Protection from Trojan horses

Not all routers, printers or smart devices are secure, and a large proportion put the entire IT infrastructure at risk. IoT Inspector's IoT firmware analysts have some helpful tips on how to protect the IoT infrastructure adequately.


According to random samples taken by the IT consulting firm IoT-Inspector in Bad Homburg, Germany, 50 percent of devices often have glaring vulnerabilities that would allow an attack on the entire system infrastructure. Particular care should be taken when procuring printers, routers, security cameras and lighting systems, the firm says. Hackers know the vulnerabilities and like to exploit them. According to IoT-Inspector, each device contains, on average, software components from more than ten different manufacturers, so-called OEM producers. In a detailed checklist, the IT consulting firm gives the following security tips:

  • First, a protection needs assessment and threat analysis should take place to establish clear guidelines for IoT security.
  • Definition of concrete technical security requirements for procurement. These are recorded in a security specification and must be verifiably implemented by the manufacturer. International specifications such as ISA/IEC 62443 or ETSI 303 645 provide orientation for this. There are also security-focused procurement platforms from which concrete procurement texts can be taken.
  • Assessment of the manufacturer's trustworthiness and diligence in hardware and software development. Established maturity models such as OWASP SAMM or BSIMM provide orientation. The manufacturer must demonstrate that it meets the required level of maturity, which depends on the protection needs of the device, for all development activities.
  • Perform automated security testing of device firmware, both at acceptance and at fixed intervals, to detect any new vulnerabilities introduced by firmware updates.
  • Whitebox audits based on the OWASP IoT Testing Guides are recommended.
  • Requesting written assurance from the manufacturer that all defined security requirements have been met.
  • Review of security documentation created during software development (e.g., security architecture documentation, data flow analyses, results of vendor's internal security tests).
  • If an IoT device gains access to sensitive information or is deployed in particularly vulnerable areas, a full security source code review of the firmware should be conducted, as well as a physical security review of the IoT device itself, focusing on hidden backdoors in the software and hardware.

For interested parties, IoT Inspector offers a whitepaper for download.

Source: IoT Inspector GmbH

 
