The state of IoT security: Trusted connected devices a work in progress

The Internet of Things (IoT) has a shockingly bad security record. After all, it literally broke the Internet when up to 100,000 IoT devices were ensnared in the Mirai botnet last year, helping stage the historic distributed denial-of-service (DDoS) attack that took down Netflix, Twitter, Amazon, and The New York Times. It's no wonder that IoT security fears are top of mind for IT organizations supporting the devices.

And the problem is growing. When you consider that the IoT will grow to 26 billion devices in just two years, according to Gartner, and each new device is a potential attack vector for some enterprising hacker, a frightening picture takes shape.

So what’s the current state of IoT security, exactly, and where is it headed in the coming year? Here’s a glimpse into the future.


The sorry state of IoT security

The reasons for the IoT’s shoddy security record are numerous. By most accounts, it starts with manufacturers rushing IoT products to market. Along the way, security becomes a casualty of the drive to get an innovative and affordable product out the door. Operating on a low-cost business model with razor-thin margins, developers have long overlooked or ignored basic security principles. When they have addressed security at all, they have tended to use lightweight technology that minimizes complexity and maximizes convenience for the end user.

The problem is compounded by the fact that many companies are diving into the IoT from other markets and don’t have the expertise to foresee and address even common security pitfalls.

“If Honeywell, for example, decides to compete with Nest and adds Internet capability to its thermostats, they’re now in the IoT business,” says Cricket Liu, chief DNS architect at Infoblox. “But the problem is that because they haven’t been in the networking business previously, they haven’t had to think about key things such as building in security features and protecting networked devices from vulnerabilities.” (Honeywell has indeed included Internet capability in its thermostats.)

For their part, IoT device manufacturers can fairly claim that they are only giving customers what they want. Unique passwords, complex configurations, and regular software and firmware updates could be off-putting to people looking for simple plug-and-play appliances for their homes.

“The maximally cynical interpretation is that, given a choice between two devices—one of them cheaper and out the door faster, and one of them more expensive, delayed, and more secure—people will pick the first,” says Michael Collins, technical director for the Cybergreen Institute. “Security has always been a difficult sell, and since secure systems are going to be more restrictive, you’re going to also run into a reduction in features.”

Though smart-home product and service adoption continues to grow slowly year over year, Parks Associates senior analyst Brad Russell says that security concerns may eventually stunt growth. “Of all the smart-home devices, no single device has more than 12% penetration,” he says. “Security and privacy concerns provide headwinds where adoption would be faster if these concerns were allayed.”

Bridging the security gap

In a perfect world, manufacturers would heed this warning and start developing more secure IoT devices while preserving their ease of use. But as Sami Nassar, vice president of cybersecurity solutions at NXP points out, the IoT is still in an innovation phase. Robust quality controls will only come after it has been established that the technology works and is useful.

And even if the industry did suddenly strengthen its security game, there’s little it could do for the millions of IoT devices already being used in homes and businesses that are defenseless against increasingly sophisticated attacks.

Faced with this reality, third parties are stepping in to bridge the gap.

One case in point is Snappy Ubuntu Core, an IoT-centric version of the popular Ubuntu distribution of the Linux open-source operating system. The OS has been reduced to its core components to work within IoT devices’ processing and memory limitations. It’s also modular, so when an app is corrupted the damage is contained. Developers can create their own store with Snappy, through which they can manage software updates across devices.

Security firm Cloudflare also recently stepped into the fray, with its new Orbit service. Rather than worry about pushing patches to billions of devices—if those devices have been designed to receive updates at all—manufacturers can use Cloudflare’s network as a defense layer. It creates a secure and authenticated connection between an IoT device and its origin server, blocking vulnerabilities and deploying “virtual patches” in place.

Liu’s company, Infoblox, takes a different approach, working on ways to detect the compromise of IoT devices passively by monitoring DNS queries, for example.

“Most IoT devices send a very circumscribed set of DNS queries,” he says. “A Nest thermostat, for example, talks to Nest and maybe Google, and not much else. If your DNS server suddenly notices that it's looking up a domain name in Moldova, that's probably an indicator of compromise.”
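One way to implement the per-device DNS baselining Liu describes, as an added example that is not Infoblox's code; it assumes a resolver log of `<timestamp> <client_ip> <qname>` lines and a learning window during which each device's normal destinations are recorded:

```python
# Added example (not from the article): per-device DNS baselining in the spirit of
# Infoblox's approach. Assumes a resolver log of '<timestamp> <client_ip> <qname>'
# lines; destinations are reduced to a registrable domain with a simplified rule.
from collections import defaultdict

# Constructed sample log: a thermostat (10.0.0.20) that normally talks only to its
# vendor and Google, then resolves an unrelated .md domain after the learning window.
SAMPLE_LOG = """\
2017-11-01T08:00:01 10.0.0.20 frontdoor.nest.com
2017-11-01T08:00:05 10.0.0.20 time.google.com
2017-11-01T08:01:10 10.0.0.20 home.nest.com
2017-11-01T08:02:00 10.0.0.21 api.example-cam.net
2017-11-01T09:30:00 10.0.0.20 firmware.nest.com
2017-11-01T09:31:00 10.0.0.20 c2-update.example.md
2017-11-01T09:31:05 10.0.0.21 api.example-cam.net
"""

# Simplified public-suffix handling: two labels, or three under a few ccSLDs.
CC_SLDS = {"co.uk", "com.au", "co.jp"}

def registrable_domain(qname):
    """Collapse any host under a vendor's zone into one destination."""
    labels = qname.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in CC_SLDS else 2
    return ".".join(labels[-n:])

def parse_log(text):
    for line in text.splitlines():
        ts, client, qname = line.split()
        yield ts, client, registrable_domain(qname)

def learn_baseline(text, learn_before):
    """Per-device set of domains queried before the cutoff (ISO timestamps sort as strings)."""
    baseline = defaultdict(set)
    for ts, client, domain in parse_log(text):
        if ts < learn_before:
            baseline[client].add(domain)
    return baseline

def find_anomalies(text, learn_before):
    """Post-cutoff queries outside the device's baseline; a device never seen
    during learning has an empty baseline, so all of its queries are flagged."""
    baseline = learn_baseline(text, learn_before)
    return [(ts, c, d) for ts, c, d in parse_log(text)
            if ts >= learn_before and d not in baseline[c]]

if __name__ == "__main__":
    for ts, client, domain in find_anomalies(SAMPLE_LOG, "2017-11-01T09:00:00"):
        print(f"{ts} {client} queried unexpected domain {domain}")
```

The post-cutoff query to firmware.nest.com is not flagged because it collapses to the vendor zone already in the device's baseline; only the query to the unrelated domain is reported.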

Collins sees promise in the rise of plug-in security appliances for home users, such as the BitDefender BOX and the Norton Core. “These devices are explicitly security-focused and designed for home users who don’t have a deep understanding of security,” he says. “I wouldn’t be surprised if eventually these functions were integrated into commodity cable modems and the like.”

Alliances and advocates

While technologies and services such as these provide short-term fixes, other efforts are addressing the long game. Industry alliances such as the Online Trust Alliance (OTA), the Open Web Application Security Project (OWASP), and the Cloud Security Alliance, to name just a few, are working to understand the threats and promote shared standards for security and privacy. OWASP, for example, has published a detailed Top Ten list of IoT vulnerabilities to help promote IoT security awareness among vendors and the engineering community.

Russell says two certification programs have also been recently introduced to provide IoT product manufacturers with options for independent testing. The Underwriters Laboratories Cybersecurity Assurance Program (UL CAP) builds upon UL's historic approach to product safety testing to “minimize risks by creating standardized, testable criteria for assessing software vulnerabilities and weaknesses,” according to its website. ICSA Labs IoT Certification uses a proprietary security testing framework to help companies develop a scope for testing and then apply appropriate criteria. The nonprofit Internet of Things Security Foundation is developing a self-certification process for IoT product developers as well.

On the consumer side, advocacy groups are helping keep users apprised of risks and teaching them to protect themselves. Russell notes that Consumer Reports works with Cyber Independent Testing Lab and The Digital Standard to assess how easily a product can be hacked and how well consumer data is secured, and now includes scores for cybersecurity and privacy safeguards in its product reviews.

Other consumer advocacy groups, ranging from the Electronic Privacy Information Center (EPIC) and the Patient Privacy Rights Foundation to the American Civil Liberties Union and the Center for Digital Democracy, are also working on security and privacy issues related to the IoT.

A need for regulation

Despite this abundance of activism, most of the experts we spoke with agreed that there’s still little incentive for IoT manufacturers to change their approach.

“Currently, there are no regulations to force them to meet basic security requirements,” says Patrick Tiquet, director of security and architecture at Keeper Security. “Until the government or consumers demand security in IoT design, it will continue to be ignored.”

Consumers seem to be getting more aware of the potential perils of their smart appliances, and there’s evidence the government is as well. A bipartisan group of senators introduced the Internet of Things Cybersecurity Improvement Act of 2017 in August, which would establish a baseline of security requirements for IoT devices sold to the US government.

Two other government actions may have more far-reaching implications. In Europe, the EU General Data Protection Regulation, which will be enforced in all member states starting in May 2018, establishes clear requirements for the handling of citizens’ data and levies heavy financial penalties against organizations for noncompliance.

In the US, the Department of Homeland Security has issued its “Strategic Principles for Securing the Internet of Things (IoT), Version 1.0,” which outlines a set of principles and best practices to improve IoT device security. While it doesn’t rise to the level of a demand for better protections, it signals the more active involvement of the government in the industry.

Silver lining but no silver bullet

While these are all positive developments, just about everyone we spoke with agreed that things will get worse before they get better, with more IoT attacks and on a larger scale in 2018. The silver lining is that many feel this may pave the way to the inevitable government regulation that’s ultimately needed to turn things around.

Even then, though, Liu reminds us there’s no single silver bullet to ending IoT attacks and that perhaps the best protection is a partnership between device companies and consumers.

“A challenge that we are facing is maintaining security on an ongoing basis,” he says. “No one gets security right the first time. Even the savviest of manufacturers will find new vulnerabilities after their devices have shipped.”

To ensure newly discovered vulnerabilities are always patched, manufacturers must tackle the challenge of finding ways to make sure their devices are easy to update for consumers, he says. “But the responsibility also falls on us: We as consumers need to consistently update our IoT devices, rather than constantly hitting the ‘Ignore’ button.”
