The State of IoT Security: Not Good
IoT security today is very much in its infancy. Yet IoT is growing at an explosive rate. Research firm Statista, one of the leading statistics companies on the internet, projects the number of internet-connected devices to grow from 17 billion in 2016 to 75 billion by 2025.
A nascent security landscape coupled with tremendous growth has the potential to result in security attacks larger than we have ever seen and with higher impact to our society.
For example, malware named “Mirai” brought down a significant part of the internet in North America in 2016 when it created a deliberate spike in internet traffic by enlisting cameras and baby monitors in a botnet attack.
Mirai did not have to rely on complex password hacking to create its botnet of infected devices. Instead, the malware used the default usernames and passwords that were shipped with the IoT devices. Why would this happen? In general, manufacturers may not have the in-house security expertise to understand cybersecurity best practices, and their focus is more likely on revenue than cybersecurity.
There are standards developed by the Online Trust Alliance, in particular the “IoT Trust Framework,” that will help developers and manufacturers avoid cybersecurity exploits. The IoT Security & Privacy Trust Framework v2.5 outlines security principles, user access and credential management, privacy principles, user notification and other best practices.
That’s well and good, but what will really drive manufacturers to invest in such cybersecurity standards and the necessary expertise to implement them? It will be a shift in the marketplace. Once consumers endure their devices not working due to a cyber-attack, they will choose companies that have effective IoT security in place. That may be the most important driver — public pressure and consumer demand.
One major IoT security challenge is the nearly unlimited number of manufacturers and types of devices.
If you think about the pre-IoT cybersecurity world – smartphones for example – it was already a tremendous challenge to secure a select few smartphone operating systems, such as iOS and Android. IoT is a new world and a far more diverse ecosystem with a large number of non-standard device operating systems. So the challenge is great.
Solutions to IoT Threats
There are a number of cybersecurity techniques that could carry over to the IoT world.
Techniques to identify the connectivity point for a device, what kind of device it is, and whether it has been “seen before” will help cybersecurity professionals stop devices or IPs that are causing harmful traffic. In the IoT world, device identification and risk analysis will depend on data points that include traffic patterns, geolocation data, proxy and IP data, and other device characteristics.
It is critical to identify the source of the threat – and differentiate it from other traffic in order to stop affected machines – by blacklisting IPs or devices themselves. If the device or IP can be determined specifically, that provides the opportunity to stop the velocity of that one device – or many similar devices – continually accessing a network.
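As an added illustration (not code from the article or from InAuth), the sketch below applies the velocity idea to constructed connection events: it flags a single IP whose request rate is too high and, separately, a device fingerprint shared by several IPs whose combined rate is too high even though each IP stays under its own limit. The event format, fingerprint strings, thresholds and function names are assumptions made for this example.

```python
from collections import defaultdict, deque


def build_sample_events():
    """Constructed sample data: (unix_seconds, source_ip, device_fingerprint)."""
    # One noisy camera hammering the network from a single address.
    events = [(t, "203.0.113.7", "cam-A") for t in range(7)]
    # Four similar devices, each individually slow, together a flood.
    events += [(3 * t + i, f"198.51.100.{i + 1}", "dvr-B")
               for i in range(4) for t in range(3)]
    # A well-behaved device reporting every 30 seconds.
    events += [(30 * t, "192.0.2.10", "thermo-C") for t in range(4)]
    return events


def find_velocity_offenders(events, window=10, ip_limit=5, fp_limit=8):
    """Return (blocked_ips, blocked_fingerprints).

    A key is blocked once it has more than `limit` events inside any
    sliding `window` of seconds. Thresholds are assumed example values.
    """
    ip_hits, fp_hits = defaultdict(deque), defaultdict(deque)
    blocked_ips, blocked_fps = set(), set()
    for ts, ip, fp in sorted(events):
        for key, hits, limit, blocked in (
            (ip, ip_hits, ip_limit, blocked_ips),
            (fp, fp_hits, fp_limit, blocked_fps),
        ):
            recent = hits[key]
            recent.append(ts)
            # Drop timestamps that have aged out of the window.
            while recent and recent[0] <= ts - window:
                recent.popleft()
            if len(recent) > limit:
                blocked.add(key)
    return blocked_ips, blocked_fps


if __name__ == "__main__":
    ips, fps = find_velocity_offenders(build_sample_events())
    print("block IPs:", sorted(ips))
    print("block device fingerprints:", sorted(fps))
```

Keying on the fingerprint as well as the IP is what catches the "many similar devices" case: no single address in the constructed fleet crosses the per-IP limit.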
If a single, or a few dominant, IoT operating systems emerge, as was the case with smartphones, there would be the option of utilizing “light” applications on the device itself. If a standard OS emerges that interacts with the endpoint, then there’s the potential to uniquely identify that device based on its attributes. To use a parallel example, security for mobile applications is much more powerful because you can identify a returning device and make risk assessments about it. This is beneficial in a DDoS attack because you know which devices are secure and which to shut down. However, for this to become pervasive, the IoT industry will have to invest in an operating system with processing power to support the intelligence required. There have been conversations about this but no firm traction thus far.
Eventually there will be better methods to secure IoT. But as the market stands today, there is considerable risk as the industry plays “catch up” to the problem at hand.
Michael Lynch is chief strategy officer at InAuth.