Written by: Krzysztof Labuda, security test consultant
IoT has become such a significant part of the IT world that the OWASP Foundation’s list of security tips and advice for these systems could not miss these. Krzysztof Labuda, security engineer and participant in the Certified Ethical Hacker CEH v11 program, will tell you more about the threats listed in the OWASP TOP 10 IoT.
The OWASP Foundation produces guides and tips for enhancing the security of various systems, including IoT.
Today I will focus on encryption protocols in IoT security systems. This is a topic that is highly relevant, yet infrequently talked about, but considered one of the most significant ones in the OWASP listings. There have been two iterations of such lists since 2014, and the current one can be found here.
For more on the OWASP Foundation, read the post: OWASP TOP 10 and STRIDE – support in penetration test plan development
When approaching the issue of ensuring cyber-security in an IoT system, it is imperative to make sure that the data stored both on devices and in the cloud uses protocols that perform encryption operations at the presentation layer. In encryption protocols for the IoT, one should pay attention to which versions of the interdependencies one is using – OpenSSL or SSH servers in vulnerable versions can allow attackers to gain access to sensitive data (for instance, the widely-known Heartbleed vulnerability). It is a sound and desirable practice for IoT security that encryption operations for data stored on devices be performed by dedicated cryptographic systems such as TPM or HSM.
Ensure data confidentiality is maintained by using and configuring error-free cryptographic mechanisms that provide encryption.
They should also rule out connection renegotiation scenarios, devaluing them to schemes with known vulnerabilities (Downgrade Cryptographic Attack). Encryption schemes must keep pace with the exponential growth of computer processing power (according to Gordon Moore’s Law). Some older cryptographic techniques have been withdrawn and deemed unsafe due to increased computing power, among other reasons.
The weak point of the oldest SSL schemes – (SSlv2 DROWN attack, SSLv3 – Poodle attack) is the vulnerabilities in the very architecture of these solutions. These paved the way for TLS schemes – of the four available today (October 2022), versions 1.0 and 1.1 have already reached cryptographic retirement status. The direst case under consideration is allowing the renegotiation of a communication form without encryption.
So what is renegotiation all about? An example: before we connect, there is a kind of ‘connection negotiation’ at one of the layers, as the protocols have to come together. The same applies whenever we call someone to announce our visit. We make the call – if no one picks up, the chances are that nobody will be there when we turn up, but if someone does pick up, chances are that the meeting will take place.
It is pretty similar to encryption protocols for IoT devices. If the client gets a query with some encryption from the server, but it doesn’t support it – we propose a different one, i.e., we renegotiate. Nevertheless, a risk may arise here since we have to be assertive towards the client on the server side when they propose encryption methods that appear unsafe for the time being (or, in extreme cases, with no encryption at all).
It is imperative to avoid using protocols that communicate without encryption as much as possible when setting up IoT systems. This is the case for Telnet, FTP, HTTP or SMTP. You might also want to consider using VPN (Virtual Private Network) technology. It goes without saying that such an approach will enhance network security and data privacy.
Are you looking for a technology partner to create a cyber-secure IoT solution? We have successfully completed many projects requiring the highest level of system security, and we would be happy to tell you how this can be done. Set up a free consultation!
Krzysztof Labuda, a participant in the Certified Ethical Hacker CEH v11 program, teaches the latest commercial-grade hacking tools, techniques, and methodologies used by information security professionals.