The Security Model is Broken, Part 5: IoT Security
The Internet of Things (IoT) is rapidly growing, but security is lagging behind. Millions of cars and almost a billion smart phones are vulnerable to some sort of hacking. Gartner estimates that there will be 26 billion IoT devices by 2020. How many vulnerable devices will we have by then? As Yogi Berra said, it’s deja-vu all over again.
There will be 26 billion IoT devices by 2020
This year, one American car manufacturer recalled 1.4 million hackable cars; researchers successfully hacked automobiles made by an electric car maker; and the Stagefright vulnerability exposed almost a billion Android smart phones.
To their credit, the electric car maker anticipated that vulnerabilities could occur, they had OTA (over the air/WiFi) patching capabilities and they have patched their vehicles. The American car manufacturer does not have OTA capabilities and is distributing USB drives to the owners of the vehicles so they can patch their cars. And Google scrambled to get a patch out because they did not have a coordinated patching process in place with their manufacturers, but they have since instituted a monthly patching process in the wake of the Stagefright vulnerability.
What is more frightening (pun intended) are the results of the 2014 HP IoT Research study which highlights alarming rates of vulnerabilities in IoT devices they tested. Most devices had vulnerabilities related to cross-site scripting and weak credentials, weak password schemes, unencrypted transmissions, personal information being collected, or account enumeration weaknesses. OWASP also has a project to identify and maintain the top ten security problems related to IoT. Again, the usual suspects figured prominently: insecure cloud/web interfaces, lack of encryption, insufficient authentication.
This is not a very good showing, but it doesn’t have to be this way.
In January of this year, the FTC released a paper outlining IoT security and privacy risks. They proposed both legislation for general security and privacy protection, and supported best practices for IoT security. I believe this is a necessary first step to hopefully developing regulatory standards for IoT devices.
Also, several industry groups such as the IoT Consortium, Industrial Internet Consortium, Allseen Alliance, and others are working on IoT standards including the security components.
While these efforts should be supported and continue, the necessary safeguards to secure IoT devices are well known by now. Vulnerability assessment, patching capabilities, strong passwords, intrusion lockout, encrypted transmissions, input validation, and privacy safeguards are well established and fundamental security practices.
The necessary safeguards to secure IoT devices are well known by now
These safeguards should be implemented from the get-go of IoT device deployment. If they are not, then we haven’t learned from past mistakes.
Related Articles
Cybersecurity Snapshot: U.S. Gov’t Unpacks AI Threat to Banks, as NCSC Urges OT Teams to Protect Cloud SCADA Systems
March 29, 2024Check out new guidance for banks on combating AI-boosted fraud. Plus, how to cut cyber risk when migrating SCADA systems to the cloud. Meanwhile, why CISA is fed up with SQLi flaws. And best practices to prevent and respond to DDoS attacks. And much more!
Cybersecurity Snapshot: NSA Picks Top Cloud Security Practices, while CNCF Looks at How Cloud Native Can Facilitate AI Adoption
March 22, 2024Check out the NSA’s 10 key best practices for securing cloud environments. Plus, learn how cloud native computing could help streamline your AI deployments. Meanwhile, don’t miss the latest about cyberthreats against water treatment plants and critical infrastructure in general. And much more!
How To Secure All of Your Assets - IT, OT and IoT - With an Exposure Management Platform: The Importance of Contextual Prioritization
March 11, 2024Discover how contextual prioritization of exposure is revolutionizing OT/IoT security, enabling organizations to shift from reactive to proactive breach prevention.
Tenable and Thales Collaborate to Provide Cyber Defense Simulations to Better Secure Operational Technology Environments
April 18, 2024The heart of the Welsh Valleys is home to the Thales Ebbw Vale campus, a world-class facility jointly funded by the Welsh government as part of its regeneration program for the region. At the core of the facility is the Cyber Range, a simulation and virtualization platform for training, testing, exercising and R&D. Tenable has joined the lineup of solutions used to run real world simulations in this controlled environment.
Oracle April 2024 Critical Patch Update Addresses 239 CVEs
April 17, 2024Oracle addresses 239 CVEs in its second quarterly update of 2024 with 441 patches, including 38 critical updates.
Strengthening the Nessus Software Supply Chain with SLSA
April 16, 2024You know Tenable as a cybersecurity industry leader whose world-class exposure management products are trusted by our approximately 43,000 customers, including about 60% of the Fortune 500. But sometimes we like to give you a peek behind the curtain to share how we protect our own house against cyberattacks – and that’s what this blog is about. Today we’re sharing our experience adopting the supply-chain security framework SLSA, with the hopes that the lessons we learned will be helpful to you.
- Internet of Things
- Security Policy