As the Internet of Things continues its march towards encompassing everything, the questions regarding consumer trust and security remain at the top of the list. And while the demands of the connected society are unlikely to see a drop in the number of IoT-enabled devices coming to the consumer market, there is a growing expectation that device vendors will realize that easily exploitable security loopholes need to be closed.
Over the last five years, the number of connected devices has risen at a staggering rate, with the consensus being that malicious actors see IoT-enabled devices as the best way to spread chaos through unprotected firmware. The number of connected devices is expected to breach the 20 billion mark by 2023, and there are well-founded concerns that the IoT will remain a perfect portal for hackers.
Let's not forget that the Mirai botnet generated global headlines after it used millions of IoT-enabled (and unprotected) devices such as home routers and security cameras to launch a distributed denial of service attack in 2016. As a result of this unprecedented breach, most of the U.S. East Coast was without access to the internet for several hours.
Despite the warnings, the majority of holes remain open.
A recent survey of 950 IT decision makers by digital security provider Gemalto said that around 48 percent of companies can detect if one of their IoT devices suffers a breach, with 59 percent seeking clarification as to who is responsible for protecting IoT. Some have even called for governments to be involved, irrespective of the fact that numerous countries have announced regulations that are specific to IoT security.
"Given the increase in the number of IoT-enabled devices, it's extremely worrying to see that businesses still can't detect if they have been breached," said Jason Hart, CTO, Data Protection at Gemalto, in a press release. "With no consistent regulation guiding the industry, it's no surprise the threats – and, in turn, vulnerability of businesses – are increasing."
On the plus side, there are signs that the industry wants to improve both consumer confidence in IoT devices and the security of the devices themselves. This takes on added significance when you factor in the possibility that more than one trillion devices could be internet-enabled in the not-so-distant future.
VentureBeat reported that chip designer Arm has joined forces with security lab Brightsight to launch a comprehensive approach to IoT security testing called PSA Certified. According to the news source, the testing will give device makers security assurance that matches the level of robustness required. For example, a smart device sensor might face a lower threat level in the home than in, say, an industrial plant, and PSA Certified will provide consumers with the assurance that the device has been independently tested before it reaches the marketplace.
"With a trillion connected devices, we will need to build trust and implement the right security," said Chet Babla, vice president of engineering at Arm, in a press briefing. "This is available now for silicon vendors, operating system vendors, and original equipment manufacturers (OEMs). Several are already certified at level one now. Trust is going to be essential for digital information."
In addition to the Arm/Brightsight partnership, researchers at IBM are working on a virtual patch that could provide IoT vendors with advance detection of threats. According to Tech Xplore, the patch, which is still in the research phase, has the potential to be a game changer in the security landscape. Rather than developing a single-use solution, the research team wanted to reduce the amount of time that developers spend on applying security patches after a vulnerability is discovered, with the ultimate aim of stopping a malicious act before it has a chance to wreak havoc.
"How do you test the ability to patch ahead of threat discovery? The answer is simple: we go back in time," said lead researcher Fady Copty. "We used old versions of the applications for the data generation phase, trained the model using this data, and tested the models on threats found years later and documented in the CVE database. This gave us amazing results in ahead-of-threat patching, where the model was able to predict threats found only years later."
Time will tell if these two projects help plug the IoT security gaps. At the very least, they could give the vendors and, by association, the consumer more confidence in their connected devices.
To learn more about how Perle's suite of products can be used to improve your security protocols, please read our customer stories to find out how we have helped other industry sectors protect their system infrastructure.