The US Federal Bureau of Investigation has issued a warning about Internet of Things device security issues, the latest in a continuing string of IoT attack and security vulnerability warnings from the US’s top law enforcement agency.
Attackers are using compromised IoT devices as proxies to mask various illicit activities, the FBI said, citing spamming, click-fraud, illegal trade, botnets for hire, and other crimes being committed using IoT devices.
The Bureau said IoT device vulnerabilities are being exploited by these attackers, naming routers, media streaming devices, Raspberry Pis, IP cameras, and network attached storage (NAS) devices as among the types of products covered by the warning.
“Cyber actors typically compromise devices with weak authentication, unpatched firmware or other software vulnerabilities or employ brute force attacks on devices with default usernames and passwords.”
The FBI’s warning highlights some end-user actions that can mitigate the risk of IoT device compromise. They include rebooting devices regularly, changing default passwords, ensuring devices are updated and that security patches are applied, and isolating IoT devices from other network connections.
While mainly end-user focused, the FBI’s defense and mitigation recommendations also point to requirements that device developers and manufacturers should consider as they bring IoT products to market for end-users.
Such requirements can include:
- Monitoring and flagging vulnerabilities particular to your devices, so that patches can be developed and applied quickly to devices in the field. With thousands of CVE notifications being released each year, CVE monitoring can seem to be a daunting task. Our CVE monitoring service can significantly simplify and streamline the job of keeping up to date on CVE notifications that matter to your products.
- Enabling security updates to be handled quickly and efficiently, such as via over-the-air updates, especially when exploit alerts and patches have been issued, while at the same time rejecting unauthorized software installs.
- Ensuring your device is not running tampered software by implementing Secure Boot / Chain of Trust, to verify software authenticity before execution.
- Disabling or removing functions and interfaces that are not needed in a given device and ensuring basic security protocols and functions are present. So, depending on your device and its application, this may include disabling serial console access and ensuring that encrypted protocols such as TLS are being used. Our Secure by Design offering provides access to proven design best practices for embedded system security involving open source components.
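The Secure Boot / Chain of Trust item above is easiest to see with a small model of how a chain of trust is verified. The following is an added example written for this post, not Timesys code and not a description of any particular bootloader: each boot stage carries the SHA-256 digest of the stage that follows it, and the digest of the first stage is fixed in the root of trust (on real hardware that value, or the public key used to check a signature over it, lives in ROM or fuses). Production implementations normally verify a signature with a public key at each step rather than a bare embedded digest; the digest-only form is used here so the example runs with the Python standard library. Stage names, payloads and the image layout are all constructed for the example.

```python
"""Hash-chained boot verification (added example, not Timesys code).

Image layout per stage (constructed for this example):
    32 bytes  SHA-256 digest of the next stage's image (all zero for the last stage)
     2 bytes  big-endian payload length
     N bytes  payload (the stage's code)
"""
import hashlib
import hmac
import struct

DIGEST_LEN = 32
# Boot order assumed for the example: first-stage loader, kernel, root filesystem.
BOOT_ORDER = ["bootloader", "kernel", "rootfs"]


def build_stage(payload: bytes, next_digest: bytes) -> bytes:
    """Assemble one stage image from its payload and its successor's digest."""
    return next_digest + struct.pack(">H", len(payload)) + payload


def embedded_next_digest(image: bytes) -> bytes:
    """Read back the successor digest a stage carries in its header."""
    return image[:DIGEST_LEN]


def build_chain(stages):
    """stages: list of (name, payload) in boot order.

    Images are built last-to-first so each one can embed its successor's
    digest. Returns (images_by_name, root_digest); root_digest is the value
    that would be burned into the root of trust at manufacturing time.
    """
    images = {}
    next_digest = b"\x00" * DIGEST_LEN  # the final stage has no successor
    for name, payload in reversed(stages):
        image = build_stage(payload, next_digest)
        images[name] = image
        next_digest = hashlib.sha256(image).digest()
    return images, next_digest


def verify_chain(order, images, root_digest):
    """Walk the chain in boot order, checking each stage before 'executing' it.

    Returns (True, None) when every stage matches, or (False, stage_name)
    naming the first stage whose digest does not match what the previous
    (already verified) stage expected.
    """
    expected = root_digest
    for name in order:
        image = images[name]
        actual = hashlib.sha256(image).digest()
        if not hmac.compare_digest(actual, expected):
            return False, name
        # Only after this stage is verified do we trust the digest it carries.
        expected = embedded_next_digest(image)
    return True, None


def demo():
    """Build a chain, verify it, then show that tampering with any stage is caught."""
    stages = [("bootloader", b"first-stage loader"),
              ("kernel", b"kernel code"),
              ("rootfs", b"root filesystem tree")]
    images, root = build_chain(stages)
    clean = verify_chain(BOOT_ORDER, images, root)

    # Constructed tampering: flip the last payload byte of the kernel image.
    tampered_kernel = dict(images)
    tampered_kernel["kernel"] = images["kernel"][:-1] + b"X"
    kernel_result = verify_chain(BOOT_ORDER, tampered_kernel, root)

    # Tampering with the first stage is caught by the fixed root digest itself.
    tampered_boot = dict(images)
    tampered_boot["bootloader"] = images["bootloader"][:-1] + b"X"
    boot_result = verify_chain(BOOT_ORDER, tampered_boot, root)

    return clean, kernel_result, boot_result


if __name__ == "__main__":
    for label, result in zip(("clean", "kernel tampered", "bootloader tampered"), demo()):
        print(f"{label:20s} -> {result}")
```

The point the model makes is that trust flows strictly forward: a stage's embedded digest is only used after that stage itself has been verified, so an attacker who modifies the kernel cannot also "fix" the digest the bootloader carries without breaking the bootloader's match against the root of trust.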
Of course, every product destined for an IoT deployment should also be subjected to security testing, vulnerability assessment, and composition analysis to generate a Bill of Materials to inventory open source components.
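The CVE monitoring and Bill of Materials items above come together in one routine task: taking the component inventory of a shipped device and checking new CVE records against it. The following is an added example written for this post, not the Timesys CVE monitoring service and not the NVD data format; the CVE records, identifiers (CVE-YYYY-000N placeholders), component versions and version-range fields are all constructed for the example, and the range semantics (an inclusive start and an exclusive end, either of which may be absent) are a simplification of how real advisories express affected versions.

```python
"""Match CVE records against a device's software bill of materials.

Added example, not Timesys code. All records below are constructed sample
data with placeholder CVE identifiers; none describes a real vulnerability.
"""
import re

# Constructed inventory for a hypothetical device: component -> shipped version.
SBOM = {
    "busybox": "1.31.1",
    "openssl": "3.0.2",
    "dropbear": "2020.81",
    "linux": "5.4.70",
}

# Constructed CVE feed. 'affected' lists version ranges per product;
# 'start_including' and 'end_excluding' may each be omitted.
CVES = [
    {"id": "CVE-YYYY-0001", "cvss": 7.5,
     "affected": [{"product": "openssl", "start_including": "3.0.0", "end_excluding": "3.0.5"}]},
    {"id": "CVE-YYYY-0002", "cvss": 9.8,
     "affected": [{"product": "busybox", "end_excluding": "1.30.0"}]},
    {"id": "CVE-YYYY-0003", "cvss": 5.3,
     "affected": [{"product": "dropbear", "start_including": "2019.78", "end_excluding": "2020.81"}]},
    {"id": "CVE-YYYY-0004", "cvss": 7.8,
     "affected": [{"product": "linux", "start_including": "5.4.0", "end_excluding": "5.4.100"}]},
    {"id": "CVE-YYYY-0005", "cvss": 9.1,
     "affected": [{"product": "nginx", "end_excluding": "1.20.0"}]},
]


def parse_version(version: str):
    """Reduce a dotted version string to a tuple of ints for ordering.

    '5.4.70' -> (5, 4, 70). Any non-numeric suffix is ignored, so a scheme
    that relies on letter suffixes would need its own comparator.
    """
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_affected(version: str, rng: dict) -> bool:
    """True when 'version' falls inside [start_including, end_excluding)."""
    v = parse_version(version)
    if "start_including" in rng and v < parse_version(rng["start_including"]):
        return False
    if "end_excluding" in rng and v >= parse_version(rng["end_excluding"]):
        return False
    return True


def match_cves(sbom: dict, cves: list, min_cvss: float = 0.0):
    """Return (cve_id, product, shipped_version, cvss) for every record that
    names a component in the inventory at an affected version, highest CVSS
    first. Products not in the inventory are skipped, which is what makes a
    complete bill of materials essential: an unlisted component is never checked.
    """
    hits = []
    for cve in cves:
        if cve["cvss"] < min_cvss:
            continue
        for rng in cve["affected"]:
            shipped = sbom.get(rng["product"])
            if shipped is not None and is_affected(shipped, rng):
                hits.append((cve["id"], rng["product"], shipped, cve["cvss"]))
    return sorted(hits, key=lambda hit: -hit[3])


if __name__ == "__main__":
    for cve_id, product, version, cvss in match_cves(SBOM, CVES):
        print(f"{cve_id}  {product} {version}  CVSS {cvss}")
```

Running it against the constructed data flags the kernel and OpenSSL entries and correctly leaves the Dropbear record alone, because the shipped version equals the exclusive end of the affected range; that boundary case is where hand-written version checks most often go wrong, so it is worth a test of its own whenever a comparator like this is adapted to a real feed.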
Our Threat Resistance Security Technology (TRST) Solutions can help you to design more secure products and confirm your device’s security posture with security auditing.
Our TRST offering also enables you to maintain product security throughout the product lifecycle, including aiding your end-customers with mitigating security issues and risks such as those identified by the FBI.
About Timesys
Timesys has extensive experience with embedded system development and lifecycle management. Timesys has been instrumental in working with leading global semiconductor manufacturers, delivering smart, quick and quality solutions for highly complex systems with accelerated product innovation and multiple product variants.