Our smartphone is an integral part of everyday life. Already 57 million Germans own a smartphone.
Whether young or old, the smartphone is ubiquitous, and rightly so.
Our smartphone is much more than a device we communicate or play with. Today, we do our shopping via the smartphone, open the front door or adjust the heating temperature on the go. For virtually every application there is an app, and most of them are connected, with IoT.
IoT: what is it?
IoT stands for Internet of Things. Basically, it is quite simply explained.
Take a light switch, connect it to the internet and provide a programming interface, and we already have a remote-controlled light switch that can be operated with the smartphone. Since 2015 this trend has been rising massively. More such devices are developed, produced and distributed from year to year.
We can connect and control almost anything. This is wonderful. Now, in 2019, we have approximately 26 billion connected devices. The forecast for 2025 is 75 billion.
Connected devices thus bring us a whole new way to master our everyday lives. Combined with our smartphone, this is the ultimate mix for controlling “things” from anywhere.
Being connected everywhere means, conversely, that we are accessible, controllable, vulnerable and unsafe from anywhere.
But why is that?
Many of these connected devices are poorly implemented, and some very poorly. Customers are actively misled about the supposed security. Not because companies want to give customers a false sense of security, but because there is a very large shortage of security skills around the world. As a result, companies actively promote supposedly secure apps.
Most services provide some kind of API.
At Liasoft, we create security analyses of apps. Before each analysis, we start with an automated short analysis. It checks for patterns that we have already analyzed and categorized manually at least once.
Massive automated analysis of apps
Up to and including April 1, 2019, we analyzed 15,000 apps with API access in an automated way. These apps are exclusively apps from German manufacturers, from all industries, from small business owners to large corporations. We contacted 900 of these companies immediately because we discovered very serious security vulnerabilities there. After four weeks, we had received 32 responses.
Why? Good question. Security does not seem important.
In 14,320 cases, all of the following criteria apply:
- App requires a user login.
- App provides an API with two or more endpoints.
- App has SSL, but no certificate pinning.
In 12,602 cases, intellectual property is not protected. That is, the source code of the app is immediately and easily recoverable, which simplifies analysis and attack by a reverse engineer.
With Let’s Encrypt, anyone can create an SSL certificate (even on a low budget), and browser vendors have made SSL more or less mandatory. This is good.
The result of our analysis is, in any case, terrifying. Unfortunately, an SSL certificate does not necessarily protect against man-in-the-middle attacks. Especially on the go, we log into mobile Wi-Fi hotspots, and if they effectively force us to install a self-signed root certificate, all traffic can be read.
3 steps to make communication really secure.
There are more connected devices every day. Hypercapitalism in our society ensures that services, apps and software are developed quickly and unwisely. In too many cases the result is an implementation of a RESTful service with SSL and nothing else. The service is considered finished with that, and a supposedly secure new service is then marketed.
In fact, there are only three steps to really secure services.
- Activate HSTS headers on the web interface,
- Activate certificate pinning in the client,
- Implement a second factor for sensitive API calls.
These three small steps have a big effect. The communication between client and server is usually really secure! Of course, there are also ways and means to intervene here, but this requires advanced attack scenarios.
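As an added example (not Liasoft's code, nor any analyzed app's), here is what steps one and three look like on the server side: a minimal WSGI service that redirects plain HTTP, sends an HSTS header on every HTTPS response, and requires a TOTP second factor (RFC 6238, standard-library only) on sensitive API paths. The paths, host name and the secret (the RFC 6238 test-vector secret) are constructed for the demo; pinning (step two) lives in the client and is not shown.

```python
import base64
import hashlib
import hmac
import struct
import time

HSTS = "max-age=31536000; includeSubDomains"
SENSITIVE_PATHS = {"/api/transfer", "/api/change-password"}  # constructed for the demo
DEMO_SECRET = b"12345678901234567890"  # RFC 6238 Appendix B test secret, demo only


def totp(secret: bytes, timestamp: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, dynamically truncated."""
    counter = struct.pack(">Q", int(timestamp) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp_valid(secret: bytes, code: str, now: float, step: int = 30, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps (clock skew); constant-time compare."""
    return any(hmac.compare_digest(totp(secret, now + k * step, step).encode(), code.encode())
               for k in range(-window, window + 1))


def make_app(secret: bytes, clock=time.time):
    """Build a WSGI app; `clock` is injectable so the second factor can be tested offline."""
    def app(environ, start_response):
        path = environ.get("PATH_INFO", "/")
        if environ.get("wsgi.url_scheme") != "https":
            # HSTS is only honoured over TLS, so plain-HTTP requests are redirected, never served.
            target = "https://" + environ.get("HTTP_HOST", "localhost") + path
            start_response("301 Moved Permanently", [("Location", target)])
            return [b""]
        headers = [("Strict-Transport-Security", HSTS), ("Content-Type", "text/plain")]
        if path in SENSITIVE_PATHS:
            # Session alone is not enough here: a valid TOTP code must accompany the call.
            code = environ.get("HTTP_X_SECOND_FACTOR", "")
            if not totp_valid(secret, code, now=clock()):
                start_response("401 Unauthorized", headers)
                return [b"second factor required"]
        start_response("200 OK", headers)
        return [b"ok"]
    return app


def call(app, path, scheme="https", second_factor=None, host="api.example.test"):
    """Invoke the app with a constructed WSGI environ; returns (status, headers, body)."""
    environ = {"PATH_INFO": path, "wsgi.url_scheme": scheme, "HTTP_HOST": host}
    if second_factor is not None:
        environ["HTTP_X_SECOND_FACTOR"] = second_factor
    captured = {}

    def start_response(status, headers):
        captured["status"], captured["headers"] = status, dict(headers)
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body
```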
We hope that this trend in security will improve over the next few months.
Update and addendum from 20.04.2019:
We have reworded a paragraph in order to avoid misunderstandings regarding self-signed certificates.