Securing the Internet of Things

Oct. 7, 2016
Cloud Security Alliance releases guidance report for protecting connected devices

The increasingly connected world in which we live and the proliferation of internet-enabled devices has revolutionized the way we think and interact with technology. Never before has this much data from such a multitude of sensors been available at our fingertips. This new Internet of Things world stands poised to impact the way we live on a daily basis.

It should come as little surprise that organizations across all sectors are eager to incorporate IoT devices into their existing networks as a way to make their businesses more efficient and generate as much information as possible in this era of big data analytics. However, one of the biggest drawbacks of this new wave of connected technology is the ability of hackers to tap into these various products and leverage them for nefarious purposes. In these early days of the IoT, physical security devices, namely IP cameras and DVRs, have been among the most widely compromised by cyber criminals.

Just last week, the Wall Street Journal reported that a recent distributed denial of service (DDoS) attack against KrebsOnSecurity, the website of cybersecurity journalist Brian Krebs, and French web hosting provider OVH, was carried out using a large number of cameras and video recorders. Earlier this year, website security firm Sucuri traced a DDoS attack against one of its customers back to a botnet that was leveraging more than 25,000 cameras.

Of course, launching a DDoS attack is not the only way a hacker could use compromised IoT devices. They can also use routers, cameras, printers and a whole host of other products as an entry point into a larger network from which they could steal sensitive data or even tamper with critical systems. It is for this and myriad other reasons that the Cloud Security Alliance’s Internet of Things Working Group on Friday released a new guidance report intended to help device makers design and develop more inherently secure IoT products.

According to Brian Russell, chair of the CSA’s IoT Working Group, many of the IoT products on the market today lack even basic security controls and are still being used with default usernames and passwords.

“That’s one of the things we wanted to do with this report was provide ammunition to the manufacturers and vendors of these types of devices to say, ‘Hey, take a step back, focus on some fundamental security and engineering concepts, understand who may be trying to break into your devices and take, at the very least, the minimum steps necessary to secure those products so they’re not open to becoming the next node in a botnet,’” Russell says. “We can’t go back and retrofit all of the devices that are already out there and vulnerable, but at least if you’re a startup or some other vendor that’s trying to put an IoT-type product out into the market, you can have some guidance that tells you how to defend against this happening to you a year from now.”

One of the reasons most frequently cited as to why more IoT devices do not have stronger safeguards built into them is that the pressure to get these products into the marketplace means that the time developers have to focus on security is minimal. Additionally, Russell says that manufacturers are challenged from the standpoint that they now have to think about security considerations for products that were never previously exposed to these types of vulnerabilities.

“You’re taking products that weren’t typically connected to the Internet, didn’t have to go through robust security engineering during their development lifecycle and so you have organizations that aren’t as adept at figuring out how to secure systems as maybe a software vendor is,” Russell adds. “Also, you combine that with the fact that we’ve seen reported shortages of skills in the security industry, so there are not a lot of resources to go around telling organizations this is what you need to do to secure your systems. All of these things come together and you have this perfect storm where the result is what we’ve seen where products are released and they’re just not secured.”

The report specifically lays out 13 considerations for developing “reasonably secure” IoT devices. These include:

  • Secure Development Methodology
  • Secure Development and Integration Environment
  • Identity Framework and Platform Security Features
  • Establish Privacy Protections
  • Hardware Security Engineering
  • Protect Data
  • Secure Associated Apps/Services
  • Protect Interfaces/APIs
  • Provide Security Update Capability
  • Implement Secure Authorization
  • Establish Secure Key Management
  • Provide Logging Mechanisms
  • Perform Security Reviews

Of these 13 different guidance considerations, Russell says that using a secure development methodology and performing security reviews are probably two of the most important things an IoT device developer can do.

“We start with secure development methodology and I think just sitting down and understanding what it means to develop a secure product and what the threats are to your particular product, that’s highly valuable to anybody because it opens your eyes and it starts to show you, as a product developer, that there are going to be real people that are trying to compromise your product for certain end outcomes,” Russell explains. “Performing security reviews is equally important, whether it is in-house security reviews trying to understand if you can compromise the software or the firmware update processes, for example, or third parties who can go out and do this testing for you as an IoT developer and validate that after spending a certain amount of time that they haven’t been able to find any vulnerabilities. Following those two steps doesn’t mean your product is going to be completely secured but at least you’ve gone through some level of rigor to hold up your responsibility in that regard.”

Russell says he is disappointed that organizations continue to make the same mistakes in the development of their connected products and systems, despite the fact that guidance reports similar to this one continue to be issued by the CSA and other organizations.

“We actually published guidance for implementers of IoT systems over probably a year and a half ago where we outlined some of the fundamental things you need to do as an integrator of these products – don’t send your passwords in the clear, don’t use easy-to-guess default accounts that aren’t required to be changed upon first use, and things as simple as that,” he says. “It is really sort of disheartening that those sorts of mistakes are still being made.”
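As an added illustration of the first-use default-credential point Russell makes above (example code written for this page, not from the CSA report or the article), the toy device credential store below accepts the constructed factory default only to reach the password-change step and rejects replacements that are the default itself or on a constructed weak list.

```python
import hashlib
import hmac
import os

# Constructed factory default and weak-password list; real devices would load these from the build.
DEFAULT_USER, DEFAULT_PASSWORD = "admin", "admin"
WEAK_PASSWORDS = {"password", "password1234", "admin123", "12345678"}


class DeviceAuth:
    """Credential store for a single device account with a forced first-use change."""

    def __init__(self):
        self.salt = os.urandom(16)
        self.pw_hash = self._hash(DEFAULT_PASSWORD)
        self.must_change = True  # set at the factory; cleared only by a successful change

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def _credentials_valid(self, user, password):
        # Constant-time comparison of the derived hash; the username is a fixed built-in account.
        return user == DEFAULT_USER and hmac.compare_digest(self._hash(password), self.pw_hash)

    def login(self, user, password):
        """Return 'denied', 'change_required' (default still set, nothing else allowed) or 'ok'."""
        if not self._credentials_valid(user, password):
            return "denied"
        return "change_required" if self.must_change else "ok"

    def change_password(self, user, old_password, new_password):
        """Replace the password; refuse the factory default, short values and known weak values."""
        if not self._credentials_valid(user, old_password):
            return False
        if len(new_password) < 12 or new_password == DEFAULT_PASSWORD:
            return False
        if new_password.lower() in WEAK_PASSWORDS:
            return False
        self.salt = os.urandom(16)  # fresh salt so the stored hash cannot be compared to the old one
        self.pw_hash = self._hash(new_password)
        self.must_change = False
        return True
```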

“This is a chance for vendors to level-up on their security,” CSA Senior Analyst John Yeoh says. “This is a chance for vendors not to ignore any low-hanging fruit in those fundamentals. Hopefully, we won’t need a major breach to happen in order to have some of these principles adopted. This guidance is available for free; you don’t have to pay for it.”

For more information or to download the report, see Future-proofing the Connected World: 13 Steps to Developing Secure IoT Products.