The State of IoT (In)Security [source: tripwire]
by CIRT Team
The state of Internet of Things (IoT) security today is clear: it’s terrible.
IoT devices are everywhere – from Fitbits and Amazon Alexas to smart appliances and intelligent home security systems, they’ve already permeated our consumer lives. Outside of the consumer space, however, IoT is even more prevalent.
IoT devices control electrical grid switches and public water systems; monitor road traffic in real-time to optimize city travel; track patient health in hospitals, so doctors and nurses can stay alert; control servers for Facebook, Spotify and our other favorite media sites; and much, much more.
Not to mention, IoT devices will soon be increasingly used in music, construction, film and countless other industries – in addition to totally permeating infrastructure, healthcare and home life. As machine learningand blockchain become more sophisticated, they’ll integrate with IoT, as well. Its potential will only grow with time. Obviously, the prevalence of these devices makes them a prime target for a whole variety of hackers (from nation-states and cyberterrorists to hacktivists and organized crime groups).
Ransomware and other forms of extortion are just two types of cyberattacks we’ve seen. The Mirai malware from this past August, which wiped out entire Internet services across the east coast, is a prime example of how damage might not just be financial. We only need look to other countries to see how these attacks can be replicated against electrical grids and other critical infrastructure, potentially putting millions of lives at risk.
On top of this already precarious situation is that IoT devices are insecure by default. Encryption is often sub-standard; basic hardware security features are overlooked; default passwords are weak and duplicated across devices; and internal security controls, like dynamic information-flow tracking, are similarly (almost) nonexistent.
There are certainly reasons for this fact. IoT devices possess significantly less computing power than most modern machines, and so implementing modern security techniques in IoT devices without significant overhead is difficult. Further, the organizations that use these devices (and the systems that these devices are built into) usually depend on the speed of “edge computing,” so security may even be considered, on its face, as economically undesirable for manufacturers.
Will companies really buy a slower but far more secure device in favor of a faster but insecure one? The answer is that this shouldn’t even be a question.
For more, click here.