I predict a rIoT

With the majority of IoT device owners not updating security, manufacturers are under increasing pressure to build security into their development.

The abundance of connected devices is growing at an ever-increasing rate, with Verizon recently reporting that worldwide Internet of Things market spend will grow from $591.7 billion in 2014 to $1.3 trillion in 2019, a compound annual growth rate of 17%. More and more components of our homes and businesses are now finding themselves part of the IoT.

In spite of this increasing interest in IoT and awareness of cyber security, many users appear unmotivated to keep their devices updated. A recent survey by Ubuntu found that only 31% of consumers that own connected devices perform updates as soon as they become available. A further 40% of consumers have never consciously performed updates on their devices. As such, consumers are unintentionally leaving themselves exposed to attack, from Distributed Denial of Service (DDoS) attacks to invasions of personal privacy or theft of personal data.

In 2016 we saw our first real evidence that attackers would actually take advantage of vulnerabilities in IoT. For a long time, many people in IoT downplayed the role of security, and for many end users IoT security was not seen as being as important as, for example, PC or smartphone security. Users don’t bank using IoT and they don’t put their credit cards on IoT, so why worry if their new smart vacuum cleaner is hacked? Many people are attracted to IoT because of its convenience; having to perform firmware updates and take the device offline stands in the way of this.

So if there is nothing valuable stored on the device, why would anyone write malware to attack it? IoT devices have one asset that is often overlooked: their connectivity.

Attacks like the Mirai malware targeted IoT devices and then used them to attack websites through DDoS attacks. Mirai itself was used in the recent DDoS attack on domain name system supplier Dyn and brought down huge chunks of the US’s internet. However, the owners of the IoT devices themselves were left relatively unaffected.

So should we as owners not worry about this type of malware? After all, we were not the target of the attack, merely the proxy.

Yet there are other, more sinister vectors still to be explored by attackers against IoT. Certainly some, such as the potential for invasion of privacy, may cause us concern, but this is limited to IoT cameras. Recently, industrial control systems were shown to allow an attacker to remotely read and write memory, in essence creating a remote file share. If a similar attack could be designed for IoT, then your home could end up sharing files and data on behalf of an attacker.

If users expect their IoT devices to be secure, and to remain secure over the course of their lifetime, then the onus is on the device manufacturer to build security into the development of their products. A recent IEEE survey suggests that IoT developers are finally taking heed of the issue, with security placing above interoperability, connectivity and performance as the top concern when developing IoT solutions.

However, even with manufacturers realising the need to build security into their products’ development, until IoT consumers see security as a major concern, they are not likely to pay extra for a more securely designed product.

Unfortunately, if new attacks begin targeting IoT owners, then manufacturers may find themselves in the very costly position of either physically replacing devices under warranty or leaving their customers exposed. Given how effective malware like Mirai has been, these types of attack are only likely to increase, and pressure from government and customers alike will encourage the enforcement of security. IoT manufacturers that fail to take note may well find themselves playing catch-up, or becoming marked out as “untrustworthy” and failing in this competitive market. IoT security will become more and more critical to a successful brand and a trusting customer base.
