The Internet of Things (IoT) is actually much bigger than anyone realizes. IoT revolves around machine-to-machine communication. It is built on networks of sensors gathering data. These sensors are virtual and mobile, with instantaneous connectivity. The real value of the Internet of Things is in collecting data and leveraging it. Cloud-based applications help interpret and transmit the data from these sensors.

Of all the technology trends going on today, the Internet of Things is the biggest, and hence it will also be the one that causes the most disruption. With IP and personal data accessible through connected devices, hackers have the potential to bring an organization or even a government to a standstill. Hence, we need to start building new security approaches. Continuous monitoring, threat mitigation and secure operating systems are a few approaches to start with.

Some of the aspects for Security Testing of IoT devices are as follows:

- Web Interface Security: Most of our devices now have a built-in web server. Hence, cover the following points in this regard:

  - Clear default login credentials during the initial setup

  - Ensure complex passwords

  - Check for Cross-Site Scripting (XSS)

  - Check for SQL Injection

  - Check for Cross-Site Request Forgery (CSRF) vulnerabilities

- Authorization and Authentication: Authentication is much weaker in smart devices and is often limited to four-digit codes. Check for devices that allow weak passwords during the initial installation, use client-side Java code, send authentication data without HTTPS transport or ask for no password at all.

- Network Services: IoT devices mostly use insecure services such as Telnet, FTP and TFTP. Penetration testing tools like Nessus and OpenVAS can check for the use of such dangerous services.

- Privacy Concerns: Three areas of concern that need to be covered here are:

  - Ensuring collection of minimal data

  - Ensuring encryption of data

  - Ensuring protection of data

- Transport Encryption: Failure in transport encryption exposes all the data and credentials at the same level of risk as an insecure web application. Hence, this aspect needs to be covered for complete security testing.

- Mobile Interface: IoT devices can also act as wireless access devices. Here security specialists lack a concrete security-checking methodology.

- Cloud Interface: Most IoT devices need to connect to a cloud server. These web services may carry certain vulnerabilities. Hence, the focus should be on situations such as username harvesting and no lockout after brute-force guessing attempts.

- Security Configuration: This generally involves features such as password enforcement, data encryption and access through different levels. One additional aspect is to check the multiple user-level access (full administrator/root permissions) of the operating system in use. Privilege escalation attacks need to be attempted where such paths exist in the device.

- Software Security: The two main threats to data sent over the network are that it could be changed and that sensitive data could be intercepted. To cover both, ensure a cryptographic signature for all updates, use of only the HTTPS ports and a cryptographic identity provided by the server.

- Physical Security: Five things to cover for ensuring physical security of these devices are encryption of stored data, physical protection of the USB ports, ease of disassembly, removal of unnecessary ports and ease of storage media removal.
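The two Cloud Interface checks named in the list (username harvesting and missing lockout), shown as an added example that is not part of the original article. `WeakLoginService`, `HardenedLoginService`, `audit`, the threshold of 5 attempts and the sample credentials are hypothetical and constructed for illustration.

```python
import hashlib, hmac, os

MAX_FAILURES = 5                           # assumed lockout threshold
GENERIC = "invalid username or password"   # one message for every failure

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class WeakLoginService:
    """Constructed 'before' case: distinct errors, no attempt limit."""
    def __init__(self):
        self._users = {}       # username -> (salt, password hash)
        self._failures = {}    # username -> consecutive failed attempts

    def register(self, username, password):
        salt = os.urandom(16)
        self._users[username] = (salt, _hash(password, salt))

    def login(self, username, password):
        if username not in self._users:
            return "unknown user"          # reveals which accounts exist
        salt, stored = self._users[username]
        ok = hmac.compare_digest(_hash(password, salt), stored)
        return "ok" if ok else "wrong password"

class HardenedLoginService(WeakLoginService):
    """Same store, with uniform failures and a per-name attempt limit."""
    def login(self, username, password):
        # Unknown names are counted too; production code would expire the counter.
        if self._failures.get(username, 0) >= MAX_FAILURES:
            return GENERIC
        salt, stored = self._users.get(username, (b"\0" * 16, b""))
        candidate = _hash(password, salt)  # always hash, known user or not
        if username in self._users and hmac.compare_digest(candidate, stored):
            self._failures.pop(username, None)
            return "ok"
        self._failures[username] = self._failures.get(username, 0) + 1
        return GENERIC

def audit(service, user, password):
    """Return findings for the two weaknesses named in the list item."""
    findings = []
    if service.login(user, "wrong-guess") != service.login("no-such-user", "wrong-guess"):
        findings.append("username harvesting")
    for _ in range(MAX_FAILURES):
        service.login(user, "wrong-guess")
    if service.login(user, password) == "ok":
        findings.append("no lockout")
    return findings
```

Run `audit` only against a test account on a service you own, because the hardened path leaves that account locked.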

Conclusion:

According to recent studies, the majority of IoT devices have security vulnerabilities. With millions of new smart devices, hardware endpoints, innumerable lines of code and more complex infrastructure to cope with the load, an extensive set of challenges has been created. Instead of researching testing techniques, a clear, mandatory emphasis on security from day one is a better approach, especially when dealing with such immature miniature technologies.

Source: articlesbase.com

Rewrite Article © 2016. Some Rights Reserved.