The Security Model is Broken, Part 5: IoT Security
Billions of IoT devices are not secure
The Internet of Things (IoT) is rapidly growing, but security is lagging behind. Millions of cars and almost a billion smart phones are vulnerable to some sort of hacking. Gartner estimates that there will be 26 billion IoT devices by 2020. How many vulnerable devices will we have by then? As Yogi Berra said, it’s deja-vu all over again.
There will be 26 billion IoT devices by 2020
This year, one American car manufacturer recalled 1.4 million hackable cars; researchers successfully hacked automobiles made by an electric car maker; and the Stagefright vulnerability exposed almost a billion Android smart phones.
To their credit, the electric car maker anticipated that vulnerabilities could occur, they had OTA (over the air/WiFi) patching capabilities and they have patched their vehicles. The American car manufacturer does not have OTA capabilities and is distributing USB drives to the owners of the vehicles so they can patch their cars. And Google scrambled to get a patch out because they did not have a coordinated patching process in place with their manufacturers, but they have since instituted a monthly patching process in the wake of the Stagefright vulnerability.
What is more frightening (pun intended) are the results of the 2014 HP IoT Research study which highlights alarming rates of vulnerabilities in IoT devices they tested. Most devices had vulnerabilities related to cross-site scripting and weak credentials, weak password schemes, unencrypted transmissions, personal information being collected, or account enumeration weaknesses. OWASP also has a project to identify and maintain the top ten security problems related to IoT. Again, the usual suspects figured prominently: insecure cloud/web interfaces, lack of encryption, insufficient authentication.
This is not a very good showing, but it doesn’t have to be this way.
In January of this year, the FTC released a paper outlining IoT security and privacy risks. They proposed both legislation for general security and privacy protection, and supported best practices for IoT security. I believe this is a necessary first step to hopefully developing regulatory standards for IoT devices.
Also, several industry groups such as the IoT Consortium, Industrial Internet Consortium, Allseen Alliance, and others are working on IoT standards including the security components.
While these efforts should be supported and continue, the necessary safeguards to secure IoT devices are well known by now. Vulnerability assessment, patching capabilities, strong passwords, intrusion lockout, encrypted transmissions, input validation, and privacy safeguards are well established and fundamental security practices.
The necessary safeguards to secure IoT devices are well known by now
These safeguards should be implemented from the get-go of IoT device deployment. If they are not, then we haven’t learned from past mistakes.