There’s a storm brewing for embedded Internet of Things (IoT) and network-attached storage (NAS) devices after the recent discovery of 125 IoT and NAS device vulnerabilities. IoT devices have opened the door to new and better ways to manage data, improve communication and increase profits. Similarly, NAS devices have enabled new ways of remote working. Although these devices are a godsend for home-based workers and forward-thinking enterprises, they also carry a lot of security risk.
Research team Independent Security Evaluators (ISE) recently assessed the security of 13 small office/home office (SOHO) and NAS devices. They aimed to gain remote root-level access – and achieved this in 12 of the 13 devices, circumventing the security controls the manufacturers had put in place.
The fact that the vast majority of these devices don’t have sufficient security controls and are laden with vulnerabilities should be a red flag for an organization’s CISO and their security team. If there was any doubt about whose responsibility it is to secure IoT, SOHO and NAS devices, that should now be dispelled. The manufacturer cannot and should not be trusted: the buck stops with the CISO.
Why Are IoT and NAS Device Vulnerabilities so Prevalent?
As IoT product creators race to release new products ahead of their competitors, product cycles are being shortened. This has led to security being given lower priority. The default passwords on the devices are often weak and are even frequently posted online for faster device setup. If a customer fails to change them promptly to stronger passwords, potential attackers will be able to compromise the IoT products remotely with little effort.
Manufacturers’ default settings are far too loose: untrained users are handed a far bigger attack surface than necessary straight out of the box. Manufacturers also rely far too heavily on cookie-based authentication, have limited bug-reporting processes, rarely use standard protocols with built-in encryption (or else bolt standard encryption onto proprietary protocols), and lack basic web application security practices such as anti-CSRF tokens. There is a lot that manufacturers could do to improve the security of their devices but, in many cases, they are not doing it.
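The two web-application weaknesses named above (trusting the session cookie alone, and shipping a well-known default password) are easiest to see side by side. The following is an added example, not code from the page or from any vendor: a hypothetical in-memory model of a device admin backend with one handler that honours any request carrying a valid session cookie, and a hardened handler that also demands a per-session anti-CSRF token and refuses to do anything other than change the password while the shipped default is still in use. All names, the "admin" default and the action strings are constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    """One logged-in admin session, keyed by the session cookie (constructed)."""
    user: str
    csrf_token: str
    password_is_default: bool


class AdminPortal:
    """Hypothetical device web-admin backend; not any manufacturer's code."""

    DEFAULT_PASSWORD = "admin"  # constructed stand-in for a shipped default

    def __init__(self):
        self._sessions = {}          # cookie value -> Session
        self._password = self.DEFAULT_PASSWORD

    def login(self, password):
        """Return a fresh session cookie, or raise if the password is wrong."""
        if not hmac.compare_digest(password.encode(), self._password.encode()):
            raise PermissionError("bad credentials")
        cookie = secrets.token_urlsafe(32)
        self._sessions[cookie] = Session(
            user="admin",
            csrf_token=secrets.token_urlsafe(32),   # unguessable, per session
            password_is_default=(self._password == self.DEFAULT_PASSWORD),
        )
        return cookie

    def csrf_token(self, cookie):
        """Token the legitimate UI embeds in its forms (here returned directly)."""
        return self._sessions[cookie].csrf_token

    def handle_cookie_only(self, cookie, action):
        """Weak pattern: a valid cookie is the only thing checked. A browser
        sends the cookie automatically, so any page the admin visits could
        trigger this action on the device."""
        sess = self._sessions.get(cookie)
        if sess is None:
            return "401 unauthorized"
        return self._apply(sess, action)

    def handle_hardened(self, cookie, csrf_token, action):
        """Hardened pattern: the cookie identifies the session, the CSRF token
        proves the request came from the device's own UI, and nothing but a
        password change is allowed while the default password is still set."""
        sess = self._sessions.get(cookie)
        if sess is None:
            return "401 unauthorized"
        if csrf_token is None or not hmac.compare_digest(
                csrf_token.encode(), sess.csrf_token.encode()):
            return "403 csrf check failed"
        if sess.password_is_default and action.get("type") != "change_password":
            return "403 default password must be changed first"
        return self._apply(sess, action)

    def _apply(self, sess, action):
        """Perform a state-changing admin action (constructed action set)."""
        if action.get("type") == "change_password":
            new = action.get("password", "")
            if len(new) < 12 or new == self.DEFAULT_PASSWORD:
                return "400 password too weak"
            self._password = new
            sess.password_is_default = False
            return "200 password changed"
        if action.get("type") == "enable_remote_admin":
            return "200 remote admin enabled"
        return "400 unknown action"
```

The token is compared with `hmac.compare_digest` rather than `==` so that the check is constant-time, and it is generated per session rather than per device so that one leaked token does not unlock every session.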
This apparent lack of desire among manufacturers to improve their security can feel jarring. The research undertaken by ISE was a follow-up to an almost identical investigation it ran back in 2013. The types of bugs found and published in 2013 are still present in 2019: while the security of software development in general has greatly improved over the last six years, IoT devices have faltered. This is a reality that security teams need to be aware of so that they can work around the devices’ flaws.
What Can Manufacturers do to Improve Security of IoT and NAS Devices?
Thankfully, there are some steps which can be taken by organizations to improve the security of these devices. If a business is looking to install and/or manage a new IoT or NAS device, it’s critical that proper firewall security is in place between an organization and all of its remote end-points. On top of this, the organization needs to have full visibility of its entire security infrastructure.
This visibility is imperative – IoT devices are often remotely exposed and can be used as a foot in the door to enter an organizational network, so it’s even more important than usual to ensure the security of all ingress and egress points. With visibility of their entire infrastructure, organizations are able to evaluate and manage any risk.
Further, they need to establish a rapid patch management process. The ISE research shows just how many vulnerabilities exist in these devices: in order to stay on top of any new flaws and to ensure the security of any new device added to the network, it would be a wise idea to automate the patching processes.
Finally, because remote workspaces are so ripe for attack, it’s important that controls are put in place to limit their risk. Remote workers should be required to use a VPN as an additional layer of security. Additionally, the business should ensure that the closest support contact to the remote worker is trained in patching procedures from the outset so that they know what to do when the need arises. And deployed devices should be configured for minimal privilege, minimal external access, and minimal overall functionality.
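The recommendations above (visibility of every ingress point, tracking patch levels, and configuring devices for minimal external access) reduce to a few checks that can be run over an inventory. The following is an added example, not code from the page or any vendor tool: a hypothetical inventory record per device and an audit that flags management or file-sharing services facing the WAN, unchanged default credentials, firmware behind the vendor's current release, and management interfaces reachable without the VPN, ranked so the worst device comes first. The field names, the port list and the two sample devices are all constructed for the example.

```python
from dataclasses import dataclass

# Ports that carry management or file-sharing functions on typical SOHO/NAS
# gear (constructed list for the example); none of these should face the WAN.
MANAGEMENT_PORTS = frozenset({22, 23, 80, 443, 445, 8080, 8443})

# Severity weights for ranking devices (constructed scale: higher is worse).
SEVERITY = {"wan_exposure": 10, "default_creds": 8, "no_vpn": 5, "stale_firmware": 3}


@dataclass(frozen=True)
class Device:
    """Inventory record for one deployed device (hypothetical schema)."""
    name: str
    wan_services: frozenset      # TCP ports reachable from the internet
    lan_services: frozenset      # TCP ports reachable only from inside / VPN
    firmware: str                # installed version, dotted numeric
    latest_firmware: str         # vendor's current release
    default_creds_changed: bool
    management_behind_vpn: bool


def parse_version(v):
    """'1.4.2' -> (1, 4, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


def audit(device):
    """Return a list of (severity, finding) for one device."""
    findings = []
    exposed = device.wan_services & MANAGEMENT_PORTS
    if exposed:
        findings.append((SEVERITY["wan_exposure"],
                         f"management/file service exposed to WAN: {sorted(exposed)}"))
    if not device.default_creds_changed:
        findings.append((SEVERITY["default_creds"], "default credentials still in use"))
    if not device.management_behind_vpn:
        findings.append((SEVERITY["no_vpn"], "management interface reachable without VPN"))
    if parse_version(device.firmware) < parse_version(device.latest_firmware):
        findings.append((SEVERITY["stale_firmware"],
                         f"firmware {device.firmware} behind vendor release {device.latest_firmware}"))
    return findings


def risk_score(device):
    """Sum of severities; 0 means the device passes every check."""
    return sum(sev for sev, _ in audit(device))


def audit_inventory(devices):
    """Return [(name, score, findings), ...] ordered worst-first."""
    report = [(d.name, risk_score(d), audit(d)) for d in devices]
    return sorted(report, key=lambda row: row[1], reverse=True)


# Constructed sample inventory: a branch-office NAS left at factory settings
# and a camera that has been locked down.
SAMPLE_INVENTORY = [
    Device("nas-branch-1", frozenset({445, 8080}), frozenset({22}),
           "1.4.2", "1.5.0", default_creds_changed=False, management_behind_vpn=False),
    Device("cam-lobby", frozenset(), frozenset({80}),
           "2.0.1", "2.0.1", default_creds_changed=True, management_behind_vpn=True),
]

if __name__ == "__main__":
    for name, score, findings in audit_inventory(SAMPLE_INVENTORY):
        print(f"{name}: score {score}")
        for _, text in findings:
            print(f"  - {text}")
```

Feeding this from whatever source of truth the organization already has (a CMDB export, scan results, VPN firewall rules) is the "visibility" the article calls for; the firmware comparison is the hook for the automated patch process, since any device whose installed version trails the vendor's release shows up on every run.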
The benefits of IoT and NAS devices are clear. The path to securing them can be less so – but its importance cannot be downplayed.