The Internet of Things (IoT) is creating huge opportunities for businesses and society at large. Experts expect 30 billion connected devices to generate a market size of $1.7 trillion by 2020, according to an IDC infographic.

With all this opportunity at risk, it is reasonable to ask why industry leaders haven’t done more to address the ever-increasing IoT security concerns, which have been cast into sharp focus by recent high-profile distributed denial-of-service (DDoS) attacks.

Let’s look at the key stakeholders and discuss how they need to step up to help mitigate security risks and optimize the return on the IoT.

Government and Market Regulators

The IoT is a classic example of the tragedy of the commons, whereby the common resource of the internet is degraded by IoT device manufacturers, vendors and users ignoring security. This leads to IoT devices becoming vulnerable to manipulation by cybercriminals. U.S. Sen. Mark Warner recently wrote in a letter to Federal Communications Commission (FCC) Chairman Tom Wheeler:

“Because the producers of these insecure IoT devices currently are insulated from any standards requirements, market feedback or liability concerns, I am deeply concerned that we are witnessing a ‘tragedy of the commons’ threat to the continued functioning of the internet, as the security so vital to all internet users remains the responsibility of none. Further, buyers have little recourse when, despite their best efforts, security failures occur.”

Because security is a network externality, the prices of IoT hardware and software indicate neither the likelihood of security breaches nor the resulting costs of associated damage. According to Motherboard, market solutions have failed and governments must impose regulations to help fix the problem. That is a tricky proposition in a globalized economy.

All Talk, No Action

The incentive is there, but government agencies remain slow to act. The U.S. and European Union (EU), for example, have acknowledged that the IoT security problem demands attention. The appropriate remediation of that problem, however, is a matter of debate.

Several federal agencies, such as the National Institute of Standards and Technology (NIST) and the Department of Homeland Security (DHS), have issued IoT security guidelines, but these fall short of the legislative efforts some security experts are calling for. Indeed, according to CIO, U.S. lawmakers appear reluctant to regulate the market in this way.

The EU is also making efforts to address security concerns by proposing that companies comply with a cybersecurity rating and approval process for connected devices, EurActiv reported. There seems to be more of an appetite in Europe for this type of government intervention, and the EU seems more likely to incorporate these proposals in a legislative framework. How long before this happens, however, is anyone’s guess. The General Data Protection Regulation (GDPR), for example, will take effect in 2018, following four years of negotiation.

As usual, government intervention, whether it is the solution or not, will take time to implement. It will presumably take even longer for experts to assess its efficacy.

The Customer’s Burden

IoT customers must continue to implement best-practice security controls. These controls have evolved over the last two decades and should continue to adapt to the IoT systems of the future.

The recent DDoS attacks against IoT-connected apartment buildings in Lappeenranta, Finland, highlighted what can happen when operators implement weak cybersecurity on their systems. Devices are typically compromised when owners fail to update default usernames and passwords. Customers should be more vigilant and learn the basics of securing machines, routers and connected devices.

The Internet Service Provider’s Role

As internet service providers (ISPs) own the network and IoT solutions require connectivity, ISPs play a prominent role in IoT security. ISPs can deliver better IoT security to their customers in two ways. First, they can monitor, filter or block potentially malicious traffic based on known patterns, which reduces spoofing. However, ISPs have been slow to adopt such filtering due to installation costs.

Second, ISPs can notify customers if devices in their networks are involved in malicious traffic. Customers can then act on this information to secure compromised machines. IoT stakeholders must do more to encourage ISPs to take the initiative when it comes to IoT security.
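As an added illustration of the two ISP measures described above (this is example code, not from the original article), the following Python sketch applies source-address validation to constructed flow records and then flags customer accounts whose devices appear to be taking part in a flood, so the ISP could notify them. The customer prefixes, thresholds and flow records are all constructed sample data.

```python
import ipaddress
from collections import defaultdict

# Constructed assignment of customer accounts to address blocks
# (documentation ranges, not real customers).
CUSTOMER_PREFIXES = {
    "c1": ipaddress.ip_network("203.0.113.0/24"),
    "c2": ipaddress.ip_network("198.51.100.0/24"),
}

# Constructed flow records: (customer_id, src_ip, dst_ip, dst_port, packets)
SAMPLE_FLOWS = [
    ("c1", "203.0.113.10", "192.0.2.5", 80, 12),
    ("c1", "10.99.0.7",    "192.0.2.5", 80, 500),   # source outside c1's block: spoofed
    ("c1", "203.0.113.20", "192.0.2.5", 80, 900),
    ("c1", "203.0.113.21", "192.0.2.5", 80, 850),
    ("c1", "203.0.113.22", "192.0.2.5", 80, 870),
    ("c2", "198.51.100.4", "192.0.2.9", 443, 3),
]

def ingress_filter(flows, prefixes):
    """Source-address validation: keep only flows whose source address lies in
    the customer's assigned prefix; everything else is treated as spoofed."""
    passed, spoofed = [], []
    for flow in flows:
        cust, src = flow[0], ipaddress.ip_address(flow[1])
        (passed if src in prefixes[cust] else spoofed).append(flow)
    return passed, spoofed

def find_flood_participants(flows, min_hosts=3, min_packets=2000):
    """Flag (customer, destination, port) triples where several distinct hosts
    behind one account hammer the same destination: a cue to notify that customer."""
    hosts = defaultdict(set)
    pkts = defaultdict(int)
    for cust, src, dst, port, count in flows:
        key = (cust, dst, port)
        hosts[key].add(src)
        pkts[key] += count
    return sorted(k for k in hosts
                  if len(hosts[k]) >= min_hosts and pkts[k] >= min_packets)

if __name__ == "__main__":
    ok, spoofed = ingress_filter(SAMPLE_FLOWS, CUSTOMER_PREFIXES)
    print("dropped spoofed flows:", spoofed)
    for cust, dst, port in find_flood_participants(ok):
        print(f"notify {cust}: hosts behind this account are flooding {dst}:{port}")
```

Real deployments would work on sampled flow exports over a time window rather than raw packet counts, but the two decisions (drop what cannot legitimately come from this customer, then tell the customer what their remaining traffic looks like) are the same.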

Guidelines for Software Developers

It is more effective to develop secure code for traditional applications than to create secure code for connected devices. Fewer and fewer IoT players are traditional software companies, as government agencies, consumer product firms and manufacturers move into the space. These parties might not be as advanced as software companies in terms of secure software engineering.

To improve the situation, developers should start with solid foundations when coding for the IoT. According to the recent IBM white paper “IBM’s Point of View — Internet of Things Security,” this can take the form of solid security guidelines such as the following:

  1. Define security policy requirements.
  2. Design for security.
  3. Use app-scanning tools.
  4. Use threat modeling in the system design.
  5. Check all data that is passed through application program interfaces (APIs).
  6. Rigorously test open-source components and dependencies.
  7. Maintain code change records.
  8. Test for security.

It is important for the software community to both advocate and practice secure software engineering. As the IoT continues to define the future of cybersecurity, the industry must address the dangers of insecure code before it’s too late.

Device Manufacturers: The IoT Security Bogeyman

The bogeyman in the IoT security debate is the device manufacturer. There is currently no market incentive for manufacturers to actively implement security by design. If they were to actively make their devices more secure, however, what would they need to do? The Broadband Internet Technical Advisory Group (BITAG) recommended that device manufacturers take the following actions to enhance IoT security:

  • Use current software best practices, ship with relatively current software, provide automated mechanisms for patching software and install strong authentication by default.
  • Follow security and cryptography best practices, which include securing communications, encrypting configuration communications by default and authenticating communications, software changes and requests for data.
  • Be restrictive rather than permissive when communicating.
  • Continue to function even if internet connectivity is disrupted or the cloud back-end fails. A connected light switch, for example, should continue to function manually. This is even more important for devices that affect user safety.
  • Support addressing and naming best practices such as IPv6 and DNSSEC.
  • Ship with a simple and easy-to-find privacy policy.

These guidelines seem to make perfect sense, right? Unfortunately, device manufacturers are unlikely to take them seriously, at least in isolation.

Learn More

To learn more about securing IoT devices, please download a complimentary copy of the Ponemon Institute’s 2017 State of Mobile & IoT Application Security Study.
