How to begin fixing vulnerable IoT security issues
The frenzy surrounding all things Internet of Things has quickly moved from unbridled excitement to dystopian warnings.
The focus has moved from its potential to revolutionize the way we work and play, to visions of television sets turned spy and hijacked medical devices holding lives for ransom.
With so much hyperbole, it can be difficult to cut through the noise to understand exactly where the problems lie in securing the IoT.
Much has to do with the sheer scale of the attack surface. The current estimate for IoT devices is 6.4 billion, and Gartner predicts they will reach an installed base of 21 billion units by 2020—others predict even higher. These devices are ever-connected and ever-susceptible, even when idle, and cybercriminals are taking full advantage.
The Mirai botnet that took down more than 80 major websites consisted mainly of CCTV cameras and DVRs, but that was only the beginning. The latest bot-herding software, Wicked, is a more sophisticated Mirai relative. It includes at least three new exploits targeting known vulnerabilities in various IoT devices, including cameras and Netgear routers.
With a problem of such magnitude, why aren’t we doing a better job of protecting IoT devices? Looking at the IoT security landscape, we see mostly network-level defenses: managing IoT security at the network level, detecting IoT attacks at the network level, and blocking IoT attacks at the network level. These are valuable but limited—just as in the case of endpoint security, deep security requires software installed on the device itself.
However, there are almost no in-device IoT security products. The current diversity of hardware, software and operating systems poses a real challenge for developers of security products. IoT is a mixture of systems, composed of various types of CPUs and chipsets from different vendors.
ARM-based platforms dominate the market, but Intel is pushing its own IoT platforms. And the various manufacturers of IoT development boards use their own hardware architecture, integrated circuits, processors and chipsets. The situation at the software level is even worse. There are about 10 leading operating systems for IoT, as well as numerous others. For security vendors, developing and maintaining an IoT-wide security product is very challenging, if not impossible.
One of the primary purposes of IoT technology is to collect information, both overtly and silently. IoT devices often send unencrypted information over unsecured ports. And many times, as in the case of the “teddy bear” data breach, that collected information is stored in publicly accessible databases without any authentication required. These devices are designed to gather and transmit this data as quickly and cheaply as possible.
This is at direct odds with information security but unlikely to change soon. Implementing secure or confidential communication protocols increases development cost, time to market and manufacturing costs. Even manufacturers that are conscious of security issues might unknowingly embed insecure third-party components into their products. Many of the webcams enlisted by the Mirai botnet utilized electronic components from the same manufacturer.
Most IoT devices are riddled with vulnerabilities but were not built with patching and updating in mind. Cameras, routers, printers, sensors—all have internal firmware, which usually works for years without an update. As a result, there are many IoT devices with different versions of kernels, frameworks, web servers and applications. And even if manufacturers could develop patches, the logistics of upgrading the software or firmware are extremely challenging.
Apart from the difficulty in accessing devices, most do not have the memory and processing power needed to receive and perform the upgrade or patch. The online-update, instant-patch paradigm used in the modern OS is not yet feasible in the IoT world.
It’s not just things
Generally we think of the IoT as personal devices—for example, cameras, refrigerators or even cars. But much of our critical infrastructure—utilities, hospitals, transportation systems and all the other systems our communities and countries depend on—is increasingly digitally controlled and connected. This industrial internet of things (IIoT) brings tremendous productivity and reliability gains: better alignment of supply and demand, predictive maintenance planning, predictive outage response, instantaneous sharing of vital data and more. In some cases, like healthcare, it can make the difference between life and death.
However, this hyper-connectivity has increased the cyber risk for our critical systems exponentially. The energy sector is particularly vulnerable. Coordinated cyberattacks on the Ukraine power grid left more than 230,000 customers without power after hackers gained control of the Supervisory Control and Data Acquisition (SCADA) systems. And earlier this month, researchers disclosed critical vulnerabilities in SCADA tools widely used in oil, gas and electricity operations, which would give threat actors complete control and the ability to move laterally through the network to execute additional attacks. When we talk about IoT security, we need to look at the bigger picture.
IoT is at a critical juncture; it’s time to shuffle priorities and put security at the top. End users need to implement best-practice security controls and demand greater security built into the products they buy. Cybersecurity vendors need to think outside the box to develop new protection paradigms. Manufacturers need to step up, take responsibility and actively make their devices more secure. And legislators must put forth effective regulations to ensure it happens.