30-11-2020 | By Robin Mitchell
Once again, another IoT device that has been recently developed and sold commercially leaves users extremely vulnerable to cyberattacks through sheer stupidity. What security flaw does the Victure VD300 expose its customers to, what common practices can help strengthen IoT devices, and why is it so important?
If it’s one topic that has been at the heart of IoT and IIoT technologies for the past two years, it’s security. The vast number of IoT devices being produced is creating a network numbering in the billions. Such quantity of data is helping to drive next-generation technology, including AI, and the use of IoT devices in everyday life helps to improve it, even if it’s only a small improvement.
The more devices that are present on a system, the more likely it is to be attacked, and this is why activists and companies alike are becoming increasingly concerned about IoT security. Some governments are taking IoT security so seriously that they are bringing in laws to prevent potentially weak devices onto the market. You would think that all of these warnings to IoT developers to secure their products would result in safer products with security at the centre of their design? Well, the Victure VD300 would prove you wrong!
According to Which?, multiple IoT doorbells were tested for security, and some were found to be incredibly lacking in even the most basic security measures. However, the Victure VD300, a doorbell with a camera system, was found to be one of the most frightening as the homeowner’s Wi-Fi credentials were transmitted unencrypted to servers in China. Sending such data unencrypted allows for an attacker to monitor the outgoing traffic of the doorbell and easily extract the data. But what is more frightening is why a doorbell is sending such information to China in the first place.
When developing an IoT device, the foundation of that design should be security. From the booting of software to the reading of external sensors, security should be the centre of concern. So, what common practices can help to significantly improve security without impacting the cost of the design?
Common Default Passwords – No!
The first, and most obvious step, is to remove any common default passwords. While there is nothing wrong with an initial default password, this should still be unique to each device, and the first booting of the device using this password should initiate a request to the user to change it. This prevents attackers from using commonly used passwords such as “admin” and “password”, one of the easiest hacks.
The next step is to ensure that any communication outside the device is secured. This means that any IoT devices that communicate over the internet MUST do so using encryption. Sending plaintext over the internet opens a device to man-in-the-middle attack whereby an eavesdropper can simply read the data to and from the device.
Custom encryption – No
It is amazing that there a number of designers who believe they can develop custom encryption methods that are stronger than established systems. Unless you have a maths PHD specialising in encryption then NEVER develop your own encryption method, library, or even implementation. There are researchers who never see daylight dedicated to such tasks, and if they have come to the conclusion that SSL works, then use SSL. If a new encryption method is discovered, these will be the individuals who will make that discovery, not you.
Memory and Code Protect
Whenever producing an IoT device that uses an off-the-shelf microcontroller, check to see if it includes memory protection areas as well as code protection. Not only does this help to protect your intellectual property, but it also provides an on-chip solution to storing sensitive information such as login details. Never store these details off-chip unless external memory encryption is possible.
No Reset Button
While this may not always be possible, factory reset buttons can introduce complications at times. Such buttons allow a user to reset the system as if it was fresh off the production line, but this can provide attackers with an entry point. Unless a factory reset completely wipes data stored, an attacker may be able to reset a device, configure a new password, but utilise old credentials for network access.
It is essential that any system which has the ability to update its firmware should do so. However, while new versions of firmware can patch previous holes in security, it can also open the device up to infiltration with the use of fake firmware updates. This may allow an attacker to inject malware into the firmware to take control of the device, and thus use it for their own malicious purposes.
One common trend that is showing in consumer electronics is that devices produced by far east manufacturers generally lack to meet even the most basic safety standards. However, what makes the Victure VD300 particularly worrying is the transmission of private user data to a server found in China. Why does an IoT device need to transmit Wi-Fi credentials to a remote server?
This is not the first time that Chinese equipment has been found to be transmitting data to servers held in China. One major example was when tech experts found servers in the African Union to be transmitting information to a remote server in China around midnight every night, for five years.
Of course, only buying from “popular brands” doesn’t necessarily mean that you are more protected from cyberattacks; the most popular operating system, Windows, is notorious for being vulnerable to malware. The Apple cloud, where many users have uploaded personal content, has been attacked before, and many other companies have faced similar issues in the past. But, if one has the choice to choose either a company that can easily be held accountable for its actions and one that lacks even a basic website, it is arguably better to go for the former.