Companies defy cybersecurity common sense by trusting IoT devices

The pushing of billions of insecure Internet of things (IoT) devices into the market has already “poisoned” the Internet with a level of vulnerabilities that will be hard to claw back from, one security specialist has said in warning that “the damage is already done”.

Businesses and consumers had rushed to install connected video cameras, home appliances, smartwatches and other IoT devices based on an underlying assumption that their manufacturers were managing security correctly, Fortinet global security strategist Derek Manky told CSO Australia – but this assumption was simply wrong.

IoT devices act as launch pads for cyberattacks

“I think it’s completely backwards,” he explained. “These devices should be inherently not trusted because they’re the largest culprits that we see for attacks. They’re wide open for attack, there are no patches available, and most of these devices already live in enterprise networks. They can be used as launchpads [for other attacks] because they’re not security-inspected traditionally.”

A new analysis from Gemalto has highlighted the overall threat that IoT poses. Some 57 percent of respondents said they are increasing their security offering as a result of greater IoT investment, with just 53 percent saying they encrypt the data that their IoT devices produce.

Growing concern about IoT security has driven initiatives for stricter security testing and labelling regimes, with the European Union Agency for Network and Information Security (ENISA) among the bodies tackling the issue.

Businesses often previously installed IoT-like devices on airgapped networks that minimized their exploitability to outside intruders. However, the growing demand for connectivity and manageability of such devices had produced unintended security vulnerabilities – and black-hat hackers, he warned, are wasting no time tapping into automation and artificial-intelligence technologies to find and exploit them.

“For the vast majority of consumers, patching software on a smart device, or updating its firmware, is something they won’t be aware of, and may not understand how to do,” said RIoT Solutions managing director Rob Merkwitza, who warned that recent exploits like the KRACK Wi-Fi vulnerability had exacerbated the potential vulnerability of IoT devices that tend to favor Wi-Fi as their connectivity method of choice.

In industrial scenarios, Merkwitza added, “there’s the mentality that if something isn’t broken, then it shouldn’t be fixed. Managers of industrial Internet of Things (IIoT) equipment may not realize that their devices are vulnerable to the attack, and so they won’t patch them.”

“Industrial systems that are going to be updated also need to be handled carefully because of the dependencies associated with the equipment. Careful testing, to make sure that everything keeps working after a patch has been issued or firmware made available, will have to be carried out.”