This piece is part 3 of our ongoing series on IoT security. Don't forget to download the eBook to understand the IoT security gap and how your business needs to address it, today.
Securing the Internet of Things is a major concern and a priority, but organizational capabilities to address the concerns aren't evolving as quickly as are connected products or the concerns themselves. This year, the number of respondents to our Internet of Evil Things survey who said they have a budget — or plan to have a budget — for IoT security is up 11 percent. Still, though, budgets for IoT remain low compared with other categories.
Even though 44 percent of respondents said they care more about device threats than about traditional network security — up 16 percent from 2016 — and even though Gartner has reported that "lack of IoT network and device visibility is now a top concern of chief information security officers (CISOs), both in consumer and industrial IoT verticals," actually achieving IoT security has proven elusive for many companies. That could be because products are being invented faster than we can vet them, because employees don't vet those devices at all, or because there are a lot of ways to connect to your IoT devices even thorough security vetting won't necessarily prepare you for.
Let's review some of the main threats and why they're present in the first place.
Swiss Cheese Security
Companies are making connected devices fast, but they're leaving gaping holes in the form of default configuration, weak passwords and unidentified backdoors. Why? Says Yolonda Smith, director of product management at Pwnie Express, "These things are designed to be deployed quickly and security takes a backseat. Whoever makes it to market first wins the day."
Predictions 2017: Cybersecurity Risks Intensify, a recent Forrester report, echoed that sentiment. "Today, firms are developing IoT firmware with open source components in a rush to market. Unfortunately, many are delivering these IoT solutions without good plans for updates, leaving them open to not only vulnerabilities but vulnerabilities security teams cannot remediate quickly. When smart thermostats alone exceed over 1 million devices, it’s not hard to imagine a vulnerability that easily exceeds the scale of Heartbleed, especially if multiple IoT solutions include the same open source component."
An inability to patch IoT firmware because the vendor didn't plan for over-the-air patching or because the device doesn't have reliable network connectivity is serious cause for concern. And it's not just speed to market or the sheer number of devices that can lead to these holes being built right in, it's also regular old carelessness on the part of the manufacturer and the end user.
Pwnie Express Director of Research and Development Rick Farina agrees. "Look at even non-intentional vulnerabilities. Look at Mirai, the big one. Here is, more or less, an SDK released for DVR and IP camera products, where people spent no effort to do silly things like change the default password. Even when people read the EULA for the smart TVs that said 'Don’t ever talk about anything private in front of this television, and please leave the room to do so, whether it’s on or off,' it had no effect on them.
"That's IoT in a nutshell. It's completed riddled with holes." And businesses are overlooking these vulnerabilities in exchange for the promise of accelerated business and market differentiation.
Default Configurations and Weak Encryption
In our latest report, data culled from up to 74.5 million wireless devices and 86 million connections from different device types, total, told us what we already knew: companies have not stopped producing products with insecure default configurations. The default network from common routers “linksys” and “Netgear” were two of our top 10 most common “open default” wireless SSIDs (named networks), and the hotspot network built in for the configuration and setup of HP printers—“hpsetup”—is still near the top.
This lack of security is a true annoyance. As Sam Thielman wrote for The Guardian, referring to the Mirai botnet that brought about October 21, "One frustration among researchers is that DDoS attacks such as Friday’s siege of the Dyn servers are digital warfare of the least intelligent kind. There’s no network breach, merely a host of insecure devices hijacked using simple methods such as scanning open networks for devices using factory-default passwords. The devices are then used to artificially increase traffic beyond a network’s capacity – the computer equivalent of calling every phone in an office building at once, repeatedly." In other words, simple attacks are enough, because these are simple vulnerabilities.
Aside from default configurations, inability to update and the ridiculous number of devices in the wild, vulnerabilities come from a variety of hidden areas, including:
- Stretched to the limit IT security teams
- Stretched to the limit budgets
- Lack of education for non-IT employees
- Poor encryption
The first three of these issues could be addressed by strong organizational direction, but the last is especially disconcerting, because the responsibility for it doesn't necessarily lie with your enterprise. (We'll come back to responsibility later in this blog series.) Poor encryption is a massive and widespread issue. In our review of millions of devices, we found that a full 21 percent of all viewed SSIDs had weak or no encryption — far beyond what we would have expected from an enterprise environment. Eighteen percent of these service set identifiers (SSIDs) had no encryption, and a surprising three percent of all SSIDs had Wired Equivalent Privacy (WEP) encryption — a standard so outdated it was considered vulnerable a decade ago.
Finally, though some manufacturers actually do manage to produce systems and devices which come off the production line with adequate security, that security doesn’t last forever. As we have seen with attacks such as WannaCry — where SMB version 1 was exploited — or with vulnerabilities such Heartbleed and ShellShock in which SSL and SSH were found to have lacking protections, security, like milk, rots. And like milk, measures taken for security purposes have an expiration date. Unlike milk, though, that expiration date isn’t taken into account when you purchase. This rot means that as security models evolve, so must the underlying supporting architecture. Devices that were meant to last for decades aren’t coming off of the line architected in a way that will allow them to remain secure for decades. This is particularly true for large, complex systems such as those found in industrial and medical environments.
With this information in mind, it's easy to see why vulnerabilities abound. And it's not just the presence of vulnerabilities that matters, but also the actual parts of your business that these vulnerabilities expose — parts that were never connected before. When budget and internal action doesn't match up to the fears of security professionals or the increase in product development as manufacturers race to market, there are more likely to be more security gaps in every organization — and those gaps will be of greater significance. They simply can't be covered by current spend.
What can happen, then, if the gap isn't closed?
And don't forget to read our eBook to understand more about the consequences of poor IoT security and how you can begin to fill the gap today.