Don’t believe the hype: Why the IoT is stalling

Ken Munro at Pen Test Partners

If hype cycles are anything to go by we’re almost certainly teetering on the brink of the trough of disillusionment with the IoT. Recent research claims that 60% of test deployments have failed. But while some pilot projects may have faltered there isn’t yet the weight of devices in deployment to suggest we’ve peaked. Rather, adoption itself seems to be faltering.

IoT adoption hasn’t been the runaway success envisaged and this is down to a number of issues. Firstly, the IoT-enablement of devices which don’t necessarily warrant this additional connectivity. Take the IoT fishtank which regulated feeding, water temperature and quality, says Ken Munro, partner at Pen Test Partners.

That may sound like a labour saving device but ultimately it saw a Casino where the tank was installed lose 10GB of data to a device in Finland. IoT security doesn’t stop at the device. What this illustrates is that such devices are being used to create exploitable backdoors on to networks, allowing the theft of credentials and data exfiltration.

Longevity concerns are also hampering adoption, with devices often swapped out rather than updated causing users to question the viability of the investment. Then there’s the question as to whether the manufacturer has the resource to fix any issues that may come to light?

Security vulnerabilities emerge over time and if that does happen and your devices need to be patched, will the manufacturer invest the time needed to oversee this or deny culpability or even withdraw support?

Divulged details

Protecting the existing installed base is a real headache for manufacturers. If you peruse the Shodan website you’ll see hosts of deployed IoT equipment (and worryingly even Industrial Control Systems) with details on the IP address, the operating system run, and the version of software in use. And the FCC helpfully publishes the schematics for soon-to-be-released IoT devices complete with circuit diagrams for those wanting some up close detail.

In many cases, an attacker can identify devices from Shodan and simply obtain the default credentials to gain access. We once found a handy ‘super password’ list of daily log-on credentials for the entire year published on social media site by a technician. Clearly, supply chain security tends to be lax, with this case illustrating just how easy it is to get hold of ‘confidential’ data.

Struggling in the face of these odds, manufacturers are now looking to sell on data to third parties. That may make sense commercially but it further compromises the security and privacy of the userbase. It could see the floor plans for your office, for instance, sold on if you’re the user of an IoT vacuum cleaner. And what if that information makes its way on to the blackmarket? Building Management System (BMS) data could be particularly useful. Think of the extortion that would be possible if an attacker were to put ransomware over smart thermostats.

Solving the problem

The cynical among you will be questioning whether the end user shouldn’t also shoulder some of the responsibility and it’s true that few reconfigure devices upon set-up. That’s partly because it can be very difficult to do so. If you do succeed, have you also changed the default PIN on mobile apps or web apps which are used to control the device? It’s still questionable if this is worth doing given that a four or six digit PIN takes a matter of hours to crack.

The current lack of confidence can only be attributed to poor security and that means manufacturers need to up their game. They need to attend to secure mobile app development, strong session management and encryption on web services, secure implementation of the chosen wireless standard, and on the device itself, disable unused functionality such as serial ports or debug ports, apply obfuscation techniques and implement secure key storage while the firmware should be encrypted and signed.

Regrettably, until vendors begin prioritising security, IoT adoption will falter. It only takes another audacious malware attack, perhaps over a universal interface such as port 80, to damage uptake irreparably. Right now the industry needs to focus on building trust and that means adopting either self-imposed or legislative regulation.

The author of this blog is Ken Munro, partner at Pen Test Partners

Comment on this article below or via Twitter: @IoTNow_OR @jcIoTnow


Ericsson, Thales launches IoT accelerator device connect with eSIMs for enterprises

Posted on: December 2, 2022

Ericsson’s Internet of Things (IoT) business, in partnership with Thales, launches IoT Accelerator Device Connect, a service offering generic eSIMs unbundled from pre-selected Service Providers. For the first time, enterprises have the flexibility to select one or more Service Providers easily and instantly at the time of device activation. This new business model dramatically accelerates

Read more

Airtel Business wins IoT solution mandate for Smart Meters from TPWODL

Posted on: December 2, 2022

Burla, Odisha, 29 November 2022 – Bharti Airtel (Airtel), India’s communications solutions provider has announced that it has won a cellular IoT solution mandate with TP Western Odisha Distribution Limited, (TPWODL), a Joint venture between Government of Odisha and Tata Power. The mandate will see Airtel power 200,000 Smart Meters with IoT solution, of which 70,000

Read more

The IoT Adoption Boom – Everything You Need to Know

Posted on: September 28, 2022

In an age when we seem to go through technology boom after technology boom, it’s hard to imagine one sticking out. However, IoT adoption, or the Internet of Things adoption, is leading the charge to dominate the next decade’s discussion around business IT. Below, we’ll discuss the current boom, what’s driving it, where it’s going,

Read more

9 IoT applications that will change everything

Posted on: September 1, 2021

Whether you are a future-minded CEO, tech-driven CEO or IT leader, you’ve come across the term IoT before. It’s often used alongside superlatives regarding how it will revolutionize the way you work, play, and live. But is it just another buzzword, or is it the as-promised technological holy grail? The truth is that Internet of

Read more

Which IoT Platform 2021? IoT Now Enterprise Buyers’ Guide

Posted on: August 30, 2021

There are several different parts in a complete IoT solution, all of which must work together to get the result needed, write IoT Now Enterprise Buyers’ Guide – Which IoT Platform 2021? authors Robin Duke-Woolley, the CEO and Bill Ingle, a senior analyst, at Beecham Research. Figure 1 shows these parts and, although not all

Read more

CAT-M1 vs NB-IoT – examining the real differences

Posted on: June 21, 2021

As industry players look to provide the next generation of IoT connectivity, two different standards have emerged under release 13 of 3GPP – CAT-M1 and NB-IoT.

Read more

IoT and home automation: What does the future hold?

Posted on: June 10, 2020

Once a dream, home automation using iot is slowly but steadily becoming a part of daily lives around the world. In fact, it is believed that the global market for smart home automation will reach $40 billion by 2020.

Read more

5 challenges still facing the Internet of Things

Posted on: June 3, 2020

The Internet of Things (IoT) has quickly become a huge part of how people live, communicate and do business. All around the world, web-enabled devices are turning our world into a more switched-on place to live.

Read more

What is IoT?

Posted on: July 7, 2019

What is IoT Data as a new oil IoT connectivity What is IoT video So what’s IoT? The phrase ‘Internet of Things’ (IoT) is officially everywhere. It constantly shows up in my Google news feed, the weekend tech supplements are waxing lyrical about it and the volume of marketing emails I receive advertising ‘smart, connected

Read more