Internet of Things Only Add To CISO's Woes

by CXOtoday News Desk    Nov 26, 2015

confused

While CISOs are spending quality time and effort in strengthening their company’s security strategies, what’s adding to their owes is the uncontrollable expansion of Internet of Things devices. Reports suggest, the software behind IoT devices often isn’t up to enterprise security standards. According to a research paper presented by European security researchers at last week’s DefCamp conference in Romania, security executives are facing serious problems in Web interfaces of IoT devices.

The researchers found serious vulnerabilities in at least 24 percent of the Web interfaces they were able to emulate, including 225 high impact vulnerabilities by automatic analysis. According to the report, 9,271 issues were found in 185 firmware images, where the devices tested included routers, DSL/cable modems, VoIP phones and IP/CCTV cameras. The situation could be worse, they suggest, because the emulation quality of their scanner could be improved, tipped off researchers.

“These results show that some embedded systems manufacturers need to start considering security in their software life-cycle, e.g., using off-the-shelf security scanners as part of their product quality assurance,” said the authors.

The study further showed that porous Web interfaces are a problem because they can be leveraged by SQL injection, cross-site scripting, cross site request forgery, command injection and HTTP response splitting.” If the code creators have security in mind when creating their software that will help cut down the problem, but the researchers note that static analysis of code or dynamic analysis of Web interfaces against known attack patterns will be needed to discover vulnerabilities  and issue patches. So the tool the researchers invented, which emulates firmware, has a practical use,” they said.

Despite these developments, CISOs and security teams need to question suppliers about the application development  of devices they buy. “There are warning signs that can tip buyers off about potentially insecure devices, such as those that only demand four-digit PIN passwords, lack strong access control or have open inbound ports,” said the study.

It warned that whether IoT devices are a threat to an organization will depend on the device and its use, if it collects personal or financial information or to a network that has access to that data, for example. The research suggests small businesses may be the most at risk.

The good sign is that manufacturers are aware of the potential problem and leading firms joined hands to create the Internet of Things Security Foundation to promote best practices. Members include big names such as Siemens, Vodaphone, Webroot, BT (British Telecom), among others.