Information technology is evolving, and security is failing to keep pace. Computing is becoming more pervasive in our daily lives as everything from cars to industrial control systems to refrigerators is interconnected and exchanging data with mobile applications and cloud services. We need holistic security approaches to keep up with this growing Internet of Things (IoT).
While an attack on a smart thermostat may seem insignificant, the Target breach -- in which information on more than 70 million of its customers was compromised -- was the result of poor security of the heating and ventilation management and control systems in the company's stores. Other high-profile IoT attacks have surfaced, from the Carna embedded-device botnet and TRENDnet's Web camera exploit to the Linux.Darlloz worm and the Thingsbot attack discovered by Proofpoint, a security-as-a-service provider.
A lack of security
The diversity of IoT devices is dramatically increasing the attack surface for exploits and malware. A report from HP Security Research provided results for the top 10 consumer devices and found a staggering number of vulnerabilities (lack of transport encryption, insecure Web interfaces, and authorization and software protection issues) as well as privacy concerns.
Poor IoT security results from two main problems:
- The race to market for new devices means that security is not included in the design, or it is severely limited or poorly implemented.
- Developers of legacy embedded systems in areas such as manufacturing or transportation didn't consider security controls, because these systems originally were isolated and air-gapped from IP networks. Those air gaps are quickly disappearing as industrial control systems are increasingly networked and remotely managed.
The HP study showed that even basic security principles that have been taught for more than 20 years, such as strong passwords, aren't making it into the product development cycle. What can we do to improve IoT security?