How has the security of the Internet of Things evolved in recent years? TechBeacon last visited the topic in 2017 and found the picture to be troubling at best. Now, for the first time since 2014, OWASP has updated its own Top Ten list of IoT Vulnerabilities.
While the present state of IoT security remains poor, a reading of the draft reveals some shifts in thinking about how to shore up IoT devices’ spotty security. For example, “weak, guessable, or hardcoded passwords” now top the list, replacing insecure web interfaces, which drop to No 3. Insecure networks also rank higher, now up a spot, to second on the list.
The updated list reminds us how slapdash security can be in the exploding world of IoT. Here's what experts say about the state of IoT security today—and what to expect to see from the industry in the coming year.
Why is IoT security still so bad?
IoT security remains atrocious, and it’s arguably getting worse. In the first half of 2018, researchers discovered there were three times as many malware samples attacking smart devices than in all of 2017—and 10 times the 2016 total, noted Carolyn Crandall, chief deception officer for Attivo Networks.
As sobering as that stat is, it should not be surprising, Crandall said.
“IoT devices are not designed with security in mind, but rather for easily communicating with other devices. And since most IoT devices are rarely moved once installed, they are seldom patched.”
—Carolyn Crandall
Because they’re primed to be easily compromised, Crandall said they are increasingly being used to mine cryptocurrencies, execute distributed denial-of-service (DDoS) attacks, impact services, or steal user data. Additionally, tools such as Shodan are playing into the hands of attackers by empowering them to find exposed IoT devices that they can exploit.
IoT’s startlingly bad security record has often been chalked up to a hype-fueled market. “Startups and entrepreneurs have a mantra to get a cool idea, define a minimum viable product, and launch it faster than competitors,” as Netwrix vice president of product management Ilia Sotnikov puts it.
In that breathless rush, security is often an afterthought or falls by the wayside altogether. The problem gets exponentially worse when companies from other markets where cybersecurity has never been a consideration start building smart devices.
Now your robot vacuum is an attack vector.
But the very real consequences of IoT’s security vulnerabilities are pretty clear. In the year following 2016’s infamous Mirai botnet—which hijacked 100,000 IoT devices in a DDoS attack that temporarily took Netflix, Twitter, Amazon, and The New York Times offline—IoT-enabled DDoS attacks increased 91%. So why hasn’t IoT security improved?
Matt Wilson, chief information security advisor at BTB Security, said it comes down to incentives and responsibility. Manufacturers and vendors have no incentive to deliver secure products and every incentive to outpace the competition with new features. Consumers, cybercrime victims, and regulators have no clear line drawn for responsibility or accountability when it comes to IoT vulnerabilities.
“Who can hold the vendor responsible? How can they do so?”
—Matt Wilson
“The massive IoT-powered DDoS botnet that targeted cybersecurity journalist Brian Krebs consisted mostly of network-enabled cameras, digital video recording systems, and routers that contained significant and mostly known vulnerabilities,” Wilson continued. “And yet there's been zero backlash against the manufacturers of those systems and fairly limited discussions on the level of responsibility that owners of those systems bear when it comes to updating or patching for security.”
Technology troubles
To be fair, securing IoT devices poses a unique set of challenges. Particle senior product manager Jonathan Beri said one of the biggest is that the devices themselves are simple computers, significantly less robust than even a basic laptop. Security best practices require resources that might not be available on these tiny devices. And Crandall says that architecting security into the device is challenging because it can compromise communications with devices that do not have compatible secure communications protocols.
But perhaps the biggest challenge is that a single IoT device encompasses so many advanced technological fields, said Nabto founder and CEO Carsten Rhod Gregersen. Getting an IoT solution up and running successfully requires at minimum expertise in embedded software development, client-device development, server/cloud operation and system administration, Internet protocols, and, yes, security protocols and security design best practices.
Setting up a team that spans all these fields is very hard—gained from experience—and if you are on a tight deadline, security easily becomes the least of your concerns, Gregersen said.
“A good security design is not necessary to ship a working product, but lack of it will be fatal once the product hits the market and somebody looks into it.”
—Carsten Rhod Gregersen
Still no standards?!
But these very real hurdles aside, Crandall believes that IoT manufacturers aren’t making security more of a priority because they don’t have to. Without any compliance standards, they can choose speed-to-market and cost savings over security, with emphasis on interoperating with the widest number of devices.
“It won’t change until they are forced to comply or there becomes a benefit for implementing a security-first approach or a penalty for a security-last mentality. Think about it: We have UL standards for a light bulb but not for IoT. How does this make sense?”
—Carolyn Crandall
In the wake of the high-profile security incidents of the last couple of years, governments have started incentivizing manufacturers to take IoT security more seriously. Last year Congress introduced the IoT Cybersecurity Improvement Act of 2017, which leverages the buying power of the US government to require security features in any Internet-connected device it acquires.
And in September, California Governor Jerry Brown signed into law SB-327, which requires manufacturers to equip connected devices with a “reasonable security feature or features that are appropriate to the nature and function of the device.”
Across the pond, the UK government has issued the Code of Practice for Consumer IoT Security, and the EU has reached agreement on the Cybersecurity Act to strengthen the General Data Protection Regulation laws. None of these efforts is a cure-all, and the California law has received criticism from security experts, but they do at least represent a needed step toward addressing IoT’s security ills.
While governments work out how to create standards and roll them out, various organizations are advancing policy and guideline documents. Larry LeBlanc, chief security engineer at Sierra Wireless, noted that in 2016 the GSMA introduced a set of IoT Security Guidelines, and this year the CTIA published an IoT Cybersecurity Test Plan that may be integrated into the certification process for cellular IoT devices.
Additionally, the Council for Securing the Digital Economy (CSDE) published an “Anti-Botnet Report,” which outlines a set of processes and capabilities for components of the IoT ecosystem, including devices, infrastructure providers, and both small office/home office and enterprise operators.
The challenge here, LeBlanc noted, is that IoT cuts across every industry: consumer devices, medical devices, industrial controls, and automotive, to name a few. And while there will be some common themes, such as no globally shared default passwords, keeping software/firmware up to date, and secure-by-default design, specific standards will have to be tailored to each industry vertical. And even then they will face the difficulty of keeping up with the rapidly evolving threat landscape.
Looking ahead
This story of IoT security follows the model of most security stories, with experts cautioning that things will get worse before they get better. And that’s undoubtedly true as IoT penetrates deeper into industries such as healthcare and device innovation continues to outpace security measures in the coming year. But there’s room for a little optimism.
The upside of recent data breaches is that they have generated more discussion around security among consumers and manufacturers than ever before. And the industry continues to make strides with IoT security, with new IoT devices much more likely to have at least basic security in place.
However, there are millions of IoT devices still in the world that are insecure, and Particle co-founder and CEO Zach Supalla reminds us that those devices aren’t going anywhere. That means existing IoT businesses are vulnerable, and despite the industry’s best efforts, major breaches are likely to continue. But he feels there could be positive outcomes here, too.
“These breaches will create uncertainty in the market that will force IoT practitioners to both double down on their security investments and to increase their marketing focus on the value of security and data privacy.”
—Zach Supalla
Still, while OWASP and others will continue to develop and promote security guidelines, LeBlanc isn’t holding his breath for a magic bullet in 2019. There will be increasing levels of activity in this area, but I expect it will be a long time, if ever, before there is an industry-wide standard for IoT, he said.
“That’s why it’s more important than ever that IoT providers and users ensure that they are adopting best practices and using the latest technologies, in order to protect their IoT systems from attack.”
—Larry LeBlanc
Keep learning
Learn from your SecOps peers with TechBeacon's State of SecOps 2021 Guide. Plus: Download the CyberRes 2021 State of Security Operations.
Get a handle on SecOps tooling with TechBeacon's Guide, which includes the GigaOm Radar for SIEM.
The future is security as code. Find out how DevSecOps gets you there with TechBeacon's Guide. Plus: See the SANS DevSecOps survey report for key insights for practitioners.
Get up to speed on cyber resilience with TechBeacon's Guide. Plus: Take the Cyber Resilience Assessment.
Put it all into action with TechBeacon's Guide to a Modern Security Operations Center.
