The Online Trust Alliance (OTA) has determined that the overwhelming majority of Internet of Things (IoT) vulnerabilities publicly disclosed over the last year could have been easily avoided.
According to Craig Spiezle, Executive Director and President of the Online Trust Alliance, security and privacy are often overlooked in the rush to bring connected devices to market.
“If businesses do not make a systemic change, we risk seeing the weaponization of these devices and an erosion of consumer confidence impacting the IoT industry as a whole due to their security and privacy shortcomings,” he stated.
The most glaring IoT security failures analyzed by the OTA included: the omission or lack of rigorous security testing throughout the development process; the lack of a discoverable process or capability for responsibly reporting observed vulnerabilities; insecure or absent network pairing controls; a lack of testing for common code exploits; and limited transport security and encrypted storage for user IDs and passwords. Last, but certainly not least, the OTA found that a number of IoT devices lacked a sustainable and supportable plan to address vulnerabilities throughout the product lifecycle, including a dearth of software and firmware update capabilities, along with insecure and untested security patches and updates.
“Security starts from product development through launch and beyond, but during our observations we found that an alarming number of IoT devices failed to anticipate the need for ongoing product support,” said Spiezle. “Devices with inadequate security patching systems further open the door to threats impacting the safety of consumers and businesses alike.”
As we’ve previously discussed on Rambus Press, the current security paradigm associated with the mobile and PC world is undeniably flawed. Indeed, serious or even critical vulnerabilities disclosed on an almost daily basis are patched with hurriedly coded software and firmware updates. While a ‘good enough’ approach may have been tolerated for smartphones and tablets, the industry cannot afford to relegate security to a tertiary concern for an IoT that may very well ultimately affect every aspect of our daily lives. A new paradigm, designed from the ground up to provide secure foundations for connected devices, is clearly long overdue. Devices should be secured throughout their lifecycle from chip manufacture, to day-to-day deployment, to decommissioning.
According to Steven Woo, VP of Systems and Solutions at Rambus, the semiconductor industry is slowly beginning to realize IoT security is a critical goal that needs to be treated as a first-class design parameter. Nevertheless, software is often selected as the security medium of choice because it is relatively simple to deploy and layer on top of existing systems.
“It’s certainly no secret that software-based security can be hacked. However, a silicon-based hardware root-of-trust offers a range of robust security options for IoT devices. Enabled by Moore’s Law, integration of a silicon root-of-trust into IoT silicon makes a lot of sense. As more and more devices are brought online, the importance of heightened security will only increase. Providing hardware-based security via a root-of-trust is going to be very important going forward,” he added.