Graphic of Internet of Things in a cloud

CISOs have lots on their plates but the expansion of the so-called Internet of Things will only add to their headaches.

That’s becoming clear with many reports that the software behind IoT devices often isn’t up to enterprise security standards. The latest is a research paper presented by European security researchers at last week’s DefCamp conference in Romania that found serious problems in Web interfaces of IoT devices.

Using a framework they created to analyze firmware, the researchers found serious vulnerabilities in at least 24 per cent of the Web interfaces they were able to emulate, including 225 high impact vulnerabilities by automatic analysis. Following up with static analysis, 9,271 issues were found in 185 firmware images. Devices tested included routers, DSL/cable modems, VoIP phones and IP/CCTV cameras.

The situation could be worse, they suggest, because the emulation quality of their scanner could be improved.

“These results show that some embedded systems manufacturers need to start considering security in their software life-cycle, e.g., using off-the-shelf security scanners as part of their product quality assurance,” the authors conclude.

Porous Web interfaces are a problem because they can be leveraged by SQL injection, cross-site scripting, cross site request forgery, command injection and HTTP response splitting. If the code creators have security in mind when creating their software that will help cut down the problem, but the researchers note that static analysis of code or dynamic analysis of Web interfaces against known attack patterns will be needed to discover vulnerabilities  and issue patches. So the tool the researchers invented, which emulates firmware, has a practical use.

In fact the implication of their work is that manufacturers of the tested devices could have found the vulnerabilities.

Manufacturers are aware of the potential problem. A number banded together in September to create the Internet of Things Security Foundation to promote best practices, although it will not set standards. Members include big names such as Siemens, Vodaphone, Webroot, BT (British Telecom). The organization’s first plenary meeting will be held Nov. 30 in London to firm up its constitution and structure. It can only be hoped that membership swells.

Still, it is the obligation of CISOs and security teams to question suppliers about the application development  of devices they buy. There are warning signs that can tip buyers off about potentially insecure devices, such as those that only demand four-digit PIN passwords, lack strong access control or have open inbound ports.

Whether IoT devices are a threat to an organization will depend on the device and its use — if it collects personal or financial information or to a network that has access to that data, for example. This research suggests small businesses may be the most at risk