Thanks to the Mirai botnet attacks, few people in the world of tech need a reminder that IoT devices remain a serious threat to enterprise networks. Still, more than a year after the botnet made headlines worldwide, IoT security remains mostly an idea, rather than a reality.
Such is the scope of the problem that Frost and Sullivan IoT research director Dilip Sarangan argues for governmental intervention. Sarangan says that, because the responsibility for IoT security is diffused across device manufacturers, network providers, software developers and many others, it’s difficult for the industry to make progress on all-encompassing standards.
“The only entity that has the ability to actually dictate what the minimum threshold is, unfortunately, is the U.S. government,” he said.
The difficulty in creating overarching standards mostly has to do with the fact that any given IoT implementation has a large number of moving parts, each of which may be administered by different organizations, or even by third parties. For example, a set of medical devices provided by company A connecting to a network provided by company B, running an application, originally written by company C and residing in company D’s cloud.
“Everyone talks about it like they’re going to provide end-to-end security, and there’s actually no way to do that,” said Sarangan. “You have no control over a lot of parts of an IoT solution.”
From the networking side, Sarangan said, there are plusses and minuses to most of the options available to any given IoT implementation. Cellular networks, for example, tend to be a lot more secure than Wi-Fi, ZigBee or the other wide-area options, but a company will probably have much more limited visibility into what’s happening on that network.
That, in and of itself, can be a security issue, and it’s imperative for the carriers to provide more robust device management features in the future.
“What type of device it is, what type of information it’s supposed to send, where it’s supposed to send the data, what you are supposed to do with that data – until you know all of that, it’s hard to be completely secure,” said Sarangan.
Improved network visibility is key to preventing worst-case scenarios like malicious actors accessing power grids and Internet infrastructure, but so are common-sense measures like air gaps.
“You have the hacks happening, but the hacks haven’t been significant enough to where you’d worry about it,” he said. “The other side of it is that a lot of critical infrastructure – let’s say a smart grid – is on private networks.”
A sea of IoT devices
A lack of quality control and the presence of a host of very old devices on IoT networks might be the most critical security threats, however. Decades-old hardware, which may not have been designed to be connected to the Internet in the first place, let alone stand up to modern-day security threats, creates a serious issue.
“You have over 10 billion IoT devices out there already … and a lot of these devices were created in 1992,” noted Sarangan.
Moreover, the huge number of companies making IoT-enabled hardware makes for a potentially serious problem where quality control is concerned. Big companies like Amazon and Microsoft and Google make headlines for their smart home gizmos, but the world of IoT is a lot broader than that.
China, in particular, is a major source of lower-end IoT devices – speakers, trackers, refrigerators, bike locks and so on – and it’s not just the Huaweis and Xiaomis of the world providing the hardware.
“[There are] hundreds of mom-and-pop shops out there developing hardware that we don’t necessarily know whether to trust or not – these are devices that are getting on unsecured Wi-Fi networks,” said Sarangan. “That’s already a security threat, and a large portion of Americans don’t actually protect their routers.”
Indeed, hidden backdoors have already been found on some such devices, according to The Register.