Securing Billions of IoT Devices Poses Mind-Boggling Challenges
Hewlett-Packard on July 29 released the results of a study in which engineers scanned 10 popular IoT devices, ranging from thermostats and TVs to webcams and home alarms, and found that, on average, there were 25 vulnerabilities per device. The vulnerabilities included insufficient authorization—most allowed passwords like "1234"—insecure Web interfaces, a lack of transport encryption and inadequate software protection, according to the tech vendor. The growing demand is driving device makers to bring systems to the market quickly, often at the expense of proper security.
In addition, Daniel Miessler, practice principal for Fortify on Demand at HP Fortify, told eWEEK that a key issue is that the IoT is bringing together a range of components in new ways that combine vulnerabilities and include network traffic and cloud connectivity. "Each one of those touch points has vulnerabilities that you can write books about, but IoT is special in that it combines all those vulnerabilities together into one ecosystem," Miessler said. "You're taking all the vulnerabilities from already insecure spaces and rolling them into one."
The concerns of security experts are many. The IoT and its tens of billions of connected devices will open up the attack surface for cyber-criminals who are becoming increasingly sophisticated. At the same time, the kinds of devices and systems that will make up the IoT will vary greatly, ranging from toys to industrial systems to airplanes. Do they need the same levels of security? Should they have the same levels of security? There is also the large number of manufacturers building devices for the IoT, which may not have the same ideas about the need for security.
However, the reality may be otherwise. "If past performance is any indication of future results, it's going to take a catastrophe," Dell's Ferguson told eWEEK. "But it should be proactive."
"It's a challenge," Wolfgang Kandek, CTO at security specialist Qualys, told eWEEK. "The Internet of things is coming, or is here already. Security—just like Internet security—is really just an afterthought. ... Security is really not included in the design [of many products]. The challenge is the same [as] when we really got going with the Internet."
Part of that is because when software or hardware is in development, product managers have a difficult choice to make: Do they put more features into the offering, which will make it more attractive to potential customers, or do they reduce the number of features to make room and money for security capabilities, which can make the end product more expensive and complex? "If they have the resources to do one thing, and they have two choices, they'll push toward features until they get pushed to security," Kevin Gilchrist, vice president of product management for security technology vendor Comodo, told eWEEK. "To make it really secure is synonymous with making it less easy to use for device users."
In addition, security tends to take a backseat in the development of hardware and software amid the rush to stake a position in such burgeoning trends as the IoT, and it gets little attention from end users until something goes horribly wrong. In a situation like the Internet of things, security should be a proactive concern, rather than a reactive one.