Application Security Flaws in the Internet of Things
While we have researched and documented many examples of hardware security issues with IoT devices, the most common source of IoT security flaws lies within the apps that are used to manage them.
In this session we’ll explore and examine the reasons for that, be it commercial pressure, code re-use, or even simple ignorance of the importance and brand benefits of securely coded apps. We’ll also offer advice that applies equally to IoT device manufacturers, app developers and anyone else in the IoT supply chain.
By far the most common source of compromise in our experience is the mobile app that your customer uses to interact with your IoT device. Decompiling the app is usually trivially easy and allows the hacker to understand exactly how the app talks to your device and, in turn, to your online services.
The most common flaws we find are:
• Failing to implement TLS (SSL) or implementing it badly, for example by accepting any certificate the server presents. This can allow an attacker on the network path to intercept your customer’s data.
• Using static credentials in the mobile app. Putting a password or API key for your API or any other resource in the mobile app is asking for trouble: anyone who decompiles the app has it too.
• Insecure storage of data in the mobile app. It is perfectly possible to store data safely on a mobile device; it’s just that many mobile app developers don’t.
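As an added example (not code from the original page or from any vendor), the following script does what the text says an attacker does first: it treats an Android APK as the ZIP archive it is and searches the string resources, assets and bytecode for hard-coded API endpoints and credentials, without needing a full decompiler. The APK, its contents and the secret patterns are constructed for the demo and are assumptions, not findings from a real product.

```python
"""Added example: find hard-coded endpoints and credentials in an APK.

An APK is a ZIP, so string resources, asset files and classes.dex can be
read directly; a few regexes over each member are often enough to recover
API URLs and static credentials. Everything below is constructed for the
demo (no real app, vendor or key).
"""
import io
import re
import zipfile

# Illustrative patterns an attacker greps for after unpacking an APK
# (assumed list; a real scan would use many more).
SECRET_PATTERNS = {
    "url": re.compile(rb"https?://[A-Za-z0-9.\-_/]+"),
    "api_key": re.compile(
        rb"(?i)(api[_-]?key|secret|password)\s*[=:\"'>]+\s*([A-Za-z0-9_\-]{8,})"
    ),
    "aws_access_key": re.compile(rb"AKIA[0-9A-Z]{16}"),
}


def scan_apk(apk_bytes):
    """Return a list of (member, kind, value) findings from a zipped APK."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for member in zf.namelist():
            data = zf.read(member)
            for kind, pattern in SECRET_PATTERNS.items():
                for match in pattern.finditer(data):
                    # For patterns with a capture group, report the captured value
                    value = match.group(match.lastindex or 0)
                    findings.append((member, kind, value.decode("ascii", "replace")))
    return findings


def build_demo_apk():
    """Constructed sample APK containing the mistakes the text describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # String resources with the API base URL and a static API key
        zf.writestr(
            "res/values/strings.xml",
            '<resources>\n'
            '  <string name="api_base">https://api.example-iot.invalid/v1</string>\n'
            '  <string name="api_key">sk_live_9f3a7c2e1b4d8e6f</string>\n'
            '</resources>\n',
        )
        # A config file shipped as an asset with cloud and broker credentials
        zf.writestr(
            "assets/config.properties",
            "aws.accessKeyId=AKIAIOSFODNN7EXAMPLE\n"
            "mqtt.password=hunter2-iot-2019\n",
        )
        # Stand-in for the Dalvik bytecode; class names survive as plain strings
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 16 + b"Lcom/example/iot/Api;\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for member, kind, value in scan_apk(build_demo_apk()):
        print(f"{member}: {kind} = {value}")
```

Anything this script recovers is, by definition, available to every customer and every attacker who installs the app; secrets that matter belong on the server behind a per-user session, not in the package.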
API / web services
Most mobile apps interact with a web service to send data to servers. Developers and manufacturers often seem to forget that they are publishing their APIs to the public internet, even though they only intended them to interface with their own mobile app. This means that anyone who can reverse engineer the mobile app can work out how to interact with those web services directly.
Critical issues with web services include:
• Failing to enforce strong session management and per-user authorisation. One user can see another user’s data simply by changing an identifier in the request.
• Not implementing encryption properly. Sounds familiar, doesn’t it!
• Injection attacks. Anyone can extract all the customer data that the web service has access to, or worse.
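To make the first and third of those concrete, here is an added example (not code from the original page or from any vendor) of a minimal device-readings endpoint written two ways against an in-memory SQLite database. The vulnerable handler checks only that a session exists, trusts the client-supplied device id and splices it into the SQL; the hardened handler also checks that the session user owns the device and binds the id as a parameter. The schema, users, device ids and handler names are all constructed for the demo.

```python
"""Added example: an IoT readings API, vulnerable and hardened.

The vulnerable version demonstrates the two web service failures from the
text: a logged-in user can read another user's device (no per-user
authorisation) and can dump unrelated tables through SQL injection. The
hardened version closes both. Data and names are constructed for the demo.
"""
import sqlite3


def make_db():
    """Constructed sample data: two customers, one device each."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT);
        CREATE TABLE devices (id INTEGER PRIMARY KEY, owner_id INTEGER, name TEXT);
        CREATE TABLE readings (device_id INTEGER, temp_c REAL);
        INSERT INTO users VALUES (1, 'alice@example.invalid'), (2, 'bob@example.invalid');
        INSERT INTO devices VALUES (100, 1, 'alice-thermostat'), (200, 2, 'bob-doorlock');
        INSERT INTO readings VALUES (100, 21.5), (200, 19.0);
    """)
    return db


def vulnerable_readings(db, session_user_id, device_id):
    """Only checks that a session exists; never checks who owns the device,
    and builds the query by string formatting, so device_id is injectable."""
    if session_user_id is None:
        raise PermissionError("login required")
    sql = f"SELECT temp_c FROM readings WHERE device_id = {device_id}"
    return [row[0] for row in db.execute(sql)]


def hardened_readings(db, session_user_id, device_id):
    """Checks the session, checks that this user owns the device, and binds
    the id as a parameter so it can only ever be compared as a value."""
    if session_user_id is None:
        raise PermissionError("login required")
    try:
        device_id = int(device_id)
    except (TypeError, ValueError):
        raise ValueError("device id must be an integer")
    owner = db.execute("SELECT owner_id FROM devices WHERE id = ?", (device_id,)).fetchone()
    if owner is None or owner[0] != session_user_id:
        # Same answer for "not yours" and "does not exist": no enumeration oracle
        raise PermissionError("no such device")
    return [row[0] for row in db.execute(
        "SELECT temp_c FROM readings WHERE device_id = ?", (device_id,))]


def demo():
    """Run Bob (user 2) against both handlers and collect what he gets."""
    db = make_db()
    results = {"blocked": []}
    # Bob asks for Alice's thermostat (device 100): the vulnerable API hands it over
    results["idor"] = vulnerable_readings(db, 2, 100)
    # Bob appends a UNION and the vulnerable API dumps the users table instead
    results["injection"] = vulnerable_readings(db, 2, "0 UNION SELECT email FROM users")
    # Both attempts are refused by the hardened handler
    for attempt in (100, "0 UNION SELECT email FROM users"):
        try:
            hardened_readings(db, 2, attempt)
            results["blocked"].append(False)
        except (PermissionError, ValueError):
            results["blocked"].append(True)
    # Bob can still read his own device
    results["own"] = hardened_readings(db, 2, 200)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The ownership check is the part most often missing: a valid session token proves who is calling, not what they are allowed to see, and the check must be made on every request against the server's own record of who owns the device.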
- Discover why application security flaws in IoT devices exist
- Learn about the failures and successes in this space
- Understand the security techniques that IoT devices, and the public, deserve