
The IoT has come a long way – but there’s still a lot more to be done | IoT Now News & Reports

The track record of the IoT has been chaotic and exciting in equal measure. As new products have rushed out of factory floors onto store shelves and into the homes, factories and offices of businesses and consumers alike, they’ve been confronted with great new capabilities and new risks too.

IoT exploded into public consciousness only a few years ago and was eagerly taken up by businesses and consumers alike. Hackers soon took notice of this growing attack surface and found laughably easy ways to exploit it.

Those vulnerabilities became a powerfully destructive force, exemplified by the brief, if massive, success of the Mirai malware. This malware would use a brute force attack to guess a device’s password out of a small library of commonly used passwords. Once it had successfully infected one device, it would scan for nearby devices and then start again. It was through the predictability of these devices’ inbuilt passwords and Mirai’s simple operation that it managed to amass a botnet of millions of devices.

With the combined flood power of those devices, the controllers of the botnet managed to launch some of the largest DDoS attacks that had ever been seen to that date. In its short run of success, Mirai botnets broke successive records for sheer DDoS attack power, paralysing huge pieces of key internet infrastructure and even the entire country of Liberia.

The main botnet was eventually shut down, but the factors that enabled Mirai’s success are still often present in the modern IoT. Design and deployment errors are common, and they often result in vulnerable devices and new attack vectors into the networks to which they are attached. Common problems include hardcoded passwords, firmware that can’t be updated, insecure open source software and a lack of adequate encryption.

This lack of maturity in the sector contributed heavily to its relative insecurity. The meeting of hardware and software has been a steep learning curve for many manufacturers, who had often never worked with microcontrollers and embedded software before. Many products weren’t designed with security in mind, and security measures would be bolted on afterwards. Not only was the IoT too new to have developed any real standards around how to build devices securely, but the IoT supply chain is also long and complicated, with multiple links where vulnerabilities are often introduced.

It has taken a long time for the industry to catch up, but much has been improved since that shaky start. Industry standards have been introduced and calls for Secure-By-Design IoT devices have mounted from governments, consumers and industry alike. There is now greater focus on the security of IoT devices and the ways they plug into consumer and commercial networks. Governments have also begun to roll out regulation, such as the EU Cyber Resilience Act or the US Cyber Trust Mark, which is meant to compel the industry to seriously consider IoT security.

Yet problems still linger. In fact, data from DigiCert’s most recent Digital Trust survey shows that there’s still quite some way to go. To be sure, things have improved. All of the survey’s respondents, for example, now use digital certificates to identify their devices in the field, and 100% of respondents use strong authentication for users with IoT devices. That’s a clear improvement on the way many organisations handle their IoT devices. Yet there’s more work to be done.

Only one in seven respondents say that their enterprise trust practices around IoT are extremely mature. Going further, there are at least two glaring problems that enterprises are struggling to address. The first is that 87% communicate personally identifiable information from IoT over unencrypted channels. This is a problem on several levels. To begin with, IoT deployments commonly involve hundreds of thousands of devices and sensors, collecting commercially and personally sensitive information. The lack of encryption in the transmission of that data opens it up to potential interception, manipulation or outright attack in the form of a man-in-the-middle attack.

The second is that 88% of organisations have a chief product security officer or centralised security practice that manages all IoT or connected devices. While it’s important to have someone overseeing those things, it still presents problems. IoT security is its own discipline and requires specialist knowledge and experience. Across deployments of hundreds or thousands of devices, gaps in that knowledge may result in misconfigurations and accidents that create security problems later down the line.

Similarly, there are shortcomings in the way organisations manage those devices. Only 45% are “extremely capable” of monitoring security events for devices in the field, only 8% can update configurations and only 4% can update algorithms. Managing device identities is also proving difficult: only 39% are “extremely capable” of auditing those identities, which drops to 24% when it comes to updating those identities and only 3% when it comes to revoking them.

Ultimately, these shortcomings result in a number of predictable problems. Most, 93%, say that their issues around IoT digital trust result in data breaches, outages and exploits. Meanwhile, 84% say that they lead to break-ins by malicious actors.

It’s important to note that the IoT is offering real help to organisations. Nearly all, 86%, note that it is helping them with customer acquisition. 82% say that it helps them with digital innovation and 41% note that it’s helpful to employee productivity.

However, our survey found a clear distinction between those harnessing the benefits of IoT and those suffering from the risks: the Leaders and the Laggards. Those that were secure in their digital trust efforts around IoT managed to capture those benefits to a greater extent than those who weren’t. 96% of Leaders enjoyed greater customer acquisition due to IoT deployments, as opposed to 64% of Laggards. 96% of Leaders excelled in digital innovation around IoT while only 59% of Laggards did. Similarly, 70% of Leaders enjoyed greater productivity while only 23% of Laggards did. The problems are also magnified. For example, no Leaders experienced compliance issues around IoT, while 50% of Laggards did.

The road to IoT security was always going to be a long and iterative process. There has been much progress made on the path, but there is still much ground yet to cover.

Article by Kevin Hilscher, the senior director of product management at DigiCert.
