Three flaws at the heart of IoT security
Thibaut Rouffineau
on 20 March 2017
Tags: IoT , Security , white paper
This blog has been syndicated from SCMagazine UK, contributed by Thibaut Rouffineau – head of devices marketing.
According to the latest estimates by Gartner, the total number of connected devices will reach 6.4 billion by the end of this year. From connected homes, to autonomous vehicles, to futuristic smartdust, the Internet of Things has finally moved beyond the realm of theoretical concept and into our day-to-day lives.
As the presence of IoT devices has become more apparent however, so too has its Achilles heel – security. In the last six months alone, we’ve seen some of the largest DDoS attacks in history, all of which have been achieved through a vast network of infiltrated IoT devices. Given the scale of these attacks, it’s important to understand exactly how the Internet of Things is being infiltrated, what the existing issues are within the IoT, and ultimately, how best to fix them.
With this in mind, here are three of the biggest flaws that currently sit at the very heart of IoT security, along with a few tips for how developers, retailers and even governments can come together to make the internet of things safer for everyone:
1. The IoT product lifespan is too short
Through the combination of low barriers to entry and the huge potential for future products and applications, the Internet of Things represents a very attractive market for the business community. The result has been an IoT gold rush, with many independent developers and existing device manufacturers jumping on the bandwagon in an attempt to get their share of this exciting new sector.
Unfortunately, every gold rush has its losers. With so many companies rushing into a relatively new space – where many of the business models remain untested – it seems only natural to expect a reasonable number of false-starts along the way.
According to estimates from Canonical, over two-thirds of new IoT ventures are doomed to fail, with many projects surviving no longer than 18 months. When these businesses ultimately fail, their various IoT devices are left without ongoing support and vital security updates. The result has been an entire ecosystem of outdated and ultimately unsecured IoT devices just waiting to be hacked.
2. Nobody has taken ownership of the IoT
Across the various production stages of the average IoT device, it’s not always clear who should be responsible for ensuring that an end product is kept secure. Disconnects between different companies involved in the production process mean that, in many cases, security is treated as “someone else’s problem”. This is not helped by the fact that security during the development and maintenance cycles is almost always seen as a cost centre, with different departments passing the buck further down the line rather than taking on responsibility and absorbing the additional costs.
The result of this mentality is potential security holes being left open at all stages of the design process, with physical vulnerabilities being built into hardware, undocumented backdoors being incorporated within the operating system, and a lack of updates opening further vulnerabilities at the application level. To address this, rather than pushing responsibility further down the chain, all stages of the design process must start to incorporate some consideration for the end security of a device.
3. Lack of standardisation in IoT updates
According to research from Canonical, 40 percent of consumers have never performed an update on their connected devices. Given this fact, and that most users simply don’t know how to update IoT devices themselves, security patches must be delivered automatically in a consistent and reliable way.
This is especially true for those devices that do not provide users with an external user interface – something that is becoming increasingly true across the Internet of Things. In addition to providing automatic, centrally-managed updates, IoT device manufacturers must also find ways to roll those updates back as and when required. In several instances, faulty software updates have led to IoT devices being made less secure. In these instances, centralised rollback mechanisms are vital to ensure the long-term security of an IoT device.
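The automatic-update-with-rollback mechanism described above, sketched as an added example (not code from the original post or from Canonical): a device keeps two firmware slots, installs each update into the inactive slot, boots into it, and reverts to the known-good slot if the post-boot self-test shows the update weakened the device. The slot layout, the version strings and the `BOOT_REPORT` self-test results are all constructed for illustration.

```python
"""A/B-slot firmware update with automatic rollback (constructed illustration)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# A health check returns True when the freshly booted image behaves correctly.
HealthCheck = Callable[[str], bool]

# Constructed post-boot self-test results; a real agent would gather these on the device.
BOOT_REPORT = {
    "1.0": {"tls_verify": True, "services_up": True},
    "2.0": {"tls_verify": True, "services_up": True},
    "2.1": {"tls_verify": False, "services_up": True},  # faulty update weakens security
}

def health_check(version: str) -> bool:
    report = BOOT_REPORT.get(version, {})
    return bool(report.get("tls_verify")) and bool(report.get("services_up"))

@dataclass
class Device:
    slots: Dict[str, str]                                # slot name -> installed image version
    active: str = "A"
    rejected: List[str] = field(default_factory=list)    # versions that failed post-boot checks
    log: List[str] = field(default_factory=list)

    def inactive(self) -> str:
        return "B" if self.active == "A" else "A"

    def running_version(self) -> str:
        return self.slots[self.active]

    def apply_update(self, version: str, check: HealthCheck) -> bool:
        """Install into the inactive slot, switch to it, verify; revert if verification fails."""
        if version in self.rejected:
            self.log.append(f"skip {version}: previously rolled back")
            return False
        previous = self.active
        self.slots[self.inactive()] = version
        self.active = self.inactive()                    # "reboot" into the new slot
        if check(self.running_version()):
            self.log.append(f"ok {version}")
            return True
        # Faulty update: the other slot still holds the known-good image, so switch back.
        self.active = previous
        self.rejected.append(version)
        self.log.append(f"rollback {version} -> {self.running_version()}")
        return False

def run_scenario() -> Device:
    dev = Device(slots={"A": "1.0", "B": "1.0"})
    dev.apply_update("2.0", health_check)   # good update, kept
    dev.apply_update("2.1", health_check)   # faulty update, rolled back to 2.0
    dev.apply_update("2.1", health_check)   # rejected version is not retried
    return dev
```

Because the previous image is never overwritten until the new one has passed its checks, a bad update can cost a reboot but not the device's last known-good state.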
While all of these flaws sit at the very heart of IoT security, they are just the tip of a much larger iceberg.
As recent events have shown, the Internet of Things is suffering from numerous vulnerabilities and potential security threats, from botnets and hackers, to spyware and cyber-attacks. To solve this issue, such concerns must be addressed from the ground up at all stages of the IoT. Governments need to provide a sensible level of regulation to limit the ‘gold rush’ mentality of new IoT firms. IoT device manufacturers must also consider the role of security throughout all stages of their designs. Developers themselves need to start incorporating more intelligent and automated update systems, relying on standardised operating systems and centralised software updates rather than numerous bespoke OSs. Even consumers must play their part, thinking carefully about the products they buy and the approaches they take to ensuring maximum security for their own home networks.
IoT security is not an issue that will be fixed overnight, but by incorporating security concerns from IoT infrastructure right through to post-purchase support we can help to make the Internet of Things safer, more reliable and ultimately more secure in 2017.
Original source from SCMagazine here