Weekly IoT Worries: Insecure Network Services
This flaw covers network services running on connected devices that are either unnecessary or insecure. The issue is especially concerning if those services are exposed in any way to the internet. Either way, insecure network services can give malicious actors unauthorized access, allowing them to compromise the confidentiality, integrity, or availability of information stored or processed by these endpoints.
IoT and other non-traditional connected endpoints are quickly gaining recognition as prime targets for adversaries. Attackers seek to exploit weaknesses in IoT and other connected devices so they can compromise and exfiltrate sensitive information stored on and communicated by these endpoints. Man-in-the-Middle (MITM) techniques are common in these attacks: they allow credentials to be captured in transit, giving malicious actors the leverage they need to launch larger-scale attacks on even more sensitive endpoints like servers and laptops.
Because of these risks and the way IoT devices are designed, it is imperative that IoT and other connected endpoint communications are secured according to industry best practices, which specifically state that any extraneous protocols or services should be disabled. In fact, according to IEEE’s IoT Best Practices: “Even if device passwords are secure, communications between devices may be hackable. In the IoT, there are many protocols, including Bluetooth, Zigbee, Z-Wave, 6LoWPAN, Thread, Wi-Fi, cellular, NFC, Sigfox, Neul, and LoRaWAN.”
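One way to audit a device for the three conditions described above (unnecessary, insecure, network-exposed), as an added example that is not part of the original article: it parses `ss -Hltun` output captured on the device and flags listeners to disable or replace. The sample output, the allowlist, and the cleartext-port table are constructed assumptions, and a port number is only a heuristic for the protocol actually running on it.

```python
"""Flag listening services that are insecure, unnecessary, or network-exposed."""
import ipaddress

# Constructed sample of `ss -Hltun` output from a hypothetical IP camera.
SAMPLE_SS = """\
tcp   LISTEN 0  128  0.0.0.0:23       0.0.0.0:*
tcp   LISTEN 0  128  0.0.0.0:443      0.0.0.0:*
tcp   LISTEN 0  128  127.0.0.1:8080   0.0.0.0:*
tcp   LISTEN 0  128  [::]:21          [::]:*
udp   UNCONN 0  0    0.0.0.0:1900     0.0.0.0:*
tcp   LISTEN 0  128  192.168.1.50:22  0.0.0.0:*
"""
# Assumed policy: the only services this device needs to offer.
ALLOWED = {("tcp", 443), ("tcp", 22)}
# Well-known ports whose default protocol sends credentials or data in cleartext.
CLEARTEXT = {("tcp", 21): "FTP", ("tcp", 23): "Telnet",
             ("udp", 69): "TFTP", ("tcp", 80): "HTTP"}

def parse_listener(line):
    """Return (proto, bind_address, port) from one line of `ss -Hltun`."""
    fields = line.split()
    host, _, port = fields[4].rpartition(":")
    host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and %iface scope
    return fields[0], host, int(port)

def exposure(host):
    """Classify how widely a bind address is reachable."""
    if host in ("*", "0.0.0.0", "::"):
        return "all-interfaces"
    return "loopback" if ipaddress.ip_address(host).is_loopback else "single-interface"

def audit(ss_output, allowed):
    """Return (proto, port, exposure, reasons) for every listener worth fixing."""
    findings = []
    for line in filter(str.strip, ss_output.splitlines()):
        proto, host, port = parse_listener(line)
        scope = exposure(host)
        if scope == "loopback":
            continue  # not reachable from the network, out of scope here
        reasons = []
        if (proto, port) in CLEARTEXT:
            reasons.append("insecure: cleartext " + CLEARTEXT[(proto, port)])
        if (proto, port) not in allowed:
            reasons.append("unnecessary: not in allowlist")
        if reasons:
            findings.append((proto, port, scope, reasons))
    return findings

if __name__ == "__main__":
    for proto, port, scope, reasons in audit(SAMPLE_SS, ALLOWED):
        print(f"{proto}/{port} ({scope}): {'; '.join(reasons)}")
```
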