Comprehensive Review of IoT Threats and Vulnerabilities
As defined by the International Engineering Task Force (IETF), a cyber threat is actually “a potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm. That is, a threat is a possible danger that might exploit a vulnerability”. At the same time, a vulnerability is the weakness of a system that can be exploited intentionally by malicious actors for personal gains. IoT threat is always there, and the consequences can be fatal if IoT-based systems such as autonomous cars, sensor-guided weapons, and large-scale industrial systems are compromised.
We will briefly describe the OWASP top 10 IoT security vulnerabilities:
1. Weak and guessable default password
According to OWASP, easy default passwords by manufacturers are among the top vulnerabilities of IoT devices. These passwords can easily be guessed even by naïve hackers. Almost all the manufacturers send their devices encrypted with easy passwords such as admin, 123, or the device name.
2. Insecure Network Services
IoT devices are not capable of installing traditional intrusion detection systems on them. Hence unauthorized access is not very difficult on these devices. This vulnerability is easily exploited by hackers who execute DOS attacks that populate the devices’ bandwidth capacity, resulting in the failure of the services.
3. Insecure Ecosystem Interfaces
Usually, the web, API, or cloud interface is not encrypted, solid, or secured. Therefore, making the IoT device vulnerable to cyber-attacks. The device can completely lack authorization if the interface is compromised.
4. Lack of Security Update Mechanisms
One of the major backdrops for IoT devices is not having regular security updates. Unfortunately, these do not offer this facility by default providing any guarantee of the security for the end-user. Therefore, OWASP placed it at the 4th position.
5. Use of Outdated Components
It can be understood from this vulnerability that IoT isn’t only vulnerable at the interface level. The insecure or outdated software system is also equally dangerous and open to exploitation and can completely block the production system.
6. Insecure Privacy Protection
Device privacy and the user’s data privacy is also the main elements in making IoT devices secure. The IoT data traffic can be analyzed or saved without permission.
7. Insecure Data Transfer Storage
It is obvious that data transfer and storage of the data must be secure and safe. Its access must not be allowed to unauthorized actors without permission. Therefore, encryption of data is essential in this case. Plain data transfer and storing it without proper security measures can be harmful.
8. Lack of Device Management
This vulnerability has been placed on number eight by OWASP, but it is also crucial to keep device management intact. Proper management of the devices with monitoring control should be the primary concern of the users.
9. Insecure Default Setting
As already mentioned, any default setting such as the default username, password, or IP address of IoT devices can become a vulnerability and be exploited by hackers. Therefore, the default setting must be updated regularly.
10. Lack of Physical hardening
Last but not the least on the list is the lack of hardening of an IoT device. This means the debugging of the ports, securing boots, and removing cards can be a vulnerability
