About That IoT Device You Received as a Holiday Gift… – Security Intelligence

It is quite possible that you received an internet of things (IoT) device as a holiday gift, and it's very likely that you will find this holiday gift useful. But it's also possible you received an additional gift you have no use for at all: security vulnerabilities. This is the inconvenient truth about the average IoT device: like all technologies, it has flaws and it can add to your risk profile.

Whether you're an individual concerned about someone hacking your home security system and eavesdropping on your private space, or you're part of an enterprise that could have all its sensors turned into a distributed denial-of-service (DDoS) support army, IoT security vulnerabilities are a fact of life, and we can expect to see more of them as more technological advancements emerge. One such advancement, 5G, is already hitting the streets and will fuel increased ubiquity of IoT devices.

How we manage IoT cybersecurity in the coming months and years will play an increasingly important role in how we manage all types of security risks.

What makes an IoT device vulnerable? There are a few issues that are specific to IoT devices, but in principle, they do not differ all that much from the issues we see in other devices we use regularly. In 2014, the Open Web Application Security Project (OWASP) started compiling a list of IoT vulnerabilities to help developers, manufacturers, enterprises and consumers make better decisions regarding IoT systems. Their 2018 top 10 IoT security vulnerabilities were:

If you're a nefarious actor, these types of security vulnerabilities could make you feel like a kid in a candy store.

How do we deal with some or all of these challenges? There are some interesting thoughts out there, but one from Dan Geer is particularly eye-catching, even though it was offered some time ago. Namely, he stated that IoT devices should be made to be ephemeral in nature. In other words, the devices should have a short life span. The thinking behind this idea is that, because there is a lack of updates for these devices, they should be offboarded before they can become an unmanageable threat.

It is certainly an approach to consider, as there are economies of scale that can be utilized, especially since the manufacturing costs of these devices continue to drop. Perhaps it's time to reconsider the feasibility of that approach. Think of these IoT devices as disposable. Once they have been used to capacity, there's no point in fixing them; rather, you could just recycle them and obtain replacement devices.

There are, of course, drawbacks to this approach, at least for now. One is that good code is still not cheap. In fact, good code is expensive. Until we can get some type of economies of scale for code, this approach may be an uphill battle, but it is one worth revisiting from time to time.

Another interesting approach could be the increased use of threat modeling. With advances in data gathering and monitoring systems, along with artificial intelligence (AI), an enterprise can begin to prioritize threats. An area where we could see some very creative methods would be in the development and application of visualization platforms.

Just as social media visualization can offer benefits around understanding relationships, the same can be said of IoT devices, whether they're stationary, mobile or, even more importantly, serving as sensors, actuators or, in some cases, both. But even with threat modeling, there will still be a level of reactivity to your planning. Naturally, you will often have to predict what might happen in order to put a stop to it, but wouldn't it be nice if you could end the running around altogether?

Just as the internet is inherently vulnerable, so is an IoT device. But rather than rebuilding a few decades worth of telecommunications infrastructure and communications protocols, there is something more immediate we can do to reduce security vulnerabilities in these gadgets: certify them.

Certification isn't a simple issue, though. The industry needs to get together and create standards, such as security by design principles, but those standards and their implementation in products will come with costs. It should not surprise anybody that there are only so many costs that can be passed on to the consumer before people start looking elsewhere.

Despite these conditions, coming to some sort of agreement on common security and safety standards for IoT devices still looks like the best long-term bet. Certification establishes a baseline, and that baseline is important because you can provision your network not to accept certain devices unless they have met the standards. Remember, these devices may seem peripheral and could just be endpoints, but in the coming years, they'll also make up more and more of the business supply chain, feeding information constantly into some decision-making authority that will rely on their accuracy and reliability.
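To make the two ideas above concrete, the ephemeral lifespan from Dan Geer and the certification baseline used as a network admission gate, here is an added example of an inventory-driven admission policy. It is not code from the original post or from any product it mentions; the device records, the two-year lifespan, the six-month patch window and the "certified" flag are all constructed assumptions chosen to illustrate the decision logic.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed policy thresholds (assumptions for this example, not from the article).
MAX_DEVICE_AGE = timedelta(days=365 * 2)  # treat devices as ephemeral: retire after two years
MAX_PATCH_AGE = timedelta(days=180)       # no firmware update in six months -> isolate


@dataclass
class IoTDevice:
    device_id: str
    model: str
    deployed: date
    last_firmware_update: date
    certified: bool  # has the vendor/model met the agreed security baseline?


def admission_decision(dev: IoTDevice, today: date) -> str:
    """Return one of 'retire', 'reject', 'quarantine' or 'admit'.

    Checks run from most to least severe so the first failing rule wins.
    """
    if today - dev.deployed > MAX_DEVICE_AGE:
        # Lifespan exceeded: offboard before the device becomes an unmanageable threat.
        return "retire"
    if not dev.certified:
        # Certification baseline not met: do not provision it onto the network at all.
        return "reject"
    if today - dev.last_firmware_update > MAX_PATCH_AGE:
        # Certified but stale: move to a restricted segment until it is updated.
        return "quarantine"
    return "admit"


def evaluate_inventory(devices, today: date) -> dict:
    """Map each device id to its admission decision."""
    return {d.device_id: admission_decision(d, today) for d in devices}


# Constructed sample inventory for a hypothetical office network.
SAMPLE_INVENTORY = [
    IoTDevice("cam-01", "DoorCam v2", date(2019, 10, 1), date(2019, 12, 15), True),
    IoTDevice("therm-07", "SmartTherm", date(2017, 6, 1), date(2019, 12, 1), True),
    IoTDevice("plug-12", "BargainPlug", date(2019, 9, 1), date(2019, 9, 1), False),
    IoTDevice("sensor-03", "AirSense", date(2019, 3, 1), date(2019, 4, 1), True),
]

if __name__ == "__main__":
    for device_id, decision in evaluate_inventory(SAMPLE_INVENTORY, date(2020, 1, 6)).items():
        print(f"{device_id}: {decision}")
```

The ordering matters: an out-of-lifespan device is retired even if it is certified and freshly patched, because the policy treats age, not current patch state, as the trigger for offboarding. In a real deployment the `certified` flag would come from whatever attestation or vendor registry the agreed standard defines; here it is simply a field in the inventory.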

Let's make sure our vision is 20/20 on IoT security vulnerabilities as we head into the new year. To reference a holiday movie, remember that Gizmo was a cute and fun gift up until the moment a little improper care resulted in a bunch of gremlins. Don't let your IoT device turn into a gremlin!
