Most IoT devices do not have proper security in place, according to experts.
It should come as no surprise to any one following the IoT industry that device security is in shambles. Combine an explosion of IoT devices — smartphones, wearables, point-of-sale systems — with open networks, and there will be hacks.
But just how bad is IoT security? Some 75 percent of IoT devices do not have proper security, according to a survey of senior security professionals. Approximately half of those security experts said less than 10 percent of IoT devices were secure, according to the survey, released June 3 from security firm IOActive.
“The exponential rate at which IoT products are coming to market, compounded by the expansive risk network created by their often open connectivity, makes IoT security a particular concern and priority,” said Jennifer Steffens, chief executive officer for IOActive, in a post on their website.
The survey follows a steady stream of news about IoT security compromises, some of them serious, at a time when the IoT is experiencing explosive growth. Fiat Chrysler, for instance, had to recall 1.4 million vehicles last year due to a security hole that would allow remote control of the vehicle.
In other news, roughly 300,000 SimpliSafe home security systems were found to be vulnerable to a simple hack. A team at Princeton University also exposed flaws in a wide range of home IoT devices, including video cameras and smart speakers.
IoT hacking, however, is not confided to mass-produced consumer devices. The Cloud Security Alliance lists at least 21 ways IoT device security can be compromised, including many in the enterprise. A few ways include:
- Identity theft.
- Compromise of control systems such as vehicles, Pacemakers or power plants. A recent cyberattack of a power plant in the Ukraine, for instance, started off with a phishing campaign using a malicious Microsoft Word document. Ultimately hackers were able to get past a firewall and cause a blackout due to the lack of two-factor authentication.
- Manipulation of financial data at point-of-sale and mobile POS systems.
- Hacking edge devices in an enterprise IoT network.
- Theft of corporate data, including data stored on an employee’s mobile device. (A recent survey by Centrify found that 43 percent of employees have accessed sensitive corporate data on an unsecured public network. Another study showed that the leading secure container solution, Good Technology, can be breached and corporate email stolen).
Privacy is also a serious concern. Examples include the monitoring of home IoT cameras, including baby monitors. Cable-set top boxes, meanwhile, may amass a large amount of behavioral data; usage-based insurance products can collect data on driving habits (and the data may determine whether a spouse is being unfaithful or an alcoholic). Retail beacons collect a large amount of demographic data and could be used to track movement.
According to the IOActive survey, seventy-two percent of respondents said they felt the lack of security was the biggest challenge facing the IoT, while 63 percent said uneducated users was their biggest concern. Fifty-nine percent, however, cited privacy.
How to improve security?
One notable finding from the IOActive survey is that while teams of researchers often expose IoT security flaws, publicize them, and the security flaw goes viral on the Internet, 83 percent of security experts said that public disclosure is not significant or effective in improving security.
When asked what they felt would be the most effective way to increase IoT security, minimum security compliance standards and mandatory product updates and recalls were the top two suggestions.
Industry experts advise taking a “security-first” view with IoT development, as 73 percent of respondents to the survey felt that security was not adequately designed into products.
“Companies often rush development to get products to market in order to gain competitive edge, and then try to engineer security in after the fact. This ultimately drives up costs and creates more risk than including security at the start of the development lifecycle,” Steffens said.
The security-first approach is also championed by the IoT Security Foundation. The Cloud Security Alliance, meanwhile, advocates using a secure systems engineering approach to the architecture and deployment of a new IoT system.
That’s no easy task for the enterprise IoT, which has a challenge with multiple standards and interoperability.
“The IoT encompasses edge devices, messaging and transport protocols, Application Programming Interfaces (APIs), data analytics, storage, software, and various other technology concepts. Edge devices themselves are complex, consisting of multiple layers of technology and requiring an understanding of hardware, firmware, software and a plethora of protocols,” the Cloud Security Alliance stated in a white paper. (Editor’s note: Sue Walsh contributed to this story).