In the early 2000s, the thought of allowing connected devices access to corporate applications was unheard of.
Fast forward to 2018 and the concept is ubiquitous in all industry verticals. The explosion of devices – 20 billion by 2020 according to Gartner – does create problems, but the issues very rarely emanate from proprietary or unique technology challenges; they stem from a handful of linked issues.
Because the idea of internet-enabled toasters, coffee machines, toys, planes, trains, and automobiles is relatively new, security has not always been considered in product design. A lot can be achieved through education; selling devices with predictable default configurations and poor password management is a problem that is simple and inexpensive to fix. If devices are shipped with the low-hanging fruit problems removed, security becomes a consumer requirement, which will lead hardware vendors to guarantee a baseline level of security.
I believe that the most critical issues for IoT security include:
The hardware industry's failure to address critical vulnerabilities
When it comes to secure development and patching, hardware vendors are at least a decade behind the software industry. At the turn of the millennium, software vendors were forced to rethink their approach to security and ensure that it was built into products throughout the development lifecycle.
In light of the multitude of “IoT pwnage” we've seen over the past year, however, hardware manufacturers need to up their game – and quickly. Unlike software vulnerabilities, which can be addressed with a simple patch, many of today's hardware products have no easy means of patching firmware. It's therefore likely that an entire generation of hardware devices will need to be replaced when critical vulnerabilities are uncovered. Easy for a light bulb, slightly harder for a plane.
Enterprise IoT visibility
The organisational attack surface continues to expand; the more device types and form factors that we have to deal with, the tougher it is to have any semblance of enterprise visibility. When was the last time that you conducted a penetration test on your photocopier or HVAC system? Both are likely now connected online, and storing and transmitting data. CISOs must go beyond the PC, and include IoT devices in overall security planning and testing.
Another significant challenge when securing IoT devices comes from the fact that organisations simply don't know where those devices are. The consumerisation of IT has empowered employees to deploy network-connected devices without involvement from the IT department. However, as we learned from the Mirai botnet, these IoT devices can be remotely repurposed by a botnet – and leveraged as powerful weapons in a DDoS attack.
Automation leads to downstream risk
IoT-enabled devices provide consumer convenience, but they also increase the need for holistic risk management and threat modeling. Let's take digital assistants, such as Amazon Echo and Google Home, for example. In isolation, the threat profile is innocuous enough: a friendly voice in our living rooms that tells us the weather, or how the FTSE 100 is performing. Unfortunately, the assistant's main benefit is also its vulnerability: extensibility and integration.
What happens if one of these devices is compromised? The home assistant has become the contemporary domain admin – the prized asset in an environment. Why go through the effort to compromise a laptop, with its multifactor authentication and automatic patching, when an attacker can grab the keys to the kingdom via straightforward appliance rooting?
Why Machine Learning (ML) is not a silver bullet
ML models can be used to improve efficiencies and identify risks or new opportunities. ML adds power and automation to previously time-consuming, resource-intensive activities, and is used to identify malware, predict stock prices, tailor an investment portfolio, or even drive a car.
But ML doesn't work well on all problems. In situations where patterns within data are unavailable, machine learning isn't particularly useful. Insider threats are a good example: identifying surreptitious activity of a disgruntled employee has so many permutations that it's difficult to spot. A risk associated with smart devices comes from the veracity of the information being provided. If we're concerned with IoT security, data integrity becomes a real security issue. Indeed, if sensors, water pumps, electricity meters, and cameras can all have their data altered, and this data is used for critical decision-making (like turning on street lights), then there's a problem.