Forty-eight percent of U.S. companies with IoT devices on their network have been breached, according to a recent study.
All industries, including healthcare, retail and finance, rely on IoT for its efficiency and productivity benefits to beat out competitors. As a result, IoT manufacturers are working diligently to keep up with the supply and demand logistics of this increased adoption. Unfortunately, more often than not, these devices lack proper security, ultimately creating an opportunity for an adversary to hack through the device and infiltrate the broader network.
A recently discovered vulnerability dubbed Devil’s Ivy showcases exactly how security flaws impact IoT devices. The Devil’s Ivy vulnerability was found in a toolkit called gSOAP, which is a bundle of reusable code that software engineers or device manufacturers use so devices can talk to the internet, and was located deep within the communication system of Axis smart cameras. Researchers discovered that the gSOAP toolkit has been used by many big name manufacturers; there are currently one million devices using gSOAP that carry the Devil’s Ivy vulnerability.
So, what’s the solution? While it might seem simple — to stop using vulnerable development toolkits and create stronger security systems — unfortunately, manufacturers face many challenges when developing these devices. Let’s take a look.
Four reasons why IoT devices are insecure
Lack of experience
Manufacturing organizations are not in the business of cybersecurity. As such, they are unknowingly making it easier for cybercriminals to breach a network. We saw this first with the PC industry. PCs have been manufactured by engineers that are experienced in hardware and software development for over 25 years, and while they might be attempting to build them with proper security, they have ultimately been unsuccessful. But now, businesses operate in digital and physical environments that continue to grow as new technologies, including IoT, are added to the network. As a result, the complexity of the environment increases. So, IoT manufacturers face the same challenge PC manufacturers did — they might attempt to make their devices secure, but since this is not their area of expertise, they are failing to do so.
Organizations are financially motivated, as is the case with the manufacturing industry. While some businesses are able to scrape together funding to back a security division, most manufacturers don’t prioritize it and cannot finance the efforts. When thinking about the magnitude of IoT devices connected today — roughly 8.4 billion according to Gartner — and the increasing demand, manufacturers are incentivized to bring devices to market as quickly and cost-effectively as possible. Therefore, security is an afterthought, if even thought of at all.
Keeping in line with compliances and regulations
One industry where regulations can hinder IoT security is healthcare. For example, the FDA requires continuous communication with manufacturers so they can be alerted when a new vulnerability is discovered. Then, the manufacturer must make an update and patch the device. However, this can be an incredibly slow process and may take up to 60 days, leaving the devices open to attack.
Manufacturers are constantly trying to keep up with competition by producing new IoT devices to address growing interest. In turn, businesses are drawn to these new flashy devices to reap their benefits. The competition to develop the latest and greatest technology prevents manufacturers from slowing down to ensure that security is embedded properly from step number one. Building security from scratch takes time, and in the eyes of the manufacturers, slows them down from developing the next big thing.
How you can protect your IoT network
All this gloom and doom aside, there are some simple and efficient processes you can start to prevent IoT breaches in your enterprise environment. To begin, you’ll need visibility to see what devices are connecting to your network. Next is the ability to manage those devices — i.e., restrict access to a non-compliant device, block internet access, quarantine any device based upon anomalous behavior, and/or notify its owner of a security concern. Finally, you’ll want to implement a mitigation plan when malicious behavior is detected. Once those processes are in place, dedication via continuous and thorough monitoring will be the most effective way to keep your organization’s IoT devices, and entire networks, safe on an ongoing basis.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.