Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

ICS/OT

Security Pros Show Extensive Distrust of IoT Security

Security testing firm IOActive recently surveyed 129 security professionals on the security of Internet of Things devices at its IOAsis San Francisco 2016 event March 1-2, 2016. The result shows extensive distrust of IoT security.

Security testing firm IOActive recently surveyed 129 security professionals on the security of Internet of Things devices at its IOAsis San Francisco 2016 event March 1-2, 2016. The result shows extensive distrust of IoT security.

According to Gartner, there will be 6.4 billion connected things this year. That number will more than triple to 21 billion connected things by 2020. “Your refrigerator, smoke detector, doorbell and air freshener may already be. Next, clothes, traffic lights and pedestrian walk buttons – and every part of a factory – and even your home’s windows, will all be connected, sharing information…” commented a CNBC report in February.

It is not necessarily the nature of individual products that is concerning, but the way in which they gather data and communicate with other devices and remote servers. “Consensus,” said Jennifer Steffens, chief executive officer for IOActive, “is that more needs to be done to improve the security of all products – but the exponential rate at which IoT products are coming to market, compounded by the expansive risk network created by their often open connectivity, makes IoT security a particular concern and priority.”

This is reflected in the survey responses. Three particular concerns are that security is not designed into products during development; that naive users and user errors will compound problems; and that data privacy will be an issue. These concerns are no different to the concerns frequently voiced for company networks – the difference in the IoT, however, is that the sheer volume and variety of products is staggering.

Just as the concerns are the same, so are the solutions. “It’s important for the companies that develop these products to ensure security is built in,” continues Steffens; “otherwise hackers are provided with opportunities to break into not only the products, but potentially other systems and devices they’re connected to.” 

The survey showed that 72% of the respondents do not believe that this is adequately happening. And it isn’t happening for the same reasons that mainstream software applications are not built securely from the design stage. “Companies often rush development to get products to market in order to gain competitive edge, and then try to engineer security in after the fact. This ultimately drives up costs and creates more risk than including security at the start of the development lifecycle,” said Steffens.

There is no easy solution. The respondents looked to minimum security standards, and enforcing mandatory product recalls, updates, or injunctions as the two most effective means for improving IoT product security. In reality, recalling millions of small intelligent devices might simply be impractical; imposing security standards on devices manufactured in third world countries for economic reasons might be impossible; and enforcing injunctions on companies located in other jurisdictions would be no more effective than it is with other products.

Nevertheless, 83% believe that some form of regulatory action would be necessary, particularly to force vulnerability disclosures.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Expert Insights

Related Content

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

ICS/OT

Otorio has released a free tool that organizations can use to detect and address issues related to DCOM authentication.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.