It is quite possible that you received an internet of things (IoT) device as a holiday gift, and it’s very likely that you will find this holiday gift useful. But it’s also possible you received an additional gift you have no use for at all: security vulnerabilities. This is the inconvenient truth about the average IoT device — like all technologies, it has flaws and it can add to your risk profile.

Whether you’re an individual concerned about someone hacking your home security system and eavesdropping on your private space or you’re part of an enterprise that could have all its sensors turned into a distributed denial-of-service (DDoS) support army, IoT security vulnerabilities are a fact of life, and we can expect to see more of them as more technological advancements emerge. One such advancement, 5G, is already hitting the streets and will fuel increased ubiquity of IoT devices.

How we manage IoT cybersecurity in the coming months and years will play an increasingly important role in how we manage all types of security risks.

The Same Problems, Just More of Them

What makes an IoT device vulnerable? There are a few issues that are specific to IoT devices, but in principle, they do not differ all that much from the issues we see in other devices we use regularly. In 2014, the Open Web Application Security Project (OWASP) started compiling a list of IoT vulnerabilities to help developers, manufacturers, enterprises and consumers make better decisions regarding IoT systems. Their 2018 top 10 IoT security vulnerabilities were:

  1. Weak, guessable or hardcoded passwords
  2. Insecure network services
  3. Insecure ecosystem interfaces
  4. Lack of secure update mechanisms
  5. Use of insecure or outdated components
  6. Insufficient privacy protection
  7. Insecure data transfer and storage
  8. Lack of device management
  9. Insecure default settings
  10. Lack of physical security hardening

If you’re a nefarious actor, these types of security vulnerabilities could make you feel like a kid in a candy store.

How to Reduce Risk From IoT Devices

How do we deal with some or all of these challenges? There are some interesting thoughts out there, but one from Dan Geer is particularly eye-catching, even though it was offered some time ago. Namely, he stated that IoT devices should be made to be ephemeral in nature. In other words, the devices should have a short life span. The thinking behind this idea is that, because there is a lack of updates for these devices, they should be offboarded before they can become an unmanageable threat.

It is certainly an approach to consider, as there are economies of scale that can be utilized, especially since the manufacturing costs of these devices continue to drop. Perhaps it’s time to reconsider the feasibility of that approach. Think of these IoT devices as “disposable.” Once they have been used to capacity, there’s no point in fixing them — rather, you could just recycle them and obtain replacement devices.

There are, of course, drawbacks to this approach, at least for now. One is that good code is still not cheap. In fact, good code is expensive. Until we can get some type of economies of scale for code, this approach may be an uphill battle, but it is one worth revisiting from time to time.

Another interesting approach could be the increased use of threat modeling. With advances in data gathering and monitoring systems, along with artificial intelligence (AI), an enterprise can begin to prioritize threats. An area where we could see some very creative methods would be in the development and application of visualization platforms.

Just like social media visualization can offer benefits around understanding relationships, the same can be said of IoT devices, whether they’re stationary, mobile or, even more importantly, serving as sensors or actuators — or both, in some cases. But even with threat modeling, there will still be a level of reactivity to your planning. Naturally, you will often have to predict what might happen to put a stop to it — but wouldn’t it be nice if you could end the running around altogether?

Stop Playing the Chasing Game

Just as the internet is inherently vulnerable, so is an IoT device. But rather than rebuilding a few decades’ worth of telecommunications infrastructure and communications protocols, there is something more immediate we can do to reduce security vulnerabilities in these gadgets: certify them.

Certification isn’t a simple issue, though. The industry needs to get together and create standards, such as security by design principles, but those standards — and their implementation in products — will come with costs. It should not surprise anybody that there are only so many costs that can be passed on to the consumer before people start looking elsewhere.

Despite these conditions, coming to some sort of agreement on common security and safety standards for IoT devices still looks like the best long-term bet. Certification establishes a baseline, and that baseline is important because you can provision your network not to accept certain devices unless they have met the standards. Remember, these devices may seem peripheral and could just be endpoints, but in the coming years, they’ll also make up more and more of the business supply chain, feeding information constantly into some decision-making authority that will rely on their accuracy and reliability.
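One way the two ideas above (Geer's ephemeral lifespan and a certification baseline that the network enforces before admitting a device) can be combined into a single admission check, as an added example that is not code from the original post; the device record format, the three-year lifespan, the `baseline-v1` certification label and the sample inventory are all assumptions constructed for illustration:

```python
"""Network admission policy for IoT devices: a device is admitted only if it
meets the certification baseline, still has a secure update path, no longer
runs on default credentials, and is within its ephemeral lifespan.
Added example; thresholds and record format are assumptions."""
from dataclasses import dataclass, field
from datetime import date

MAX_DEVICE_AGE_DAYS = 3 * 365              # assumed ephemeral lifespan
REQUIRED_CERTIFICATIONS = {"baseline-v1"}  # placeholder certification label
REPORT_DATE = date(2024, 1, 1)             # constructed evaluation date


@dataclass
class Device:
    device_id: str
    manufactured: date
    certifications: set = field(default_factory=set)
    supports_signed_updates: bool = False   # OWASP IoT #4: secure update mechanism
    default_credentials_changed: bool = False  # OWASP IoT #1 / #9


def evaluate(device: Device, today: date) -> tuple:
    """Return (admit, reasons); reasons is empty when the device is admitted."""
    reasons = []
    if not REQUIRED_CERTIFICATIONS <= device.certifications:
        reasons.append("missing certification baseline")
    if not device.supports_signed_updates:
        reasons.append("no secure update mechanism (OWASP IoT #4)")
    if not device.default_credentials_changed:
        reasons.append("default credentials still in use (OWASP IoT #1/#9)")
    age_days = (today - device.manufactured).days
    if age_days > MAX_DEVICE_AGE_DAYS:
        reasons.append(f"past ephemeral lifespan ({age_days} days old)")
    return (not reasons, reasons)


# Constructed sample inventory: one compliant camera, one aged sensor,
# one uncertified smart plug still on factory credentials.
SAMPLE_INVENTORY = [
    Device("cam-01", date(2023, 6, 1), {"baseline-v1"}, True, True),
    Device("sensor-07", date(2019, 1, 15), {"baseline-v1"}, True, True),
    Device("plug-03", date(2023, 9, 9), set(), False, False),
]


def admission_report(inventory, today=REPORT_DATE):
    """Map each device id to its (admit, reasons) decision."""
    return {d.device_id: evaluate(d, today) for d in inventory}


if __name__ == "__main__":
    for dev_id, (ok, why) in admission_report(SAMPLE_INVENTORY).items():
        print(dev_id, "ADMIT" if ok else "DENY", "; ".join(why))
```

The deny reasons are deliberately tied back to the OWASP items listed earlier, so a denied device tells the operator which baseline requirement it failed.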

Let’s make sure our vision is 20/20 on IoT security vulnerabilities as we head into the new year. To reference a holiday movie, remember that Gizmo was a cute and fun gift up until the moment a little improper care resulted in a bunch of gremlins. Don’t let your IoT device turn into a gremlin!
