IDC estimates that there will be 41.6 billion connected IoT devices by 2025, opening up opportunities for increased efficiencies and innovation across industries. Yet, lack of IoT security standards and typical processes such as shipping with default password credentials and manual onboarding leave devices, and the networks they operate on, open to large-scale attack.
Last summer, the FIDO Alliance announced a new standards initiative to tackle these security issues in IoT. The Alliance’s IoT Technical Working Group aims to provide a comprehensive authentication framework for IoT devices in keeping with the fundamental mission of the Alliance – passwordless authentication. These webinar slides provide an update on this new work area, including:
--How FIDO Authentication and existing specifications fit into the IoT ecosystem today
--The charter and goals of the IoT TWG, including development of specifications for IoT device attestation/authentication profiles to enable interoperability between service providers and IoT devices; automated onboarding, and binding of applications and/or users to IoT devices; and IoT device authentication and provisioning via smart routers and IoT hubs
--The progress of the working group to date, including the use case and target architectures the IoT TWG is looking at as a foundation for its specifications and certification program
You might remember the distributed denial of service attack in 2016. It was powered by lots of small IoT devices – cameras and DVRs.
They could be hacked because of weak authentication. These devices shipped with hardcoded usernames and passwords, which allowed attackers to take them over and misuse them for running an attack. More than a hundred thousand devices were used in the botnet (see https://twitter.com/olesovhcom/status/778830571677978624).
Left: https://krebsonsecurity.com/2016/10/hacked-cameras-dvrs-powered-todays-massive-internet-outage/
https://www.zdnet.com/article/hacker-leaks-passwords-for-more-than-500000-servers-routers-and-iot-devices/
[click]
But cameras and DVRs are not the only vulnerable device type. HP analyzed home security systems and found that none of them required a strong password and that traditional two-factor authentication was supported by only one.
Right: HP Enterprise IoT Home Security Systems, 2015 https://s3.amazonaws.com/storage.pardot.com/28912/69170/IoT_Home_Security_Systems.pdf
[click]
And this issue is so widespread that OWASP included "insufficient authentication and authorization" in their top 10 IoT vulnerabilities list in 2014.
Middle: OWASP Top 10 IoT Vulnerabilities 2014
Several different organizations are banding together on standards, but there is nothing that covers everyone.
Each sector’s needs are different, and each company may have different systems and needs around protecting their systems and data.