If hype cycles are anything to go by we’re almost certainly teetering on the brink of the trough of disillusionment with the IoT. Recent research claims that 60% of test deployments have failed. But while some pilot projects may have faltered there isn’t yet the weight of devices in deployment to suggest we’ve peaked. Rather, adoption itself seems to be faltering.
IoT adoption hasn’t been the runaway success envisaged and this is down to a number of issues. Firstly, the IoT-enablement of devices which don’t necessarily warrant this additional connectivity. Take the IoT fishtank which regulated feeding, water temperature and quality, says Ken Munro, partner at Pen Test Partners.
That may sound like a labour saving device but ultimately it saw a Casino where the tank was installed lose 10GB of data to a device in Finland. IoT security doesn’t stop at the device. What this illustrates is that such devices are being used to create exploitable backdoors on to networks, allowing the theft of credentials and data exfiltration.
Longevity concerns are also hampering adoption, with devices often swapped out rather than updated causing users to question the viability of the investment. Then there’s the question as to whether the manufacturer has the resource to fix any issues that may come to light?
Security vulnerabilities emerge over time and if that does happen and your devices need to be patched, will the manufacturer invest the time needed to oversee this or deny culpability or even withdraw support?
Protecting the existing installed base is a real headache for manufacturers. If you peruse the Shodan website you’ll see hosts of deployed IoT equipment (and worryingly even Industrial Control Systems) with details on the IP address, the operating system run, and the version of software in use. And the FCC helpfully publishes the schematics for soon-to-be-released IoT devices complete with circuit diagrams for those wanting some up close detail.
In many cases, an attacker can identify devices from Shodan and simply obtain the default credentials to gain access. We once found a handy ‘super password’ list of daily log-on credentials for the entire year published on social media site by a technician. Clearly, supply chain security tends to be lax, with this case illustrating just how easy it is to get hold of ‘confidential’ data.
Struggling in the face of these odds, manufacturers are now looking to sell on data to third parties. That may make sense commercially but it further compromises the security and privacy of the userbase. It could see the floor plans for your office, for instance, sold on if you’re the user of an IoT vacuum cleaner. And what if that information makes its way on to the blackmarket? Building Management System (BMS) data could be particularly useful. Think of the extortion that would be possible if an attacker were to put ransomware over smart thermostats.
Solving the problem
The cynical among you will be questioning whether the end user shouldn’t also shoulder some of the responsibility and it’s true that few reconfigure devices upon set-up. That’s […]