Thursday, 11 February 2016

IoT Devices – Areas of Security concern



The Internet of Things (IoT) is actually much bigger than anyone realizes. IoT revolves around machine-to-machine communication. It is built on networks of sensors gathering data. These sensors are virtual and mobile, with instantaneous connectivity. The real value of the Internet of Things is in collecting data and leveraging it. Cloud-based applications help in the interpretation and transmission of data from these sensors.



Of all the current technology trends, the Internet of Things is the biggest one, and hence it will also be the one that causes the most disruption. With IP and personal data accessible through connected devices, hackers have the potential to bring an organization or even a government to a standstill. Hence, we need to start building new security approaches. Continuous monitoring, threat mitigation and secure operating systems are a few approaches to start with.

Some of the aspects of security testing for IoT devices are as follows:

- Web Interface Security: Most of our devices now have an inbuilt web server. Hence, cover the following points in this regard:
  - Clear default login credentials during the initial setup
  - Ensure complex passwords
  - Check for Cross-Site Scripting
  - Check for SQL Injection
  - Check for Cross-Site Request Forgery (CSRF) vulnerabilities

- Authorization and Authentication: Authentication is much weaker in smart devices and is often limited to four-digit codes. Check for devices that accept weak passwords during the initial installation, rely on client-side Java code, send credentials for authentication without using HTTPS transport, or ask for no password at all.

- Network Services: IoT devices mostly use insecure services like Telnet, FTP, TFTP, etc. Penetration testing tools like Nessus and OpenVAS can check for the use of such dangerous services.

- Privacy Concerns: Three areas of concern need to be covered here:
  - Ensuring collection of minimal data
  - Ensuring encryption of data
  - Ensuring protection of data

- Transport Encryption: Failure in transport encryption exposes all the data and credentials at the same level of risk as an insecure web application. Hence, this aspect needs to be covered for complete security testing.

- Mobile Interface: IoT devices can also act as wireless access devices. Here, security specialists lack a concrete security-checking methodology.

- Cloud Interface: Most IoT devices need to connect to a cloud server. These web services may carry certain vulnerabilities. Hence, the focus should be on situations such as username harvesting, no lockout after brute-force guessing attempts, etc.

- Security Configuration: This generally involves features such as password enforcement, data encryption and access through different levels. One additional aspect is to check the multiple user access levels (full administrator/root permissions) of the operating system in use. Privilege escalation attacks need to be attempted to find out whether they are possible on the device.

- Software Security: The two main threats to data sent over the network are that it could be changed and that sensitive data could be intercepted. To cover these two contexts of insecurity, ensure a cryptographic signature for all updates, use of only the HTTPS ports, and that a cryptographic identity of the server is provided.

- Physical Security: Five things to cover for ensuring physical security of these devices are encryption of stored data, physical protection of the USB ports, ease of disassembling, removal of unnecessary ports and ease of storage media removal.
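The two Cloud Interface checks named above (username harvesting and missing lockout), written as a test that runs in-process against a weak and a hardened login handler. This is an added example, not code from the original post; the handler classes, the `MAX_FAILURES` threshold and the test account are assumptions made for illustration.

```python
import hashlib, hmac, os

MAX_FAILURES = 5  # assumed lockout threshold, not taken from the post

def kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user(password):
    salt = os.urandom(16)
    return salt, kdf(password, salt)

DUMMY = make_user("placeholder")  # hashed for unknown names so the work is uniform

class WeakLogin:
    """Distinct error messages and unlimited guesses."""
    def __init__(self, users):
        self.users = users
    def login(self, user, password):
        if user not in self.users:
            return "unknown user"
        salt, digest = self.users[user]
        if hmac.compare_digest(kdf(password, salt), digest):
            return "ok"
        return "wrong password"

class HardenedLogin(WeakLogin):
    """One generic failure message and a per-name failure counter."""
    def __init__(self, users):
        super().__init__(users)
        self.failures = {}
    def login(self, user, password):
        if self.failures.get(user, 0) >= MAX_FAILURES:
            return "invalid credentials"  # locked; a real service adds a timed unlock
        salt, digest = self.users.get(user, DUMMY)
        match = hmac.compare_digest(kdf(password, salt), digest)
        if match and user in self.users:
            self.failures.pop(user, None)
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        return "invalid credentials"

def audit(service, user, password):
    """Run both checks against a test account the tester owns."""
    findings = []
    if service.login(user, "wrong-0") != service.login("no-such-user", "wrong-0"):
        findings.append("username harvesting")
    for i in range(MAX_FAILURES):
        service.login(user, f"wrong-{i + 1}")
    if service.login(user, password) == "ok":
        findings.append("no lockout")
    return findings

USERS = {"admin": make_user("constructed-Passw0rd")}  # constructed test account
```
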

Conclusion:

According to recent studies, the majority of IoT devices have security vulnerabilities. With millions of new smart devices, hardware endpoints, innumerable lines of code and more complex infrastructure to cope with the load, an extensive set of challenges has been created. Instead of researching testing techniques, a clear mandatory emphasis on security from day one is a better approach, especially when dealing with such immature miniature technologies.

Thursday, 4 February 2016

Security Testing in Software Development Life Cycle.



Security Testing ensures the confidentiality of the data. It can be started right from the requirement gathering phase of the Software Development Life Cycle. It can verify that no intentional or unintentional action is able to stop or delay the system. The complexity of security testing is different in different phases.







  1. Requirement Gathering: In this phase, we need to determine the level of security that the system may require while we assess the requirements. The level of security can vary through government level, bank level, e-commerce level, simple information level confidentiality, etc. Another consideration is the effort that can be invested with respect to security testing.
  2. Design Phase: Here, a detailed plan for security testing needs to be created. This involves listing the testing tools, the manual approaches and the vulnerabilities that will be covered.

The different types of vulnerabilities can be defined as:

-      Data confidentiality
-      Authentication
-      Authorization
-      Integrity
-      Availability
-      Non-repudiation

The different types of techniques that can be applied are:

-      SQL Command Injection
-      Cross Site Scripting
-      Session Management and broken authentication
-      Insecure direct object references
-      Exposure of sensitive data
-      Security misconfiguration
-      Function level access control
-      Cross Site Request Forgery
-      Invalid redirects
-      Using vulnerable components.

  3. Development Phase: Here, tools for static analysis can be used for security testing. These tools help in identifying security loopholes based on patterns and rules. Testing in this phase is the most recommended, as it involves unit-level testing. Here, each code block is tested for potential bugs. These bugs, if left unchecked, result in bigger errors at the later stages. Examples of such bugs are:

-      Exception Handling
-      Ignored Return Values
-      Buffer Overruns
-      Complicated Functions

  4. Integration Phase: As the code blocks are integrated one by one to form the whole system, integration testing is performed. This is also known as black box testing. These tests are performed to eliminate security vulnerabilities before deployment. They uncover errors that were missed or were nonexistent in the unit-level testing. They also detect configuration errors and potential security inconsistencies with third-party applications and the overall system.

  5. System Testing Phase: Here, vulnerability scanners are used extensively. They have a predefined set of security rules, adhering to which they crawl through the entire application, finally creating a comprehensive report on the system vulnerabilities. The report clearly defines the cause, severity and solution for each case. However, the scanner should be used together with a manual check, as it may generate many false positives due to its predefined set of rules and lack of knowledge of the business logic.

  6. Deployment Phase: Here, penetration testing is performed, where a hacking attack is simulated on the system. This is performed to uncover all the remaining security threats. Performing penetration tests avoids network costs as well as regulatory requirements.

  7. Support/Maintenance Phase: All of the above tests were pre-production testing. After deployment, post-production testing needs to be performed. This can be done more efficiently by using a Software Security Assurance Program.
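The pattern-and-rule checking described under the Development Phase, shown as a small static analyser built on Python's `ast` module (an added example, not from the original post). It covers exception handling, ignored return values and complicated functions; buffer overruns do not apply to Python source. The `MUST_CHECK` names, the `MAX_BRANCHES` threshold and the sample code, including the `fwtool` command, are assumptions.

```python
import ast

MUST_CHECK = {"call", "send", "write"}  # assumed: calls whose result reports failure
MAX_BRANCHES = 3                        # assumed complexity threshold
BRANCH_NODES = (ast.If, ast.For, ast.While, ast.Try, ast.BoolOp)

# Constructed sample input; "fwtool" is a hypothetical command name.
SAMPLE = '''
import subprocess

def update(path, sock):
    try:
        subprocess.call(["fwtool", "verify", path])
    except Exception:
        pass
    data = open(path, "rb").read()
    sock.send(data)

def route(a, b, c):
    if a:
        for x in b:
            while c:
                if x and c:
                    return x
    return None
'''

def call_name(call):
    """Last component of the called name: subprocess.call -> 'call'."""
    func = call.func
    return func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", "")

def scan(source):
    """Return sorted (line, rule) findings for three of the four bug classes."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.ExceptHandler):
            swallowed = all(isinstance(stmt, ast.Pass) for stmt in node.body)
            if node.type is None or swallowed:  # bare except, or error discarded
                findings.append((node.lineno, "exception-handling"))
        elif isinstance(node, ast.Expr) and isinstance(node.value, ast.Call):
            if call_name(node.value) in MUST_CHECK:  # result never stored or tested
                findings.append((node.lineno, "ignored-return-value"))
        elif isinstance(node, ast.FunctionDef):
            branches = sum(isinstance(n, BRANCH_NODES) for n in ast.walk(node))
            if branches > MAX_BRANCHES:
                findings.append((node.lineno, "complicated-function"))
    return sorted(findings)

if __name__ == "__main__":
    for line, rule in scan(SAMPLE):
        print(f"line {line}: {rule}")
```

Matching on the bare method name is a deliberate simplification: it will also flag unrelated `.write()` or `.send()` calls, which is the same false-positive trade-off the System Testing Phase describes for rule-based scanners.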

Conclusion:

Security testing is not something that can or needs to be performed only in the production environment. It should be performed through every phase of the SDLC. As it covers all the security issues right from initiation, it also reduces the cost, time and effort of future fixes.