What is the Problem with IoT Security?

Security guru Dan Geer notes that the cybersecurity industry came of age with the introduction of Windows 95 and its built-in TCP/IP stack. Suddenly every home computer was on the Internet in a world “where every sociopath is your next-door neighbor.” These home computers were poorly administered by amateurs. At that point, malware and cybercrime became the Internet’s fastest growing enterprise. Today, we are repeating that mistake with a global pandemic of compromised IoT devices. Specifically, the hockey stick growth maps of cyber-mayhem look unnervingly, similar to what we experienced 24 years ago with PCs.

Consumer-Grade Technology

To begin with, most IoT devices lack nearly all of the security features of a mature, robust, general-purpose home computer system. And that’s saying a lot, if you consider the “security features” of your average home computer. But IoT is even weaker. How weak? Well…

Most don’t have any automatic patching capability, much less a system to warn the operator of the need to patch. They use extremely poor authentication mechanisms—our IoT Security is dependent on a telnet password of 12345. They usually don’t have forensic capability and, in many cases, not even logging functions. If they do, logging is lightweight or easily compromised by an attacker. Manufacturers rarely provide “secure” modes of operation or hardening procedures to lock down features. In fact, most IoT devices rarely offer any precautions to their users about placing these devices on the Internet or that any dangers exist at all.

The Monoculture Problem

Nearly all IoT operating systems are derived from Linux, because of its portability, speed, and open, free license. A decade ago, Linux malware was very rare. With the growth of IoT and Android, Linux malware is rivaling Windows malware in prevalence. And like the old worries about Windows, we have a serious “monoculture” problem. In agriculture, a monoculture refers to a single species of crop or livestock that is vulnerable to a single disease that could wipe out the entire population in a single pandemic. In 2003, security pundit Bruce Schneier noted, “The basic problem with a monoculture is that it’s all vulnerable to the same attack.” A single IoT exploit or malware/thingbot is a weapon that can be used to attack thousands, if not millions, of IoT devices with a click of the mouse.

Lack of Security Tools

Since we just talked about the power and prevalence of IoT malware, we should mention that, if an attack were to strike, you don’t have much recourse except to reflash the software (assuming it’s possible and you can figure out how) or throw the device away. The anti-virus market for Linux-based systems, much less IoT devices, is not nearly as mature or sophisticated as the Windows market. Of course, anti-virus is highly unlikely to be installable on an IoT device. Because of the size and limited capability of these devices, there are no on-box security tools available for IoT devices. Those that are available mostly work off box, on the network to which the IoT device is connected, which provides significantly less visibility and control over the device itself.

Abundance of Long-lived, Unpatched Vulnerabilities

The average lifespan of a refrigerator is 17 years. Can you imagine how quickly a 17-year old operating system would be hacked when connected on the open Internet? IoT devices may or may not have more vulnerabilities than any other nascent platform. But as we said, these devices are rarely patched and poorly managed, but also ubiquitous and numerous.

Let’s look closer at the lifespan of an IoT vulnerability.