Security news that informs and inspires
a network map

To Fix IoT Security, ‘We Need to Aim at the Security Have-Nots’

SAN FRANCISCO–On the long and ever-growing list of security priorities for enterprises and SMBs, IoT devices tend to fall somewhere near the bottom, something that attackers of all stripes have gladly taken advantage of for many years. But government and private sector experts alike are working to change that through regulatory efforts, advocacy, and technical solutions that they hope will raise the security bar and make it easier for organizations to manage and secure IoT devices.

IoT security often is framed as a consumer issue, tied to devices such as home routers, smart appliances, connected light bulbs and all manner of other devices that mostly have no business being on the public Internet. But there are billions of IoT devices sitting on enterprise networks, as well, and many of them have publicly known vulnerabilities in them, a situation that most security teams IT administrators understand, but often don’t have the time or resources to address. And in many cases, even if a team does have the resources to update or patch IoT devices, it may not be possible.

“These devices are mostly uninspectable, not just by the user but also by the IT admins. Even if they want to hire the right folks to update them, they can’t inspect everything. Those devices are incredibly unmanageable and vulnerable. They’re not built to even remotely the level of security resilience that you see even on a general purpose consumer computer,” Window Snyder, founder and CEO of Thistle Technologies, and a former Apple and Microsoft security leader, said during a panel discussion on IoT security at the RSA Conference here Tuesday.

“We need to develop the kind of confidence in the update process for these devices that we have for things like our phones. The updates for phones are very reliable and we don’t even think about installing them now. We need that kind of reliability. The degree of management that we expect for the enterprise.”

Cybercrime groups, APT teams, and even lone operators have been making a meal out of IoT devices for more than a decade now and have met very little in the way of resistance. IoT devices typically are built for convenience and are meant to have relatively short lives. Security is usually an afterthought, if it’s considered at all, and for the most part, IoT devices run some form of embedded Linux. When a new vulnerability is disclosed in Linux or one of the libraries used in popular IoT devices, attackers have no trouble finding vulnerable targets to go after. Patching those bugs is no simple task in most cases, thanks to often opaque update processes. For example, the small routers used in many SMBs and homes are favorite targets for attackers because updating them is difficult and a failed update can render the device unusable, so they stay vulnerable for long periods of time, if not indefinitely.

“I look at those routers as the first real IoT devices. They’re kind of the canary in the coal mine. The incentives of the person who owns the router are different from the attacker who might think about how to use that router. A small business owner might think, I don’t have anything to steal, why should I update this? They don’t think it’s a security risk, so the incentives aren’t there for them,” said Chris Wysopal, CTO of Veracode and a longtime security researcher.

Aside from the difficulty of patching, another major component of the IoT security challenge is the short shelf life of many devices. Once a device reaches end of life and the manufacturer stops supporting it and providing security updates, owners often have no real options for addressing any security or usability issues. That obsolescence is a feature, not a bug, for the manufacturers. But for owners, it can be a security nightmare.

"“We need to aim at the true security have-nots.”

“There needs to be a conversation between the government and manufacturers about end of life and updates,” said Allan Friedman, a senior advisor and strategist at the Cybersecurity and Infrastructure Security Agency. “We need to aim at the true security have-nots.”

Finding a way to allow device owners to have some measure of control and manageability of their IoT devices has proven to be a difficult task. Several states have enacted right-to-repair laws that enable device owners to modify or fix their devices, but those are the exception rather than the rule.

“I’d like to find a way to create a graceful default for end of life devices so things go into the public domain after a manufacturer stops supporting it or goes out of business. Right now, how do we know if we’re allowed to work on devices? If the company is gone, there needs to be a way to do this,” said Tarah Wheeler, CEO of Red Queen Dynamics and veteran security technologist.

“Having a de facto graceful exit for people who want to work on those things is important.”

The federal government has made some efforts to address IoT security, but it’s still early days for that.

“Too much of our software, including critical software, is shipped with significant vulnerabilities that our adversaries exploit,” the Biden administration said after releasing an executive order on security in 2021. “This is a long-standing, well-known problem, but for too long we have kicked the can down the road. We need to use the purchasing power of the Federal Government to drive the market to build security into all software from the ground up."

A new non-profit called the Secure Resilient Future Foundation is launching this week in an effort to help address the IoT security problems through advocacy and collaboration with the government and industry. Wysopal and Wheeler are both part of the effort, as is Paul Roberts, a longtime security journalist and right-to-repair advocate.