Survey: 85 percent of senior security pros say more than half of IoT products are not secure
In a new survey, 83 percent of senior security pros said that public disclosure of IoT vulnerabilities, in and of itself, is not a significant enough step toward improving IoT product security.
It's not exactly a shock that experts still regard the Internet of Things (IoT) as a potential security minefield. However, the overwhelming proportion of executives who continue to distrust IoT as a secure technology does ring some alarm bells, based on the results of a new survey from research-oriented security service firm IOActive.
In IOActive's recently released IoT Security Survey, 85 percent of senior security professionals believe that less than half of IoT products presently on the market are secure, while 47 percent believe less than 10 percent are safe.
On the other hand, what's even more unusual is that 63 percent of respondents indicated that non-IoT product categories – including hardware, mobile technology, software and medical vehicles – is in even worse shape than IoT, suggesting that security practices across the board are highly inadequate.
Asked to cite the primary challenges facing proper IoT device security, 72 percent of respondents said the biggest impediment was a failure to bake security mechanisms into the device itself. “Things like not using encryption to transmit data from one device to another. We see that on a regular basis,” Daniel Miessler, director of advisory services at IOActive, said in an interview with SCMagazine.com. Or “having different security requirements for mobile applications vs. web applications.”
Weak cloud security, whereby credentials are susceptible to a brute-force attack, is another common problem, he added.
These are very fundamental mistakes that companies are making. That's the type of stuff want to see [fixes] built in if we want to see any kind of improvement,” said Miessler.
The next most commonly cited challenges to IoT security were uneducated users and user error (63 percent), and data privacy (59 percent).
The majority of survey-takers, 83 percent, also agreed that public disclosure of IoT vulnerabilities, in and of itself, is not a significant enough step toward improving IoT product security, and that some form of regulatory action would be more effective. Setting minimum security compliance standards and issuing mandatory product recalls, updates and injunctions were the top two suggestions for measurably improving IoT security.
“We're already seeing a top-down regulation approach where at some point the government is going to go after or in some way sanction companies who don't put what is deemed to be minimum security into their products,” hopefully inspiring consumers to feel more confident, said Miessler. At the same time, Miessler believes consumer confidence and demand will also grow as an increasing number of IoT manufacturers take the necessarily steps to market their products as safe and secure.