In my last post about IoT security, we discussed how lax consumer attitudes about securing devices and wearables could be a contributing factor to their insecurity. In this post, we will examine another angle: securing IoT devices on the application level. This time we'll go straight to the source and look at what enterprise users think and do to secure their use of IoT.
While a recent survey by the Ponemon Institute shows that enterprises are definitely concerned about the security of IoT applications, the complexity and lack of oversight is creating barriers which make them more difficult to secure.
We already know that device firmware can be very basic in terms of its user interface, which limits end users' ability to opt for more security, change passwords, or update the firmware on their own. But IoT devices used by businesses require much more planning and oversight, including secure development, quality assurance, testing, and application level security controls that can be updated over time as threats evolve.
Is Security of IoT Apps a Priority for Enterprises?
Many organizations already use apps in their day-to-day operations, and some of those apps are built for IoT devices operated by the organization. Since it is part of their infrastructure, do organizations worry about an attack against IoT apps that are used in the workplace? It seems they do, but they also appear to have a more difficult time securing IoT apps or mobilizing to address the potential threat.
A new report from Ponemon Institute, IBM Security and Arxan found that 59 percent of companies using IoT devices are concerned about getting hacked through an IoT app, and 75 percent say the use of IoT apps increases security risks very significantly or significantly. Yet, despite the concern, organizations are not taking action against the threat. 44 percent of respondents knew their organization was not doing anything to address IoT app security, and 11 percent were unsure about any action being taken by theirs.
This may seem careless at first sight, especially knowing that IoT attacks are increasing, but it can be based on the uncertainty of organizations as to whether or not they have actually experienced any security incidents due to insecure IoT apps. Only 44 percent of organizations in the survey believed they did experience such an incident in the past, the rest were less sure.
On top of the lack of certainty, it appears that those who should be responsible for IoT app security are not always in the security function, but rather in other lines of business – application development and head of product engineering were some of the roles mentioned. Only 5 percent of survey respondents in the study said the CISO is primarily responsible for IoT app security. These factors can easily make decision makers allocate budgets to the more burning security needs of the organization, completely missing the mark on more serious threats that weaken the organization's security posture.
IoT Apps Perceived as Harder to Secure
Another issue keeping IoT apps in the darker ages of information security is a perceived difficulty in securing them. 84 percent of organizations surveyed by Ponemon indicated that IoT apps were harder to secure than mobile apps, mostly because user convenience is often prioritized over security. Over half of the respondents indicated a lack of quality assurance and testing procedures for IoT apps. To that effect, almost half of our study respondents said testing of IoT apps does not occur in their organization while an average of 38 percent of IoT apps tested contained significant vulnerabilities. This would hardly ever happen when it comes to applications running on PCs or mobile apps used by businesses today.
Is IoT Just Suffering Growing Pains?
Given the relative novelty of the IoT compared to other apps and devices, one might think that the insecurity of IoT apps can be a temporary growing pain, and that gradually, awareness and real world attacks will create a stronger drive to secure IoT apps. But must we, as a security community, always learn from painful experiences even though we already know the result?
Look back about a decade ago and you will recall mobile devices were considered harder to secure, and in many cases, insecure mobile apps are still running on insecure operating systems to this very day. In late 2015, University of Cambridge researchers even put some hard numbers to Android's security status and concluded that "on average 87.7% of Android devices are exposed to at least one of 11 known critical vulnerabilities."
Given this precedent of security lagging behind in the introduction of new technologies, can we expect IoT apps to be more secure at this point even if they're at an earlier stage in their ‘life'? I would argue that we can. And lest we forget, vulnerable and exploitable assets are exactly what attackers will look for in the reconnaissance phase of a looming attack.
There are secure app guidelines that do not need to increase the investment of resources, but still make a difference for any organization creating and using IoT apps for the business:
- Follow guidance for secure coding from organizations like OWASP
- Don't rush to release – the stakes are too high
- Patch on time and make sure over the air (OTA) updates are extended into the supply chain for both software and equipment of IoT devices
- No hardcoded credentials allowed – static secrets never remain secret
- Set up strong default configurations and set security as the default option
- Pen test your IoT apps when you commission other testing projects in the organization
- Manage the data the apps emit; and secure it as well!
By learning lessons from the security of applications and devices that we have known for decades now, we can avoid repeating the same mistakes with the security of IoT apps much earlier on in the game.