- Device discovery. You can't protect what you can't see.
- Authentication and authorization.
- Disruption, DDoS attacks and IoT botnets. ...
- IoT passwords. ...
- Encryption.
- Securing the network.
Most of the list is great for IOT risks. Some additional ones to consider:
- Data leakage: An unsecured IOT device can contain data unintended for others. Consider medical IOT containing patient information and patient medical images.
- Asset leakage: An unsecured IOT device can leak private IP or other intranet device information.
- Pivot attacks: An IOT device can allow an attacker to pivot from a public IP addressed printer to the internal network of an organization. Printer's don't have antivirus, security logging, firewalls and rarely are they security monitored.
- Exhaustion: An IOT attacker can exhaust the physical components and cause a DDoS on the network resulting in latency.
- Stored XSS and similar attacks: Most IOT are not security tested in a basic manner which can allow an attacker to find stored XSS and similar exploitable vulnerabilities. The attacker can remotely embed and execute code allowing credential theft or delivery of malware.
- Weaponization: Malware delivery mechanism or create a bot network of exploitable IOT to turn into internet or external attack devices.
I would add the following:
- Inability to patch/upgrade many IoT devices to prevent and remediate problems because of inaccessibility or lack of facilities to do patches/upgrades
- lack of standardization - forces many custom built solutions per vendor and/or forces use of network isolation
- Obsolescence of devices from long life time, leading to being vulnerable to vendors going out of business.
Chris Kubecka , Jeff Sedayao thanks for your detailed answers, I am thankful to you.
I am overwhelmed with your insights. Since I am currently working on the risks in the IoT domain.
Again thanks for adding such great thoughts and answers. Most of the things that you put forward really were out of my focus.
Yes, according to Chris Kubecka , pivot based attacks are very critical. They are also contagious in some sense. Printers which are rarely secured can expose the area network address using which it is possible to dig even deeper; the IoT devices that are present inside that area. This is like parent directory, and sub-directories. An interrogation such as this can prove to be dangerous. As a result, access to many private entities might be possible. We can also call this as the Internet of Unintended Things (IoUT).
- Badges
- Science topic