It's no secret that connected IoT devices come with inherent cybersecurity risks.
IoT opens the door for malicious actors to infiltrate thousands or millions of unsecured devices, use them to cripple infrastructure and knock networks offline with DDoS attacks, and potentially gain access to private or sensitive information. Much of the embedded firmware that runs connected IoT devices is insecure and highly vulnerable, leaving an indeterminate number of critical systems at risk.
As connected devices proliferate, so too do the risks. Consider that the number of IoT-connected devices globally is expected to reach 25 billion by the end of 2021, according to Gartner. With 127 new IoT devices connecting to the internet every second, according to McKinsey, potentially exploitable vulnerabilities on these devices fuel a growing attack surface.
Coping with IoT security challenges demands a two-pronged approach. It must address attack preparedness from the product side, by way of secure code in the software and firmware running on these devices. An IoT security strategy must also include detect and respond capabilities to address the fallout when vulnerabilities are inevitably exploited.
Anticipate device security improvements
While IoT adoption continues to grow, the standards, compliance requirements and secure coding practices surrounding IoT have not advanced at the same rate. Recent high-profile software supply chain attacks have brought the issue of secure coding into sharp focus, prompting the Biden administration to issue an executive order setting new requirements for federal agencies to purchase and deploy only secure software. Given the vast reach of U.S. federal procurement, this shift will have an immediate impact on software development processes and lifecycles worldwide. Virtually all device manufacturers and software companies will be affected directly as the administration increases obligations on the private sector and establishes new security standards across the industry.
Specific to IoT, the order directs the federal government to initiate pilot programs to educate the public on the security capabilities of IoT devices, and to identify IoT cybersecurity criteria and secure software development practices for a consumer-labeling program. Perhaps this is just the incentive the private sector needs to bring its practices in line with these criteria. Historically, Bitdefender estimates that fewer than 30% of the IoT device manufacturers it has notified with evidence of software vulnerabilities have even responded to or acknowledged the flaws. Moreover, while most manufacturers do eventually fix the issues, how quickly they do so varies widely.
As administrators and agencies consult with industry and commercial leaders on exactly when the order will be implemented throughout the U.S. and at what scale various infrastructure and manufacturing organizations will need to comply, there are steps manufacturers can take now to prepare. They are as follows:
- Make secure coding training mandatory for software developers.
- Solicit and share information on common IoT vulnerabilities through the community.
- Study the most common pitfalls by checking cybersecurity communities.
- Conduct code analysis with automated tools, ensuring that nothing gets out the door without being prescanned for potential vulnerabilities.
- Use penetration testing teams to find anything missed in the development cycle -- but vet any third-party pen testing providers; you get what you pay for.
Assume everything is flawed
For purchasers of IoT devices, ideally the product you're buying meets standards and requirements, especially once the executive order is implemented. But it is wise to conduct your own pen testing of devices rather than rely on that assumption.
In my years of experience, I have never seen a system that could not be compromised, either in the wild or in a controlled environment. Someone will find the vulnerability, so it's important to leverage pen testers to find it first where you can.
Once IoT devices meet security approval and are placed in your infrastructure, be sure to monitor them using extended detection and response (XDR), endpoint detection and response (EDR) or other security operations center tooling. That way, if a device is breached, you'll have the visibility you need to determine whether it is doing something it shouldn't, in terms of questionable behavior regarding access, queries, times and IP addresses. These detection and response capabilities also establish a baseline of how the devices normally operate, which makes anomalies easier to spot and ensures protection is in place when one of these devices is attacked.
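The baselining the previous paragraph describes comes down to recording what a device normally talks to, when, and how much, and then flagging departures. The following is an added example written for this page, not code from the author or from any Bitdefender product: it learns a per-device baseline from a window of constructed flow records (the log format, the 10.20.0.15 camera address and the 52.10.1.20 cloud endpoint are all made up for illustration), then evaluates later records against it, flagging a new destination, activity outside the device's usual hours and a flow far larger than anything in the baseline. The hour-range and volume-factor thresholds are deliberately simple stand-ins for what an EDR or XDR product does with far more signal and a longer learning window.

```python
"""Baseline-and-deviate detection for IoT device traffic (added example).

Builds a per-device behavioural baseline from a learning window of flow
records and flags later records that deviate: a destination IP/port the
device has never contacted, traffic outside its usual active hours, or a
byte count far above anything seen while learning.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample flow records (not real captures), one per line:
# "<ISO timestamp> <device_ip> <dst_ip> <dst_port> <bytes>".
# Learning window: a camera talking only to its cloud endpoint over TLS
# and to the local NTP server during working hours.
BASELINE_LOG = """\
2021-06-01T08:02:11 10.20.0.15 52.10.1.20 443 48211
2021-06-01T08:32:41 10.20.0.15 52.10.1.20 443 47090
2021-06-01T12:15:09 10.20.0.15 10.20.0.1 123 76
2021-06-01T17:44:58 10.20.0.15 52.10.1.20 443 51230
2021-06-02T08:05:33 10.20.0.15 52.10.1.20 443 49002
2021-06-02T18:59:02 10.20.0.15 10.20.0.1 123 76
"""

# Later records to evaluate, also constructed. Line 2 is a 3 a.m. check-in,
# line 3 is SMB to an internal host the camera has no business reaching,
# line 4 is a ~10 MB upload where the baseline never exceeded ~50 KB.
LIVE_LOG = """\
2021-06-03T09:10:00 10.20.0.15 52.10.1.20 443 50100
2021-06-03T03:12:45 10.20.0.15 52.10.1.20 443 49500
2021-06-03T10:20:30 10.20.0.15 10.20.5.40 445 1204
2021-06-03T11:00:00 10.20.0.15 52.10.1.20 443 9800000
"""


def parse_log(text):
    """Parse the constructed flow format into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, dev, dst, port, nbytes = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "device": dev,
            "dst": (dst, int(port)),
            "bytes": int(nbytes),
        })
    return records


def build_baseline(records):
    """Per device: destinations seen, (earliest, latest) active hour, largest flow."""
    seen = defaultdict(lambda: {"dests": set(), "hours": [], "max_bytes": 0})
    for r in records:
        b = seen[r["device"]]
        b["dests"].add(r["dst"])
        b["hours"].append(r["ts"].hour)
        b["max_bytes"] = max(b["max_bytes"], r["bytes"])
    # Collapse the observed hours into an inclusive range.
    return {
        dev: {"dests": b["dests"], "hours": (min(b["hours"]), max(b["hours"])),
              "max_bytes": b["max_bytes"]}
        for dev, b in seen.items()
    }


def detect_anomalies(baseline, records, volume_factor=5):
    """Return (timestamp, device, reason) tuples for records that deviate."""
    alerts = []
    for r in records:
        b = baseline.get(r["device"])
        if b is None:
            alerts.append((r["ts"], r["device"], "unknown device"))
            continue
        if r["dst"] not in b["dests"]:
            alerts.append((r["ts"], r["device"],
                           "new destination %s:%d" % r["dst"]))
        first, last = b["hours"]
        if not first <= r["ts"].hour <= last:
            alerts.append((r["ts"], r["device"],
                           "activity at unusual hour %02d" % r["ts"].hour))
        if r["bytes"] > volume_factor * b["max_bytes"]:
            alerts.append((r["ts"], r["device"],
                           "volume %d exceeds %dx baseline max" % (r["bytes"], volume_factor)))
    return alerts


def run():
    baseline = build_baseline(parse_log(BASELINE_LOG))
    return detect_anomalies(baseline, parse_log(LIVE_LOG))


if __name__ == "__main__":
    for ts, dev, reason in run():
        print(ts.isoformat(), dev, reason)
```

Run stand-alone it prints three alerts: the 3 a.m. check-in, the SMB connection to 10.20.5.40, and the oversized upload; the ordinary 9 a.m. cloud flow passes because 9 falls inside the learned 8 to 18 hour range. In practice the learning window must be long enough to cover legitimate maintenance traffic (firmware pulls, nightly uploads), or those will surface as anomalies too.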
Expect to be compromised
The lifespan of an IoT device varies widely between consumer and industrial or commercial settings: three to five years for consumer devices, and an average useful life of seven to 10 years in commercial deployments. The reality is that only a small fraction of them are intelligent devices with controlled update mechanisms, so expect any built-in protections to be obsolete within two years.
Even with the pending implementation of standards in product development lifecycles, assume everything in your environment, and everything you do to protect it, is flawed. There is always someone out there who knows more than you, so it's important to play out what-if scenarios. Ask yourself what would happen if these devices were compromised and what impact that would have. The temptation is to try to predict how it could happen, but it's more important to focus on what you do if it happens. You will never be able to predict all the hows.
Assuming those risks, it's important to prepare your defenses.
- First, prioritize and segregate devices. Segregating devices on the network minimizes the potential damage in the event of an attack and lets you isolate them quickly. Deploying endpoint detection and response technology, or working with a service provider that delivers it, remains key to identifying and remediating threats at the user or device level.
- Map out short-, medium- and long-term plans for device maintenance. Know which devices, such as switches and routers, must be kept on the latest OS or software. Know how easy or difficult it is for updates to reach each device and, when a vulnerability is found, how quickly the vendor can fix it and distribute an update.
- Identify mitigations for supply chain attacks. Consider not only the chain of production for these devices, but the environment and ecosystem of that device as well, particularly at the service provider level.
As you evaluate the security of IoT devices in your organization, preparedness remains key. The better you understand what you can do to ensure secure product protections, the more you leverage pen testing, and the more thoroughly you prepare your endpoint and network defenses, the better equipped you will be to address the fallout when vulnerabilities are inevitably exploited.
About the author
Alex "Jay" Balan is chief security researcher and a spokesperson for Bitdefender. His career is focused on information security, innovation and product strategy, fields in which he has accumulated more than 15 years of experience. He drove the vision for Bitdefender's Unix-based security solutions before kick starting a project that would advance the company's R&D department and steer part of the company's focus toward technology and innovation. He is now furthering security and privacy research and has been actively involved in creating awareness by speaking at a number of conferences, including RSA Conference, DefCon Hacking Conference, Derbycon, Security BSides, Internet Security Conference, Interpol's meetings on cybercrime for heads of units, DefCamp, IMWorld, Future of Media and many others.