Published May 26, 2020
WRITTEN BY THE KIUWAN TEAM
Experienced developers, cyber-security experts, ALM consultants, DevOps gurus and some other dangerous species.
The internet of things (IoT) refers to the network capability that allows smart devices to communicate with other objects or devices. The “things” are devices such as sensors, lights, or security systems. Most IoT devices have targeted the consumer, but more devices are being deployed in companies as they move forward with their digital transformation.
According to McKinsey, the worldwide number of internet-connected devices is projected to increase to 43 billion by 2023. That’s almost three times as many devices as in 2018. From a security perspective, that’s 43 billion opportunities for hackers to compromise a network because every device is a potential access point for a cyber-criminal.
IT personnel have raised concerns about IoT security. Yet, companies continue to manufacture and sell devices. Consumers continue to buy them and corporations are starting to deploy them in larger numbers. Why aren’t more consumers and companies concerned about IoT security? The IoT has a powerful value proposition, which makes it difficult to ignore. Consumers demand connectivity and companies are realizing the cost-effectiveness of IoT. At the same time, the associated risk is equally compelling. Right now, it is a balancing act, but the ability of IoT to scale will most likely be restricted until security vulnerabilities have been resolved.
A 2019 report on internet security found that routers and cameras were the most common targets for IoT attacks; however, attackers are becoming more sophisticated. Mirai and its 16-plus variants continued to launch distributed denial of service attacks, accounting for 16% of all IoT threats in 2018. Industrial control systems (ICS) and VPNs are increasingly targeted. VPNFilter is a widespread IoT threat, especially since its first stage persists across a reboot of the infected router. Attacks on ICS could cripple an entire power plant, industrial complex, or satellite array.
Security experts agree that IoT is under-secured and are concerned that a successful attack will have catastrophic results as businesses incorporate devices into all aspects of their enterprise. No general IoT security standards exist. Vendors struggle to embed security, intelligence, and control into devices that were never designed with spare processing power for those functions. At the same time, cybercriminals continue to collaborate, resulting in more sophisticated threats.
As is often the case with technology, a concept becomes a reality, but the reality is not exactly what the designers had in mind. IoT followed this path. Compact devices were created with minimal processing power or memory. They were designed for a single function. Few individual devices were built to be deployed in massive numbers across international enterprises with the expectation of decades of use. As a result, companies are faced with trying to secure a device with significant constraints.
IoT devices are connected to the internet and will encounter threats daily. Attackers can use search engines that crawl the internet looking for exposed devices such as webcams and routers. Robust cybersecurity was not included as part of the design, so these devices cannot provide the needed security. In many cases, the connectivity protocols do not support end-to-end encryption. Developers are constrained by the lack of processing power and memory, making it difficult to add comprehensive security. IoT devices were simply not designed to withstand constant threats.
Adding security to devices costs money. If the business model is based on volume sales at a competitive price, adding security may break the business model. For example, remote updating may not be a feature on many devices. Updates must either be done manually or not at all. That creates a weak link in the network when devices cannot be patched to protect against new threats.
Most devices come with default passwords that are available online. If changing the default password is not a mandatory part of the installation, many devices are deployed with default passwords in place. Putting security capabilities in place takes processing power and memory, which are in limited supply on most IoT devices.
Depending on the type of device, there may be regulations and standards in place. The FAA regulates drones, the National Highway Traffic Safety Administration (NHTSA) oversees vehicles, and the FDA regulates IoT medical devices. But what about all the other devices that are used in manufacturing or by consumers? As of 2020, no standards exist for IoT devices outside of select industries.
If history repeats itself, a standard will develop in one of two ways:
- Customers will refuse to support multiple interfaces and demand a standard be created, such as happened in the financial services sector.
- One or two companies will come to dominate, making their solutions the de facto standard, as Apple and Microsoft did.
The current landscape doesn’t support either approach. There’s no clear leader within the industry and customers are not clamoring for a standard. It may be the security sector that ultimately forces a resolution as a way to mitigate risk.
In the meantime, what do consumers and companies do? They will need to follow security best practices when adding IoT devices to their networks. They must change all default user names and passwords, making sure that new passwords follow recommended guidance on length and mix of letters, numbers, and symbols. Before purchasing a device, check whether the manufacturer will assume liability for it. Most companies will take on some liability for the hardware but not for the software.
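The practices above (change every default user name and password, enforce a length and character-mix policy, prefer devices that can be patched remotely) are easiest to keep honest with an inventory audit. The script below is an added example, not Kiuwan code or code from the original post; the vendor names, the default-credential table, the policy thresholds, and the device inventory are all constructed for illustration and are not real vendor data.

```python
"""Audit an IoT device inventory for default credentials, weak passwords and
devices that cannot be patched remotely.

Added example; not part of the original post. DEFAULT_CREDENTIALS and
INVENTORY are constructed for illustration, not real vendor data.
"""
import re

# Hypothetical factory defaults per (vendor, model): a set of (user, password).
# In practice this table would be built from vendor documentation or a
# maintained default-credential list.
DEFAULT_CREDENTIALS = {
    ("ExampleCam", "IPC-100"): {("admin", "admin"), ("admin", "12345")},
    ("ExampleNet", "R-200"): {("root", "root"), ("admin", "password")},
}

# Policy thresholds (assumed values, adjust to local policy).
MIN_LENGTH = 12
MIN_CHARACTER_CLASSES = 3

CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")


def password_findings(password):
    """Return policy violations for one password; empty list means it passes."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"password shorter than {MIN_LENGTH} characters")
    classes = sum(1 for pattern in CLASS_PATTERNS if re.search(pattern, password))
    if classes < MIN_CHARACTER_CLASSES:
        findings.append(f"password uses fewer than {MIN_CHARACTER_CLASSES} character classes")
    return findings


def audit_device(device):
    """Return a list of findings for one inventory record (empty if clean)."""
    defaults = DEFAULT_CREDENTIALS.get((device["vendor"], device["model"]), set())
    credentials = (device["username"], device["password"])
    findings = []
    if credentials in defaults:
        findings.append("factory default credentials still in place")
    elif device["username"] in {user for user, _ in defaults}:
        # The password was changed but the well-known account name was kept,
        # which still hands an attacker half of the login.
        findings.append("default user name retained")
    findings.extend(password_findings(device["password"]))
    if not device.get("remote_update", False):
        findings.append("no remote update capability; patching is manual or impossible")
    return findings


def audit_inventory(inventory):
    """Map each device id to its list of findings."""
    return {device["id"]: audit_device(device) for device in inventory}


def devices_needing_action(inventory):
    """Sorted ids of devices with at least one finding."""
    return sorted(dev_id for dev_id, found in audit_inventory(inventory).items() if found)


# Constructed sample inventory (not real devices).
INVENTORY = [
    {"id": "cam-01", "vendor": "ExampleCam", "model": "IPC-100",
     "username": "admin", "password": "admin", "remote_update": False},
    {"id": "cam-02", "vendor": "ExampleCam", "model": "IPC-100",
     "username": "admin", "password": "Summer2020", "remote_update": True},
    {"id": "rtr-01", "vendor": "ExampleNet", "model": "R-200",
     "username": "ops-r200", "password": "c7!Vq9#mLp2zT4", "remote_update": True},
]

if __name__ == "__main__":
    for dev_id, found in audit_inventory(INVENTORY).items():
        status = "; ".join(found) if found else "ok"
        print(f"{dev_id}: {status}")
```

Running it reports cam-01 with default credentials, a weak password and no remote update path, cam-02 with a retained default user name and a too-short password, and rtr-01 as clean. The default-user-name check matters because many deployments change only the password, leaving the attacker one guess away from a valid login; the remote-update flag captures the patching gap described earlier, since a device that cannot be updated stays vulnerable to every new threat for its entire service life.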
What should manufacturers do? They need to ensure their devices are as secure as possible, using Kiuwan's SAST and SCA tools to identify vulnerabilities in the device's application code and its third-party components. A demonstrable good-faith effort can help mitigate liability should an attack prove successful. Contact us to discuss how our solutions can help deliver a secure application for the IoT.