The Internet of Things (IoT) is one of the greatest forces driving technology today. According to Statista, the number of IoT devices is expected to reach 1.2 billion by the end of 2018. That number will grow to over 20 billion by 2020, per Gartner’s estimates, with more than 65 percent of enterprises deploying IoT products at that time. Such growth in IoT poses a risk to organizations. More devices means potentially more vulnerable products that digital attackers can infect with malware like Mirai and enlist in distributed denial-of-service (DDoS) attacks. In total, Gartner predicts that a quarter of all identified attacks against enterprises will involve IoT by 2020. With security obviously a major consideration with the Internet of Things, Tripwire decided to survey 167 Black Hat USA (BHUSA) attendees to determine how they felt about IoT security. Overall, Tripwire discovered that IoT security weighed heavily on the minds of survey respondents. Sixty percent of those that participated in its survey said they were more concerned about IoT security in 2018 compared to the previous year. More than a quarter (28 percent) revealed they weren't more or less concerned but clarified that they were still concerned. When asked to attribute their concern to specific issues surrounding consumer IoT security, BHUSA attendees ranked the exposure of personal data highest. Botnets and network compromise weren’t far behind, with physical safety and device bricking placing lowest. Such concerns weren’t unfounded. Twenty-one percent of those surveyed said they found an IoT device on their home network or work network that had been compromised or involved in a breach. An additional 14 percent said they suspected an issue with one of their IoT products but admitted they weren't sure. Craig Young, a a computer security researcher with Tripwire's Vulnerability and Exposures Research Team (VERT), put this finding into perspective.
This is already shocking, but the truth is that security professionals lack basic tools for identifying compromised IoT, and there could be many more compromises which fly under the radar.
Young is familiar with the challenges associated with IoT security. He recently disclosed a privacy issue he discovered with Google's IoT devices that allowed attackers to pinpoint people's precise locations. (You can read about the bug on Brian Kreb's website and here.) He also hosted a training on IoT hacking at Black Hat USA this year. “My class, A Guided Tour of Embedded Software Hacks, walked students through how to emulate devices and find various vulnerabilities in devices as well as how attackers could exploit these flaws using client-side web attacks like CSRF and DNS rebinding,” Young said. “The goal of this work is to help students recognize flaws in their own devices.” Survey respondents collectively said that there’s more work to be done to properly secure the Internet of Things. And this goes beyond home devices. Sixty-nine percent of respondents revealed they do not believe there has been significant progress in securing voting systems over the past year, whereas 54 percent said the same about industrial control systems (ICS). Given these perceptions, it will be interesting to see what researchers discover at DEF CON's IoT, Voting System, and ICS Villages. In the meantime, it’s important that consumers take a level-headed approach to the Internet of Things. IoT devices delight in several ways, but it's important to understand the potential risks before plugging them in. Users should therefore make sure to read reviews of an IoT product before purchasing it and make sure it comes with the ability to receive remote updates. For their part, security professionals should consider using network segmentation to isolate IoT devices from business critical assets.
