planning, design, testing and implementation. In other words, security best practices are an
afterthought. The main goal for these manufacturers is to maximize profit, leaving end
users vulnerable and left to deal with threats from cyber-attacks. The relationship
between threats and risk is very simple: risk is the likelihood that a threat agent (attacker) will
take advantage of existing weaknesses or vulnerabilities in these devices by exploiting them.
Types of Vulnerabilities Defined
We have spoken about types of vulnerabilities; this next section defines the major
vulnerabilities to watch out for.
Lack of patch updates:
Now that we know most of these IoT devices have little or no security, which makes them
vulnerable to all forms of attacks, how do we mitigate these vulnerabilities? One way is to keep
patches updated. Patch management is a security control that can be employed to resolve
known vulnerabilities in IoT devices. In an ideal world, the patch management process goes
like this: vendors release patches that can be identified and downloaded via a connection to the
vendors’ update server. The patches are tested in a non-production environment, deployed and
verified to ensure known vulnerabilities have been mitigated, and then the patch is deployed to
production. However, in the IoT world, end users do not have a test server on which to test their
patches to ensure vulnerabilities are fixed. In fact, end users are at the mercy of whatever patch is
pushed to their devices by vendors. IoT devices are “live production devices”. Bear in mind that a bad
patch can render these IoT devices completely unusable. I remember downloading a patch for
my iPhone 6 Plus, and shortly after the download my phone went into a perpetual sleep mode
and never came back to life. I had to perform a factory reset to get rid of the bad patch
update, which meant I had to make this change to make my device secure and efficient. I know
other people have similar stories to tell about patch updates gone bad on their devices.
Lack of or Absence of Encryption:
Absence of encryption or weak encryption on IoT devices means all activities or transactions
performed on these devices are done in plain text, which makes them susceptible to all
forms of cyber-attacks. Encryption converts plain text into cipher-text, which prevents
unauthorized disclosure of sensitive information such as personal information (e.g. social
security number, driver’s license information, home address and phone numbers) and protects
confidentiality by keeping sensitive information private.
Digital signatures are encrypted with the sender's private key to validate the integrity of
information from the sender and to provide non-repudiation. In this way, the sender is unable to deny
sending sensitive information across a network to a device. For example, a digital certificate in the
X.509 v3 format, established and defined by the International Telecommunication Union, is used to encrypt
email messages. Tools such as Pretty Good Privacy can be used to validate the identity of
remote computers or other IoT devices to ensure only the devices that have a valid certificate are
allowed access, and those detected without a valid certificate are denied access to the network
(Lu, Qu, Hui, 2016).
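
The integrity and non-repudiation check described above, applied to a vendor patch before a device installs it; this is an added example, not code from the article. It assumes the `openssl` command-line tool is available, and the ECDSA P-256 algorithm, key names, file names and patch contents are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: a device accepts a patch only if its signature verifies
# against the vendor public key it already trusts. All inputs are constructed.
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_keypair NAME: create an ECDSA P-256 key pair (algorithm is an assumption).
make_keypair() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$1.key"
    openssl pkey -in "$WORK/$1.key" -pubout -out "$WORK/$1.pub"
}

# sign_patch KEYNAME FILE: vendor side, sign the SHA-256 digest of FILE
# with the named private key and write the signature to FILE.sig.
sign_patch() {
    openssl dgst -sha256 -sign "$WORK/$1.key" -out "$2.sig" "$2"
}

# verify_patch FILE: device side, check FILE.sig against the pinned vendor
# public key only; any failure (bad content, wrong key, no signature) rejects.
verify_patch() {
    if openssl dgst -sha256 -verify "$WORK/vendor.pub" \
            -signature "$1.sig" "$1" >/dev/null 2>&1; then
        echo ACCEPT
    else
        echo REJECT
    fi
}

make_keypair vendor      # key the device trusts
make_keypair stranger    # key the device does not trust

# Case 1: patch signed by the vendor and delivered unchanged.
printf 'constructed firmware patch 1.0.1\n' > "$WORK/good.bin"
sign_patch vendor "$WORK/good.bin"

# Case 2: vendor signature kept, but the content changed after signing.
cp "$WORK/good.bin" "$WORK/tampered.bin"
cp "$WORK/good.bin.sig" "$WORK/tampered.bin.sig"
printf 'extra bytes\n' >> "$WORK/tampered.bin"

# Case 3: correctly signed, but by a key the device does not trust.
printf 'constructed firmware patch 1.0.1\n' > "$WORK/foreign.bin"
sign_patch stranger "$WORK/foreign.bin"

for f in good tampered foreign; do
    echo "$f: $(verify_patch "$WORK/$f.bin")"
done
```

Only the first case is accepted: the tampered file fails the integrity check, and the third shows that a signature proves origin only for the holder of the trusted private key.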
37 Cyber Warnings E-Magazine January 2017 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide