Security testing firm IOActive recently surveyed 129 security professionals on the security of Internet of Things devices at its IOAsis San Francisco 2016 event March 1-2, 2016. The result shows extensive distrust of IoT security.
According to Gartner, there will be 6.4 billion connected things this year. That number will more than triple to 21 billion connected things by 2020. “Your refrigerator, smoke detector, doorbell and air freshener may already be. Next, clothes, traffic lights and pedestrian walk buttons – and every part of a factory – and even your home’s windows, will all be connected, sharing information…” commented a CNBC report in February.
It is not necessarily the nature of individual products that is concerning, but the way in which they gather data and communicate with other devices and remote servers. “Consensus,” said Jennifer Steffens, chief executive officer for IOActive, “is that more needs to be done to improve the security of all products – but the exponential rate at which IoT products are coming to market, compounded by the expansive risk network created by their often open connectivity, makes IoT security a particular concern and priority.”
This is reflected in the survey responses. Three particular concerns are that security is not designed into products during development; that naive users and user errors will compound problems; and that data privacy will be an issue. These concerns are no different to the concerns frequently voiced for company networks – the difference in the IoT, however, is that the sheer volume and variety of products is staggering.
Just as the concerns are the same, so are the solutions. “It’s important for the companies that develop these products to ensure security is built in,” continues Steffens; “otherwise hackers are provided with opportunities to break into not only the products, but potentially other systems and devices they’re connected to.”
The survey showed that 72% of the respondents do not believe that this is adequately happening. And it isn’t happening for the same reasons that mainstream software applications are not built securely from the design stage. “Companies often rush development to get products to market in order to gain competitive edge, and then try to engineer security in after the fact. This ultimately drives up costs and creates more risk than including security at the start of the development lifecycle,” said Steffens.
There is no easy solution. The respondents looked to minimum security standards, and enforcing mandatory product recalls, updates, or injunctions as the two most effective means for improving IoT product security. In reality, recalling millions of small intelligent devices might simply be impractical; imposing security standards on devices manufactured in third world countries for economic reasons might be impossible; and enforcing injunctions on companies located in other jurisdictions would be no more effective than it is with other products.
Nevertheless, 83% believe that some form of regulatory action would be necessary, particularly to force vulnerability disclosures.