Lack of IoT Security Could Undermine Growth


Posted by Robert Ackerman

Every once in a while, a huge new trend grabs hold in information technology and enhances a big slice of the world for the better.

In the late 1960s and 1970s, minicomputers offered faster processing of voluminous information for far less cost than mainframes and became very popular among midsize companies. Then there were PCs, which brought computing to the masses. That was followed later by the Internet, offering a limitless array of information for anyone who could afford a computer and an Internet connection.

Today, the trend everybody is talking about is the Internet of Things (IoT). IoT describes the network of physical objects—“things”—embedded with sensors, software and other technologies to connect and exchange data with other devices and systems over the Internet. They have become ubiquitous.

IoT—recently dubbed by The Economist as the second phase of the Internet—has become one of the key drivers of the digitization of the world economy. Yet for all the hubbub, IoT devices have minimal security, largely because few IoT customers are demanding better security and so providers don’t want to make the investment. This could eventually dampen the brouhaha.

Terry Dunlap, the co-founder of Maryland-based ReFirm Labs, which automates the process of finding security vulnerabilities in IoT devices, sums up the situation succinctly. “There is essentially no security in IoT devices,” he says. “It’s like the Wild West.”

Hopefully, the market will come to demand that IoT device makers change their ways, and a brand-new law, the Cybersecurity IoT Act, which mandates security requirements for IoT devices sold to federal agencies, will begin to change the calculus. In the interim, corporate customers can at least take steps to improve the security of the devices they already have. I’ll address what must be done shortly.

What makes IoT so popular is that it’s a state-of-the-art interconnection paradigm enabling connectivity among computers and devices without human intervention. It’s the technology behind smart cities, smart homes and self-driving cars, among other things, and provides companies with the ability to gain valuable new management insights, and consumers with the ability to better manage household routines and enhance home security.

For companies, IoT is increasingly a key component of new, data-driven transformation strategies. Organizations that have embraced IoT and analyze the accompanying data are already seeing improved operational processes, better inventory management and enhanced equipment maintenance.

IoT is also likely to enable new business models. Makers of industrial equipment, for example, may eventually shift from selling capital goods to selling their products as services, offering customers the ability to better monitor the performance of their machines on site.

In the home, meanwhile, IoT enables consumers to do things more easily and often more safely. Smart doorbells, for example, include motion sensors and video cameras that notify a homeowner when someone arrives at the door. Using a smartphone app, the homeowner can watch and talk to the visitor and even create a video of their interaction.

Predictably, the IoT market is booming. It is on track to reach $520 billion this year in the United States alone, more than double its size in 2017, according to Bain & Company. Mordor Intelligence says the IoT market will reach nearly $1.3 trillion in domestic sales in 2025.

This scenario may not ultimately unfold, however, because security is IoT’s Achilles’ heel. Many IoT device makers deliver updates for firmware—the device’s operating system—for only a short duration. Many also fail to provide sufficient security updates.

The upshot: The recently published Nokia Threat Intelligence Report 2020 found that IoT devices are now responsible for 33 percent of all infections observed in mobile networks, double the percentage in 2019.

Cybercriminals are taking advantage of the security weaknesses and are doubling down amid the COVID-19 pandemic in a bid to steal personal data.

According to Nokia, one malicious application is disguised as a “Coronavirus Map” application. It mimics the legitimate and authoritative COVID-19 map issued by Johns Hopkins University to fulfill the public’s demand for accurate information about COVID-19 infections and deaths. Another target related to COVID-19 is the smartphone contact tracing application used to track a newly infected person’s mingling with others. Malicious applications resembling the official version have been appearing, aimed at stealing sensitive information from users.

Companies are an even bigger target because most businesses have lots of IoT devices, providing an enormous number of entry points for hackers to infiltrate and access all the information available on their networks. Once a cybercriminal gets access to the company network, he or she can make lateral moves to access various systems within the network.

Here are some steps companies should take to enhance IoT security. Some are also useful for consumers.

+ Corporate CISOs need to become more aware that IoT devices are a significant attack vector. Overwhelmed with other tasks, some don’t even know it’s an issue. This must change.

+ Lobby IoT manufacturers to follow in the steps of the federal government and build a minimum standard of security into IoT devices sold to the private sector. Companies should also insist that the manufacturers of all their IoT devices provide security updates. Too many organizations today focus almost entirely on ease of use.

+ Do not purchase IoT devices from a vendor that doesn’t supply security updates.

+ Change default passwords and adjust security settings to fit your specific needs. Many people use the same login and password for every device they use, making them easier for cybercriminals to hack. Every login must be unique for every employee and require strong passwords. In addition, the default password on every new device must always be changed.

+ Make a point of segmenting your network so that not every device provides access to the entire system, preventing hackers from getting too far.

There is no question that IoT is changing the world for the better. Whether you are acting as an employee or a consumer, you can access much of the information you need in real time, from almost anywhere, as long as you have a smart device and an Internet connection. But if security doesn’t improve, bad apples will keep raining on the parade and ultimately undermine technological progress.


Contributors
Robert Ackerman

Founder/Managing Director, AllegisCyber Capital


Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
