Analysis

People aren't taking IoT security seriously, claim experts

IoT companies have attitude of "ship first, make it secure later", vendors state


Security is very much a central issue for the Internet of Things, experts claimed at Paris' Connected Conference last week. 

A multitude of connected devices automating our day-to-day lives is useful, but it also gives an unprecedented and ever-increasing digital window into our homes, as well as introducing multiple new threat vectors for attackers to exploit.

Estimates suggest the number of IoT products on the market will shoot up to 30 billion within five years. According to Freescale's Alex Candela, "at least 50 per cent of those new IoT devices are going to be developed by startups".

This has the potential to raise numerous problems. For many startups, security is often not a principal concern, as Hugo Fiennes of Electric Imp points out. When it comes to IoT security, he claims that "people are not taking it seriously yet."


"A lot of the time in startups, the issue is that you have a limited amount of money, a limited amount of time, a limited amount of resources, and security's not the thing that's going to make or break the company at that stage."

The fact that many companies are being forced to choose between security and getting to market quickly could lead to problems later down the road, according to Fiennes.

"People are often much more concerned with shipping than they are with actually making sure their product is secure", he claims. He believes there's a dangerous attitude of "ship first, make it secure later", without realising that "it's almost impossible to do that".

Secure updates are a major source of concern for professionals in the IoT space. Fiennes drew on the example of 2014's Heartbleed bug: despite the confidence of sys-admins with fully-patched servers, affected systems "went from fully secure to fully insecure in the space of one announcement".

Regular updates to device firmware are crucial for responding to new threats such as Heartbleed. Many products, however, are released with no system for delivering them. Fiennes was emphatic about the risks of this strategy, stating that "If your device can't be updated automatically, it is insecure, period".

Fiennes is of the opinion that self-updating software is a necessity for IoT vendors, because, as he puts it, "users don't upgrade things". To illustrate this point, he asked the tech-savvy, professional crowd who had updated their router's firmware in the past year, with around five people responding in the affirmative.

The solution, he says, is to simply cut the user out completely. By placing enabling clauses in their terms of service, companies' devices can simply upgrade their own firmware at the earliest convenient opportunity. 

However, he cautions that this requires a level of trust between users and vendors. While some companies have less-than-sparkling security records, Fiennes mentioned Belkin as a company that has a good attitude to the problem.

With one of their products, it was discovered that although they were signing firmware updates, they were putting the key in the update itself. Since then, however, they've taken steps to secure future products by offering bug bounty programs, liaising with security experts, and trying to rebuild their image.

One of the most dangerous aspects of IoT is the vastly increased number of attack vectors it introduces. IoT evangelist Liam Boogar warned that the danger of intrusion gets exponentially greater "the more we create new nodes".


Threats can come from anywhere, too. Fiennes mentioned a common question when dealing with IoT security: "why would someone hack my toaster?" As he explains, however, it is no longer simply a toaster. If it has A/C power and a network connection, that device is a node.

"It doesn't matter that it's a toaster", Fiennes says; "The person who hacks it may not even know it's a toaster". For an attacker, almost any powered, connected device can be used for malicious tasks such as broadcasting spam, sending DDoS packets or building a secure tunnel into the rest of your network.

Hackers have a well-earned reputation for ingenuity, and Fiennes recommends keeping an eye on exactly what it is they're doing. He states that hacker conventions like DEF CON and Black Hat can be a great source of insight for developers.

Fiennes advises IoT creators visiting these kinds of conferences to look around, see what people do to other products and think "could someone do this to mine?" By analysing the methods used by real potential intruders, companies can get increased visibility over their product's security flaws.

The security of the Internet of Things is an issue that's only going to get more and more prominent, as an increasing number of connected devices enter the market. However, by ensuring that they're abiding by best practices and maintaining a strong security focus, companies can prevent threat actors from exploiting their product.
