Today, IoT security has become a hot topic. While more and more connected devices are online under the IoT framework, bringing automation and convenience, it has also introduced new risks particularly in the area of security. According to experts, both vendors and users have a role to play in this regard.
Today, IoT security has become a hot topic. While more and more connected devices are online under the IoT framework, bringing automation and convenience, it has also introduced new risks particularly in the area of security. According to experts, both vendors and users have a role to play in this regard.
Some recent examples illustrate why people have become wary of the security of network-connected devices. The rampancy of baby cams and monitors being hacked has caused the New York Department of Consumer Affairs to
issue an alert in January 2016. Verizon’s latest Data Breach Digest reported that at a certain college campus,
connected vending machines and streetlamps were used as bots to slow down the university’s network. Finally, in October last year, IoT devices including network cameras and NVRs infected with the Mirai malware were also used to
launch DDoS attacks against Dyn, an Internet performance management company. The result was a shutdown of service across various websites including Netflix and Amazon.com.
According to the experts we spoke to, the security of devices found in the market varies. “There is a big difference between vendors. Some are only competing on price, features and time to market so security is not on their priority list while other strengthen their IoT devices and sell that as a differentiator,” said Mathieu Chevalier, Security Architect at
Genetec. “I would say, however, that on average the security posture of IoT devices is pretty say because of a constant flux of new players in the former category.”
“Today’s IoT devices range from very insecure to very secure, which I don’t find surprising in an unregulated market,” said Adrian Sanabria, Director of Research at
Savage Security. “There will always be businesses that, given the choice, will skip the added expense of making a product safe or secure.”
IoT vendors’ role
Given the threats that IoT devices are subject to, users expect vendors to do more to make their products secure. “They have to bake security in as they develop their products instead of just trying to retrofit it on top of their products after the fact. The other part is that end users have to activate the security features embedded in the products they buy; if not they are not of any use. On that regard vendors can publish hardening guides explaining how to configure their products, and they have to make their products as secure by default as possible,” Chevalier said.
He cited Genetec's own examples. "We have a hardening guide that help configure our system in the most security way. Genetec has a service that will update Security Center automatically so that customers receive the latest security updates in a timely fashion,” he said. “Also, in the upcoming version of our flagship product we will have a means to let our customer know if there is a security relevant update to the firmware of their connected IoT devices. Genetec also embed security practices into the way it build its products to make sure that security is taken care of in every step of the development process.”
What users should do
As cybersecurity is a two-way street, it should be practiced by vendors and users alike. “The two most important that users can do is: update their IoT devices’ firmware to the latest version and change the default password of their devices. If they do just that they will be in a lot better shape against hackers,” Chevalier said.
According to Mars Kao, Senior Engineer at the Taiwan-based
Institute for Information Industry, users can protect themselves through a product selection approach and a technical approach. “On the product selection side, users can ask several questions, for example does it require authentication or is it cloud-based so the use of password is not required, how strong is the encryption, and whether an activity log can be provided if someone else has tried to log in to the system,” he said. “Then, from the technical side, users should change the default password and set the authorization levels so that different users have access to different data.”
Sanabria, meanwhile, has the following suggestions:
- Perform network scans against devices from internal and external networks (if applicable). It is important to understand the device’s attack surface. Also check infrastructure scanning tools like Shodan and CENSYS.
- Consider past attacks and vulnerabilities related to IoT devices and explore those same scenarios against your devices to see how they hold up.Don’t consider only preventative controls – detective controls, the ability to respond to and recover from an attack are even more important.
- Do your due diligence with the vendor, and ask questions like: Has this product been tested by a third-party for security vulnerabilities? Can we review the findings? And What’s your average vulnerability response time and time-to-fix on a vulnerability.