IoT security is a bit of an oxymoron. Almost no security has been built into the IoT hardware devices that have flooded the market in recent years. It is similar to what we saw with the advent of apps and mobile technology, when, seemingly overnight, everyone became an app developer or was shipping mobile products. The result was products riddled with bugs and security vulnerabilities that were fixed only much later.
Now IoT is repeating that pattern, with the important caveat that this time the bugs will be harder to fix. We suddenly have all these hardware devices spread across the world that had no security built in from the beginning. But unlike apps, there is typically no easy way to patch these devices. That is a huge problem, and companies need to recognize that if they care about security, in some cases this may mean throwing out their existing devices and starting anew.
Right now, companies are incredibly vulnerable. Many businesses have assumed that security for IoT devices is unnecessary because nothing sensitive is stored on them, but that misses the point: an IoT device is a networked computer with its own credentials, a position inside the network and spare compute, all of which an attacker can use regardless of what the device stores. Additionally, to those of us in the industry, it is no secret that hardware security is at least a decade behind software security. The appeal of selling internet-connected products (regardless of whether we really need our coffee pots online), and the rush to get those products to market as quickly as possible, has outstripped any thought about how we would make all these devices secure.
And that leaves us where we are now—in a very precarious situation.
Opening our eyes
I would argue that no recent incident more clearly exposed how vulnerable enterprises are through their IoT hardware than the Mirai botnet episode. At the time, it was the most powerful DDoS (distributed denial-of-service) attack the world had seen.
This incident illustrated how exposed companies can be as a result of their IoT devices. Mirai recruited webcams, DVRs and routers simply by logging in over telnet with factory-default credentials, then used them as ordinary attack nodes. Even though companies had not thought of their IoT products as computers, Mirai showed that they essentially are, and that very powerful botnets can be assembled from them as a result.
We’re now at a point where many companies are recognizing that this is a problem that has to be solved. Thus, similar to the changes the software industry underwent in the past, it’s now time for IoT hardware to focus more on security—even though, as I mentioned, the fix will be more difficult.
When I am working with CISOs who are Zscaler customers, I love to ask them, “Hey, could you give me a good view, a good report, of all of the non-managed devices in your network, such as the non-laptops, the non-tablets…everything that’s connected?” And the answer is inevitably no.
This is deeply concerning because it shows we have not even tackled phase one of the IoT security problem, which is visibility. Looking back at the Mirai episode, I am confident that the vast majority of the companies that had vulnerable devices have no idea to this day that they even participated in that botnet, because they are not monitoring their IoT devices. They had no idea their webcams were part of the attack because nothing in their environment was watching those devices' traffic, so there was nothing to detect the compromise.
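The visibility question above ("show me every non-managed device on the network") can be answered, at least for one segment, by reconciling what the network has actually seen against what the asset-management tooling knows about. The script below is an added example written for this article and is not code from the original post or from Zscaler. It assumes two constructed inputs, a dnsmasq-style DHCP lease file and `ip neigh` output from the segment's gateway, plus a constructed managed-asset MAC list of the kind an MDM or EDR console exports. The OUI-to-vendor table is a small illustrative placeholder; a real deployment would load the IEEE OUI registry. The point it makes beyond the prose is that a device with a static IP never appears in DHCP leases at all, so lease-based inventories miss exactly the cameras and appliances you most want to find; the ARP view catches them.

```python
"""Phase-one IoT visibility: list devices the network has seen that no management tool claims.

Added example for this article (not the post's or Zscaler's code). All inputs below are
constructed; the OUI table is illustrative only and should come from the IEEE registry.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set

# Constructed dnsmasq lease file: "<expiry> <mac> <ip> <hostname> <client-id>" per line.
DNSMASQ_LEASES = """\
1556800000 00:40:8c:1a:2b:3c 10.0.20.14 axis-cam-lobby *
1556800120 3c:22:fb:aa:bb:cc 10.0.20.31 jsmith-laptop 01:3c:22:fb:aa:bb:cc
1556800300 00:1e:8f:00:11:22 10.0.20.40 printer-3f *
1556800400 b8:27:eb:99:88:77 10.0.20.52 * *
"""

# Constructed `ip neigh` output from the gateway. 10.0.20.77 has no lease: static IP.
IP_NEIGH = """\
10.0.20.14 dev eth1 lladdr 00:40:8c:1a:2b:3c REACHABLE
10.0.20.31 dev eth1 lladdr 3c:22:fb:aa:bb:cc STALE
10.0.20.77 dev eth1 lladdr 00:40:8c:de:ad:01 REACHABLE
10.0.20.1 dev eth1 lladdr 00:00:5e:00:01:01 PERMANENT
"""

# Constructed managed-asset export (MDM/EDR agents are installed on these MACs only).
MANAGED_MACS = {"3C:22:FB:AA:BB:CC"}
# Known infrastructure to leave out of the report (the gateway's VRRP address).
IGNORE_MACS = {"00:00:5e:00:01:01"}

# Illustrative OUI table: first three octets -> vendor. Verify against the IEEE registry.
OUI_TABLE = {
    "00:40:8C": "Axis Communications (IP cameras)",
    "00:1E:8F": "Canon (printers)",
    "B8:27:EB": "Raspberry Pi Foundation",
    "00:00:5E": "IANA (virtual router)",
}

LEASE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
NEIGH_RE = re.compile(r"^(\S+)\s+dev\s+\S+\s+lladdr\s+(\S+)\s+(\S+)$")


@dataclass
class Device:
    mac: str
    ips: Set[str] = field(default_factory=set)
    hostname: Optional[str] = None
    sources: Set[str] = field(default_factory=set)  # which data source saw it: "dhcp", "arp"


def normalize_mac(mac: str) -> str:
    """Canonical upper-case, colon-separated form so sources and exports compare equal."""
    return mac.strip().upper().replace("-", ":")


def vendor_for(mac: str) -> str:
    return OUI_TABLE.get(normalize_mac(mac)[:8], "unknown OUI")


def parse_dnsmasq_leases(text: str) -> Dict[str, Device]:
    devices: Dict[str, Device] = {}
    for line in text.splitlines():
        m = LEASE_RE.match(line.strip())
        if not m:
            continue
        _expiry, mac, ip, hostname, _client_id = m.groups()
        dev = devices.setdefault(normalize_mac(mac), Device(normalize_mac(mac)))
        dev.ips.add(ip)
        if hostname != "*":  # dnsmasq writes "*" when the client sent no hostname
            dev.hostname = hostname
        dev.sources.add("dhcp")
    return devices


def parse_ip_neigh(text: str) -> Dict[str, Device]:
    devices: Dict[str, Device] = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if not m:  # FAILED/INCOMPLETE entries carry no lladdr and are skipped
            continue
        ip, mac, _state = m.groups()
        dev = devices.setdefault(normalize_mac(mac), Device(normalize_mac(mac)))
        dev.ips.add(ip)
        dev.sources.add("arp")
    return devices


def merge(*inventories: Dict[str, Device]) -> Dict[str, Device]:
    merged: Dict[str, Device] = {}
    for inv in inventories:
        for mac, dev in inv.items():
            target = merged.setdefault(mac, Device(mac))
            target.ips |= dev.ips
            target.sources |= dev.sources
            if dev.hostname:
                target.hostname = dev.hostname
    return merged


def unmanaged_devices(leases_text: str, neigh_text: str, managed: Iterable[str],
                      ignore: Iterable[str] = ()) -> List[Device]:
    """Everything the network saw minus everything a management tool claims or we ignore."""
    seen = merge(parse_dnsmasq_leases(leases_text), parse_ip_neigh(neigh_text))
    excluded = {normalize_mac(m) for m in managed} | {normalize_mac(m) for m in ignore}
    return sorted((d for mac, d in seen.items() if mac not in excluded), key=lambda d: d.mac)


def report(devices: List[Device]) -> str:
    lines = []
    for d in devices:
        note = "" if "dhcp" in d.sources else "  <- no DHCP lease: static IP, invisible to lease-based inventory"
        lines.append(f"{d.mac}  {','.join(sorted(d.ips)):<12} {d.hostname or '-':<16} {vendor_for(d.mac)}{note}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(unmanaged_devices(DNSMASQ_LEASES, IP_NEIGH, MANAGED_MACS, IGNORE_MACS)))
```

Run as-is and the report lists the two cameras, the printer and the Raspberry Pi, with the second camera flagged because it only ever showed up in the ARP table. In practice the same reconciliation runs per VLAN against switch MAC tables or NetFlow exporters, and the unmanaged list becomes the scope for the vendor review and pen-test program the rest of the article argues for.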
I don’t believe the government can move with enough speed or sophistication to solve this problem, so it’s imperative that both IoT product producers and enterprises as a whole move to solve it on their own. This has to start with an education program that emphasizes (and perhaps even markets IoT products) that security has to be a concern with these devices.
Every CISO needs to recognize that IoT device security must be part of the security program and the vendor program. IoT security must also become part of the pen-testing program, so you are not just pen-testing your web servers; you are pen-testing your photocopiers and webcams as well.
Until we recognize this, we’re leaving our products, and ourselves, incredibly vulnerable to future attacks. While the solutions won’t come easily, we have to start working on them now.
Read the ThreatLabZ research report, IoT Devices in the Enterprise