Five fundamentals of security in the internet of things era

The sad truth is that many consumers now find themselves asking the same questions that security researchers asked many years ago: What do we trust, who can we trust, and why should we automatically trust anything, regardless of how familiar or benign it looks?

With an estimated 6.4 billion devices already in circulation, we’re almost to the point where there’s an Internet of Things (IoT) device for every person on the planet. By 2020, devices will outnumber us by almost three-to-one. While we’re still working on securing desktops, laptops, servers, phones and tablets, we must start applying those same standards of trust to the smaller (and sometimes larger) devices that don’t seem as dangerous.

While automation, connectivity and intelligence have increased in information technology, industrial control systems, and most recently in our living rooms and cars, innovation and convenience have taken precedence over security. We’ve considered basic environmental and safety concerns, but we have not given enough consideration to sabotage or subterfuge.

With the popularity of IoT products, both vendors and consumers are learning quickly what works and what does not. The seemingly minor issue of leaving default passwords enabled on security cameras and digital video recorders turned into a major security flaw, as the Mirai botnet fueled a massive distributed denial of service (DDoS) attack against domain name system provider Dyn in October 2016. As recently as March 2017, IBM X-Force researchers found a new variant of the Mirai botnet attempting to mine Bitcoins using compromised IoT devices.

Connected cars are among the latest IoT devices to come under scrutiny by the security community. Earlier this year, it was reported that four major auto manufacturers left security and privacy gaps in the mobile apps controlling their connected cars, allowing previous owners to geo-locate, unlock and control the vehicles in unintended ways.

New vulnerabilities in products are discovered frequently, which erodes consumer confidence. Securing the IoT requires a partnership between the public and private sectors. Here are five fundamentals of IoT security:

  • Software security degrades over time: All software needs to be patched eventually. Manufacturers need a way to get IoT sensors and devices patched in very distributed and uncontrolled environments. They need to provide updates for the life of the device.
  • Static secrets don’t stay secret: Default or hard-coded credentials can quickly become security issues by becoming known over time. Recent examples, including Mirai, demonstrate how malware takes advantage of such a situation to take over IoT devices for DDoS tsunamis. Organizations need to design devices that prompt a change of passwords on the first use.
  • Weak configurations persist: The default configuration of an IoT device persists unless changed by the user. If manufacturers ship IoT devices in the least secure state, it is the responsibility of the device owner to take measures to improve that security. If vendors set the default configuration to the most secure choice, users must consciously select less secure options.
  • Without lifecycle management, data accumulates: Because of all the data generated from IoT devices, the security of the data and how it’s created, used and deleted becomes important. What happens if the data falls into the wrong hands? Over time, connections between different seemingly disparate datasets may emerge. IoT devices accumulate massive amounts of personal data, such as voice searches, GPS locations or heart rate information. If the data isn’t managed and secured, it could lead to loss of privacy and issues of data ownership. Choose vendors that can be trusted with personal data.
  • Secure devices that operate in hostile environments: In contrast to mobile devices, like phones, laptops and tablets, IoT devices often operate without any human supervision. Such devices must be rugged and resistant to physical tampering and have an ability to alert a central command center if they are under attack. Administrators of IoT operations need the visibility and control to be able to safely degrade and decommission devices that have failed or been compromised.
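
The second and third fundamentals can be combined in a first-use gate, sketched here as an added example that is not from the original article or from any vendor's firmware. The `Device` class, the sample passwords, the deny-list and the 12-character minimum are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample values: a factory credential and a short deny-list of
# well-known defaults. A shipping product would carry a much longer list.
FACTORY_PASSWORD = "admin"
KNOWN_DEFAULTS = {"admin", "password", "12345", "root", "default"}


class Device:
    """Hypothetical device account store with a first-use password gate."""

    def __init__(self):
        self.salt = os.urandom(16)            # per-device salt
        self.pw_hash = self._hash(FACTORY_PASSWORD)
        self.must_change = True               # set at the factory
        self.remote_admin = False             # secure default: off

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(),
                                   self.salt, 200_000)

    def login(self, password):
        """Return 'denied', 'change_required' or 'ok'."""
        if not hmac.compare_digest(self._hash(password), self.pw_hash):
            return "denied"
        return "change_required" if self.must_change else "ok"

    def change_password(self, old, new):
        """Replace the credential; refuse short, reused or default values."""
        if self.login(old) == "denied":
            return False
        if len(new) < 12 or new.lower() in KNOWN_DEFAULTS or new == old:
            return False
        self.pw_hash = self._hash(new)
        self.must_change = False
        return True

    def enable_remote_admin(self, password):
        """Remote management stays off until the owner has set a password."""
        if self.login(password) != "ok":
            return False
        self.remote_admin = True
        return True
```

The factory credential only unlocks the password-change step, so a device still carrying its default password never exposes remote management.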

Securing the Internet of Things is not the sole responsibility of the cybersecurity industry. Manufacturers, developers, and most importantly, consumers must reach an understanding about the dangers and remedies moving forward.

By Ben Mann