With most IoT devices using open source technology, inherent software vulnerabilities remain unaddressed.
Internet of things (IoT) technology has innumerable merits that considerably enhance our productivity both in the business landscape and in our day-to-day lives. But this efficiency comes at a price. IoT is a novel technology that is susceptible to more than 70,000 known CVEs (Common Vulnerabilities and Exposures). And despite this astounding figure, the new and emerging technology is still believed to have many more vulnerabilities that have not yet been discovered by industry players.
This makes India’s rapid adoption of the technology a bit perilous from the cyber security perspective. With IoT technology manufacturers racing to bring their products to market, security features are unlikely to be a high priority. As such, this is one of the few areas of technology where regulation may benefit the end-users and the wider security ecosystem.
According to cybersecurity player F-Secure, IoT or ‘smart’ devices are the latest market sensation. This means there is currently a rush to launch new internet-connected products in the market to claim maximum share. However, such devices are usually manufactured by companies with expertise in design and manufacturing, not security. “Most OEMs use open-source technology, but they don’t advertise that fact or provide upgrade paths to consumers. As a result, there may be inherent software vulnerabilities that have not and will never be addressed. What’s worse is that there is no one checking to make sure the required patches are applied. A single vulnerable device can then be used as a vector of attack to gain access to the entire network,” says Keith Martin, head of Asia-Pacific and Corporate Business, F-Secure. “Remember, Hypponen’s Law states: If it’s smart, it’s vulnerable.”
Naturally, there are opportunities for cyber security companies such as F-Secure to assist IoT device manufacturers in developing security strategies. F-Secure, for instance, has a cyber security assessment service for hardware and software companies wishing to test their products for vulnerabilities. It is also working with router manufacturers and internet service providers catering to domestic customers. Home routers are the entry points to the internet connectivity of people’s homes. Though home routers may not be IoT devices as such, they are an essential component of connected homes; securing them, therefore, becomes critical.
At the same time, F-Secure believes that endpoint protection for personal devices (such as Windows PCs, Macs, Android phones or tablets) is still important. Compromised IoT devices might be used “as is” for malicious activities such as botnet attacks, but they can also be used for infecting other personal devices on the home network. This could then lead to, for example, exfiltration of sensitive personal files or theft of login credentials. Hence, endpoint protection (for the platforms that support it) is still very relevant and needed.
“We believe the best protection for connected homes can only be achieved through a three-layer protection strategy comprising endpoint protection (for supported devices and platforms), in-router security, and cloud-based security,” he says.
F-Secure sees three to four major factors which need to be addressed to make IoT devices more secure. One is the lack of financial consequences that would encourage manufacturers to make their IoT products (or any online system, for that matter) secure. As long as IoT device manufacturers can get away with selling unsecured products and services without penalties, there is little hope for change. The second factor is the lack of regulation and compliance rules, and the enforcement thereof. IoT devices should be tested and marked according to a robust cyber security standard. The third factor is the lack of secure software development expertise. As the need for cyber security expertise grows, IoT device makers find it more and more difficult to hire and retain the necessary talent. “We recommend and support investing in the education of cyber security experts to address this challenge,” he summed up.