This article originally appeared on Forbes.
A few weeks ago, major retailers stopped selling toys from the company CloudPets after more than 2 million voice recordings made through the toys, along with customer account details, were found exposed in a database that required no password to read. Internet of Things (IoT) security breaches are as prevalent as they’re varied. From medical devices and traffic lights to automobiles and (well) toys, each hitherto unconnected device that now joins the big bad world wide web brings additional security mysteries to the fore. And with over 20 billion connected devices projected to be in use by 2020, these are mysteries we must unravel.
There are plenty of reasons for the current gaps in IoT security, including a lack of regulation, market failures, and stakeholder indifference, but none of them is insurmountable. Even with these challenges, there are concrete steps we can take to avoid future IoT mishaps and the eventual descent of an all-devouring animatronic locust swarm.
IoT Security Challenges
Square pegs in round holes
It’s difficult for organizations to achieve competence in multiple fields. When a product company adds internet connectivity to a device, it has to reconcile its expertise in its original industry with its unfamiliarity with networking and security. The result is products that ship with an outdated operating system (or one that cannot be patched at all), default or hard-coded passwords that are rarely changed, and no mechanism for delivering software updates or for telling customers that one is available.
Moreover, many physical products have complex supply chains with outsourced production, cost-saving exercises, and rigidly defined team structures. Weaving device security into that process is expensive and, from the companies’ point of view, unnecessary when nothing requires it.
And there’s no requirement because…
Lack of regulation
There have been welcome strides in IoT security regulation in recent years. While the IoT Cybersecurity Improvement Act of 2017, a bill that would set minimum security requirements for connected devices sold to the US federal government, is a good start, the industry still lacks a unifying, robust piece of legislation that puts the onus on vendors to comply with requirements or face consequences. And it’s understandable why that’s the case: with IoT still an evolving field, most innovation is carried out by startups that would be hamstrung by having to comply with labyrinthine regulations from the get-go.
Additionally, since IoT sits at the intersection of technology and a bevy of other industries, it’s a challenge to enact legislation that spans all of them without imposing unfair restrictions, yet without leaving the requirements too lax to make any difference.
Attack by proxy
In 2016, major websites like Twitter, Spotify, and PayPal experienced outages because of a large DDoS (Distributed Denial of Service) attack. This happened because their DNS provider, Dyn, was knocked offline by the Mirai botnet, which was built largely from IoT devices such as webcams, digital video recorders and home routers that were still using factory-default credentials. This incident set a dangerous precedent for how innocuous devices could be ‘recruited’ by attackers and used for malicious purposes without the device owners ever knowing about it.
The range of dangers posed by IoT compromises is so great because of the devices’ dual and interconnected nature. Because they serve an ‘offline’ purpose (like a TV or fridge) but are also connected to the internet, they can be compromised without their original function being affected, which makes the compromise harder to spot: the fridge keeps cooling while it floods somebody else’s website. And because they’re interconnected, one loose stone can quickly lead to an avalanche.
What Can We Do?
It’s vital to protect the networks that connect IoT devices to the wilderness of the internet. IoT network security is a greater challenge because of the multitude of protocols, standards, and device capabilities at play, so its implementation is often incomplete and draws the eyes of attackers. Traditional endpoint controls such as antivirus rarely fit on a constrained device, so most of the work falls to the network: putting IoT devices on their own segment, firewall rules that let them reach only the vendor endpoints they actually need and accept nothing unsolicited from the internet, and IPS features that notice a device scanning or flooding. Together these go a long way towards deterring the use of IoT devices as attack entry points.
Consumers have been trained (relatively) to care about the security of their computing devices, but it’s easy for them to forget to update the OS on their toaster, to everyone’s detriment. IoT device users should change default passwords as soon as a device is installed (and rotate them afterwards as well), check that patches and updates are actually being installed, and report unusual activity to the relevant authorities immediately.
For their part, IoT device manufacturers should meet the requirements the IoT Cybersecurity Improvement Act proposes even before they are compelled to: ship devices whose software can be patched and patch it regularly, avoid hard-coded credentials and give users the option to change default passwords, and communicate with their users about other security best practices as and when they come to light.
Authentication and Encryption
IoT communication often doesn’t have a human in the loop, with machine-to-machine ‘conversations’ taking place in the back end. In this scenario it becomes vital that each side authenticates the other and that the data is strongly encrypted while in transit between devices, with the keys involved managed over their full lifecycle: generated per device rather than shared across a product line, rotated on a schedule, and revocable when a device is lost or retired. Even if the devices themselves are secure, a credential or key that strays into the public domain (a single key baked into every unit of a product, say) can be sniffed out by attackers and become the keyhole they need to jimmy the door.
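As an added example that is not part of the original article, the following Go program shows what the paragraph above asks for at the message level: each device-to-gateway message is encrypted and authenticated with AES-256-GCM under a key derived for that device and for the current key epoch, so keys can be rotated without touching every device, a replayed or tampered message is rejected, and a key that leaks from one device unlocks only that device’s traffic for one epoch. The `Envelope` format, the `iot-msg-key/` derivation label, the device names and the master secret are assumptions made for the example; in a real deployment the master secret would live in a key-management service or HSM and per-device keys would be provisioned out of band.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Envelope is a hypothetical wire format for one device-to-gateway message. The header
// travels in the clear but is bound to the ciphertext as GCM associated data, so a
// changed sender, epoch or counter fails authentication.
type Envelope struct {
	DeviceID   string // sender identity
	Epoch      uint32 // key generation, bumped on every scheduled rotation
	Counter    uint64 // strictly increasing per sender, starts at 1, never reset
	Ciphertext []byte // AES-256-GCM output with the 16-byte tag appended
}

// deriveKey turns the long-lived master secret into a per-device, per-epoch AES-256 key
// (HMAC-SHA256 used as a simple KDF). Rotating the epoch retires a key without
// redistributing the master secret; a leaked device key covers one device, one epoch.
func deriveKey(master []byte, deviceID string, epoch uint32) []byte {
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte("iot-msg-key/" + deviceID + "/")) // assumed label
	mac.Write(binary.BigEndian.AppendUint32(nil, epoch))
	return mac.Sum(nil)
}

// header builds the associated data and the 96-bit nonce (the counter), which is
// unique per key as long as the sender never reuses a counter.
func header(deviceID string, epoch uint32, counter uint64) (aad, nonce []byte) {
	nonce = make([]byte, 12)
	binary.BigEndian.PutUint64(nonce[4:], counter)
	aad = binary.BigEndian.AppendUint32([]byte(deviceID), epoch)
	return append(aad, nonce...), nonce
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts and authenticates one message from deviceID.
func Seal(master []byte, deviceID string, epoch uint32, counter uint64, plaintext []byte) (Envelope, error) {
	gcm, err := newGCM(deriveKey(master, deviceID, epoch))
	if err != nil {
		return Envelope{}, err
	}
	aad, nonce := header(deviceID, epoch, counter)
	return Envelope{deviceID, epoch, counter, gcm.Seal(nil, nonce, plaintext, aad)}, nil
}

// Receiver is the gateway side: the current epoch plus the highest counter accepted
// from each sender, which is the replay check.
type Receiver struct {
	master      []byte
	epoch       uint32
	lastCounter map[string]uint64
}

func NewReceiver(master []byte, epoch uint32) *Receiver {
	return &Receiver{master: master, epoch: epoch, lastCounter: map[string]uint64{}}
}

// Rotate moves to the next key generation; the previous epoch stays valid for one
// rotation period so messages already in flight are not dropped.
func (r *Receiver) Rotate() { r.epoch++ }

func (r *Receiver) Open(env Envelope) ([]byte, error) {
	if env.Epoch > r.epoch || env.Epoch+1 < r.epoch {
		return nil, errors.New("key epoch unknown or retired")
	}
	if env.Counter <= r.lastCounter[env.DeviceID] {
		return nil, errors.New("replayed or out-of-order message")
	}
	gcm, err := newGCM(deriveKey(r.master, env.DeviceID, env.Epoch))
	if err != nil {
		return nil, err
	}
	aad, nonce := header(env.DeviceID, env.Epoch, env.Counter)
	pt, err := gcm.Open(nil, nonce, env.Ciphertext, aad)
	if err != nil {
		return nil, errors.New("authentication failed: wrong key, wrong sender or tampered message")
	}
	r.lastCounter[env.DeviceID] = env.Counter // advance only after the tag verified
	return pt, nil
}

func main() {
	master := []byte("constructed-master-secret-for-demo-only") // assumed: provisioned out of band
	rx := NewReceiver(master, 7)
	env, _ := Seal(master, "thermostat-01", 7, 1, []byte("setpoint=21.5"))
	pt, err := rx.Open(env)
	fmt.Printf("first delivery: %q (err=%v)\n", pt, err)
	_, err = rx.Open(env)
	fmt.Println("same envelope again:", err)
}
```

The design choice worth noting is that the header fields are not trusted until the GCM tag verifies under the key derived from them: swapping the sender name or the epoch on a captured envelope changes both the key and the associated data, so the message fails closed. Devices that can run TLS get the same properties from mutual TLS with per-device certificates; this example is the shape of the protection underneath for constrained links that cannot.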
Automate for Fast Response
Following the ‘hope for the best, prepare for the worst’ adage, enterprises need to be prepared for an IoT breach to occur. The key tools here are a SIEM or detection platform that identifies anomalies in IoT device behaviour (a camera that suddenly talks to a host it has never contacted, or starts probing its neighbours), and a security orchestration platform that weaves together data and actions from multiple products to automate incident response.
Platforms that connect to on-premises security tools as well as to the IoT devices themselves through APIs make it easier for security teams to establish the root cause of an attack and to execute containment actions, such as quarantining a device on the network, directly.
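As an added example (not code from the original article or from Demisto), here is the kind of detection logic a SIEM rule or a small collector could run over flow records from an IoT network segment. It covers both behaviours described earlier on this page: a device that keeps doing its day job while quietly reaching a host it has never contacted, and the telnet scanning a recruited bot performs to find further victims, which the owner never sees. The log format, device names, addresses (documentation ranges), learning period and the fan-out threshold are constructed for the example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
)

type Flow struct { // one outbound connection summary from the IoT segment
	When    time.Time
	Device  string
	DstIP   string
	DstPort int
}

// ParseFlow reads one constructed log line: "<RFC3339 time> <device> <dst-ip>:<port>".
func ParseFlow(line string) (Flow, error) {
	f := strings.Fields(line)
	if len(f) != 3 {
		return Flow{}, fmt.Errorf("want 3 fields in %q", line)
	}
	when, err := time.Parse(time.RFC3339, f[0])
	ip, portStr, ok := strings.Cut(f[2], ":")
	port, perr := strconv.Atoi(portStr)
	if err != nil || !ok || perr != nil {
		return Flow{}, fmt.Errorf("malformed line %q", line)
	}
	return Flow{when, f[1], ip, port}, nil
}

func ParseAll(lines []string) (flows []Flow, err error) {
	for _, l := range lines {
		f, err := ParseFlow(l)
		if err != nil {
			return nil, err
		}
		flows = append(flows, f)
	}
	return flows, nil
}

// Baseline maps each device to the destinations it reached while known-good; a camera
// should only ever talk to its vendor cloud and an NTP server.
type Baseline map[string]map[string]bool

func LearnBaseline(flows []Flow) Baseline {
	b := Baseline{}
	for _, f := range flows {
		if b[f.Device] == nil {
			b[f.Device] = map[string]bool{}
		}
		b[f.Device][f.DstIP] = true
	}
	return b
}

type Alert struct{ Device, Rule, Detail string }

// Detect flags destinations outside the baseline, and a device touching `fanout` distinct
// hosts on telnet ports inside one minute: the scan a recruited bot runs for new victims.
func Detect(base Baseline, flows []Flow, fanout int) []Alert {
	var alerts []Alert
	scans := map[string]map[string]bool{} // "device|minute" -> telnet targets seen
	for _, f := range flows {
		if !base[f.Device][f.DstIP] {
			alerts = append(alerts, Alert{f.Device, "unexpected-destination", fmt.Sprintf("%s:%d", f.DstIP, f.DstPort)})
		}
		if f.DstPort == 23 || f.DstPort == 2323 {
			w := f.Device + "|" + f.When.Truncate(time.Minute).Format(time.RFC3339)
			if scans[w] == nil {
				scans[w] = map[string]bool{}
			}
			scans[w][f.DstIP] = true
			if len(scans[w]) == fanout { // fire once, as the threshold is crossed
				alerts = append(alerts, Alert{f.Device, "telnet-fanout", w})
			}
		}
	}
	return alerts
}

// Constructed sample data: a quiet learning period, then cam-01 keeps streaming video
// to the vendor as usual while it starts behaving like a botnet recruit.
var learningLog = []string{
	"2017-03-01T10:00:00Z cam-01 203.0.113.10:443",
	"2017-03-01T10:12:00Z cam-01 203.0.113.11:123",
}
var liveLog = []string{
	"2017-03-08T09:01:00Z cam-01 203.0.113.10:443",
	"2017-03-08T09:01:30Z cam-01 198.51.100.5:80",
	"2017-03-08T09:02:10Z cam-01 192.0.2.1:23",
	"2017-03-08T09:02:11Z cam-01 192.0.2.2:23",
	"2017-03-08T09:02:12Z cam-01 192.0.2.3:2323",
}

func main() {
	good, _ := ParseAll(learningLog) // constructed input, cannot fail to parse
	live, _ := ParseAll(liveLog)
	for _, a := range Detect(LearnBaseline(good), live, 3) {
		fmt.Println(a.Device, a.Rule, a.Detail)
	}
}
```

On the constructed data the normal vendor-cloud flow produces nothing, the first contact with 198.51.100.5 raises an unexpected-destination alert, and the third telnet target inside the same minute raises the fan-out alert; an orchestration playbook would take the device name from either alert and push a quarantine rule to the switch or firewall. The baseline approach works for IoT precisely because the devices are so predictable: a camera with a dozen legitimate destinations in a week is easy to profile, which is much harder for a laptop.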
For more security content, join our growing network of 20,000+ security enthusiasts by subscribing to email updates from Demisto.