It’s a coin toss whether or not that Internet of Things device you depend on is secure. Those unacceptable 50/50 odds come from a survey by IOActive where technology professionals were asked about the security of connected devices from thermostats, security cameras to alarm systems.
Those numbers may be hard to swallow, but recent headlines concerning connected devices, sensors and controls – ranging from SCADA, IoT and M2M – suggests that what might seem like chicken-little opinions about IoT security may not be too far from the reality.
A study by HP’s security unit Fortify found that 70 percent of popular consumer IoT devices are easily hackable. When Kaspersky Lab examined industrial controls systems exposed to the Shodan search engine it found seven percent of 172,982 ICS components vulnerable to attack had “critical” issues.
“On the IoT continuum we are about 15 percent in,” said Chris Poulin, research strategist, IBM X-Force Security. “A common refrain from the business is ‘I don’t know what I don’t know’ when it comes to IoT security. The industry is evolving. To some extent we are just trying to figure out what’s a real threat and what is fear, uncertainty, and doubt.”
Experts however do find consensus on common IoT security issues centered around lack of standards and protocols, an inability to update device firmware, and lack of security when it comes to data transport encryption and secure web interfaces.
Can’t Update
The problem is we are rushing to deploy insecure products to support business needs, and then deciding that we need security, said Christopher Conrad, practice manager, critical infrastructure at NSS Labs. “These products should have the security baked in, not bolted on,” Conrad said.
Some of the simplest IoT devices (or machine-to-machine) devices lack adequate processing power and storage to host endpoint security software. They are real-time OS’s which do not offer support for a wide variety of endpoint protection products.
The list of IoT products without the ability to have firmware updated with security protection is long. Recent headlines bear that out and range from malware vulnerabilities found on EZCast media streamers, CCTV cameras enlisted for DDoS attacks and web-based SCADA systems vulnerable to man-in-the-middle attacks.
In May, ICS-CERT warned that an industrial IoT device made by Environmental Systems Corporation (ESC) used by the energy sector for environmental monitoring was vulnerable to attacks (CVE-2016-4501 and CVE-2016-4502). Worse, it said that security vulnerabilities couldn’t be fixed because they lacked the ability to be updated.
The vulnerabilities, found by security researcher Maxim Rupp, were tied to ESC’s 8832 Data Controller, a device that “has no available code space to make any additional security patches; so, a firmware update is not possible,” according to ICS-CERT.
IoT security challenges include a lack of industry long-term support and a patching solution for internet-connected devices that need to be updated and maintained for years to come. Example: How long does Samsung support its IoT smart fridge with security updates?