IoT security remains one of the most important, yet least understood parts of a proper IoT implementation. The pervasive presence of IoT devices in our society makes it a significant concern. Wired mentions that IoT
devices have, in the past, been recruited to form massive botnets or to
mine cryptocurrency for malicious actors. While manufacturers have addressed these issues through patches, these IoT device failings speak volumes about how easy security has been to defeat in IoT deployments.
Science Daily mentions that improved IoT device security may be attained through a multi-pronged data analysis approach. While this is good
news for many industries that utilize IoT devices, the question remains of how many of those industries will adopt this approach. Chip development has proceeded quite rapidly when it comes to IoT devices. Unfortunately, the smaller size and more lightweight processing power usually mean that these newer chips don't even have a basic level of security. Most chip manufacturers are simply bypassing security implementation in their IoT chipsets because it's unimportant to them. At least, not until the IoT network sees a breach through their chips.
Ideally, IoT security should deal with the issue of breach prevention from when the chip is in its manufacturing stage. This development paradigm is termed by Jacob Riggs, a prominent security researcher, as 'secure by design' development.
Dealing with security at the earliest stages of development helps to avoid issues later down. Installing patches or secondary security measures on top of the existing architecture is never as secure as including security as a part of the chip manufacturing process. Advocacy for the safety of IoT systems, including establishing standards for chip manufacturers regarding IoT security, has fallen on the shoulders of the IoT Security Foundation (IoTSF).
The IoTSF themselves define their role as the organization ensuring
security standards for the IoT industry. The organization's concerns
are threefold - security, fitness of purpose, and resilience. It's a delicate
balance to maintain. For devices to remain fit for their goals, they will need
to adapt to security threats as outlined by a security researcher blog. The complexity in dealing with this comes from the method of updating the security protocols on these devices.
IoT security is a fluid landscape, with new threats rising to the surface every few years. If an IoT device needs to remain resilient and operational, it needs to have the ability to update its security protocols. However, these update channels also provide potential areas of weakness that may be exploited by malicious actors. Info Security Magazine mentions that throughout 2019, there was a significant uptick in the amount of IoT
breaches that occurred on IoT networks. This fact signifies that, instead of
becoming more secure, IoT may instead be more vulnerable as more malicious users realize how to gain access to networks.
Security, on the whole, can be compared to an arms race, but one that doesn’t have a clear end point. Developers and manufacturers looking for programmers at DevsData.com are dedicated to finding and clogging holes in the security protocols of devices. On the other hand, malicious users are more concerned with locating and exploiting these holes for their own benefit. Back when IoT devices were less prevalent, this concern wasn't as significant as it is today. However, the lax mindset attached to IoT security has persisted, even though the threat of a breach may no longer be limited to the IoT network. Many large businesses have their IoT systems tied into their intranet for easy access to data streaming solutions. A breach within the IoT provides an entry to the business's entire network. No amount of internet security could stop a malicious actor from wreaking havoc from this direction.
The IoTSF intends to develop security standards that are a starting point for further guidelines regarding IoT safety. However, these suggestions aren't the final say on the matter. The problem with a published standard when it comes to security protocols is that it gives hackers a list of approaches that they can avoid.
This open sharing of information makes their job potentially easier, and might even suggest locations where they can start probing the IoT network for vulnerabilities. As embedded reports, many IoT users have a hard time reporting their vulnerabilities, making responses to potential breaches more challenging to develop.
As mentioned before, IoT security is as strong as its weakest link. The reason is simply that malicious users will automatically shift towards the weakest link since it offers the most accessible pathway to attack.
All it takes for a user to gain unauthorized access to an entire IoT network is one device with inadequate security. Because of this, security experts in the field need to look at IoT security holistically. Modelling attacks on existing systems can advise manufacturers where they should place their focus when designing security for IoT chips.
With an established standard, combined with a better methodology for reporting vulnerabilities, we're likely to see IoT devices become more secure.
Even the least safe "weakest link" devices will present a formidable defense to would-be hackers. With all the negatives that come with the establishment of a standard, there are quite a few positives.
If anything, creating a framework for vulnerability reporting alongside an adaptable statement of standards within the IoT industry can only lead to a more secure IoT network for all. That's a goal we can all strive toward achieving.