Three flaws at the heart of IoT security

This blog has been syndicated from SCMagazine UK, contributed by Thibaut Rouffineau – head of devices marketing.

According to the latest estimates by Gartner, the total number of connected devices will reach 6.4 billion by the end of this year. From connected homes, to autonomous vehicles, to futuristic smartdust, the Internet of Things has finally moved beyond the realm of theoretical concept and into our day-to-day lives.

As the presence of IoT devices has become more apparent, however, so too has their Achilles heel – security. In the last six months alone, we’ve seen some of the largest DDoS attacks in history, all of which have been achieved through a vast network of infiltrated IoT devices. Given the scale of these attacks, it’s important to understand exactly how the Internet of Things is being infiltrated, what the existing issues are within the IoT, and ultimately, how best to fix them.

With this in mind, here are three of the biggest flaws that currently sit at the very heart of IoT security, along with a few tips for how developers, retailers and even governments can come together to make the Internet of Things safer for everyone:

1. The IoT product lifespan is too short
Through the combination of low barriers to entry and the huge potential for future products and applications, the Internet of Things represents a very attractive market for the business community. The result has been an IoT gold rush, with many independent developers and existing device manufacturers jumping on the bandwagon in an attempt to get their share of this exciting new sector.
Unfortunately, every gold rush has its losers. With so many companies rushing into a relatively new space – where many of the business models remain untested – it seems only natural to expect a reasonable number of false-starts along the way.

According to estimates from Canonical, over two-thirds of new IoT ventures are doomed to fail, with many projects surviving no longer than 18 months. When these businesses ultimately fail, their various IoT devices are left without ongoing support and vital security updates. The result has been an entire ecosystem of outdated and ultimately unsecured IoT devices just waiting to be hacked.

2. Nobody has taken ownership of the IoT
Across the various production stages of the average IoT device, it’s not always clear who should be responsible for ensuring that an end product is kept secure. Disconnects between different companies involved in the production process mean that, in many cases, security is treated as “someone else’s problem”. This is not helped by the fact that security during the development and maintenance cycles is almost always seen as a cost centre, with different departments passing the buck further down the line rather than taking on responsibility and absorbing the additional costs.

The result of this mentality is potential security holes being left open at all stages of the design process, with physical vulnerabilities being built into hardware, undocumented backdoors being incorporated within the operating system, and a lack of updates opening further vulnerabilities at the application level. To address this, rather than pushing responsibility further down the chain, all stages of the design process must start to incorporate some consideration for the end security of a device.

3. Lack of standardisation in IoT updates
According to research from Canonical, 40 percent of consumers have never performed an update on their connected devices. Given this fact, and that most users simply don’t know how to update IoT devices themselves, security patches must be delivered automatically in a consistent and reliable way.

This is especially true for those devices that do not provide users with an external user interface – something that is becoming increasingly common across the Internet of Things. In addition to providing automatic, centrally-managed updates, IoT device manufacturers must also find ways to roll those updates back as and when required. In several instances, faulty software updates have led to IoT devices being made less secure. In these instances, centralised rollback mechanisms are vital to ensure the long-term security of an IoT device.

While all of these flaws sit at the very heart of IoT security, they are just the tip of a much larger iceberg.

As recent events have shown, the Internet of Things is suffering from numerous vulnerabilities and potential security threats, from botnets and hackers, to spyware and cyber-attacks. To solve this issue, such concerns must be addressed from the ground up at all stages of the IoT. Governments need to provide a sensible level of regulation to limit the ‘gold rush’ mentality of new IoT firms. IoT device manufacturers must also consider the role of security throughout all stages of their designs. Developers themselves need to start incorporating more intelligent and automated update systems, relying on standardised operating systems and centralised software updates rather than numerous bespoke OSs. Even consumers must play their part, thinking carefully about the products they buy and the approaches they take to ensuring maximum security for their own home networks.

IoT security is not an issue that will be fixed overnight, but by incorporating security concerns from IoT infrastructure right through to post-purchase support we can help to make the Internet of Things safer, more reliable and ultimately more secure in 2017.

Original source from SCMagazine here
