Of all the current technology trends going on today, the Internet Of Things is the biggest one and hence it will also be the biggest one to give the most disruption. With IP and personal data accessible through connected systems, hackers have the potential to bring an organization or even a government to a standstill. Hence, we need to start with building new security approaches. Continuous monitoring, threat mitigation, secure operating systems are a few approaches to start with.
Some of the aspects of security testing of IoT systems are as follows:
Web Interface security: Most of our systems now have an inbuilt Web Server. Hence, cover the following points in this regard:
Clear default login credentials while the initial setup
Ensure complex passwords
Check for Cross Side Scripting
Check for SQL Injection
Check for vulnerabilities of Cross Site Request Forgery(CSRF)
Authorization and Authentication: Authentication is much weaker in smart systems. Often limited to four digit codes. Check for weak passwords during the initial installation, use client side Java codes, send for authentication without using HTTPS transports or ask for no password at all.
Network Services: The IoT systems mostly use insecure services like Telnet, FTP, TFTP, etc. Penetration testing tools like Nessus, OpenVAS can check the use of such dangerous services.
Privacy Concerns: Three areas of concern that need to be covered here are
Ensuring collection of minimal data.
Ensuring encryption of data
Ensuring protection of data.
Transport Encryption: Failure in Transport Encryption exposes all the data and credentials at the same level of risk as an insecure web application. Hence, this aspect needs to be covered for complete security testing.
Mobile Interface: IoT systems can also act as wireless access systems. Here security specialists lack in a concrete security checking methodology.
Cloud Interface: Most of the IOT systems need to connect to the cloud server. These web services may carry certain vulnerabilities. Hence, a focus should be put on situations such as username harvesting, no lockout after brute force guessing attempts, etc.
Security Configuration: This involves features such as password enforcement, data encryption and access through different levels. One additional aspect is to check the multiple user level access(full administrator/root permissions) of the operating system in use. Privilege Escalation attacks need to be attempted if they exist in the device.
Software Security: Two main threats to data sent over the network is that it could be changed and sensitive data can be intercepted. To cover these two contexts of insecurity ensure cryptographic signature for all updates, use of only the HTTPS ports and a cryptographic identity of the server provided.
Physical Security: Five things to over for ensuring the physical security of these systems are encryption of stored data, physical protection of the USB ports, ease of dissembling and removing of unnecessary ports and ease of storage media removal.
According to recent studies, the majority of the IoT systems have security vulnerabilities. With millions of new smart systems, hardware endpoints, many lines of coding and more complex infrastructure to cope up with the load, an extensive set of challenges has been created. Instead of researching on testing techniques, a clear mandatory emphasis on security from day one is a better approach, especially when dealing with such immature miniature technologies.