We recently teamed up with renowned security reporter Paul Roberts to take a hard look at the state of IoT security today. Together we surveyed over 400 product professionals regarding IoT security. Some of the results were expected (e.g., companies ranked security as a top priority when developing a connected product) and some, well, surprised us.
While most respondents found that protecting against malicious attacks on devices was far and away the top security concern and priority, it was who these organizations were concerned about that was really intriguing. When asked about cyber-adversaries, 50% noted that they were most worried about organized criminal groups and skilled hackers – beating out seemingly more mundane issues like weak communication security and authentication (only 9% ranked ‘weak user authentication to device’ as a top concern). But here’s the issue with that. 81% of hacking-related breaches use either stolen or weak passwords – 81%. It’s the most common IoT adversary, yet the one manufacturers seem least concerned about.
Looking at it objectively, we certainly understand the fear around sophisticated attackers. Data theft is one of the most widely reported cyberthreats and generally results in higher-profile incidents – think TJX from years ago. Fast forward to today and we have TV shows like Mr. Robot showcasing sophisticated criminal groups attacking connected things and wreaking havoc. We can write that off as just fantasy, but in reality, much of the research on IoT security today reports on software or design flaws that are only uncovered by skilled researchers. This constant dialogue makes it easy to understand why so many connected product makers are warier of the bigger, more elaborate attacks than of the smaller ones.
But if our device maker population is focusing mostly on these sophisticated actors – are we more vulnerable to these seemingly smaller, yet more prevalent threats? If you look at account hijacking, for example, it was rated lowest amongst the types of attacks respondents were most concerned about (only 14% ranked it as the most likely threat to their devices); however, it was on this type of attack that the now infamous Mirai malware was built. Similarly, DDoS attacks were also ranked quite low in terms of risk, yet they are among the most common and popular as they don’t require intimate knowledge of the device being targeted.
While it is certainly not wrong for device makers to worry about sophisticated attacks, it is the perception of risk that is a bit alarming. It’s true that no one can create a bulletproof product, so it’s important to align device security with the actual risks to the specific devices. What are the most common attacks in general? What is the known history of attacks against similar devices? We need to move beyond just acting on the rhetoric and look at the reality of the situation. Most attacks aren’t novel – they just take advantage of inherent design or deployment weaknesses – like insecure communications and weak authentication. Fewer than half (45%) of the respondents indicated that they would secure connected device deployments by using encrypted communications like TLS to and from their deployed devices. Additionally, just 39% indicated that they would require mandatory updates to default credentials. And this is simply unacceptable.
There is hope, though. Device manufacturers are moving in the right direction when it comes to designing security into connected devices to ensure that the next-generation do not repeat the mistakes of the past. Many (73%) are planning to add strong authentication like one-time passwords into their newest devices and 53% indicated that their connected devices will enforce strong passwords for both users and admins when deployed.
As we look at IoT security overall – the future is bright. Most device manufacturers view it as a top priority and are embedding security into the devices as part of the design process. This is a huge step forward from the early days of IoT when security was more of an afterthought. Closing the gap between perceived threats and actual ones is the next phase in our maturity. As we all continue to get smarter about the IoT, we’ll continue to learn how best to protect it. Until then, don’t underestimate attackers and don’t ignore the low-hanging security fruit.
Want to learn more about IoT security and our study? Join us for our upcoming webinar: Today’s IoT Security Landscape, and How Companies Can Avoid Common IoT Security Mistakes featuring Paul Roberts.