Endpoint Security , Governance & Risk Management , Next-Generation Technologies & Secure Development
GAO Assesses IoT VulnerabilitiesReport Identifies Risks of Cyberattacks, Cites Mitigation Advice
Internet of things devices are vulnerable to an array of potential cyberattacks, including zero-day exploits, distributed denial-of-service attacks and passive wiretapping, according to a new Government Accountability Office report, which cites mitigation advice from experts.
See Also: A Guide to Passwordless Anywhere
The report, Internet of Things: Status and Implications of an Increasingly Connected World, which was released on May 15, was requested by several members of Congress.
To create the report, the GAO reviewed other key reports and scientific literature; convened two meetings of experts with the assistance of the National Academies of Sciences, Engineering and Medicine; and interviewed officials from the Federal Trade Commission and the Federal Communications Commission.
While the GAO stops short of offering specific recommendations for addressing IoT risks, the watchdog agency notes that 10 federal agencies and a dozen experts reviewed the draft report "and some provided technical comments, which were incorporated as appropriate."
For instance, agencies recommended that user organizations should carefully assess risks that may be introduced when information systems are connected IoT devices and that product manufacturers should build security into their IoT devices from the outset.
Significant Security Risks
The connectivity of IoT devices may pose significant security risks, the GAO concludes in its report. "Unauthorized individuals and organizations may gain access to these devices and use them for potentially malicious purposes, including fraud or sabotage. As cyber threats grow increasingly sophisticated, the need to manage and bolster the cybersecurity of IoT products and services is also magnified."
IoT devices, the report says, are vulnerable to attacks involving DDoS, structured query language injection, passive wiretapping, malware, zero-day exploit, and war driving, which the GAO describes as "the method of driving through cities and neighborhoods with a wireless-equipped computer - sometimes with a powerful antenna - searching for unsecured wireless networks."
Without proper safeguards, IoT devices and networks are vulnerable to individuals and groups with malicious intentions who can intrude and use their access to obtain and manipulate sensitive information, commit fraud, disrupt operations or launch attacks against other computer systems and networks, the GAO writes. "The threat is substantial and increasing for many reasons, including the ease with which intruders can obtain and use hacking tools and technologies."
Internet-connected devices are diverse, ranging from from wearable fitness trackers and other health-related devices to "smart" cars, tractors, houses, energy and manufacturing systems, the GAO notes.
"Adoption of the IoT across different sectors has amplified the challenge of designing and implementing effective information security controls by bringing the potential effects of poor security into everyday situations in homes, factories and communities," the GAO writes. "The rapid and pervasive adoption of IoT devices, the lack of attention in designing them to be secure, and the predominant use of cloud computing to provide connectivity with these devices pose unique information security challenges that may limit broader adoption of the IoT."
Consumer and Corporate Risks
Privacy attorney Kirk Nahra says companies and individuals "need to think about two kinds of risks ... data risks - traditional privacy issues - and substantive risks, like health risks. Security controls matter for both of these."
The real issue for consumers, he says, is to "understand what the 'device' is being used for. If it is something that directly impacts your health, I would pay particular attention to security controls. If it is a data device then the risk is somewhat more manageable. But the challenge for companies is how to appropriately describe what data is being gathered and what is being done with it."
Also, for many health-related IoT devices, "gaps in HIPAA mean that there really isn't a regulatory structure around these issues - which makes it even harder for all participants in this process," Nahra says.
Cyberattacks against internet-connected devices, he says, could include attacks by "disruptor hackers, who just want to mess with the systems" as well as "hackers going after broad- scale data collections - the same kinds of attacks we see today against hospitals and others."
Mitigating the Risks
The GAO acknowledges that addressing the risks posed by IoT devices is complicated. "While experts agree that the growing number of IoT interconnections presents significant security challenges, they do not agree on how to address the issue," the report says.
For instance, the FTC has recommended that companies "prioritize and build security into their devices from the outset, conduct security risk assessments as part of the design process, test security measures before products are launched and consider encryption for the storage and transmission of sensitive information."
In addition, other experts the GAO consulted suggested applying access controls to IoT devices, such as role-based access controls that can be used to limit the privileges of device components and applications.
"Thus, if an intruder successfully gains access to a specific device, they should have limited access to other parts of the system," the report notes. "Nevertheless, establishing limits on access controls presents its own challenges for suppliers, because the functionality and flexibility of their devices could be affected if access controls are too restrictive."
The GAO notes that the National Institute of Standards and Technology recommends that organizations "carefully consider the risks that may be introduced when information systems are connected to other systems with different security requirements and security controls.
"NIST also points out that organizations typically do not have control over the external networks - for example, the internet - with which their devices directly connect, and suggests that they apply boundary protection devices, such as firewalls and routers, to mediate between the devices and the external networks. Such advice can also apply to IoT devices that are connected through the internet to their manufacturer or their cloud service provider."
Keith Fricke, principle consultant at tw-Security advises healthcare organizations to put IoT devices "on separate VLANs" to the extent possible. "In addition, when evaluating new devices / technology falling into the IoT category, review the security features as part of the decision-making process. Also, consider investing in some of the newer technology available that discovers, inventories, and baselines IoT device behavior. Such technology can help manage risk and identify IoT devices that may be compromised."