igor - Fotolia

Testing is key to IoT security, says researcher

Building an effective testing process across all elements associated with a product is key to securing the internet of things, according to a researcher in the field

Testing is the only way to ensure organisations using internet of things (IoT) devices remain secure, but that cannot be confined to internet-connected devices alone, warns Deral Heiland, IoT research lead at Rapid7.

“The most important point is that when we are thinking about security in IoT, let’s not over-focus on the embedded technology hardware, which is what researchers, testers, companies and customers tend to do,” he told Computer Weekly.

“It is important to include the whole ecosystem of a product. All the pieces that make an IoT solution work need to be considered, not just the device hardware, when we are thinking about the overall security model and risk of the product.”

These elements typically include things like network communications, the radio frequency communications, cloud APIs (application program interfaces), mobile apps, cloud services, and command and control applications found in the mobile and cloud-based pieces of an IoT system.

According to Heiland, it is not uncommon to find issues with every one of these elements making up an IoT system, but they are typically at different levels of severity.

Device manufacturers are the most obvious organisations to have security testing processes in place to assess products and services before going to market, which can alleviate “a massive amount” of the risk, said Heiland.

Allied to this, manufacturers need to ensure they have effective patching or software updating mechanisms and processes in place, so problems can be fixed when they arise.

“Vulnerabilities are never going to go away, but – like Microsoft did – this problem can be tackled by having an effective patching process to greatly reduce the risk, which consumers, both organisations and individuals, should expect and demand from manufacturers,” said Heiland.

“Before organisations commit to particular devices and services, they should demand proof that the products have been security tested to avoid exposing the organisation to unnecessary risk.

“Large organisations working on larger implementation projects should also ensure they have an effective testing process, and some are already following this approach.”

Discovered security issues

Heiland has worked with several organisations on testing IoT systems and has helped them to work with manufacturers to resolve and disclose discovered security issues.

One example of this was a GPS-style tracking device to enable parents to find their children if they became lost.

“The cloud APIs tied into this product had more security issues than you could imagine,” said Heiland, which meant total strangers could access all the GPS tracking data from the device, phone numbers associated with the device, other contact information, and even the international mobile equipment identity (IMEI) number of the device.

Anyone with an account on the system could also access other accounts and alter or reconfigure devices remotely because of the poor security of communications via APIs from the device to the associated web interface.

“The cloud APIs and the web services suffered a number of security vulnerabilities that allowed pretty much anyone to get access to the data and anyone with an account to alter the data,” said Heiland.

Although smaller companies are unlikely to have the skillset required to do security testing, he said that just being aware of the potential risks attached to all the components of an IoT system can help them implement IoT systems in a more secure way.

“By thinking about the pieces making up the ecosystem, smaller companies can identify appropriate ways of mitigating the risks of their particular environment by following best practice and mandating specific policies and processes,” said Heiland, adding that it is rare for just one piece to have a vulnerability.

In order to develop an effective testing process, organisations must first understand the structure of a typical IoT ecosystem, learn general testing methodologies of IoT systems, and be familiar with common vulnerabilities in IoT systems, he said.

Read more about IoT security

Although Heiland believes an effective security testing process is essential and should be implemented as soon as possible, he also feels that the security fears around the IoT have been over-hyped.

“In the short term, there is certainly the huge risk to life and limb as some have suggested, but as IoT systems become more common, especially in healthcare and private vehicles, we need to ramp up the way we approach security,” he said.

Heiland described many of the security issues currently being discovered in IoT systems as “typical growing pains” associated with any new technology.

The big difference with IoT, however, is that the volumes involved are much greater than ever before. The number of IoT devices and systems is expected to grow rapidly in the coming years, and the IoT is likely to be found in just about every area of life in the not-too-distant future.

“There are security challenges, just like with any technology, but it is not the end of the world because there are solutions around the corner that the industry is working on,” said Heiland.

Effective patching mechanisms

He believes effective patching mechanisms and processes are perhaps the best and quickest way to resolve many of the security risks in IoT systems, particularly once systems have been implemented.

“Most of the vulnerabilities that I and others have found follow pretty much the same pattern,” he said. “They are typically things that could have been resolved easily and that should have been picked up in testing so that they never made it on to the market in the first place.”

An effective testing process would get rid of all the common, easily-resolved security risks, which would enable researchers to concentrate on finding less-obvious, harder-to-find, more complex risks, he said.

“Security researchers want to dig deeper without wasting time finding all the simple stuff that a good testing process will find, so they can find the more hardcore stuff to make IoT systems and devices even more secure,” said Heiland.

Finally, he said organisations need to ensure they have an effective scanning system in place to enable them to identify any rogue or unauthorised IoT devices that may be connected to the company network, so they can assess and mitigate any associated risk.

IoT Security – Executing an Effective Security Testing Process will feature at Infosecurity Europe 2017 in London from 6-8 June.

Read more on Hackers and cybercrime prevention

Data Center
Data Management