Identification of the Issues in IoT Devices with HSTS Not Enforced and Their Exploitation


Abstract

IoT is an emerging paradigm that transforms a traditional style of living into a high-tech one. The rapid development of IoT is accompanied by challenges concerning security, its uses, infrastructure, data and devices. Consequently, securing websites has become a primary concern, as they hold sensitive information. The Internet has become part and parcel of our lives, but one thing that rarely receives attention is the web servers in IoT devices that everyone uses daily. Web servers in IoT devices are configured to provide remote access, systematic management and better accessibility. HTTP is the language through which web servers and browsers communicate, but it is not encrypted, so if someone manages to hack in, everything going through the browser can be read. One alternative for this communication between servers and browsers is HTTPS, which is an encrypted form of HTTP. This necessitates the use of HSTS, to provide encryption using SSL/TLS by configuring security headers. In this paper, we identify the issue of not implementing an HSTS policy in the web servers of IoT devices. For clarity, the issues are categorised into two major categories. The paper also provides a study of the exploitation of these issues by simulating the IoT environment on a local system.

Cite

Srivastava, A., & Shah, P. (2023). Identification of the Issues in IoT Devices with HSTS Not Enforced and Their Exploitation. In Smart Innovation, Systems and Technologies (Vol. 314, pp. 325–334). Springer Science and Business Media Deutschland GmbH. https://doi.org/10.1007/978-3-031-05491-4_33
