As the explosive growth of IoT tech continues, businesses, vendors and consumers all have to confront the issue that the world is more connected than ever before, with potentially gigantic consequences.
The central problem with IoT security is that there is no central problem – IoT is a more complicated stack than traditional IT infrastructure and is much more likely to be made up of hardware and software from different sources.
There are three main areas of IoT security – devices, network, and back-end. All of them are potential targets, and they all require attention, according to Forrester principal analyst Merritt Maxim. Right now, devices are getting the bulk of the attention – the huge number of different manufacturers, some of whom haven’t worked very hard to make their products secure, makes device-level IoT security problematic.
“You don’t have the Wintel monopoly you have in the desktop world, which makes a more homogeneous environment,” said Maxim. “Generally [IoT] devices are running embedded Linux or various flavors of that, which creates security blind spots,” since those operating systems might not be what IT security pros are used to working with.
What’s more, most of the IoT players that are actively focusing on security are approaching it at the network or back-end level – not on the devices themselves, according to Stacy Crook, IDC’s research director for IoT.
“There’s a point to which these guys can get down deep in the device, but they have to figure out how much investment they want to make there because … there’s so many different device types and different architectures,” she said. “So they have to figure out how much of their time do they really want to spend.”
Addressing the threat
Specialist security firms are doing their best to keep pace with the changing nature of the IoT security threat. Companies like Pwnie Express – which got its start making penetration testing devices – have tried to adapt to the new threat landscape.
“In the early days, [test devices] were things like [fake] wall plugs, and they worked harder at making sure they were disguised, since the pen tester didn’t want to make it obvious that the environment was under test,” recounted Matt Williamson, CTO of Pwnie Express.
The latest and greatest, however, is a module that sits in a customer’s data center and monitors Wi-Fi, Bluetooth, and a host of other wireless network types for unusual traffic, since the network is a major potential target for malicious hackers.
Yet it can be difficult to focus security efforts, according to Williamson, with different customers worrying about different parts of the network.
“Because we’ve got a fairly broad set of things that we cover, it’s tough to put a finger on which ones are more important,” he said. “Some of our customers are more concerned about Bluetooth … Bluetooth TVs, and so on. Other people are more worried about rogue access points.”
These issues aren't unique to IoT, but they're relevant nonetheless – so much so that Pwnie's corporate focus is squarely on IoT as it applies its pen testing expertise to the increasingly broad array of devices present on corporate networks.
Polls: IoT Security is a major issue
The IT world has, at least, obtained an awareness of the scale of the problem it faces, according to several recent surveys. Pwnie’s 2017 Internet of Evil Things report, which surveyed 800 security professionals, found that fully 84% of respondents said that the 2016 Mirai botnet incident – which saw vast numbers of poorly secured IoT devices, primarily digital security cameras, harnessed into a powerful botnet used in DDoS attacks – had changed their view of IoT security threats. 92% said the problem will remain a major issue.
Part of the problem seems to be that efforts to address it are still in the early stages – just 23% of security pros who monitored the connected devices entering their offices said that they scanned them for malicious code, and two-thirds of respondents said they weren’t sure of the total number of connected devices being brought onto their networks.
A poll of 500 executives conducted by Forbes concurred, finding that respondents ranked IoT as the most important emerging technology, outpacing even robotics and AI. A third of the respondents said that security is the most serious problem facing IoT.
According to Maxim, part of the reason for that is that the consequences of IoT hacking are potentially a lot more serious than those of traditional computer crime – a 2012 scene from the TV series Homeland, which saw a character die when his pacemaker was hacked, is anything but far-fetched, he said.
“That’s not a theoretical attack, that’s possible today – and that’s a different dynamic than the traditional online world, where it’s just about identity theft or payment information for monetary gain,” said Maxim. “IoT hacking can cause potential loss of life.”
Common platforms link devices to the backend
The traditional way of connecting IoT devices to the back end was with customized platforms, but now a majority – 57% – of IoT deployments use platforms that can be applied to most deployment scenarios, according to Crook’s research.
Google and Microsoft are raising the profile of this option with their service offerings, Google Cloud and Azure IoT, which provide such platforms.
“It’s really the idea about leveraging a common platform to build these IoT applications across different use cases, instead of having to create a custom platform for every single different IoT use case,” she said.
There are security ramifications, mostly positive, to the increasing use of these platforms – Crook’s recent research said that 57% of IoT deployments are using this type of platform – and most of them center on the edge layer, a new part of the stack that sits between the endpoint devices and the data center. An example would be a hub device that analyzes data and does low-level management of connected devices on a factory floor.
Edge computing is an important concept for IoT, because many applications – particularly those that are highly delay-intolerant – can’t wait for data to make the cycle all the way from the endpoint to the data center and back again before action is taken. Hence, IoT hubs and other devices will take up some of the computational and management slack – and add an additional place in the stack that security features can be implemented.
“Increasingly, [data is] going to be collected at the edge,” said Crook. “It could be on a factory floor, for instance, and there are going to be more and more of these edge devices collecting data.”
More broadly, she added, an IoT platform is an architecture created with security in mind but not as the main focus. There are threat detection capabilities available, but they’re usually sold as add-on services, not as core components of the platform.
“IoT security is definitely going to be an ecosystem approach,” said Crook. “The platform providers will work with other security companies on providing full solutions, but I think the platform certainly plays a key role in security.”
There’s a limited amount of action that most IoT users can take, according to Maxim, but the most important steps at the device level are:
- Never using devices with default passwords.
- Ensuring that there’s a way to patch everything – a device that can’t be patched remotely, once compromised, is now a part of the “Internet of Bricks.”
But attacks are likely to continue, which could have far-reaching consequences down the road.
“We have started to see fines levied against medical device companies and others for privacy violations, so there is some regulatory heat there,” Maxim said. “Unfortunately, we probably need a couple even higher-profile compromises to get to a point where it’s regulated or get the industry to act.”
In the future, we may see systems that are more fundamentally security-oriented, according to the CEO of blockchain-based IoT security startup Xage, Duncan Greatwood – who noted that they could look very different than previous-generation technology.
“People make statements like ‘security is foundational’ and expect polite nodding,” he said. “It’s a different kind of situation to enterprise security.”