
Seven security risks threatening the Internet of things

2025-04-05 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

Foreword:

As more and more employees have a variety of home Internet of things devices, they often connect to the corporate network to complete their work. This means that the enterprise network is facing a huge threat.

1. Insecure Web user interface

Everyone likes a friendly Web user interface. For Internet of things applications, a Web interface makes it faster and easier than any other approach to provide control functions, configure devices, and integrate into the application system. However, it is just as easy for criminals to use.

In most cases, the problems with the Web interface of the Internet of things are as troubling to enterprises as the problems with Web applications. While SQL injection is not a big problem in Internet of things applications, command injection, cross-site scripting, and cross-site request forgery are all programming flaws that can give criminals access to devices and the entire system at any time, letting them control, monitor, and access user operations.

Fortunately, the remedies for most Web interface security problems are basically the same as those given to Web developers over the years: validating input, requiring a strong password, not allowing the default password to remain in use after the first phase of initial setup, not exposing credentials, restricting password retry attempts, and ensuring the robustness of the username and password recovery procedure.
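Three of the remedies listed above (forcing the default password to be replaced, requiring a stronger one, and restricting retries) fit into one small login gate. The sketch below is an added example, not code from the original article or from any vendor; the `DeviceLogin` class and the policy values are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time

MAX_FAILURES = 5        # assumed policy: failed attempts before lockout
LOCKOUT_SECONDS = 300   # assumed policy: lockout duration
MIN_LENGTH = 12         # assumed policy: minimum length of a new password


class DeviceLogin:
    """Hypothetical login gate for an IoT device's web interface."""

    def __init__(self, factory_password):
        self.salt = os.urandom(16)
        self.pw_hash = self._hash(factory_password)
        self.must_change = True      # factory default is still in place
        self.failures = 0
        self.locked_until = 0.0

    def _hash(self, password):
        # Store a salted, slow hash rather than the password itself.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def login(self, password, now=None):
        now = time.time() if now is None else now
        if now < self.locked_until:
            return "locked"                      # refuse even a correct password
        if not hmac.compare_digest(self._hash(password), self.pw_hash):
            self.failures += 1
            if self.failures >= MAX_FAILURES:    # restrict retry attempts
                self.locked_until = now + LOCKOUT_SECONDS
                self.failures = 0
            return "denied"
        self.failures = 0
        # A correct default password only unlocks the change-password step.
        return "change_required" if self.must_change else "ok"

    def change_password(self, old, new, now=None):
        if self.login(old, now) not in ("ok", "change_required"):
            return False
        if len(new) < MIN_LENGTH or hmac.compare_digest(self._hash(new), self.pw_hash):
            return False                         # too short, or unchanged
        self.pw_hash = self._hash(new)
        self.must_change = False
        return True
```
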

2. Lack of authentication

Verifying the identity of a user for an Internet of things application is a good thing. Authentication seems "necessary" when the application can control building access and environmental controls, or provide access to audio and video devices that may monitor users of the building, but in some cases even the most basic authentication is omitted in the implementation.

For Internet of things applications, two types of authentication are very important. The first is user authentication. Given the complexity of many IoT environments, the question is whether each device requires authentication, or whether a single system authentication is sufficient to support every device on the network. The consideration of ease of use makes most system designers choose the latter, so strong authentication for access devices or control centers is very important.

The single sign-on of the system also makes another type of authentication, device authentication, more important. Because users do not authenticate on each device interface, devices in the Internet of things should require authentication between them, so that attackers cannot use implicit trust as credentials to enter the system.

As with Web interface security, the premise of closing this security vulnerability is to treat the Internet of things as a "real" application network. Because many devices do not have a native user interface (depending on the browser UI or applications for human-computer interaction), there is a special question of "how to do it", but the lack of authentication on any device makes the security around the Internet of things even more fragile.

3. Use default configuration

Do you know the default user name and password that come with the IoT device? Anyone can find them with a Google search. This is a real problem for devices and systems that do not allow the default settings to be changed.

The default user credentials (such as the commonly used user name "admin") are a warning sign in the security settings of the Internet of things, but they are not the only important setting. Network parameters, including the ports used, which users have administrator privileges, logging, and event notifications, are also security settings that deserve attention and should be configured to meet deployment requirements.

In addition to allowing the security settings to be more fully integrated with the existing security infrastructure of the environment, changes to the default settings reduce the attack surface of the IoT and make it more difficult for intruders to break into the system. However, like other security issues, this is not something that users can easily change. Another solution is to conduct additional reviews of the security infrastructure deployed on the Internet of things.

4. Firmware update issues

Firmware evolves like bacteria and peas. Developers will notice what went wrong, where there are vulnerabilities, and how to do better, and release new firmware that is better than the original version. The problem with many Internet of things devices is that the firmware cannot be upgraded. This makes the firmware a serious vulnerability.

One of the advantages of constantly updating firmware is that it makes the system a moving target. When the firmware on the device is fixed and unchanging, attackers can analyze it at their leisure, develop exploits at their leisure, and launch attacks with confidence. The VPNFilter attack that broke out in May is an example of what can happen when the firmware of these devices cannot be updated, or when updated firmware exists but users are unwilling or unable to install it.

Obviously, if the device can be updated, then according to best security practices it should be kept on up-to-date versions and patches; if the device cannot be updated, then focus on known vulnerabilities and take other security measures to ensure that these vulnerabilities are shielded by the surrounding security environment.

5. Cloud platform interface problem

Few commercial automation systems can enhance their processing power and command knowledge base without relying on the cloud. Especially when voice processing and command conversion are used, the connection between the system and the cloud can become a major vulnerability.

Think of the types of messages that are passed back and forth between an instance of the Internet of things and the cloud on which it depends. Simple control packets, of course, but possibly also recorded voice and video, task lists, calendar events, and instructions from DevOps frameworks and tools. Do you know if these sensitive data streams are transmitted through encrypted tunnels?

Like many other aspects of the security of the Internet of things, the real problem is that, in most cases, users have no say in how to secure cloud interfaces. In addition, most users do not know where the cloud computing infrastructure is located, and there may be issues of security responsibility division and regulatory attribution. So you should understand the functions of Internet of things devices, where they send data, and how to use firewalls, intrusion prevention systems (IPS) and other security tools to close security holes in cloud interfaces.

6. Poor network security design

A poorly written Internet of things device application can expose your network from the inside out, and attackers can infiltrate your system through these vulnerabilities and attack Internet of things devices and general-purpose computers. When users are allowed to install Internet of things devices in the home network without the firewall configuration being updated to strengthen protection, attackers can take advantage of this weakness of the firewall.

In many cases, firewalls respond to external attacks; that is, they focus on external traffic trying to enter the network. Internet of things devices stay connected to the internal control server through regular heartbeat transmissions, and attackers can take advantage of vulnerabilities in unencrypted and unauthenticated traffic to send malicious traffic back to the network when the connection is opened.
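Both the device-to-device authentication called for in section 2 and the unauthenticated heartbeat traffic described above point to the same control: every heartbeat carries a keyed tag and a counter, and the server rejects anything forged or replayed. The following is an added example, not code from the original article; the message layout, the `thermostat-01` device ID and the key are constructed for illustration, and the scheme authenticates the message without encrypting it.

```python
import hashlib
import hmac
import json


def sign_heartbeat(device_id, counter, key):
    """Device side: attach an HMAC-SHA256 tag computed with the device's own key."""
    body = json.dumps({"device": device_id, "counter": counter}, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class HeartbeatVerifier:
    """Server side: accept a heartbeat only if it is authentic and fresh."""

    def __init__(self, device_keys):
        self.device_keys = device_keys   # device_id -> per-device secret
        self.last_counter = {}           # device_id -> highest counter accepted

    def verify(self, msg):
        body, tag = msg.get("body"), msg.get("tag")
        if not isinstance(body, str) or not isinstance(tag, str):
            return "reject: malformed"
        try:
            fields = json.loads(body)
            device, counter = fields["device"], int(fields["counter"])
            key = self.device_keys[device]
        except (KeyError, ValueError, TypeError):
            return "reject: malformed or unknown device"
        expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected.encode(), tag.encode()):
            return "reject: bad tag"     # constant-time comparison
        if counter <= self.last_counter.get(device, -1):
            return "reject: replay"      # a captured heartbeat cannot be reused
        self.last_counter[device] = counter
        return "accept"


def demo():
    # Constructed sample values, not taken from any real device.
    key = b"constructed-demo-key-0123456789"
    server = HeartbeatVerifier({"thermostat-01": key})
    good = sign_heartbeat("thermostat-01", 1, key)
    forged = sign_heartbeat("thermostat-01", 2, b"wrong-key")
    tampered = {"body": good["body"].replace('"counter": 1', '"counter": 9'),
                "tag": good["tag"]}
    return [server.verify(m) for m in (good, good, forged, tampered)]
```
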

Some people may say that attackers must know the connection and type of device to exploit vulnerabilities, but they may not have heard of Shodan. Using a simple Shodan search, you can find a variety of devices, communications, and open ports without too much effort and time. Once found, a simple script automatically handles the problem. Attackers can easily use the search function of the Internet to find the vulnerability of the Internet of things.

7. Problems of the MQTT communication protocol

Finally, problems arise when system designers or developers completely forget about security. For the communication protocol MQTT from the industrial control field, tens of thousands of deployed systems lack even the most basic security.

For many years, the security model of industrial control was too simple. First, the systems were rarely connected to any wider-area network; second, who would want to attack and control those networks? There is nothing of value there!

Of course, today's systems rely on the Internet, and all kinds of attackers want to gain access or control over Internet of things devices, because they can generate data and serve as a springboard to other systems. It is important to note that for MQTT and other protocols, the vulnerability may not exist in the protocol itself, but in the way these protocols are implemented.
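Since the weakness usually lies in how a broker is deployed rather than in MQTT itself, the broker configuration is a practical place to check. The script below is an added example, not part of the original article: it assumes an Eclipse Mosquitto broker (which the article does not name) with `per_listener_settings` left at its default, checks certificate-based TLS only, and runs on a constructed sample configuration.

```python
SAMPLE_CONF = """\
# Constructed sample, not taken from a real deployment.
allow_anonymous true
listener 1883
listener 8883
certfile /etc/mosquitto/certs/server.crt
keyfile /etc/mosquitto/certs/server.key
"""

GLOBAL_KEYS = {"allow_anonymous", "acl_file"}
TLS_KEYS = {"certfile", "keyfile"}


def audit_mosquitto(conf_text):
    """Return a list of findings for the text of a mosquitto.conf file."""
    settings, listeners = {}, []
    for raw in conf_text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue                              # blank line or comment
        key, args = parts[0], parts[1:]
        if key == "listener" and args:
            listeners.append({"port": args[0], "tls": set()})
        elif key in TLS_KEYS and listeners:
            listeners[-1]["tls"].add(key)         # applies to the preceding listener
        elif key in GLOBAL_KEYS and args:
            settings[key] = args[0]
    findings = []
    if settings.get("allow_anonymous", "").lower() == "true":
        findings.append("anonymous clients allowed (allow_anonymous true)")
    if "acl_file" not in settings:
        findings.append("no acl_file: topic access is not restricted by an ACL file")
    for lst in listeners:
        if not TLS_KEYS <= lst["tls"]:
            findings.append(f"listener {lst['port']} is plaintext (no certfile/keyfile)")
    return findings


if __name__ == "__main__":
    for finding in audit_mosquitto(SAMPLE_CONF):
        print(finding)
```
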

The key to ensure the security of the Internet of things is to master the role of devices deployed on the Internet of things, control the flow of data, and ensure the security of the Internet of things through cloud platform analysis, monitoring and early warning.

This article is reproduced from Jinri Toutiao "e-an Education".
