The Internet of Things (IoT) is creating huge opportunities for businesses and society at large. Experts expect 30 billion connected devices to generate a market size of $1.7 trillion by 2020, according to an IDC infographic.

With all this opportunity at risk, it is reasonable to ask why industry leaders haven’t done more to address the ever-increasing IoT security concerns, which have been cast into sharp focus by recent high-profile distributed denial-of-service (DDOS) attacks.

Let’s look at the key stakeholders and discuss how they need to step up to help mitigate security risks and optimize the return on the IoT.

Government and Market Regulators

The IoT is a classic example of the tragedy of the commons, whereby the common resource of the internet is degraded by IoT device manufacturers, vendors and users ignoring security. This leads to IoT devices becoming vulnerable to manipulation by cybercriminals. U.S. Sen. Mark Warner recently wrote in a letter to Federal Communications Commission (FCC) Chairman Tom Wheeler:

“Because the producers of these insecure IoT devices currently are insulated from any standards requirements, market feedback or liability concerns, I am deeply concerned that we are witnessing a ‘tragedy of the commons’ threat to the continued functioning of the internet, as the security so vital to all internet users remains the responsibility of none. Further, buyers have little recourse when, despite their best efforts, security failures occur.”

Because security is a network externality, the prices of IoT hardware and software indicate neither the likelihood of security breaches nor the resulting costs of associated damage. According to Motherboard, market solutions have failed and governments must impose regulations to help fix the problem. That is a tricky proposition in a globalized economy.

All Talk, No Action

The incentive is there, but government agencies remain slow to act. The U.S. and European Union (EU), for example, have acknowledged that the IoT security problem demands attention. The appropriate remediation of that problem, however, is a matter of debate.

Several federal agencies such as the National Institute of Standards and Technology (NIST) and the Department of Homeland Security (DHS) issued IoT security guidelines, but these fall short of the legislative efforts some security experts are calling for. Indeed, according to CIO, U.S. lawmakers appear reluctant to regulate the market in this way.

The EU is also making efforts to address security concerns by proposing that companies comply with a cybersecurity rating and approval process for connected devices, EurActiv reported. There seems to be more of an appetite in Europe for this type of government intervention, and the EU seems more likely to incorporate these proposals in a legislative framework. How long before this happens, however, is anyone’s guess. The General Data Protection Regulation (GDPR), for example, will take effect in 2018, following four years of negotiation.

As usual, government intervention, whether it is the solution or not, will take time to implement. It will presumably take even longer for experts to assess its efficacy.

The Customer’s Burden

IoT customers must continue to implement best-practice security controls. These controls have evolved over the last two decades and should continue to adapt to the IoT systems of the future.

The recent DDoS attacks against IoT-connected apartment buildings in Lappeenranta, Finland, highlighted what can happen when operators implement weak cybersecurity on their systems. Devices are typically compromised when owners fail to update default usernames and passwords. Customers should be more vigilant and learn the basics of securing machines, routers and connected devices.

The Internet Service Provider’s Role

As internet service providers (ISPs) own the network and IoT solutions require connectivity, ISPs play a prominent role in IoT security. ISPs deliver better IoT security to their customers in two ways. First, they can monitor, filter or block potentially malicious traffic based on known patterns, which reduces spoofing. However, ISPs have been slow to adopt this standard due to installation costs.

ISPs can also notify customers if devices in their networks are involved in malicious traffic. Customers can then act on this information to secure compromised machines. IoT stakeholders must do more to encourage ISPs to take initiative when it comes to IoT security.

Guidelines for Software Developers

It is more effective to develop secure code for traditional applications than to create secure code for connected devices. Fewer and fewer IoT players are traditional software companies, with government agencies, consumer products and manufacturing entities moving into the space. These parties might not be as advanced as software companies in terms of secure software engineering.

To improve the situation, developers should start with solid foundations when coding for the IoT. According to the recent IBM white paper “IBM’s Point of View — Internet of Things Security,” this can take the form of solid security guidelines such as the following:

  1. Define security policy requirements.
  2. Design for security.
  3. Use app-scanning tools.
  4. Use threat modeling in the system design.
  5. Check all data that is passed through application program interfaces (APIs).
  6. Rigorously test open-source components and dependencies.
  7. Maintain code change records.
  8. Test for security.

It is important for the software community to both advocate and practice secure software engineering. As the IoT continues to define the future of cybersecurity, the industry must address the dangers of insecure code before it’s too late.

Device Manufacturers: The IoT Security Bogeyman

The bogeyman in the IoT security debate is the device manufacturer. There is currently no market incentive for manufacturers to actively implement security by design. If they were to actively make their devices more secure, however, what would they need to do? The Broadband Internet Technical Advisory Group (BITAG) recommended that device manufacturers take the following actions to enhance IoT security:

  • Use current software best practices, ship with relatively current software, provide automated mechanisms for patching software and install strong authentication by default.
  • Follow security and cryptography best practices, which include securing communications, encrypting configuration communications by default and authenticating communications, software changes and requests for data.
  • Be restrictive rather than permissive when communicating.
  • Continue to function even if internet connectivity is disrupted or the cloud back-end fails. A connected light switch, for example, should continue to function manually. This is even more important for devices that affect user safety.
  • Support addressing and naming best practices such as IPv6 and DNSSEC.
  • Ship with a simple and easy-to-find privacy policy.

These guidelines seem to make perfect sense, right? Unfortunately, device manufacturers are unlikely to take them seriously, at least in isolation.

Learn More

To learn more about securing IoT devices, please download a complimentary copy of the Ponemon Institute’s 2017 State of Mobile & IoT Application Security Study.

More from Application Security

What’s up India? PixPirate is back and spreading via WhatsApp

8 min read - This blog post is the continuation of a previous blog regarding PixPirate malware. If you haven’t read the initial post, please take a couple of minutes to get caught up before diving into this content. PixPirate malware consists of two components: a downloader application and a droppee application, and both are custom-made and operated by the same fraudster group. Although the traditional role of a downloader is to install the droppee on the victim device, with PixPirate, the downloader also…

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

From federation to fabric: IAM’s evolution

15 min read - In the modern day, we’ve come to expect that our various applications can share our identity information with one another. Most of our core systems federate seamlessly and bi-directionally. This means that you can quite easily register and log in to a given service with the user account from another service or even invert that process (technically possible, not always advisable). But what is the next step in our evolution towards greater interoperability between our applications, services and systems?Identity and…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today