U.S. Government Accountability Office highlights unsecured IoT risks

This entry was posted on Thursday, June 15th, 2017.

The United States Government Accountability Office (GAO) has published a detailed report that explores the rapidly evolving Internet of Things (IoT). As the report warns, the growing ubiquity and pervasive connectivity of IoT devices and networks may pose significant security risks. For example, unauthorized individuals and organizations could gain access to unsecured IoT devices and use them for potentially malicious purposes, including fraud or sabotage.

“Without proper safeguards, these systems are vulnerable to individuals and groups with malicious intentions who can intrude and use their access to obtain and manipulate sensitive information, commit fraud, disrupt operations, or launch attacks against other computer systems and networks,” the report stated.

“The threat is substantial and increasing for many reasons, including the ease with which intruders can obtain and use hacking tools and technologies.”

As the U.S. GAO notes, threat actors make use of a variety of techniques that may compromise information or adversely affect devices, software, networks, an organization’s operations, an industry, or the Internet itself. Attack vectors include denial-of-service, distributed denial-of-service (DDoS), malware, passive wiretapping, structured query language injection, war driving and zero-day exploits. Therefore, says the U.S. GAO, designing and incorporating security controls into IoT devices from the initial design to the operational environment during development may help curtail vulnerabilities.

“Widespread concerns have been raised about the lack of security controls in many IoT devices, which is in part because many vehicles, equipment and other increasingly IoT-enabled devices were built without anticipating threats associated with Internet connectivity or the requisite security controls,” the report authors noted. “As the number of deployed IoT devices grows, the risk of exploitation also grows. Any device that is connected to the Internet is at risk of being attacked if it does not have adequate access controls. For example, as The Internet Society has suggested, an unprotected television that is infected with malware might send out thousands of harmful emails using the owner’s home Wi-Fi Internet connection.”

In addition, says the report, many IoT devices are configured with identical or near identical software and firmware, which can magnify the impact of successfully exploiting a technical vulnerability common to all of them. For example, security vulnerabilities that are identified for one type of IoT device might extend to all other IoT devices that use that same underlying firmware or share the same design characteristics. This significantly increases the potential for successful attacks.

It should also be noted that the U.S. Director of National Intelligence Daniel Coats recently testified before the Senate Select Committee on Intelligence (SSCI). Coats discussed a range of topics outlined in the Worldwide Threat Assessment of the U.S. Intelligence Community, including artificial intelligence, the slowdown of Moore’s Law and the Internet of Things (IoT).

According to the report, the widespread incorporation of smart devices into everyday objects is changing how people and machines interact with each other and the world around them, often improving efficiency, convenience and quality of life. However, the report also warns that the deployment of IoT devices has introduced vulnerabilities into both the infrastructure that they support and on which they rely, as well as the processes they guide.

“Cyber actors have already used IoT devices for DDoS attacks and we assess they will continue,” the report stated. “In the future, state and non-state actors will likely use IoT devices to support intelligence operations or domestic security or to access or attack targeted computer networks.”

Concerns over unsecured devices have also been articulated by the U.S. Department of Homeland Security (DHS), which has emphasized the importance of implementing security at the design phase by using hardware that incorporates security features to strengthen the protection and integrity of a device. This includes leveraging computer chips that integrate security at the transistor level – embedded in the processor itself – to provide encryption.

Building hardware that incorporates hardened security features would see devices protected throughout their lifecycle from chip manufacture, to day-to-day deployment, to decommissioning. This can be accomplished with a silicon-based hardware root-of-trust that offers a range of robust security options for IoT devices, including secure connectivity between the IoT device and cloud services.

In addition to implementing security at the design phase, the DHS recommends device manufacturers promote security updates and vulnerability management. To be sure, even when security is included at the very beginning of the design process, vulnerabilities may be discovered in products after they have been deployed. These flaws can be mitigated through patching, security updates and vulnerability management strategies.

Interested in learning more? The full text of the IoT GAO report (PDF) can be download here. Readers can also check out our CryptoManager platform which creates a trusted path from the SoC manufacturing supply chain to downstream service providers with a complete silicon-to-cloud security solution.

Download CryptoManager IoT Device Management