The Biggest IoT Security Threat: Failure of Imagination
IoT security experts agree that a rise in security failures is inevitable this year given that more and more companies are deploying IoT sensors and devices, many of which are not properly secured. In fact, analysts with Forrester and Strategic Cyber Ventures go so far as to predict widespread and large-scale security breaches. We believe the real reason for weak security is not a failure of technology, but a failure of imagination.
The interconnectedness of the IoT has created a condition analogous to the rise of Big Data: the possible kinds and combination effects of IoT security failures have gone beyond our minds’ ability to identify and estimate risk. Not incorporating security that anticipates ever-more-sophisticated attacks leaves IoT devices and connected networks vulnerable. On a more prosaic note, many manufacturers simply don’t believe their products are likely targets. They fail to imagine the scenarios that could cause their products to become the doorway an IoT hacker uses to wreak havoc locally (within the local network of the attached device) or on a much wider community (for example, by spawning a DDoS attack like the one against Dyn in 2016).
By failing to imagine the possibilities of an attack, manufacturers of consumer and industrial IoT products and sensors have gone to market with devices that not only have minimal or insufficient security, but in many instances, have no security at all. As a result, they’ve found themselves being reactive instead of proactive. They are often fighting the battles of yesterday, with the attackers perpetually one step ahead.
The primary long-term threat that cryptographers are currently researching is quantum attacks. With this threat rapidly moving to the “near-term” (relative to our industry at least), what other threats might be lurking in the pipeline? We can’t wait for bad actors to find new vulnerabilities in our defenses, and then rush to patch them. All of us in the IoT security industry need to exercise our imaginations to anticipate and plug security holes before they occur.
A companion to the failure of imagination is a lack of urgency. According to the Ponemon Institute’s 2017 Study on Mobile and Internet of Things Application Security, 58% of IT and application security practitioners said they were concerned about being hacked via the IoT, but as many as 44% admitted they were doing nothing to protect themselves. It is unsurprising, then, that the same study found only 30% of respondents felt their organizations had sufficient budget to protect mobile and IoT devices.
We appreciate that investing to increase IoT device security has an uncertain payback for manufacturers. However, this investment provides insurance against the devastating and significantly more costly consequences of a security failure, which can include revenue loss, stock price drops, and irreversible brand damage.
Today’s fix-it-in-the-field approach to security will always leave us scrambling. Instead of reacting to the risks of the past, it behooves us to imagine new dangers and look farther over the horizon in search of solutions.
If you are seeking to address IoT security on resource-constrained devices, request our IoT Embedded Security Development Kit. This SDK enables you to use SecureRF’s quantum-resistant cryptography protocols to quickly and easily implement authentication, confidentiality, and non-repudiation on your low-resource devices.