The Internet of Things (IoT) is creating huge opportunities for businesses and society at large. Experts expect 30 billion connected devices to generate a market size of $1.7 trillion by 2020, according to an IDC infographic.

With all this opportunity at risk, it is reasonable to ask why industry leaders haven’t done more to address the ever-increasing IoT security concerns, which have been cast into sharp focus by recent high-profile distributed denial-of-service (DDoS) attacks.

Let’s look at the key stakeholders and discuss how they need to step up to help mitigate security risks and optimize the return on the IoT.

Government and Market Regulators

The IoT is a classic example of the tragedy of the commons, whereby the common resource of the internet is degraded by IoT device manufacturers, vendors and users ignoring security. This leads to IoT devices becoming vulnerable to manipulation by cybercriminals. U.S. Sen. Mark Warner recently wrote in a letter to Federal Communications Commission (FCC) Chairman Tom Wheeler:

“Because the producers of these insecure IoT devices currently are insulated from any standards requirements, market feedback or liability concerns, I am deeply concerned that we are witnessing a ‘tragedy of the commons’ threat to the continued functioning of the internet, as the security so vital to all internet users remains the responsibility of none. Further, buyers have little recourse when, despite their best efforts, security failures occur.”

Because security is a network externality, the prices of IoT hardware and software indicate neither the likelihood of security breaches nor the resulting costs of associated damage. According to Motherboard, market solutions have failed and governments must impose regulations to help fix the problem. That is a tricky proposition in a globalized economy.

All Talk, No Action

The incentive is there, but government agencies remain slow to act. The U.S. and European Union (EU), for example, have acknowledged that the IoT security problem demands attention. The appropriate remediation of that problem, however, is a matter of debate.

Several federal agencies, such as the National Institute of Standards and Technology (NIST) and the Department of Homeland Security (DHS), have issued IoT security guidelines, but these fall short of the legislative efforts some security experts are calling for. Indeed, according to CIO, U.S. lawmakers appear reluctant to regulate the market in this way.

The EU is also making efforts to address security concerns by proposing that companies comply with a cybersecurity rating and approval process for connected devices, EurActiv reported. There seems to be more of an appetite in Europe for this type of government intervention, and the EU seems more likely to incorporate these proposals in a legislative framework. How long before this happens, however, is anyone’s guess. The General Data Protection Regulation (GDPR), for example, will take effect in 2018, following four years of negotiation.

As usual, government intervention, whether it is the solution or not, will take time to implement. It will presumably take even longer for experts to assess its efficacy.

The Customer’s Burden

IoT customers must continue to implement best-practice security controls. These controls have evolved over the last two decades and should continue to adapt to the IoT systems of the future.

The recent DDoS attacks against IoT-connected apartment buildings in Lappeenranta, Finland, highlighted what can happen when operators implement weak cybersecurity on their systems. Devices are typically compromised when owners fail to update default usernames and passwords. Customers should be more vigilant and learn the basics of securing machines, routers and connected devices.

The Internet Service Provider’s Role

As internet service providers (ISPs) own the network and IoT solutions require connectivity, ISPs play a prominent role in IoT security. ISPs can deliver better IoT security to their customers in two ways. First, they can monitor, filter or block potentially malicious traffic based on known patterns, which reduces address spoofing. ISPs have been slow to adopt this practice, however, because of the installation costs.

ISPs can also notify customers if devices in their networks are involved in malicious traffic. Customers can then act on this information to secure compromised machines. IoT stakeholders must do more to encourage ISPs to take initiative when it comes to IoT security.

Guidelines for Software Developers

It is more effective to develop secure code for traditional applications than to create secure code for connected devices. Fewer and fewer IoT players are traditional software companies, with government agencies, consumer product companies and manufacturers moving into the space. These parties might not be as advanced as software companies in terms of secure software engineering.

To improve the situation, developers should start from solid foundations when coding for the IoT. According to the recent IBM white paper “IBM’s Point of View — Internet of Things Security,” this can take the form of security guidelines such as the following:

  1. Define security policy requirements.
  2. Design for security.
  3. Use app-scanning tools.
  4. Use threat modeling in the system design.
  5. Check all data that is passed through application programming interfaces (APIs).
  6. Rigorously test open-source components and dependencies.
  7. Maintain code change records.
  8. Test for security.

It is important for the software community to both advocate and practice secure software engineering. As the IoT continues to define the future of cybersecurity, the industry must address the dangers of insecure code before it’s too late.

Device Manufacturers: The IoT Security Bogeyman

The bogeyman in the IoT security debate is the device manufacturer. There is currently no market incentive for manufacturers to actively implement security by design. If they were to actively make their devices more secure, however, what would they need to do? The Broadband Internet Technical Advisory Group (BITAG) recommended that device manufacturers take the following actions to enhance IoT security:

  • Use current software best practices, ship with relatively current software, provide automated mechanisms for patching software and install strong authentication by default.
  • Follow security and cryptography best practices, which include securing communications, encrypting configuration communications by default and authenticating communications, software changes and requests for data.
  • Be restrictive rather than permissive when communicating.
  • Continue to function even if internet connectivity is disrupted or the cloud back-end fails. A connected light switch, for example, should continue to function manually. This is even more important for devices that affect user safety.
  • Support addressing and naming best practices such as IPv6 and DNSSEC.
  • Ship with a simple and easy-to-find privacy policy.

These guidelines seem to make perfect sense, right? Unfortunately, device manufacturers are unlikely to take them seriously, at least in isolation.

Learn More

To learn more about securing IoT devices, please download a complimentary copy of the Ponemon Institute’s 2017 State of Mobile & IoT Application Security Study.
