The world of IoT is a fast-moving one. New innovations and changing technology standards come along rapidly. However, there is one thing that remains constant. No, it’s not death or taxes, it’s IoT security issues.
IoT deployments are too often riddled with built-in security issues and user-behavior rarely improves the situation.
We’ve written often about the problems with IoT security and what enterprises can do to make their own deployments more secure. Unfortunately, IoT applications are plagued by ongoing security issues and the attacks only seem to be becoming more serious and frequent.
The State of Internet of Things Security in Europe
Our security partner, Subex, has released its report, ‘The State of Internet of Things Security in Europe – Q3 2019 (July – September 2019)’. Subex has a honeypot network in 62 cities around the world, which they use to gather threat intelligence for their reports. These cities are chosen because they are key sites for gathering security intelligence.
One of the most striking things about their report is the rapid increase in malware. Malware variants are proliferating, in Q3 of 2019, 9,450 malware variants were identified. According to Subex, ‘The unit cost of buying/sourcing or renting malware … have registered a steep increase this quarter. This has led to hackers moving on to using malware variants with subtle code changes to attack connected devices.’
IoT Attacks Become More Professional
We’re seeing IoT attacks becoming almost like a business, with malware for sale and attackers looking to maximize their ROI. While bot farms were present in the Q2 report, their presence has grown significantly in the interim, particularly in Eastern Europe.
IoT devices with poor security are the fuel for these bot farms, particularly consumer IoT devices, which often lack proper security and suffer from issues such as default passwords. The Mirai botnet attack of a few years ago utilized a vast number of poorly-secured consumer IoT devices such as internet-connected webcams and baby monitors.
The Responsibility for Proper IoT Security Should Not Fall On Consumers
It is unrealistic and unfair to expect your average consumer to be responsible for setting up adequate security on their devices. Until manufacturers begin to properly secure their consumer IoT devices out of the box we will continue to see bot farms grow in strength and number.
Many IoT professionals are rightly concerned with the state of IoT security today. According to a questionnaire by the IoT M2M Council, 47% of IoT industry leaders say they are very concerned about the security of their IoT devices, with 22% listing themselves as extremely concerned.
While it’s heartening to see that industry professionals are aware of the risks, what we haven’t seen enough of yet is concrete actions to better secure the IoT. There are a number of reasons why IoT security measures are lagging behind where they should be.
The low cost of many IoT devices means that adding any kind of security would drastically increase the price. This is particularly an issue in cases such as large scale IIoT sensor deployment. IoT sensors cost on average $0.44 in 2018, securing them could significantly increase their cost.
Scalability Can Be a Security Issue
Scalability is also an issue for many IoT deployments. As the deployment scales up it becomes more complicated and more costly to software patch devices, particularly if the device does not support Over The Air updates. The rate of evolution of security threats is rapid, as soon as one patch has been developed, another type of threat is detected. How can manufacturers keep on top of new threats and ensure that their security is always up to date?
When it comes to consumer IoT, too many device developers see being first to market as more important than taking the time to develop sufficient security measures.
There’s also the issue of how much importance buyers place on security. If they don’t value it then manufacturers won’t include it. Even if they do value security, often they are only able to choose between products with varying levels of poor-security. In many categories, there simply aren’t products on the market with adequate security.
Time to Secure the Network
One way that organizations can secure their IoT deployments, even if the devices themselves cannot support OTA software updates, anti-malware or firewalls, is by securing the network.
Our IoT-specific security solution, Pod Protect, uses a three-tier detection strategy: signature-based, heuristics and anomaly-based, to identify and flag threats as they occur on the network. The threat database is updated in real-time with signatures gathered from 48 honeypots located in key locations around the world.
Pod Protect adapts to the traffic that is normal for your application and is able to flag any suspicious traffic while allowing for the seamless movement of healthy traffic. It uses agentless monitoring of the network, meaning there is no need for code or software to be added to the device. It makes it easy and cost-effective to scale an IoT deployment.
IoT opens up a whole world of new possibilities to improve our lives, ease disease management, save the bees, help the elderly, improve public transport, and many more. Unfortunately, it also opens us up to new vulnerabilities; security and privacy risks that we need to be forewarned and forearmed against. For us to be able to benefit from the many positives of the IoT, it is essential that IoT applications are protected with IoT-specific security solutions, before it’s too late.