IoT Security is Hyperbole


Posted by Robert Ackerman

Most Americans are probably acquainted with the Internet of Things (IoT) – the network of physical objects – “things” – that are embedded with sensors, software and other technologies to connect and exchange data with other devices and systems over the internet. Among the multitude of devices they make possible are doorbell cameras and smart wearables. IoT devices, considered one of the most important technologies of the 21st century, grow at a vigorous pace.

There is also, of course, IoT security, charged with securing devices from cyber threats and breaches. This is essentially hyperbole, however. IoT devices and IoT device security are two different worlds.

IoT itself is a winner – a technological gem that enhances productivity on a multitude of fronts and usually makes life easier and/or safer for those who embrace it. But IoT security isn’t in the same league whatsoever, and that’s a big problem.

This could eventually generate buyer backlash. For now, however, consumers on the home front readily purchase smart cameras, for instance, which in addition to showing a guest let the owner talk to him or her via a smartphone app without opening the front door. Meanwhile, manufacturers of industrial equipment, which are also buying more IoT devices, may want to eventually use them to sell their products as services, not hardware, giving consumers the ability to monitor the performance of their machines off-site.

Will things change for the better at some point?

They might, and a new step underway at the White House, coupled with a positive 2020 step, may be a good omen. Yet this could turn out to be insufficiently meaningful. For now, IoT security remains woefully inadequate because IoT devices weren’t built with security in mind. IoT device manufacturers, by and large, have resisted changing their ways, creating vulnerabilities in multi-device systems, even though many companies believe that IoT device attacks are often their single biggest security concern. IoT devices have sometimes been shipped with malware in them.

In most cases, there is no way to install security software on the IoT device itself. Many IoT devices aren’t securely configured by default when shipped. And due to their often embedded nature, the software frequently isn’t patched once in use. In addition, many companies deliver firmware updates for only a short period. Making matters worse still, IoT devices, unlike other technologies, have unusually large attack surfaces due to their internet-supported connectivity, providing hackers with the opportunity to interact with devices remotely.

IoT device manufacturers are under pressure to minimize security partly because they have limited budgets for properly testing and improving firmware security, among other security features. In addition, they compete with thousands of competitors, most with similarly weak security, making focused and speedy moves to market imperative simply to stay alive.

Notwithstanding the bevy of security issues, homeowners and companies continue buying IoT devices aggressively. According to Statista, an online platform that specializes in market data, the number of devices in the U.S. exceeded 13 billion last year, up from about 10 billion in 2021. Techjury, an online provider of expert reviews on software and devices, projects there will be more than 25 billion IoT devices in America by 2030.

The first time that IoT security made the spotlight was six-and-a-half years ago, when internet service provider Dyn, since acquired by Oracle, was breached by an IoT botnet. Among the largest denial-of-service attacks ever launched, it brought down huge portions of the internet, leaving a sizeable number of high-profile internet platforms, including Twitter, temporarily unavailable to users throughout North America and Europe.

Since then, among the biggest victims have been hospitals and other healthcare organizations, which have huge numbers of connected medical devices. According to the U.S. Department of Health and Human Services, nearly 600 healthcare organizations were breached last year, with many of the breaches impacting patient care. And 75 percent of healthcare practices have experienced cyberattacks in recent years, according to a 2022 Medical IoT Survey by Capterra, a marketplace vendor that serves software companies.

More troubling down the road may be the fact that legions of IoT sensors and computing devices are connected to much of the world’s critical infrastructure. Their aging devices were designed long ago, making power grids and transportation systems rich hacker targets.

On the bright side, government isn’t oblivious to this. Congress passed the IoT Cybersecurity Improvement Act of 2020, which requires relatively strict minimum security standards for connected devices used by the federal government. The hope is that most IoT companies won’t ultimately have the resources to develop different lines of products for the federal government and commercial sector, so they will ultimately produce only the more secure products.

Today the federal government also appears to be moving forward on long-held plans to develop a product labeling system to alert consumers to the security risks of IoT devices.

The jury is out on how much the 2020 act and the possible new law will broadly mitigate IoT security issues. If they don’t turn out to be sufficient, the next step to improve IoT device security would likely be to convince organizations writ large to develop an integrated, holistic security fabric approach that covers the entire attack surface, automatically seeing and removing IoT device malware.

How many sizable companies and organizations would actually do this is another big question mark. Eventually, it may have to become a requirement.


Contributors
Robert Ackerman

Founder/Managing Director, AllegisCyber, AllegisCyber Capital


Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
