3 October 2024

The importance of input validation in IoT security

Nazli Kuran, cybersecurity expert at Kiwa


Cybersecurity has been a passion of mine for years. My journey in this field began out of curiosity, leading me to specialize in web penetration testing. Since joining Kiwa, my focus has shifted to IoT security, with an emphasis on testing against standards like ETSI EN 303645. One topic that consistently fascinates me is input validation—an area where web penetration testing and IoT security assessments often intersect.

Input validation is specifically addressed in provision 5.13-1 of the ETSI EN 303645, making it a key focus of my work. Let’s explore why it’s so crucial for securing IoT devices and how it fits into broader cybersecurity efforts.

What is input validation?

Input validation acts as a gatekeeper for the data entering your IoT device, ensuring it’s safe and correctly formatted. Imagine it as a security guard at a building entrance - only allowing in individuals who meet the requirements. For example, an IoT thermostat expecting a temperature input between -20°C and 40°C should not accept absurd values like 10,000°C, which could crash the system or create opportunities for attacks. Without this verification, IoT devices become vulnerable to a wide array of threats, including injection attacks.

Why is input validation crucial in IoT?

IoT devices often operate in environments where they process data from numerous sources: user inputs, sensors or even internet traffic. Without rigorous input validation, attackers can manipulate these inputs to execute harmful commands or gain unauthorized access to the device. Take buffer overflow attacks, for example. If a device expects 16 bytes of data but receives 64 bytes without proper validation, the excess data could overflow into other parts of the system's memory. This not only risks a system crash but could also allow for remote code execution, a severe security breach.

Are HTML tags in an embedded control unit a hidden threat?

Now, let’s imagine you’re working with an embedded control unit that unexpectedly starts processing HTML tags. It might seem like an odd quirk, but could it actually lead to a security risk, such as Cross-Site Scripting (XSS)? Let’s unpack this scenario. HTML tags function like instructions for web browsers, telling them how to display content. However, when an embedded control unit begins processing HTML, it is likely doing something it wasn’t designed to do. This deviation can lead to serious security concerns.

What’s the risk?

If an embedded control unit can process HTML tags, there’s a chance it could also execute scripts, such as JavaScript, within those tags. This is where vulnerabilities like XSS come into play. Imagine an attacker injecting a script like this: <script>alert('You’ve been hacked!')</script> If the system executes this code, a pop-up saying ‘You've been hacked!’ appears—indicating an XSS vulnerability. Hackers could exploit this to run malicious code, steal data or alter the device’s behavior.

Risks beyond XSS

Even if JavaScript isn’t executed, HTML tags still pose a risk. Here are a few potential concerns:

  • UI manipulation: Attackers could modify the device’s user interface, potentially displaying false or misleading information.
  • Misuse of features: HTML tags could be used to inject undesirable content or cause abnormal device behavior.
  • Unauthorized access: If the system processes HTML tags, it might allow certain functions, such as form submissions, that could send or manipulate sensitive data.

Key techniques for effective input validation in IoT

Now that we understand the potential dangers, how can we ensure proper input validation? Below you find a few key techniques:

  • Data type validation: Ensure that incoming data matches the expected type (e.g., numbers, text, booleans). For instance, a numerical password field should reject any string input.
  • Input length check: Set limits on the length of the input to prevent buffer overflow attacks. If a device expects an 8-character password, inputs longer or shorter than that should be rejected.
  • Range validation: For numerical inputs, ensure the data falls within an acceptable range. For example, a smart thermostat should only accept temperatures between -20°C and 40°C.
  • Whitelisting and blacklisting: Define acceptable (whitelisted) inputs and block unacceptable (blacklisted) ones. For instance, only allowing commands like ‘turn on’ or ‘turn off’ ensures invalid commands are ignored.
  • Input sanitization: Dangerous characters such as `‘`, `;`, `<`, or `>` could be used for injection attacks. Sanitizing inputs means removing or neutralizing these risky characters before the system processes them.

Secure smart devices top priority

In the ever-expanding world of IoT, input validation remains a cornerstone of security, protecting devices from a wide variety of attacks. By ensuring that only valid, safe and correctly formatted data enters a device, you shield it from risks like buffer overflows, injection attacks and crashes. Implementing simple yet effective techniques—like data type checks, input length restrictions and sanitization - can significantly enhance the security of IoT systems. As smart devices continue to integrate into every aspect of our lives, securing them through robust input validation must be a top priority.

At Kiwa, we are dedicated to helping organizations meet the highest standards of cybersecurity. Our services include thorough assessments against the ETSI EN 303645 standard, comprehensive penetration testing, and expert guidance in securing IoT devices. We work closely with clients to ensure their products are resilient against emerging threats, enabling them to build trust with their customers and stay ahead of cybersecurity challenges.