Don’t believe the hype: Why the IoT is stalling

Ken Munro at Pen Test Partners

If hype cycles are anything to go by we’re almost certainly teetering on the brink of the trough of disillusionment with the IoT. Recent research claims that 60% of test deployments have failed. But while some pilot projects may have faltered there isn’t yet the weight of devices in deployment to suggest we’ve peaked. Rather, adoption itself seems to be faltering.

IoT adoption hasn’t been the runaway success envisaged and this is down to a number of issues. Firstly, the IoT-enablement of devices which don’t necessarily warrant this additional connectivity. Take the IoT fishtank which regulated feeding, water temperature and quality, says Ken Munro, partner at Pen Test Partners.

That may sound like a labour saving device but ultimately it saw a Casino where the tank was installed lose 10GB of data to a device in Finland. IoT security doesn’t stop at the device. What this illustrates is that such devices are being used to create exploitable backdoors on to networks, allowing the theft of credentials and data exfiltration.

Longevity concerns are also hampering adoption, with devices often swapped out rather than updated causing users to question the viability of the investment. Then there’s the question as to whether the manufacturer has the resource to fix any issues that may come to light?

Security vulnerabilities emerge over time and if that does happen and your devices need to be patched, will the manufacturer invest the time needed to oversee this or deny culpability or even withdraw support?

Divulged details

Protecting the existing installed base is a real headache for manufacturers. If you peruse the Shodan website you’ll see hosts of deployed IoT equipment (and worryingly even Industrial Control Systems) with details on the IP address, the operating system run, and the version of software in use. And the FCC helpfully publishes the schematics for soon-to-be-released IoT devices complete with circuit diagrams for those wanting some up close detail.

In many cases, an attacker can identify devices from Shodan and simply obtain the default credentials to gain access. We once found a handy ‘super password’ list of daily log-on credentials for the entire year published on social media site by a technician. Clearly, supply chain security tends to be lax, with this case illustrating just how easy it is to get hold of ‘confidential’ data.

Struggling in the face of these odds, manufacturers are now looking to sell on data to third parties. That may make sense commercially but it further compromises the security and privacy of the userbase. It could see the floor plans for your office, for instance, sold on if you’re the user of an IoT vacuum cleaner. And what if that information makes its way on to the blackmarket? Building Management System (BMS) data could be particularly useful. Think of the extortion that would be possible if an attacker were to put ransomware over smart thermostats.

Solving the problem

The cynical among you will be questioning whether the end user shouldn’t also shoulder some of the responsibility and it’s true that few reconfigure devices upon set-up. That’s partly because it can be very difficult to do so. If you do succeed, have you also changed the default PIN on mobile apps or web apps which are used to control the device? It’s still questionable if this is worth doing given that a four or six digit PIN takes a matter of hours to crack.

The current lack of confidence can only be attributed to poor security and that means manufacturers need to up their game. They need to attend to secure mobile app development, strong session management and encryption on web services, secure implementation of the chosen wireless standard, and on the device itself, disable unused functionality such as serial ports or debug ports, apply obfuscation techniques and implement secure key storage while the firmware should be encrypted and signed.

Regrettably, until vendors begin prioritising security, IoT adoption will falter. It only takes another audacious malware attack, perhaps over a universal interface such as port 80, to damage uptake irreparably. Right now the industry needs to focus on building trust and that means adopting either self-imposed or legislative regulation.

The author of this blog is Ken Munro, partner at Pen Test Partners

Comment on this article below or via Twitter: @IoTNow_OR @jcIoTnow

FEATURED IoT STORIES

9 IoT applications that will change everything

Posted on: September 1, 2021

Whether you are a future-minded CEO, tech-driven CEO or IT leader, you’ve come across the term IoT before. It’s often used alongside superlatives regarding how it will revolutionize the way you work, play, and live. But is it just another buzzword, or is it the as-promised technological holy grail? The truth is that Internet of

Read more

Which IoT Platform 2021? IoT Now Enterprise Buyers’ Guide

Posted on: August 30, 2021

There are several different parts in a complete IoT solution, all of which must work together to get the result needed, write IoT Now Enterprise Buyers’ Guide – Which IoT Platform 2021? authors Robin Duke-Woolley, the CEO and Bill Ingle, a senior analyst, at Beecham Research. Figure 1 shows these parts and, although not all

Read more

CAT-M1 vs NB-IoT – examining the real differences

Posted on: June 21, 2021

As industry players look to provide the next generation of IoT connectivity, two different standards have emerged under release 13 of 3GPP – CAT-M1 and NB-IoT.

Read more

IoT and home automation: What does the future hold?

Posted on: June 10, 2020

Once a dream, iot home automation is slowly but steadily becoming a part of daily lives around the world. In fact, it is believed that the global market for smart home automation will reach $40 billion by 2020.

Read more
RECENT ARTICLES

Yellowfin explores the future of data storytelling and reveals the impact narrative and automation will have on business analytics

Posted on: October 27, 2021

London. 27 October, 2021 – Yellowfin, the analytics vendor that combines action-based dashboards, automated discovery, and powerful data storytelling, launches a white paper exploring ‘The Future of Data Storytelling: how narrative and automation will redefine the next decade of analytics’, offering valuable insight to organisations on the power and potential of future augmented and automated

Read more

Renesas and wolfSSL enable ready-to-use IoT security solutions based on embedded TLS stack

Posted on: October 27, 2021

TOKYO, Japan and EDMONDS. Washington, October 27, 2021 ― Renesas Electronics Corporation, a supplier of advanced semiconductor solutions, and wolfSSL, a provider of embedded security solutions, announced a multi-year licensing agreement whereby customers of Renesas’ 32-bit MCU offerings can obtain a free commercial license for the wolfSSL TLS (Transport Layer Security) stack with integrated Renesas hardware

Read more