A recent study found 80 percent of Internet of Things apps aren't tested for vulnerabilities and there is still a lack of urgency to address the risk.
The “2017 Study on Mobile and IoT Application Security”, conducted by the Ponemon Institute and sponsored by IBM and Arxan Technologies, surveyed 593 IT and IT security practitioners to explore how unprepared companies are for the risks created by vulnerabilities in IoT apps.
The survey found despite the lack of urgency, 84 percent of respondents are very concerned about the threat of malware to mobile apps and 66 percent of respondents say they are very concerned about this threat to IoT apps. To make matters worse, 79 percent of respondents say the use of mobile apps and 75 percent of respondents say the use of IoT apps increase security risk very significantly or significantly.
Respondents also reported being more concerned about getting hacked through an IoT app, 58 percent, than a mobile app, 53 percent.
If these findings sound contradictory, you're not alone. Arxan Technologies chief marketing officer Mandeep Khera told SC Media: “The biggest surprise was that a vast majority of the respondents believe that they are likely to get hacked but most of them are not doing much to protect themselves. Just seems counter-intuitive.”
Khera warned this is mainly due to a lack of inertia, lack of awareness, and lack of budget and that these are the same type of problems that got developers in trouble when trying to secure web apps a few years ago.
“IoT is still fairly new and due to lack of a big visible hack or a regulation, organisations have a hard time justifying security initiatives,” Khera said. “However, a hack is coming and in some segments like connected medical and connected automobiles, companies are starting to make good progress in terms of security.”
One of the problems stalling progress, Khera said, is that since IoT is so new, most professionals do not understand the potential vulnerabilities or the potential impact of a hack on these devices. To combat this, security executives need to make a strong case for IoT app protection, because the consequences could be devastating.
Proactive testing, fixing vulnerabilities, and protecting binary code and cryptographic keys are some of the ways companies can mitigate the risks and better secure IoT devices, Khera said. Companies may go through the software development lifecycle with security in mind, but once those apps are released into the wild on endpoint or mobile devices, their binary code and cryptographic keys are exposed and easy for attackers to target.
IoT apps are experiencing something similar to the rise of virtualisation: a lack of understanding of, and commitment to, a security-first methodology, Brad Bussie, CISSP, director of product management at STEALTHbits Technologies, told SC Media.
“IoT apps are still new enough that usability is outflanking security because security has a reputation of getting in the way,” Bussie said. “The new IoT apps also lack a common set of standards because of the sheer number of IoT devices providing countless applications.”
Bussie said vendors continue to manufacture insecure devices because manufacturers are experiencing a phenomenon in IoT and IoT apps where the buzz and usability outweigh the security implications.
“I always take this back to a simple principle when analysing risk (Probability of Event) x (Cost of Event) = Risk Value,” Bussie said. “Many companies appear to be running this equation and coming to a simple conclusion; it is cheaper to manufacture devices and applications without proper security.”
He noted that until manufacturers stand up and make this a priority and a marketable feature, the industry will continue to produce insecure products regardless of the impact on consumers.