Thanks to Mike Lynch, Chief Strategy Officer for InAuth, a subsidiary of American Express, for sharing his insights on the state of IoT security today.
How are you and your company involved in IoT?
We provide device intelligence and security for a mobile-first world. With mobile, today we’re dealing with two standard mobile operating systems, predominantly Android and iOS. IoT is not unlike mobile many years ago: there are no common operating systems. And IoT will grow much faster than mobile, with more than 20 billion devices by 2020, according to Gartner. That’s three devices for every person on earth!
What are the keys to a successful IoT security strategy?
First, can you identify the device that is attempting to interact with you? Can you distinguish devices connecting with your app or your network? Can you block an IP address or device that should not be connecting with you? Today, a car connecting to your bank is suspicious. In five years, it may have a reason for doing so. The principle is to thwart bad traffic. If possible, you want to be able to determine if this device should be connecting with me based on traffic patterns, geolocation data, or device characteristics.
If you cannot know what device is attempting to connect with you, you must be prepared for velocity attacks — one device trying to do many things at one time. One source may be hitting your network over and over like a DDoS or fraudulent attack if payments are involved. Hackers will look for loopholes in security. If one device is making many attempts, you must be prepared to identify the source.
How has IoT security changed in the past year?
The number of devices and vulnerabilities is growing exponentially. Manufacturers are not security experts. The Mirai IoT botnet showed how many devices can be weaponized. This is only the beginning.
What are the technical solutions for IoT security?
The market is looking at patterns, but that is not effective. You are being reactive to a moving target. Sophisticated bots rotate IP addresses. There is no effective security today. People are aware it’s a problem. The solution needs to start with the manufacturers, but we’re a long way off. Most people are looking at passive traffic. Until we have a standard operating system for IoT devices that you can protect and until a common security framework is adhered to, it will be very challenging.
What real-world problems are you helping your clients solve?
We solve problems using bots protecting consumers and companies. We detect malware threats for our clients' consumers. We provide transparent security to ensure that the user hasn’t been phished, is using a fake app, or hasn’t been hacked and that their SMS is safe. We use many different risk assessment techniques to ensure that you can trust the device interacting with your digital channel. We’ve enabled the mobile wallet and mobile banking for many of the world's biggest brands and financial institutions.
What are the most common issues you see with IoT security?
Passwords cannot be changed on devices, or default user passwords are being reused and shared. When a default password can be changed, it is unrealistic to rely on a customer to change it.
Where are the greatest opportunities to succeed in IoT security?
Manufacturers need to close security holes. One approach would be to begin using the IoT Trust Framework on all of the devices produced. While manufacturers don’t want to invest in security, they are putting their customers at risk with unprotected devices.
What skills do developers need to ensure the IoT devices they are working on are secure?
Follow the IoT Trust Framework until an operating system emerges. Then, you can build light apps with devices that will give you the opportunity to: identify the device, know the risk associated with the device, know whether or not a version of that device really exists, grant access and administrative privileges, and tell whether or not the device contains malware. Without a common operating system, use more common cyber security techniques and look at traffic and devices to differentiate what’s good and bad.
What have I failed to ask that you think we need to cover with regard to IoT security?
We need to identify a set of best practices and hopefully a new way of connecting IoT devices such as through a common operating system where solutions are more application-based, like a smartphone platform. We also need a better way of managing credentials built into IoT devices. Start working on the problem now. We need to be able to define the device. The problem will grow. We will see more DDoS attacks. It’s a very challenging environment to secure, but people will hold off on payment projects until there’s a solution for attacks like we’ve seen. Neither companies nor consumers want to connect in a high-risk environment. As such, adoption of IoT may be slowed without a sound solution to the security issue.