With half of 2019 gone already (can you believe it?), in our opinion it’s an opportune time to reflect on the state of IoT security. In many of the prospects that come to us via our normal sales processes, we continue to sense a general urgency but also a continued sense of confusion about the path forward.
How Bad is IoT Security Today?
In one word, bad. It seems IoT vulnerabilities with major consequences in practically all industries are being reported now more than ever, with the media continuing to stress that IoT cybersecurity attacks could be enormous and have widespread impact. Just this weekend, the US government and Medtronic warned that some of the company’s insulin pumps have a vulnerability in the wireless RF communication protocol that affects 4,000 people. Hackers in an adjacent product, such as a blood glucose meter, glucose sensor transmitter or USB device, can potentially send RF signals to change the pump’s setting and send a patient into a state of hypoglycemia or hyperglycemia, depending on how much insulin is delivered.
While this is a vulnerability in connectivity and in the medical field, many IoT device manufacturers continue to be lax in the very basics, such as not using passwords, using default ones that buyers cannot change or that are the same on all devices, and not using symmetric encryption. While routers and connected cameras (largely due to volume) make up 90% of infected devices today, almost all IoT devices are vulnerable.
We hate to be downers at the start of this July 4th week, but it’s important to be honest with ourselves on where we are.
Here are some of the reasons we think the problem is going to get worse before it gets better:
- The financial payoff for device makers to move fast and not fully consider security seems to be too big. There are many manufacturers (both on the consumer and industrial side) already making a lot of money in what are many multi-billion dollar marketplaces. It’s clear the incentives are not aligned and government regulation may be the only answer as it has been in food and transportation safety.
- Device owners don’t know their devices are even connected or infected, and some may not care if their device is causing trouble. Not only are consumers and buyers not voting with their wallets and mandating an IoT safety scorecard of manufacturers, but there is evidence that even when someone’s device is involved in a botnet, device owners think it’s someone else’s problem if the device works for them. This was validated by phone calls to inconspicuous device owners contributing to the Mirai botnet several years ago.
- The attitude amongst enterprises is not much better. A study by Inmarsat in January 2019 found that two-thirds of 750 businesses in the global supply chain knew that their approaches to cybersecurity could be strengthened, but only 33% had invested in new security technologies and 56% said they lacked staff to secure their industrial IoT deployments. This gets into the cybersecurity job shortage, which remains a looming problem.
- There are millions and possibly billions of legacy devices that were pumped out with vulnerabilities and have no way to be updated easily (like the insulin pumps above, per Medtronic’s statements). Unless the owners “traded them in” for a fully secure alternative device (not a possibility today), this estate of “toxic” legacy devices is a goldmine for hackers and botnet creators.
- There are now over 30 countries and counting that are developing cyber defense and cyber attack warfare capabilities. Many of these teams focus on finding zero-day vulnerabilities and/or unpatched vulnerabilities in critical infrastructure and other important national assets. Both the US and UK intelligence agencies have been quite vocal about foreign malicious actors having infiltrated key national infrastructure sites, and the US (since former President Obama) has said we have the most cyber capable army in the world. While there has been little verified notice of anyone causing mass disruption (outside of Ukraine a few years ago), even nuclear missiles must be tested at some point to validate they work.
- We can’t underscore enough that, with nearly a billion IoT devices being shipped a year today, the lack of universal standards similar to WiFi or 802.1X for how devices should handshake, send encrypted traffic to one another and receive OTA updates means the toxic lake of devices is only getting bigger, much as cumulative CO2 emissions are for global warming (notwithstanding our first point below). 5G stands to accelerate the number of devices coming online in the next 2 years, but standards consolidation does not appear on the horizon.
Of course, we like to look at the positives here at Dellfer and here are some reasons to be optimistic:
- There is more government attention than ever on IoT security issues. ENISA, which henceforth will be permanent and called the EU Agency for Cybersecurity, got serious about IoT a few years ago, has now passed the EU’s Cybersecurity Act and will oversee cybersecurity for all 28 member states. The agency will have influence over the development of IoT devices and will play a big role in unifying different cybersecurity standards and guidelines for certification. On our side of the pond, NIST has also just released a new 34-page report called NISTIR 8228 that complements their Cybersecurity Framework and SP 800-53 Rev. 5 guidance document. NIST is working toward a baseline document that identifies the fundamental cybersecurity capabilities an IoT device should include. There are several other working bodies for standards that we will detail in a future post.
- Every day the topic of IoT cybersecurity seems to be growing, either from the media side or analyst reports that describe it as an exploding market. This helps in raising consciousness for a big problem and keeping it top of mind.
- With all of the technical, economic, behavioral and political issues we’ve discussed in this post, we are more convinced than ever that we are on the right track with ZeroDayGuard, a solution that effectively leaves developers with very little pain in securing their IoT code and sealing exploitable vulnerabilities. With movements like the secure by design guidelines coming out of the UK last October, we know that our IoT device integrity solution sits on the right side of the fence when it comes to making massive progress on what seems like an intractable problem. IoT cybersecurity cannot be solved by bolt-on, after-the-fact solutions. Nor do we have the time (decades?) to waste as we did in the enterprise space with a cat-and-mouse catch-up game, given the stakes in this game.
So should we hang it all up and accept a major catastrophe will happen?
Not at all. If you are a developer or engineering team manager, we invite you to view any of our videos to see how easy it is to actually deploy a security layer in your code that can keep your devices from being attacked by remote code execution attacks or anything that would exploit a buffer overflow vulnerability. We are literally talking seconds to minutes during your build-time operation. While clearly there are other security safeguards to respect in IoT device development, ZeroDayGuard takes care of a large swath of some of the most harmful types of attacks and hacks possible on IoT connected devices.
As a consumer, as with other big problems in our world, becoming educated and aware of the choices you make, from elected officials to the products you buy, matters in the long run.