The proliferation of IoT devices and embedded parts is growing at a pace in lockstep with that of open source software adoption. That is to say that IoT appears to be an irreversible trend. This makes sense given that Linux and embedded Linux are the de facto operating systems for IoT-based systems and parts.
Gartner, the largest IT industry analyst firm, estimates there will be 20.4 billion IoT-connected components worldwide by 2020, up from the estimated 8.4 billion this year. According to a 2017 Boston Consulting Group report, the market for IoT products and services is expected to reach $267 billion by 2020. The report also predicts that by 2020, 50% of IoT spending will be driven by discrete manufacturing, transportation and logistics, and utilities — critical areas of businesses and community infrastructure.
However, IoT adoption and growth are not guaranteed. There are significant, hidden security vulnerabilities that exist in IoT devices that must be addressed before we can expect the predicted growth rates.
The IoT security ticking time bomb
Most of the firmware built into embedded parts and IoT devices use third-party code that contains open source components. By sourcing third-party code instead of developing software on their own, OEMs can lower assembly costs and quickly add innovations, saving months or years of originally required development time. They also contain known security vulnerabilities.
Newer versions of these components are available without the security vulnerabilities. Nevertheless, it ranges from challenging to impossible for OEM development teams and their third-party software suppliers to accurately and effectively track all open source software components in their code. Especially when their main focus is to concentrate on developing higher-order systems.
According to a newly released PricewaterhouseCoopers report, researchers found only 35% of approximately 9,700 companies polled said they had an IoT security strategy in place. Many companies are expanding their use of connected devices and sensors that collect and send operating or customer data back into digital business tools to drive decision-making. However, only 28% say they have begun to implement added security needed to guard against the increased risk of cyberattacks created by IoT networks.
Unfortunately, without the willingness of OEMs and developers to effectively secure their IoT products, we will be left with either a vulnerable critical corporate and community infrastructure or impairment to the IoT market growth. Technology, manufacturing, utility and government organizations will begin to take a pointedly more cautious approach regarding the devices they layer into their systems and infrastructure.
Equifax-like lawsuits could impede IoT adoption
Costly litigation initiated by customers and ultimately end users against OEMs will likely incite negative IoT adoption and growth.
Why? Because OEMs will be hard pressed to defend themselves when the vast majority of IoT security vulnerabilities are due to known open source security issues in the firmware — issues that could have been remedied with software patches or by using the most recently updated versions of the OSS components that already contain the patches.
This is exactly what happened with Equifax. A well-known and documented Apache Strut security vulnerability was left unpatched, resulting in a data breach that triggered multiple multibillion-dollar lawsuits.
Consumer mobile device and client computing “push updates” model won’t work for most IoT implementations
For more than a decade, OEMs selling enterprise clients and consumer mobile devices have patched security vulnerabilities found on operating systems and applications via updates. Major players, like Microsoft and Apple, have exhibited successful implementation of this “patched” update model, shielding PCs and mobile devices from cybercrimes. Other companies, like Tesla, have taken this process to a new level, updating entire fleets of automobiles with patches and eliminating the need for owner intervention.
IoT platforms are particularly susceptible to security vulnerabilities. Major players like Microsoft and Apple shield personal computers and mobile devices from cyberattacks. Yet no standardized systems currently exist to administer such robust security for IoT structures, despite their heavy use of open source components. Without any leading players to effectively push these “patched” updates, IoT platforms are left susceptible to known security vulnerability exploits. Consequently, IoT OEMs must bear the burden of locating and eliminating all known security vulnerabilities in their firmware prior to shipping products.
Great, but how can they do that?
With the right tool.
Given that 90% or more of the software distributed contains some form of open source-based code, the most efficient mechanism for finding and weeding out IoT security vulnerabilities is via code scanning. This simple procedure will deliver the highest security vulnerability removal ROI.
Scan for known security vulnerabilities
Most OEMs purchase their firmware or third-party code elements in order to reduce development and purchasing costs. OEMs usually acquire all or some part of their firmware in binary format, making it very challenging to initially identify any potential security vulnerabilities without the source code.
There are a number of software security and compliance analyzing and scanning tools that OEMs and developers can use. Unfortunately, most are focused on addressing common programming errors in the source code. Though existing open source and commercial code analyzers offer partial binary scanning, their first step is to reverse-engineer binary into the source code.
There are more effective ways to examine binary codes — namely binary code scanners. They evaluate all raw binary to positively identify what open source components, and what versions, are in the code. The scanners will then compare their findings to established, frequently updated databases of known security vulnerabilities. Binary scanners can examine library function or other code exclusively delivered in binary format sans disassembly.
The positive potential offered by IoT devices in personal, commercial and societal applications borders on the incredible. New industries will emerge and others will be completely transformed for the better. However, unless IoT security is effectively addressed, it may remain just that, a potentially positive group of products and associated services. OEMs and their development teams should look to implement an easy, first line of IoT security defense by scanning and addressing potential security holes that exist in the firmware.
In my next article, I will examine, at a more granular level, different types of binary code scanners.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.