The world is increasingly interconnected through the internet. More and more “smart” devices and appliances are now online 24 hours a day. But what are the real implications of the development of IoT and home automation? Are users really safe? What is the level of protection for their data? And what are the biggest risks to privacy?
During Codemotion Milan 2018, Guy Rombaut, CTO at OneFit, spoke to us in depth about these issues.
There are now many low-cost devices always connected and already installed in the workplace and home. Exposing these devices to the internet without precautions and without sensitising the users to their implications is a big risk. In addition to the possible violations of individual privacy, there is also a more relevant aspect concerning security.
In the absence of the necessary countermeasures, malicious users could take possession of our “smart” car, or turn off the electricity of a home remotely, or lock us out of the house. This is the potential downside of the domotics and IoT devices.
The well-known Ransomware WannaCry is a striking example of how cybersecurity is a topic too often ignored today. Although there is a lot of work being done in schools to make students aware of cybersecurity, very often the most basic security rules are not applied as much by individual users as by companies. So can a secure smart system be implemented? Obviously, yes. Just follow some basic rules that should be applied by all manufacturers on the market:
Always employ staff specialised in web security during development. Working with developers already accustomed to the use of normal security protocols will improve the security of your project and your service. This is because having a good knowledge of the rules of cybersecurity will mean you implement them during the early stages of development. Present the project in production, already prepared for the implementation of the right security protocols.
Prioritize security and security features of the device before sending it to production. This will protect not only the end user but also the company itself from possible future security problems. Another important factor in ensuring the security of an IoT system is to ensure constant updates, for the entire lifecycle of the device. Moreover, it’s very important to ensure that the device updates automatically without requiring user intervention. Eliminating the need for manual intervention for the update allows you to not only improve the user experience but also to prevent the user from postponing the update.
Security obviously goes through cryptographic algorithms. Use data encryption algorithms during communications to and from the device and to store passwords; it’s key to ensuring that user data is kept and stored in a stable and secure manner. For example, you can create web apps for your IoT device which always use the HTTPS protocol, so as to protect its users with an SSL or TLS certificate.
Although it is possible to implement a vast array of protocols, one of the main security risks remains the user themselves. That’s why you have to oblige the user to set a strong password, to change it at least once a year and to activate the two-factor verification. The development team will also have to implement and use smart methods to recover login credentials.
Once you get to the stable version of the software, it is good to perform, as well as during the whole life cycle of the device, various penetration tests to ensure that the implementing security protocols work well.
In addition, a company that makes IoT devices should never use a “default” password in the factory settings. This is because users often do not change the password if not forced. Leaving a standard password on the device is like leaving the door open at home day and night. Another fatal mistake that a development team can make is to implement secret and undocumented remote access methods such as backdoors. This hidden remote access does nothing but make the attack platform wider and, if discovered by a hacker, can lead to intrusions against which you can not defend.
At the end of his talk, Guy Rombaut showed us how easy it is to get the password of a device that has not been designed with the right security protocols. He looked for a simple target like a public webcam and, after finding the public IP, he used logic and an open source tool, nmap, to understand the username and password to access the webcam control panel.
Nmap can be used to discover hosts and services on a computer network, thus building a “map” of the network. To accomplish its goal, Nmap sends specially crafted packets to the target host(s) and then analyses the responses. For example, Rombaut scans the network in this way:
nmap -T4 -A -v 192.168.0.0/24 -p 21, 75-100,443, 554, 22222, 3322,3333, 5000, 5550, 8080, 8081, 100002
With this simple command, he scanned the network, looking for a web server that queried then returned the password and the username set by default (admin/1234). But it is also possible to exploit the simpler bugs of JavaScript code on the access page of these devices. For example, by connecting to a web page using the browser’s developer tools, you can invoke the GetCurPwd () function and return the corresponding value “admin123345”.
Now imagine that this system is not a simple public webcam but for your car or the door of your home. Can you comprehend how great the risks of an IoT ecosystem without security standards are?
So a truly safe IoT system should always have three characteristics:confidentiality, integrity and availability, also known as the CIA triad, is a model designed to guide policies for information security within an organisation. The model is also sometimes referred to as the AIC triad (availability, integrity and confidentiality) to avoid confusion with the Central Intelligence Agency. The elements of the triad are considered the three most crucial components of security.
In this context, confidentiality is a set of rules that limits access to information, integrity is the assurance that the information is trustworthy and accurate, and availability is a guarantee of reliable access to the information by authorised people.
In addition, our devices should always be able to be controlled by something that can be directly associated with us, such as another device or biometric values (fingerprints or face ID).
In conclusion, Guy Rombaut hopes that all developers and users will start to become more aware of the risks of the IoT world and put pressure on companies to implement ever better security systems.
