• CERT Admin
  • Thu Aug 29 2019
  • Cyber Guardian Blog



IoT means Internet of Things, and the concept is simply extending the power of the internet beyond smartphones and computers to a whole range of other devices, including everyday electronic objects (for example wearable devices and sensors). The internet gives us all sorts of benefits that just were not possible before: in earlier days mobile phones were used only for making calls or texting, but now we can use them to connect to the internet and do incredible things like watching videos, reading books or paying our bills. The point is that we gain amazing benefits by connecting devices to the internet. Being connected to the internet means a device can send or receive information. IoT extends internet connectivity to computing and mechanical devices and objects, even to animals or people, where each object or device has a unique identifier and the ability to transfer information over the network automatically. But as we all know, enabling a connection to the internet without proper security creates serious vulnerabilities. 


There are many security frameworks and technologies that organizations use when creating and deploying IoT devices, and this area is still under active development. In the current IoT security circumstances, potential issues can be identified and mitigated more effectively when they are organized into categories; ultimately they can be grouped into six main directories. 


IoT Vulnerabilities 

From vendors and enterprises to users and consumers, everyone is concerned that the security of their IoT devices could be compromised. With the Internet of Things we must be prepared for new attacks that can happen at any time unless the required security procedures are implemented. To help manufacturers, developers and users better understand the security vulnerabilities, OWASP (Open Web Application Security Project) releases a top 10 vulnerabilities list annually. OWASP is an online community that produces free articles, documentation and tools in the field of web application security. 

According to their updated top 10 IoT vulnerabilities list of 2018, hard-coded or weak passwords and insecure network services are the most common threats to IoT devices. The following are some critical vulnerabilities in the IoT industry. 


1. Weak, guessable or hard-coded passwords 

If someone obtains the password, they can access the data on the device and change it as they want. There are multiple ways an attacker can get the password (for example social engineering or network intrusion), and there are many attack types, such as brute force attacks, offline dictionary attacks, and backdoors in firmware or client software, that can grant unauthorized access to systems. 


2. Insecure network services 

This vulnerability can result in data loss or corruption. Insecure network services running on the device itself (especially those exposed to the internet) can compromise the authenticity, availability and confidentiality of the device and its data. 


3. Lack of security update mechanisms 

This includes a lack of firmware validation, insecure delivery, a lack of anti-rollback mechanisms and a lack of notification of security changes due to updates. If software updates are not digitally signed, or the signature is not validated, an attacker can replace the update files with malware. 


4. Use of insecure or outdated components 

The use of insecure components or libraries, operating system platforms and third-party software or hardware components could allow the device to be compromised. 


5. Insufficient privacy protection 

Some IoT devices store users’ personal information, such as health reports, in an ecosystem that uses improper security, which puts the confidentiality and integrity of user data at risk. 


6. Insecure data transfer and storage 

Encryption is often used to store critical information, but a lack of encryption for sensitive data, whether at rest, in transit or during processing, lets an attacker obtain the data more easily. Manufacturers must make sure that their device encrypts the right data, that they have proper key management, and that sensitive data cannot be overwritten. 


7. Lack of physical hardening 

A lack of physical hardening allows potential attackers to gain information that can help them remotely attack the device or take control of the device or system. 



Mitigation methods are important because the number of challenges is increasing day by day due to security issues. Basically, they can be divided into three parts: hardware and network device security, security gateways, patches and updates, and integrating terms and consumer education. 

There are several options to protect hardware and network devices, security gateways, patches and updates. But first of all, it is important to educate consumers: if this is not done, all the technical methods fail, because human errors are difficult to overcome. 

Use strong passwords. Most manufacturers provide a default password for their devices, and consumers forget or do not change it. So consumers need to be educated about this and encouraged to set strong passwords according to password policies. Also, do not use hard-coded passwords. 


In the future, IoT needs will increase and new solutions will be innovated for consumers. In that situation, IoT security vulnerabilities may increase a lot. Users must practise the relevant security methods, and devices should be kept up to date with reliable patches. Security will need to grow across manufacturers and provide stakeholders with fast, reliable connectivity. Governments and security-related organizations must put new security rules in place and develop up-to-date frameworks. Finally, through these practices, consumers can operate trusted services and enjoy a consistent service. 




Supushpitha Atapattu 

Supushpitha is an undergraduate of the Sri Lanka Institute of Information Technology, Faculty of Computing, who is currently following a Bachelor of Science honours degree specializing in cyber security. He is currently working as an Intern - Information Security Engineer at Sri Lanka CERT|CC. 

Last updated: Thu Aug 29 2019