“Product manufacturers weren’t focused enough on security and privacy as a design priority, putting consumers at risk for an attack or physical intrusion,” the report states.

Veracode’s results mirror those of Hewlett-Packard’s 2014 Internet of Things Research Study, in which its Fortify application security unit found 250 unique security vulnerabilities after testing the 10 most popular Internet of Things products at that time. That works out to an average of 25 vulnerabilities per product, in a set that included “smart” products like webcams, sprinkler systems, and home alarms. Most of the IoT products analyzed by Veracode and HP run on stripped-down versions of Linux and are therefore susceptible to the same security vulnerabilities that might be found on a computer.

This raises the question: why is so little effort being made to secure Internet of Things applications? In most cases, cost is a significant factor. As Mark Stanislav asks, how many IoT products are crowdsourced by people who may not have security experience themselves and who may lack the funds to adequately test their products for security vulnerabilities? This observation helps to explain the reasoning behind platforms such as Onion Omega, which uses customizable hardware in an effort to make the development of IoT applications less expensive.

At the same time, business risk is overriding security risk in the minds of many executives. According to a recent survey conducted by Atomik Research on behalf of Tripwire, 63 percent of C-level executives expect business efficiencies and productivity to force them to adopt IoT devices regardless of the security risks, whereas only 27 percent are “very concerned” about those risks. Most of these executives are clearly more concerned with the projections for the expanding Internet of Things market, with 75 billion “things” and $263 billion in IoT-related services expected in 2020, than with the security of those products.
Security is currently not a major concern when it comes to the Internet of Things, but it should be. Katie Moussouris, the Chief Policy Officer for HackerOne, wrote an article in which she reminds us how the “Age of the Great Worms” in the early 2000s forced software vendors to learn the value of security the hard way. With the Internet of Things not far on the horizon, it is the collective responsibility of security professionals and developers to recall these lessons and apply them to the Internet of Things. We must harden IoT products via a Software Development Life Cycle. Otherwise, we risk repeating our mistakes of the early 2000s, only this time with many, many more connected devices.