BOSTON—From hacked connected cars to power grids, the implications of IoT security issues seem to be getting graver – yet when it comes to pointing fingers for security troubles, many times victims don’t even know where to start.
IoT experts said at the Security of Things Forum today said that a big problem, on top of an already lax culture when it comes to securing IoT, is the fact that there are so many different players behind an IoT solution – and none are viewing security as a shared responsibility.
“There is no single neck to grab [when it comes to IoT security], which is a lot different than what we’re hearing in the overall market,” said Chris Rezendes of Context Labs.
Rezendes said that he is seeing various companies view responsibility differently when it comes to IoT systems across the insurance, automotive and pharmacy industries – making it harder to assign onus when security issues arise.
In the automotive industry, for instance, “I guarantee you what they’re talking about is not having the automotive OEMs being the primary source of liability or expectation when it comes to securing a platform,” he said. “In fact it goes all the way down to who are the code developers that provided the microservice for the specific part that goes into the subsystem; that goes into a system; that goes into a car.”
IoT is difficult because partnerships are not only necessary, but required for IoT devices and systems, from connected cars all the way down to smart thermostats. Even individual IoT devices come with an array of components – from processors, web services, devices and apps.
Beyond the technology level, what differentiates IoT is that security liability is complex even at a business model level – and an IoT implementation can involve different manufacturers, as well as OEM or commercial buyers, all the way to end users.
For instance, said Chris Cacioppo, CTO of 6 River Systems, smart meters have three varying levels of security: the technology manufacturers behind the meter, the utility companies deploying the product and the end-users who are actually using it.
“There are three different parties who are responsible for creating delivering and managing IoT: the manufacturers, primary consumers and secondary consumers,” he said. “Manufacturers have the responsibility to build security into IoT, but usually people say whoever deploys it takes care of security [in terms of segmenting networks or other security measures]. But, people who are deploying it are pointing back to the manufacturers. [for security].”
This could have dangerous implications when a bad actor sets his sights on the IoT product at the center of confusion.
“it’s not a shared responsibility like it should be,” Cacioppo said.
Security Problems – No End In Sight
The role of responsibility is a large part of security issues when it comes to the IoT. But issues have existed since the start of IoT; taking secure measures is often in the back of the mind for many manufacturers.
The 2016 Mirai botnet attack leveraged as a distributed denial of service (DDoS) attack through 300,000 vulnerable IoT devices, like webcams, routers and video recorders — and it showed just how many IoT devices lacked basic security posture. And it’s not just a manufacturing issue, said Rezendes.
“We’ve talked to hundreds of VCs, entrepreneurs and manufacturers… they didn’t care about security, it was friction,” said Rezendes. “We have no idea how you change that culture. The prevailing mindset seems to be, if we don’t have an answer for the issue, don’t expose the issue.”
M. Carlton, chief research officer at Senrio, which recently conducted a lateral attack proof of concept via an IoT gadget to hack a storage device, shared this sentiment. Senrio’s PoC targeted a vulnerable Axis surveillance camera as an entry point into the network, which then enabled the researchers to compromise a TP-Link Router and access a networked-attached storage device (NAS).
“There are manufacturers who are taking security more seriously, but there are also some who aren’t there yet when it comes to putting emphasis on security,” Carlton told Threatpost.
How To Assign – And Uphold Liability?
There have been some outcries for a better shared-responsibility model, particularly after Mirai emerged. The IoT Cybersecurity Improvement Act of 2017, introduced in August 2017, outlined what level of security that IoT devices sold to the U.S. government should have.
A new bill, called the State of Modern Application, Research and Trends of IoT Act, would also help hold companies liable and assign responsibility when it comes to security. It would enable Commerce Secretary Wilbur Ross to survey industries using IoT devices to determine how the devices are used and what regulations in each industry exist.
However, progress is slow: the new bill is still in draft form, and the The IoT Cybersecurity Improvement Act of 2017 has not yet had a committee hearing.
In the meantime, companies can be taking basic security measures to protect themselves – from talking to partners to better understand what role each of them plays in an IoT solution, to understanding which IoT devices exist on their networks.
“It is rule No. 1 to know what’s on your network,” Carlton said. “Run audits, because if you don’t know it’s there, you can’t defend it or keep it up to date.”