Across consumer, enterprise, and industrial landscapes, connected devices promise to be an everyday fixture in our lives – several times over. While these devices are marketed as “smart”, the security on most of them remains anything but.
Thus far, IoT vendors have largely operated in a market driven by device functionality, market adoption, and price competition. Consumers are drawn in by what a device can do to make their lives easier and by how much it costs, with little else influencing their decision making. As a result, IoT device security has been an afterthought for many – and really, most – vendors. This is especially true at the low end of the market.
Consequences of this neglect are now causing concerns about device security to rise in prominence. At issue is the fact that unsecured devices actually pose a threat to end users in the form of IoT-based security breaches. Products with recording capabilities can create privacy concerns when compromised, and the hacking of household controls – lights, temperature, etc. – gives attackers the opportunity to create mayhem.
Even worse than this, compromised IoT devices are more frequently used to perform large-scale distributed denial of service (DDoS) attacks, combining the bandwidth of thousands of devices to overwhelm and deny access to targeted websites or critical internet infrastructure. The harm arising from woefully insufficient IoT device security was demonstrated by the attack on DNS provider Dyn, during which an IoT botnet utilizing up to 10 million IP addresses succeeded in taking around 1,200 popular websites offline, including major names such as Amazon, Twitter, and Spotify. More recently (and perhaps soon to be even more consequential), the Reaper botnet threat was discovered. We can expect more.
This problem is magnified by the fact that the vast majority of IoT devices will be purchased and placed in consumer households, operated by users with little knowledge and savvy about security issues. While today there are few IoT device vendors focused on adding security, this really presents a big opportunity for those manufacturers willing to be proactive in implementing and educating the market about the need for stronger security. By informing (and marketing to) consumers about security issues, these forward-thinking vendors can highlight superior security as a competitive differentiator.
A future where consumers lack privacy even inside their homes and where IoT botnets regularly cause devastating internet outages will not be tolerated – and any environment in which eventual consumer pressure or regulatory action comes to a head will strongly favor those vendors that take early action to preempt these concerns.
That said, because most end-users of these products understandably lack security expertise, solutions that require user action in safeguarding their own home networks may be less than fully effective. Additionally, because most of the IoT devices being deployed inherently lack the CPU, memory, and other resources necessary to run security agent software or have any “self-awareness” of their own security status, the more complete answer likely requires IoT devices to be monitored by some type of entity on the network where they are running.
This points to the device vendors needing to partner with hub, router, firewall, and UTM networking offerings that have already integrated IoT device monitoring, profiling, and behavioral anomaly detection capabilities.
The networking equipment that ISPs, cable companies, and MSSPs deploy is ideally positioned to introduce IoT security that protects entire networks through the discovery and profiling of local IoT devices. As a smart device joins the network, security technology integrated within network equipment will be able to recognize the device down to its make and model by analyzing the unique fingerprint of its communications.
Going a step further, ongoing behavioral anomaly detection and analysis of these communications will allow for instant recognition of any devices that have been compromised or are vulnerable to being exploited – for example, devices gearing up to participate in a DDoS attack. The immediate detection of compromised devices enables that ISP, cable/telco, or MSSP to then take action by alerting the end-user, and/or disabling or shutting down compromised IoT devices before they cause any harm.
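A simplified form of the behavioral baselining described above, as an added example that is not from the article or any vendor's product: it learns each device's usual destination ports and per-minute fan-out from flow records, then flags deviations. The device names, addresses, flow-record layout, and the 3x threshold are assumptions, and the sample data is constructed.

```python
from collections import defaultdict

FANOUT_FACTOR = 3  # assumed threshold: alert at 3x the learned per-minute fan-out

def per_minute_fanout(flows):
    """Map (device, minute) -> set of destination IPs contacted in that minute."""
    seen = defaultdict(set)
    for minute, device, dst_ip, _port in flows:
        seen[(device, minute)].add(dst_ip)
    return seen

def learn_profiles(flows):
    """Build a per-device baseline: ports used and peak destinations per minute."""
    profiles = defaultdict(lambda: {"ports": set(), "max_fanout": 0})
    for _minute, device, _dst, port in flows:
        profiles[device]["ports"].add(port)
    for (device, _minute), dsts in per_minute_fanout(flows).items():
        profile = profiles[device]
        profile["max_fanout"] = max(profile["max_fanout"], len(dsts))
    return dict(profiles)

def detect_anomalies(profiles, flows):
    """Return {device: sorted reasons} for devices deviating from their baseline."""
    alerts = defaultdict(set)
    for _minute, device, _dst, port in flows:
        profile = profiles.get(device)
        if profile is None:
            alerts[device].add("unprofiled device")
        elif port not in profile["ports"]:
            alerts[device].add(f"new destination port {port}")
    for (device, minute), dsts in per_minute_fanout(flows).items():
        profile = profiles.get(device)
        if profile and len(dsts) > FANOUT_FACTOR * profile["max_fanout"]:
            alerts[device].add(f"fan-out {len(dsts)} in minute {minute}")
    return {device: sorted(reasons) for device, reasons in alerts.items()}

# Constructed flow records: (minute, device, destination IP, destination port).
# Addresses come from documentation ranges; device names are made up.
BASELINE = [(m, "camera-01", "203.0.113.10", 443) for m in range(5)] + \
           [(m, "thermostat-01", "198.51.100.7", 8883) for m in range(5)]
LIVE = [(0, "thermostat-01", "198.51.100.7", 8883)] + \
       [(0, "camera-01", f"192.0.2.{i}", 23) for i in range(1, 21)]

if __name__ == "__main__":
    for device, reasons in detect_anomalies(learn_profiles(BASELINE), LIVE).items():
        print(device, reasons)
```

The thermostat stays silent because its traffic matches its profile, while the camera is flagged on two independent signals, which is the point at which the network operator could alert the owner or quarantine the device.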
As network equipment with these security capabilities becomes popularized and as ISPs, cable companies, telcos, and MSSPs begin offering local device security monitoring, it will place an imperative on IoT device vendors to much more proactively address the security of their products. This will likely happen through partnerships or certification programs, and is the best bet for ensuring networks of the future won’t allow vulnerable or compromised devices to operate.
Certainly, the growing dissatisfaction of owners buying and installing devices that aren’t allowed to operate will be a tremendous incentive for vendors to up their security game.