And how the industry is failing to learn from its mistakes
The technology industry is failing to learn from its mistakes, as familiar security failings from the IT space hobble the nascent internet of things (IoT) market, and threaten its growth.
A glance at the top IoT security vulnerabilities, as ranked by the Open Web Application Security Project (OWASP), bears this out. The same errors and oversights seen in IT security keep reappearing, almost always tied to identity and authentication, transport encryption and physical security.
“We keep building new technologies with the same old vulnerabilities built in. This should not be the case. We haven’t been learning. It’s not like we can even say we did our best. We haven’t even really tried to figure out how to do it right,” says Jaya Baloo, chief information security officer at KPN in the Netherlands.
In particular, the continued use of default and weak passwords, the persistent absence of mechanisms for updating software and firmware (and in some cases of any update path on the device at all), the failure to implement mutual authentication, and the lack of account lockout after repeated failed logins are making IoT devices soft targets for attackers. These are the principal roots of each of OWASP's top 10 IoT vulnerabilities, listed below.
- Insecure web interface
- Insufficient authentication/authorization
- Insecure network services
- Lack of transport encryption
- Privacy concerns
- Insecure cloud interface
- Insecure mobile interface
- Insufficient security configurability
- Insecure software/firmware
- Poor physical security
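The first, second and eighth items above share one concrete failure: a login that ships with a factory-default password, compares it in plain text and never refuses a guess. The following is an added example, not code from the article or from any of the vendors quoted in it: a minimal device login handler written in that failing style, beside a hardened one that refuses default or short passwords, stores a salted PBKDF2 hash, compares it in constant time and locks the account after repeated failures. The default-credential set, the attacker wordlist and the policy values (5 failures, 300-second lockout, 12-character minimum, 100,000 PBKDF2 rounds) are constructed assumptions, not figures from the page.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample data: factory-default pairs of the kind IoT botnets try first.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"), ("root", "root"), ("admin", "1234"),
    ("admin", "password"), ("root", "default"),
}

# Constructed attacker wordlist for one username. The last entry is the strong
# password provisioned on the hardened device, so a device without lockout
# would eventually fall to it.
WORDLIST = ["admin", "1234", "password", "default", "12345", "letmein",
            "correct horse battery staple"]


class InsecureDeviceAuth:
    """The failing pattern the article describes, reproduced deliberately:
    shipped default credentials, plain comparison, unlimited attempts."""

    def __init__(self, username="admin", password="admin"):
        self.username = username
        self.password = password

    def login(self, username, password):
        return username == self.username and password == self.password


class HardenedDeviceAuth:
    """Refuses default or short passwords, stores a salted PBKDF2 hash,
    compares in constant time and locks the account after repeated failures.
    Policy values are hypothetical and should be tuned per product."""

    MAX_FAILURES = 5
    LOCKOUT_SECONDS = 300
    MIN_LENGTH = 12
    PBKDF2_ROUNDS = 100_000

    def __init__(self, clock=time.monotonic):
        self._clock = clock           # injectable so lockout expiry can be demonstrated
        self._users = {}              # username -> (salt, derived key)
        self._failures = {}           # username -> consecutive failures
        self._locked_until = {}       # username -> clock value when lock expires
        self._dummy_salt = secrets.token_bytes(16)

    def _derive(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.PBKDF2_ROUNDS)

    def set_password(self, username, password):
        if (username, password) in DEFAULT_CREDENTIALS or len(password) < self.MIN_LENGTH:
            raise ValueError("refusing default or short password")
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._derive(password, salt))
        self._failures.pop(username, None)

    def is_locked(self, username):
        return self._locked_until.get(username, 0.0) > self._clock()

    def _record_failure(self, username):
        count = self._failures.get(username, 0) + 1
        if count >= self.MAX_FAILURES:
            self._locked_until[username] = self._clock() + self.LOCKOUT_SECONDS
            count = 0
        self._failures[username] = count

    def login(self, username, password):
        if self.is_locked(username):
            return False
        record = self._users.get(username)
        if record is None:
            # Unprovisioned device or unknown user: do the same PBKDF2 work so
            # response time does not reveal which usernames exist.
            self._derive(password, self._dummy_salt)
            self._record_failure(username)
            return False
        salt, stored = record
        if hmac.compare_digest(self._derive(password, salt), stored):
            self._failures.pop(username, None)
            return True
        self._record_failure(username)
        return False


def rejects_password(auth, username, password):
    """True if the device refuses to provision this credential pair."""
    try:
        auth.set_password(username, password)
    except ValueError:
        return True
    return False


def brute_force(auth, username, wordlist):
    """Try each candidate in order. Returns (password, attempts) on success,
    or (None, attempts) once the list is exhausted."""
    for attempts, candidate in enumerate(wordlist, start=1):
        if auth.login(username, candidate):
            return candidate, attempts
    return None, len(wordlist)


class FakeClock:
    """Controllable monotonic clock for showing that the lockout expires."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


if __name__ == "__main__":
    print("insecure:", brute_force(InsecureDeviceAuth(), "admin", WORDLIST))
    clock = FakeClock()
    hardened = HardenedDeviceAuth(clock=clock)
    hardened.set_password("admin", "correct horse battery staple")
    print("hardened:", brute_force(hardened, "admin", WORDLIST), "locked:", hardened.is_locked("admin"))
```

Against the insecure handler the wordlist succeeds on the first guess; against the hardened one the account locks after five failures, so the correct password at position seven is never accepted and the attacker learns nothing until the lockout expires. Two caveats for real devices: a per-account lockout on a single-admin device is itself a denial-of-service lever, so pair it with per-source rate limiting and backoff rather than relying on it alone; and none of this helps with the update problem in the same list, which needs a separate signed-firmware path.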
Baloo comments: “There are so many things we already know, which we could be doing better, which could very easily be remedied. We just haven’t learnt. It’s like the goldfish with the one-second memory – we get surprised at lessons we already know. Our memory span is really short. We keep repeating the same mistakes. That is absolutely unnecessary, and we could do better.”
The technology market, at large, agrees. “Yes, it’s the same issues, as always,” says Senthil Ramakrishnan, lead member of technical staff at AT&T. “This stuff has to be baked in. But cost and time to development are huge issues.”
The attack surface is being extended. Gartner reckons 20.4 billion connected ‘things’ will be in use by 2020, up from 8.4 billion in 2017.
Meanwhile, HP says 70 percent of consumer IoT devices use unencrypted network services. AT&T reckons just half of enterprises have run IoT security assessments. Security vendor Malwarebytes Labs counts nearly one billion malware detections, affecting nearly 100 million devices in 200 countries, in the second half of 2016 alone.
The industry has already been warned, claim market watchers, most resoundingly when the Mirai botnet hijacked IoT devices for a massive distributed denial of service (DDoS) attack in late 2016, disabling a number of high-profile internet services. David Dufour, vice president of engineering and cyber-security at Webroot, says the challenge of cyber-security in the IoT market is now out of control.
“The security industry is losing the IoT security battle,” he says. “Every season brings additional connected devices, but many of these low-cost connected items aren’t brought to market with security in mind. Although there are great conversations going on around IoT security both at the government and industry levels, there has been little action.”
Whatever the style of attack, the potential fallout is magnified in industrial settings. “The real risk is in the potential impact of failures,” remarks Jay Thoden van Velzen, director IoT security at SAP. Every major institution is a target, potentially, he notes – from nuclear power stations through to “risky manufacturing”, from electrical grids to sundry smart-city operations.
Kelsey at McAfee says factories and supply chains are just as susceptible to code-red attacks as governments and utilities running critical infrastructure. But cyber-crime, like most crime, is more primal, he says, and private industry promises a hefty ransom. “The majority of bad guys are focused on the money,” he says. “If a manufacturer’s operations can be brought to its knees by a simple ransomware attack on its systems, you can bet they are a target.”
For a deeper dive into this topic, register for the upcoming webinar titled "Industrial IoT security – The pitfalls and practicalities of securing manufacturing and supply chain IoT systems."