything from medical information to power consumption and driving behavior. Lack of appropriate controls will jeopardize users’ privacy and will have legal consequences.

  7. Insecure Data Transfer and Storage
    Lack of encryption or access control of sensitive data anywhere within the ecosystem, including at rest, in transit, or during processing.

    The protection of IoT data—either at rest or in transit—is of great importance to the reliability and integrity of IoT applications. This data is used in automated decision-making processes and controls that can have serious physical repercussions. It is critical that we effectively protect this data. The use of strong encryption throughout the IoT data lifecycle and adaptive identity and access control will help secure IoT data from compromise and breaches.

  8. Lack of Device Management
    Lack of security support on devices deployed in production, including asset management, update management, secure decommissioning, systems monitoring, and response capabilities.

    One of the most important tasks and one of the most significant security challenges in the IoT ecosystem is managing all devices throughout their lifecycle. If unauthorized devices are introduced in the IoT ecosystem, they will be able to gain access and surveil corporate networks and intercept traffic and information. The key concerns of IoT device management are the provisioning, operation and updating of devices. The discovery and identification of IoT devices is a necessary first step in the monitoring and protection of these devices.

  9. Insecure Default Settings
    Devices or systems shipped with insecure default settings or lack the ability to make the system more secure by restricting operators from modifying configurations.

    IoT devices are shipped with default, hardcoded settings that are insecure and easy for attackers to breach. Once these settings are compromised, adversaries can seek out hardcoded default passwords, hidden backdoors and vulnerabilities in the device firmware. At the same time, these settings are difficult for a user to change. Having a deep understanding of these settings and the security gaps they introduce is a first step to implementing the appropriate controls for hardening these devices.

  10. Lack of Physical Hardening
    Lack of physical hardening measures, allowing potential attackers to gain sensitive information that can help in a future remote attack or take local control of the device.

    IoT devices are deployed in dispersed and remote environments—not kept in any controlled environment, but exposed in the field to perform their operations. An attacker may disrupt the services offered by IoT devices by gaining access and tampering with the physical layer. Such actions could prevent, for example, sensors from detecting risks like fire, flood, and unexpected motion. We should ensure that the hardware is safe from tampering, physical access, manipulation, and sabotage.
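
For item 4 above (Lack of Secure Update Mechanism), the following added example, which is not code from the original article or from OWASP, shows a device-side update check covering the three controls named there: source verification, integrity verification and anti-rollback. The `Manifest` layout, the function names and the choice of Ed25519 and SHA-256 are assumptions made for illustration; the key and firmware image are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Manifest is a hypothetical update descriptor shipped with each firmware image.
type Manifest struct {
	Version uint32   // monotonically increasing build number
	Digest  [32]byte // SHA-256 of the firmware image
	Sig     []byte   // vendor Ed25519 signature over version and digest
}

// signedBytes is the exact byte string the vendor signs (fixed-width, unambiguous).
func signedBytes(version uint32, digest [32]byte) []byte {
	return []byte(fmt.Sprintf("%010d|%x", version, digest))
}

// Sign runs on the vendor build server; the private key never ships on devices.
func Sign(priv ed25519.PrivateKey, version uint32, image []byte) Manifest {
	d := sha256.Sum256(image)
	return Manifest{version, d, ed25519.Sign(priv, signedBytes(version, d))}
}

// Verify runs on the device before anything is written to flash.
func Verify(pub ed25519.PublicKey, installed uint32, m Manifest, image []byte) error {
	if !ed25519.Verify(pub, signedBytes(m.Version, m.Digest), m.Sig) {
		return fmt.Errorf("signature invalid: manifest not from the vendor key")
	}
	if sha256.Sum256(image) != m.Digest {
		return fmt.Errorf("digest mismatch: image corrupted or swapped")
	}
	if m.Version <= installed {
		return fmt.Errorf("rollback rejected: %d is not newer than %d", m.Version, installed)
	}
	return nil
}

// demo runs constructed cases with a fixed-seed sample key: valid, tampered, replayed.
func demo() (ok, tampered, replayed error) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	pub := priv.Public().(ed25519.PublicKey)
	img := []byte("constructed firmware image v7")
	m := Sign(priv, 7, img)
	return Verify(pub, 6, m, img), Verify(pub, 6, m, append(img, 0)), Verify(pub, 7, m, img)
}

func main() { fmt.Println(demo()) }
```

Because the version number is inside the signed bytes, an attacker cannot raise it on an old, vulnerable build to slip past the rollback check without invalidating the signature.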

Certificates as a Solution for Secure IoT Devices

The well-established, PKI-managed digital certificates can help organizations address many of the aforementioned vulnerabilities.

The key to securing the proliferation of IoT devices is being able to identify them. Digital certificates are great for the provisioning of machine identities and for authenticating the distributed IoT ecosystem. Many IoT manufacturers and organizations are already leveraging the benefits of digital certificates for device identity, authentication, and encryption. However, issuing and managing the thousands of digital certificates across the entire corporate IoT ecosystem can be challenging if the solution for certificate management does not allow for automation and scalability.

A machine identity management solution will help organizations secure their IoT ecosystem by provisioning unique, strong identities, defining and enforcing security policies and standards, scaling security, and maintaining robust and effective security without jeopardizing the efficiency and operation of constrained IoT devices.

As IoT expands, no company can discount the tremendous security risks associated with having a multitude of possible infrastructure weaknesses. Digital PKI certificates with automated management will not resolve all security problems, but they are an important part of the equation that you need to assess and tailor to your organizational needs.

About the author

Anastasios Arampatzis

Anastasios Arampatzis is a retired Hellenic Air Force officer with over 20 years of experience in evaluating cybersecurity and managing IT projects. He works as an informatics instructor at AKMI Educational Institute, while his interests include exploring the human side of cybersecurity.