Earlier this month, Sophos global head of security research James Lyne told ITProPortal that now is the time for tough, immediate action on dangerously unsafe IoT products.
“We’re absolutely in a world of release features, release products, push, push, push – and we’ll worry about security afterwards. Some of these products are so bad, it’s almost like they’ve made an effort to suck – they verge on negligence from a security standpoint, they’re doing the equivalent of selling a car without brakes…it’s indefensible,” he explained.
“We’re in this short period where regulators haven’t charged in to fix the issue – but it will happen. Cyber-criminals have started to realize that these devices are useful – look at Mirai – and that’s just one of the ways they can profit from these devices.”
In related news, H. Michael O’Brien, Partner in Wilson Elser’s New York Metro offices, recently wrote an article in The National Law Review that calls on the stakeholders driving the growth of the IoT to focus on security.
“The Department of Commerce (DoC) provides a good outline of the broad-based steps that need to be undertaken by all stakeholders looking to capitalize on the potential of the IoT,” he stated. “These include the need for flexible, risk-based solutions. In other words, threats and vulnerabilities are constantly evolving; therefore, predefined solutions become obsolete without the creation of cutting-edge solutions.”
In addition, says O’Brien, IoT security must be implemented by design rather than as an afterthought.
“The approach needs to be holistic and take into account risk assessment during design and testing of products before they are deployed,” he continued. “Vulnerabilities discovered after the product leaves the manufacturer must be addressed with patching and support throughout the life cycle of the product. Just as there is no free lunch, there are no straightforward, surefire ways to address security vulnerabilities in internet-connected devices.”
As we’ve previously discussed on Rambus Press, IoT devices that lack robust security inadvertently allow the establishment of unauthorized communication channels. Without authentication or encryption, an attacker can connect to, hijack and even brick a vulnerable device. IoT systems are particularly susceptible to such lapses: each device is simpler than a server or a PC, yet the fleet as a whole is harder and costlier to protect, because the devices are deployed in large numbers, often in physically accessible locations, with constrained processors and little room for the patching and monitoring tooling that enterprise IT takes for granted. Moreover, developers of such systems tend to be less familiar with security than their counterparts in enterprise software.
Nevertheless, the industry can still safeguard IoT devices by leveraging secure hardware provided by the chipset vendor and by pre-provisioning unique keys and IDs on-chip at manufacture, so that each device can be authenticated individually and a key extracted from one unit does not compromise the rest. In addition, OEMs should focus on the most critical vulnerabilities and choose the level of security appropriate to the plausible risks and attack vectors. A complete and scalable security solution helps here, since it allows both OEMs and service providers to minimize in-field device setup and customization.
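To make the two preceding paragraphs concrete, the following is an added example (not code from Rambus or from any product mentioned on this page) of what pre-provisioned unique keys and IDs buy you: a challenge-response authentication in which the backend can tell a genuine device from a clone, a replay or an ID the factory never produced. It assumes a key-diversification scheme in which each device key is HMAC-SHA256 of the device ID under a master key, and an HMAC-based challenge-response; the master key, device IDs and class names are constructed for the example.

```python
import hmac
import hashlib
import secrets

# Constructed master key for this example only. In a real deployment the master key
# lives in the chipset vendor's provisioning HSM and never leaves the factory.
MASTER_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c2b7e151628aed2a6abf7158809cf4f3c")


def derive_device_key(master_key: bytes, device_id: bytes) -> bytes:
    """Key diversification: every device ID yields a distinct 256-bit key.

    The provisioning line burns derive_device_key(MASTER_KEY, device_id) into the
    chip; the backend recomputes it on demand, so it stores no per-device secrets,
    and compromising one device's key reveals nothing about any other device.
    """
    return hmac.new(master_key, b"iot-device-auth-v1|" + device_id, hashlib.sha256).digest()


class Device:
    """Simulated IoT endpoint holding its pre-provisioned ID and unique key."""

    def __init__(self, device_id: bytes, key: bytes):
        self.device_id = device_id
        self._key = key  # on real silicon: OTP / secure element, never readable by firmware

    def respond(self, nonce: bytes) -> bytes:
        # Prove possession of the key without ever transmitting it.
        return hmac.new(self._key, self.device_id + nonce, hashlib.sha256).digest()


class Backend:
    """Service side: issues one-time challenges and verifies responses."""

    def __init__(self, master_key: bytes, manufactured_ids):
        self._master_key = master_key
        self._known_ids = set(manufactured_ids)   # IDs the factory actually produced
        self._pending = {}                        # device_id -> outstanding nonce

    def challenge(self, device_id: bytes) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending[device_id] = nonce
        return nonce

    def verify(self, device_id: bytes, nonce: bytes, response: bytes) -> bool:
        if device_id not in self._known_ids:
            return False                            # ID was never provisioned
        expected_nonce = self._pending.pop(device_id, None)
        if expected_nonce is None or not hmac.compare_digest(expected_nonce, nonce):
            return False                            # replayed or unsolicited response
        expected = hmac.new(derive_device_key(self._master_key, device_id),
                            device_id + nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def authenticate(backend: Backend, device: Device) -> tuple:
    """Run one challenge-response round; return (ok, nonce, response) so the
    caller can try to replay it."""
    nonce = backend.challenge(device.device_id)
    response = device.respond(nonce)
    return backend.verify(device.device_id, nonce, response), nonce, response


def demo() -> dict:
    """Exercise the genuine path and three failure modes; returns a result map."""
    genuine_id = b"RMB-0001"                       # constructed device IDs
    backend = Backend(MASTER_KEY, [genuine_id, b"RMB-0002"])
    genuine = Device(genuine_id, derive_device_key(MASTER_KEY, genuine_id))
    ok, nonce, response = authenticate(backend, genuine)

    # Attacker replays the captured (nonce, response) pair without a fresh challenge.
    replay_ok = backend.verify(genuine_id, nonce, response)

    # Attacker clones the ID but, lacking the on-chip key, has to guess one.
    clone = Device(genuine_id, b"\x00" * 32)
    clone_ok, _, _ = authenticate(backend, clone)

    # A device with an ID the factory never produced is rejected regardless of key.
    rogue_id = b"RMB-9999"
    rogue = Device(rogue_id, derive_device_key(MASTER_KEY, rogue_id))
    rogue_ok, _, _ = authenticate(backend, rogue)

    return {"genuine": ok, "replay": replay_ok, "clone_wrong_key": clone_ok,
            "unknown_device": rogue_ok}


if __name__ == "__main__":
    print(demo())
```

Two design points are worth noting. The backend keeps no per-device key database, only the master key and the list of manufactured IDs, which is what makes the scheme scale to millions of units without in-field customization. And because the nonce is consumed on first use, a captured exchange cannot be replayed; a device that has lost its key (or a clone that never had it) fails at the response check, not at the ID check, so the two failure modes can be logged and handled separately.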
Interested in learning more about IoT security? You can check out our article archive on the subject and download our eBook below.