It is quite possible that you received an internet of things (IoT) device as a holiday gift, and it’s very likely that you will find this holiday gift useful. But it’s also possible you received an additional gift you have no use for at all: security vulnerabilities. This is the inconvenient truth about the average IoT device — like all technologies, it has flaws and it can add to your risk profile.
Whether you’re an individual concerned about someone hacking your home security system and eavesdropping on your private space or you’re part of an enterprise that could have all its sensors turned into a distributed denial-of-service (DDoS) support army, IoT security vulnerabilities are a fact of life, and we can expect to see more of them as more technological advancements emerge. One such advancement, 5G, is already hitting the streets and will fuel increased ubiquity of IoT devices.
How we manage IoT cybersecurity in the coming months and years will play an increasingly important role in how we manage all types of security risks.
The Same Problems, Just More of Them
What makes an IoT device vulnerable? There are a few issues that are specific to IoT devices, but in principle, they do not differ all that much from the issues we see in other devices we use regularly. In 2014, the Open Web Application Security Project (OWASP) started compiling a list of IoT vulnerabilities to help developers, manufacturers, enterprises and consumers make better decisions regarding IoT systems. Their 2018 top 10 IoT security vulnerabilities were:
- Weak, guessable or hardcoded passwords
- Insecure network services
- Insecure ecosystem interfaces
- Lack of secure update mechanisms
- Use of insecure or outdated components
- Insufficient privacy protection
- Insecure data transfer and storage
- Lack of device management
- Insecure default settings
- Lack of physical security hardening
If you’re a nefarious actor, these types of security vulnerabilities could make you feel like a kid in a candy store.
How to Reduce Risk From IoT Devices
How do we deal with some or all of these challenges? There are some interesting thoughts out there, but one from Dan Geer is particularly eye-catching, even though it was offered some time ago: IoT devices should be ephemeral by design. In other words, the devices should have a short life span. The thinking behind this idea is that, because these devices rarely receive updates, they should be offboarded before they can become an unmanageable threat.
It is certainly an approach to consider, as there are economies of scale that can be utilized, especially since the manufacturing costs of these devices continue to drop. Perhaps it’s time to reconsider the feasibility of that approach. Think of these IoT devices as “disposable.” Once they have been used to capacity, there’s no point in fixing them — rather, you could just recycle them and obtain replacement devices.
There are, of course, drawbacks to this approach, at least for now. One is that good code is still not cheap. In fact, good code is expensive. Until we can get some type of economies of scale for code, this approach may be an uphill battle, but it is one worth revisiting from time to time.
Another interesting approach could be the increased use of threat modeling. With advances in data gathering and monitoring systems, along with artificial intelligence (AI), an enterprise can begin to prioritize threats. An area where we could see some very creative methods would be in the development and application of visualization platforms.
Just like social media visualization can offer benefits around understanding relationships, the same can be said of IoT devices, whether they’re stationary, mobile or, even more importantly, serving as sensors or actuators — or both, in some cases. But even with threat modeling, there will still be a level of reactivity to your planning. Naturally, you will often have to predict what might happen to put a stop to it — but wouldn’t it be nice if you could end the running around altogether?
Stop Playing the Chasing Game
Just as the internet is inherently vulnerable, so is an IoT device. But rather than rebuilding a few decades’ worth of telecommunications infrastructure and communications protocols, there is something more immediate we can do to reduce security vulnerabilities in these gadgets: certify them.
Certification isn’t a simple issue, though. The industry needs to get together and create standards, such as security by design principles, but those standards — and their implementation in products — will come with costs. It should not surprise anybody that there are only so many costs that can be passed on to the consumer before people start looking elsewhere.
Despite these conditions, coming to some sort of agreement on common security and safety standards for IoT devices still looks like the best long-term bet. Certification establishes a baseline, and that baseline is important because you can provision your network not to accept certain devices unless they have met the standards. Remember, these devices may seem peripheral and could just be endpoints, but in the coming years, they’ll also make up more and more of the business supply chain, feeding information constantly into some decision-making authority that will rely on their accuracy and reliability.
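The two ideas above, a certification baseline that the network enforces at admission time and an ephemeral lifecycle that retires devices once nobody patches them, can be expressed as one policy check. The following is an added illustration, not code from the original article or from any real certification scheme; the device fields, the baseline rules (drawn from the OWASP categories listed earlier) and the three-device inventory are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Constructed example; field names are assumptions, not any real standard's schema.
@dataclass(frozen=True)
class Device:
    name: str
    certified: bool              # passed the (hypothetical) industry certification
    default_creds_changed: bool  # factory credentials replaced at onboarding
    update_mechanism: str        # "signed", "unsigned" or "none"
    open_services: tuple         # listening services observed on the device
    encrypted_transport: bool    # uses TLS/DTLS rather than plaintext
    end_of_support: date         # last date the vendor ships security updates

INSECURE_SERVICES = {"telnet", "ftp", "upnp"}

def baseline_failures(dev: Device) -> list:
    """Map device facts onto the OWASP categories the baseline enforces."""
    failures = []
    if not dev.default_creds_changed:
        failures.append("weak, guessable or hardcoded passwords")
    if INSECURE_SERVICES & set(dev.open_services):
        failures.append("insecure network services")
    if dev.update_mechanism != "signed":
        failures.append("lack of secure update mechanism")
    if not dev.encrypted_transport:
        failures.append("insecure data transfer and storage")
    return failures

def admission_decision(dev: Device, today: date) -> tuple:
    """Return (verdict, reasons); verdict is 'admit', 'quarantine' or 'retire'."""
    if today > dev.end_of_support:
        # Ephemeral lifecycle: a device nobody patches leaves the network.
        return "retire", ["vendor support ended " + dev.end_of_support.isoformat()]
    reasons = baseline_failures(dev)
    if not dev.certified:
        reasons.append("no certification on record")
    return ("quarantine", reasons) if reasons else ("admit", [])

# Constructed inventory; values are illustrative only.
INVENTORY = [
    Device("lobby-camera", True, True, "signed", ("https",), True, date(2026, 1, 1)),
    Device("hvac-sensor", False, False, "unsigned", ("telnet", "http"), False, date(2026, 1, 1)),
    Device("old-gateway", True, True, "signed", ("https",), True, date(2019, 6, 30)),
]

def evaluate_inventory(today_iso: str) -> dict:
    """Decide admit/quarantine/retire for every device as of the given ISO date."""
    today = date.fromisoformat(today_iso)
    return {d.name: admission_decision(d, today) for d in INVENTORY}
```

Running `evaluate_inventory("2020-01-02")` admits the camera, quarantines the sensor with every failed baseline item listed as a reason, and retires the gateway whose support window has already closed.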
Let’s make sure our vision is 20/20 on IoT security vulnerabilities as we head into the new year. To reference a holiday movie, remember that Gizmo was a cute and fun gift up until the moment a little improper care resulted in a bunch of gremlins. Don’t let your IoT device turn into a gremlin!