OWASP For IoT Security - 4

I4: Lack of Secure Update Mechanism

Lack of ability to securely update the device. This includes lack of firmware validation on the device, lack of secure delivery (un-encrypted in transit), lack of anti-rollback mechanisms, and lack of notifications of security changes due to updates.

Unauthorized software and firmware updates are a common way for hackers to access IoT devices. A faulty update can cause important IoT devices to stop working and have tangible effects in industries like healthcare and energy. To ensure the security of firmware and software upgrades, we must restrict access to them and verify their source and integrity.

IoT products are designed with connectivity and ease of use in mind. They may be secure at the time of purchase, but attackers can exploit security flaws or defects discovered later. IoT devices become vulnerable over time if they are not patched with frequent updates. Responsible manufacturers should go above and beyond to ensure that the embedded software or firmware in their products is safe, and should issue security upgrades when vulnerabilities in their IoT devices are discovered. Enterprises can then deliver these essential security upgrades to IoT devices in the field. Network administrators should pay special attention to update procedures, which should accept only signed updates and use encrypted exchanges.

Anyone with even a single application that uses an insecure update mechanism is at risk of falling victim to an evilgrade attack. That is, during the software update procedure, you may unintentionally install malicious code. Because software updaters typically run with administrative privileges, the attacker's code will also run with administrative privileges. In some instances this can happen without any user interaction. The dangers of an insecure update process are much more severe than an individual user being compromised while on an untrusted network. If an update is not digitally signed, or if the update mechanism does not verify signatures, an attacker can replace the software update with malware. When evaluating software updates, an easy test is to see whether the software downloads and installs calc.exe from Windows instead of the intended update. If calc.exe appears when the update occurs, that is evidence of a susceptible update mechanism.

Determining whether an application validates the digital signatures of its updates requires a more complex setup. Essentially, you need to intercept the update and redirect it to an update under your control that is either unsigned or signed by another vendor.

The recommendation for users is to be wary of automatic updates when using an untrusted network. When feasible, download updates from the vendor's HTTPS website using your web browser. Popular apps from large suppliers are less likely to include insecure update mechanisms, although any software update mechanism is subject to attack.

Ensure that the code signing key is not present on the update server itself to safeguard your users from an update server compromise. Ensure the code signing key is offline or otherwise unavailable to an attacker to boost security against malicious updates.
