A recent study found approximately 28 percent of Internet of Thing (IoT) device designers indicated that the products they are designing are capable of causing injury or death in the event of a malfunction yet security standards are still extremely low.
Furthermore, of those products, the respondents anticipated that nearly half will be always or sometimes connected to the Internet which opens them up to potentially being manipulated by threat actors, according to the study Barr Group consultancy.
The study surveyed more than 1,700 qualified respondents and found that quarter of the designers of internet-connected products that could be dangerous do not have security as a design requirement. Of the products that the designers are working on, 19 percent follow no coding standards, 36 percent use not static analysis tools, and 42 percent conduct only occasional code reviews or none at all.
“When safety-critical devices come online, it is imperative that the devices are not only safe but also secure,” Barr Group CTO Michael Barr said in a press release. “Considering the many security concerns that currently exist in the IoT, any connected device that has not been designed with security in mind is at risk for tampering, and the results for safety-critical devices can be catastrophic
Connected devices such as medical devices and other critical systems that are connected to the internet pose the most serious threats, and researchers found that 22 percent of embedded systems engineers working on safety-critical products that would be deployed online said security was not even on their requirements list.
“Designers are taking a sluggish approach to securing these devices because at the end of the day, consumers don't care about it,” Vera CEO and co-founder Ajay Arora told SC Media. “Once it becomes a differentiating factor in consumer buys, then they will start taking security more seriously. Security is often viewed as expensive and a slow down to the overall manufacturing of the product.”
“Any devices that can record video, audio, or capture information via an interface, like a keyboard, are most vulnerable today,” Arora said. “Also, devices that are extremely cheap to manufacture and have low margin are pose a big risk. If they are in a highly competitive market, the race to market is often the reason flaws are overlooked.”