As the Internet of Things (IoT) Soars, Security Issues Mount

Posted on by Robert Ackerman

To the surprise of virtually no American adult, the growth of wireless devices in the world, including increasingly ubiquitous Internet of Things (IoT) devices, remains explosive. It doesn’t make the news anymore, only because it’s no longer a new story.

Nonetheless, it’s a sizzling, if repetitive, development.

According to iPropertyManagement, the number of IoT devices—the lion’s share of wireless device growth today—exceeded 14.2 billion globally in 2019, up more than 18% from 12 billion in 2018, and it’s expected to surpass 75 billion by 2025. By comparison, sales of traditional personal computers, which last year posted an increase for the first time in eight years, rose only a token 2.7%.

There is a big, festering problem in the IoT arena, however, and there doesn’t appear to be much motivation to address it. It’s about security, and it’s bad.

This undermines all the things that make “the Internet of Things” good. The IoT is an ecosystem of physical objects that are connected and accessible through the Internet. With a single application on a smartphone, IoT devices can be efficiently managed and monitored, and, in general, they work smoothly. But they are not secure in an era of relentlessly growing cyberattacks.

One reason is that IoT devices are not plug-and-play. Many are delivered with simple password authentication. And some organizations have implemented these devices without altering the factory settings. This is a major risk. Once a hacker knows the default credentials, which typically exist in thousands of similar devices, it’s easy for him or her to gain access to IoT systems and a back door into a corporate network—or into somebody’s smart home.

If predictions about IoT growth truly are to come to pass, this problem must be the first issue that manufacturers address. A recent IoT survey by Consumers International and the Internet Society found that 75% of the people polled in the US and a number of other major countries don’t trust the way their data is shared by these devices. Another survey, the Icontrol State of the Smart Home study, found that 44% of Americans were “very concerned” about the possibility of their information getting stolen from their smart home.

Worst of all, an AT&T survey of more than 5,000 enterprises worldwide, most of which intend to deploy a network of IoT devices, found that only a small minority of pending customers felt confident that they could secure their IoT devices against hackers.

It may seem as though this situation need not exist. Smartphones—also, of course, wireless devices—have had few problems blocking viruses and other types of malware. This isn’t true of personal computers, particularly Windows machines, because they weren’t created with the connected world in mind and subsequently have had security holes from the start, many of which continue to exist. By contrast, newer smartphones and tablets were not only designed for a connected world but also molded by developers who applied lessons learned from the desktops preceding them.

Unfortunately, this doesn’t mean that IoT manufacturers will find it relatively easy to improve security. Because the IoT remains a relatively young market, many product designers and manufacturers appear more interested in getting their products to market quickly than in taking the required steps to build in good security from the start. In some cases, they fall down on the job because of resource constraints.

In addition, some IoT devices simply cannot offer advanced security features. Sensors that monitor humidity or temperature, for instance, cannot accommodate advanced encryption or other security measures.

Eventually, the advent of industry-accepted IoT standards will probably come into play, forcing IoT device designers and manufacturers to materially improve security. But it’s unlikely to happen anytime soon, at least on a broad scale.

In the interim, here are steps that companies, smart home owners or both can take to help mitigate security vulnerabilities:

+ Consider implementing loosely coupled IoT systems. This would require creating a separate service set identifier (SSID) and virtual LAN and having the capacity to route that traffic through a firewall. The network, meanwhile, would be configured and managed from a centralized location.

This can help ensure that the failure of a single device doesn’t lead to widespread failure. This partial solution, of course, would need to be implemented in such a way that it blends organization-specific operational capabilities with multilayered cyber risk management techniques.

+ Insert security into the supply chain. Start relationships with supply chain managers that lead to an agreement mandating no approval for any IoT purchases unless a security team has signed off on them.

+ Control access within an IoT environment. First, organizations should identify the behaviors and activities deemed acceptable for connected devices, then put in controls that account for this. This should mitigate malicious or unauthorized activities.

+ Limit the ability of IoT devices to initiate corporate network connections. Instead, IoT devices should connect to networks only through network firewalls and access control lists. This would not prevent adversaries from attacking systems that have direct network connections. It would, however, limit their ability to laterally move within networks.

+ End users must make a point of embracing their own security precautions. This includes changing passwords and implementing stronger ones, installing patches when available, checking the device manufacturer’s website regularly for firmware updates and, of course, using Internet security software.

+ Conduct research before purchasing devices. Make sure you know what types of data they collect, how it is stored and protected and whether it’s shared with third parties. Also review policies or protections regarding data breaches.

+ Notwithstanding a lack of guidance, business and technology leaders should recognize that essentially they have little choice but to develop and implement their own global cyber risk standards. They should also try to share them with other entities. Formal standards are highly likely to become a reality at some point, but this won’t occur for years.
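The access-control and network-limiting steps in the list above can be verified against firewall or flow logs. The following is an added example, not part of the original post: it audits constructed flow records from an assumed IoT VLAN (10.20.0.0/24) against a default-deny, per-device allow-list and flags IoT-initiated connections into an assumed corporate range (10.10.0.0/16). All addresses, the `ALLOWED` table and the function names are assumptions for illustration.

```python
import ipaddress

# Assumed addressing plan (constructed for this example).
IOT_VLAN = ipaddress.ip_network("10.20.0.0/24")
CORPORATE = ipaddress.ip_network("10.10.0.0/16")

# Accepted behaviour per device: (destination network, protocol, port).
# Anything not listed here is denied by default.
ALLOWED = {
    "10.20.0.11": [("203.0.113.10/32", "tcp", 8883)],  # thermostat -> vendor broker
    "10.20.0.12": [("10.20.0.1/32", "udp", 123)],      # camera -> NTP on the gateway
}

# Constructed sample flow records, as a firewall log might report them.
SAMPLE_FLOWS = [
    {"src": "10.20.0.11", "dst": "203.0.113.10", "proto": "tcp", "dport": 8883},
    {"src": "10.20.0.11", "dst": "10.10.5.20", "proto": "tcp", "dport": 445},
    {"src": "10.20.0.12", "dst": "10.20.0.1", "proto": "udp", "dport": 123},
    {"src": "10.20.0.12", "dst": "198.51.100.7", "proto": "tcp", "dport": 23},
    {"src": "10.20.0.99", "dst": "10.10.1.5", "proto": "tcp", "dport": 22},
    {"src": "10.10.3.4", "dst": "10.20.0.12", "proto": "tcp", "dport": 554},
]

def classify(flow):
    """Return the verdict for one flow under the default-deny policy."""
    src = ipaddress.ip_address(flow["src"])
    dst = ipaddress.ip_address(flow["dst"])
    if src not in IOT_VLAN:
        return "out-of-scope"  # only IoT-initiated traffic is audited here
    for net, proto, port in ALLOWED.get(flow["src"], []):
        if dst in ipaddress.ip_network(net) and (proto, port) == (flow["proto"], flow["dport"]):
            return "allow"
    # Unlisted traffic is denied; reaching into the corporate range is the
    # lateral-movement case and is reported separately.
    return "deny-lateral" if dst in CORPORATE else "deny-unlisted"

def audit(flows):
    """Return (verdict, flow) for every flow the policy would deny."""
    results = [(classify(f), f) for f in flows]
    return [(v, f) for v, f in results if v.startswith("deny")]

if __name__ == "__main__":
    for verdict, flow in audit(SAMPLE_FLOWS):
        print(verdict, flow["src"], "->", flow["dst"], flow["proto"], flow["dport"])
```

An unknown device on the IoT VLAN (10.20.0.99 in the sample) has no allow-list entry, so everything it initiates is denied.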

If major IoT users partner with others and operate cooperatively, significant value can be created. It’s true that, in lieu of formal standards, major hiccups could become an issue in the early going.

Nonetheless, an effort would be worthwhile, and players in the technology, media and telecommunications industries are expected to lead the charge. Let’s hope they do so, and enjoy some level of success. The stakes are too high not to take some big steps in a bid to mitigate the IoT problem.

Robert Ackerman

Founder/Managing Director, AllegisCyber, AllegisCyber Capital


Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
