IoT security is the least of manufacturers’ worries: Here’s what they should do

large eyeball man open doorway watching spy privacy

As more things connect to the Internet, it seems security is taking a back seat to cost for manufacturers.

According to a report from Technavio (Infiniti Research Ltd.), the global connected market is expected to reach $6,217 million by 2020. Though the number is impressive, securing these connected devices is no longer the priority of manufacturers. A report from Forrester Research, Inc. reveals that “IoT security technologies are still in the Creation phase.”

“For security and risk pros, the IoT brings an enormity of additional devices to manage, new forms of vulnerability such as physical property damage, and a wide range of new technologies to master. But we found the technologies to be nascent, which is startling given how many devices are already deployed,” the Forrester report notes.

This finding is quite disturbing given how companies are pushing consumers to adopt the connected everything concept. Especially now that Shodan, a search engine for the connected world, added a way for its paying customers to search for unsecured connected cameras. Also, this is not the first time vulnerable IP cameras have been exploited. In 2014, a Russian website broadcasted live feeds of thousands of unsecured cameras, including baby monitors, from across the globe.

Will we ever feel safe?

In an interview with Ars Technica, security researcher Dan Tentler reveals how broken webcam security is. He explains that consumers do not value privacy and security, thus many are unwilling to pay for it. Because of this unwillingness, manufacturers do not want to shoulder the cost of putting security implements in their products to keep production cost low, thus resulting in unsecured devices.

Though manufacturers may put the blame on consumers, Tentler believes that we are past the time of raising consumer awareness. It’s time to twist the arms of vendors to put tougher security on their products.

One entity that has the power to twist vendors’ arms is the Federal Trade Commission. In the past, it has busted TRENDnet, Inc. due to the “lax security”  and “false representation” of its SecurView IP cameras. A hacker found a flaw in the IP cameras’ security which resulted in the posting of links to live feeds of almost 700 cameras. The FTC has also released a guideline for best practices which includes a recommendation to implement security while the devices are being manufactured and not just place it as an afterthought.

How device makers can secure IoT

INSIDE Secure SA suggests device manufacturers add cryptography to ensure communications and authentication between software inside a device and between devices, and ensure that software is only allowed to run in a manner designed by the coder.

Furthermore, INSIDE Secure recommends that device makers add remote security monitoring to alert [developers] if there is a software or network breach. It is believed that hackers are always a step or two ahead of developers, which makes creating a white or black list for known attacks useless. By adding security monitoring, developers can keep an eye on the software and act fast if a breach is detected.

Icon Laboratories, Inc. has even made it easier to secure IoT with its Floodgate Security Manager which is a security management software suite specifically designed to protect IoT gadgets and embedded devices against cyber-attack. The suite can be operated as either an on premise or a cloud-based security manager. It provides device status monitoring, security policy management, command audit logging, and security event logging and reporting for devices running Icon Labs’ Floodgate Agent or other lightweight IoT management protocols such as COAP and MQTT.  It provides comprehensive reporting and auditing capabilities to help achieve EDSA Certification, ISA/IEC 62443 Compliance, and/or compliance with the NIST Cybersecurity framework.

Trustwave Holdings, Inc. also offers its own security tool called the Trustwave Managed IoT Security service which promises to keep the connection between the connected device and the cloud secured; find weaknesses in connected products and services; and monitor and secure infrastructure and services that empowers delivery of IoT services to reduce compromise risk and protect customer data and privacy. The Trustwave Managed IoT Security platform was developed in collaboration with Trustwave SpiderLabs, a group of ethical hackers that performs penetration tests on apps and devices.

You can read more about securing IoT here.

photo credit: Nick Kenrick. via photopin cc