Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

The Security Model is Broken, Part 5: IoT Security

The Internet of Things (IoT) is rapidly growing, but security is lagging behind. Millions of cars and almost a billion smart phones are vulnerable to some sort of hacking. Gartner estimates that there will be 26 billion IoT devices by 2020. How many vulnerable devices will we have by then? As Yogi Berra said, it’s deja-vu all over again.

There will be 26 billion IoT devices by 2020

This year, one American car manufacturer recalled 1.4 million hackable cars; researchers successfully hacked automobiles made by an electric car maker; and the Stagefright vulnerability exposed almost a billion Android smart phones.

To their credit, the electric car maker anticipated that vulnerabilities could occur, they had OTA (over the air/WiFi) patching capabilities and they have patched their vehicles. The American car manufacturer does not have OTA capabilities and is distributing USB drives to the owners of the vehicles so they can patch their cars. And Google scrambled to get a patch out because they did not have a coordinated patching process in place with their manufacturers, but they have since instituted a monthly patching process in the wake of the Stagefright vulnerability.

What is more frightening (pun intended) are the results of the 2014 HP IoT Research study which highlights alarming rates of vulnerabilities in IoT devices they tested. Most devices had vulnerabilities related to cross-site scripting and weak credentials, weak password schemes, unencrypted transmissions, personal information being collected, or account enumeration weaknesses. OWASP also has a project to identify and maintain the top ten security problems related to IoT. Again, the usual suspects figured prominently: insecure cloud/web interfaces, lack of encryption, insufficient authentication.

This is not a very good showing, but it doesn’t have to be this way.

In January of this year, the FTC released a paper outlining IoT security and privacy risks. They proposed both legislation for general security and privacy protection, and supported best practices for IoT security. I believe this is a necessary first step to hopefully developing regulatory standards for IoT devices.

Also, several industry groups such as the IoT Consortium, Industrial Internet Consortium, Allseen Alliance, and others are working on IoT standards including the security components.

While these efforts should be supported and continue, the necessary safeguards to secure IoT devices are well known by now. Vulnerability assessment, patching capabilities, strong passwords, intrusion lockout, encrypted transmissions, input validation, and privacy safeguards are well established and fundamental security practices.

The necessary safeguards to secure IoT devices are well known by now

These safeguards should be implemented from the get-go of IoT device deployment. If they are not, then we haven’t learned from past mistakes.

Subscribe to the Tenable Blog

Subscribe
Try for Free Buy Now

Try Tenable.io Vulnerability Management

FREE FOR 60 DAYS

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now and run your first scan within 60 seconds.

Buy Tenable.io Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

Try Nessus Professional Free

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.