What Makes IoT Security so Tough?
As connected devices become more popular and accessible, the security risks associated with IoT devices are posing serious concerns for developers.
Join the DZone community and get the full member experience.Join For Free
I went to the very first Internet of Things (IoT) meet-up in New York City five years ago when the term “digital transformation” was just starting to become a buzz phrase and IoT devices were appearing everywhere. It was then that I realized the impact all those interconnected “things” would have on cybersecurity.
Devices before IoT where just that, devices. They ran on code and were made to solve a specific purpose. It could have been to program your thermostat, a garage-door-opener, or an EKG machine. Now, all of these devices are interconnected. If you want your thermostat to change to a warmer setting, as you pull your car into your garage, that is now possible. All of our devices are conveniently connected and able to communicate with each other either via central control systems or with some consumption device like your phone or tablet. Getting too hot? Just have your thermostat signal your blinds to close. Or, speak into your phone and have your front door unlock. Is your washing machine in need of a check-up? It can request service by itself through an API call.
Realities of Modern Convenience
Sure, we call this modern consumer convenience, but it is also very convenient for an attacker. As more and more devices are connected, the attack surfaces infinitely increase and, therefore, vulnerability potential increases.
Some consumers may not find this concerning. “What is an attack surface anyhow?” they might ask. Manufacturers may be more concerned with getting products out to market before even considering the potential vulnerabilities that live in their products. Why would someone want to mess with your thermostat, your blinds, or read your EKG? Whenever we begin to hear about what it could mean when someone hacks into our devices — maybe it's your baby monitor that's scaring your family with weird noises and threats or its someone that's hacked into and turned off your pacemaker — we will realize the potential.
Why Is Securing IoT Devices so Different?
So, how is securing these devices different than securing other devices such as desktops, servers, and cell phones? Attackers hacking into devices with vulnerable code is not new. So, what is different with IoT and why is it hard to secure these devices?
There are multiple factors at play here, let’s look at some of them:
Failing to Completely Understand the Risks
Manufacturers always want to be first to market, launching the latest device, but failing to understand the true security risks that these devices may hold. This means that in a race for functionality, some security defects may be overlooked. Often consumers do not understand the security risks of these devices and, thus, do not hold the manufacturers responsible for these risks. I have heard a personal EKG device manufacturer say “I don’t think anyone would care to hack our device,” and a potential consumer in the same setting back them up.
When “things” are attacked, it is difficult to detect the attack and ultimately place responsibility on the manufacturer. After all, if Windows crashes, resulting in the loss of a days’ work, it is easy to blame it on Microsoft. However, if a Wi-Fi router is being used by attackers to mine Bitcoin, it may be using a bit more electricity, but is likely unnoticeable to a consumer.
Ease of Set-up and Authentication
Deployment of IoT devices has inherited security flaws as well. Typically, locking down a device by setting a secure password or installing security keys for communication requires some work on the consumer side. However, these devices are designed to be installed as easily as possible, with minimal to no configuration. Unfortunately, this means that default passwords are hard-coded into the devices, insecure communication protocols are used, and the most lax permissions are selected.
Lack of Patch Management
Finally, when vulnerabilities are discovered in servers, desktops, or phones, they are patched. Patches are distributed and installed on the affected systems. Patch management, however, becomes more difficult in embedded devices. Here, patching mechanisms either do not exist or are poorly implemented. Sometimes patching may not even be possible. While you can update a Windows machine with some downtime for a reboot, rebooting a pacemaker is probably not in the best interest of the user.
Working Towards Better Secured IoT Devices
These reasons are the most pressing issues of the IoT world that are lucrative for attackers and difficult for security practitioners. Nevertheless, this does not mean that we should just give up. There are ways of making IoT devices both convenient for the consumer and secure from attacks. It just requires a little effort and rigor.
Published at DZone with permission of Roman Garber, DZone MVB. See the original article here.
Opinions expressed by DZone contributors are their own.