Today’s columnist, Matt Wyckhouse of Finite State, says to lock down IoT devices, manufacturers have to build security in from the start. infomatique CreativeCommons CC BY-SA 2.0

Embedded, internet-connected devices control the most critical infrastructure on the planet. And their importance will grow with an estimated 55.7 billion IoT devices expected to hit the market globally by 2025.

Yet security spending doesn’t match the tremendous impact of these devices. A recent Microsoft Security Signals survey found that just 29% of companies have any budget allocated to protect firmware at all.

Threat actors have noticed. The Security Signals research said that attacks on firmware increased five-fold in four years. As a vector, consider this low-hanging fruit. For end-users, especially organizations that purchase dozens or hundreds of devices, the cost and difficulty of patching embedded devices has led to a new caution. Manufacturers have experienced slower deal cycles and more demands for security reviews.

To meet the demands of this emerging world, device makers need a new approach for IoT and embedded device security. Too often, they attempt to use legacy tools that were designed to secure web applications. But these AppSec tools are wholly incompatible with connected device firmware, leaving manufacturers scrambling for a solution.

Why devices need different security

Applications and devices are different, and that drives new security needs. The nature of this difference is pretty simple. Applications are singular programs. Devices are built around firmware that contains hundreds of programs along with hundreds or thousands of configuration files and settings. It relies on a technology stack (including hardware, bootloaders, OS components, and drivers) delivered through a complex and often opaque supply chain. When analyzing devices for security vulnerabilities, security pros can draw from similar processes to those found in AppSec, but rather than analyzing source code they must analyze the binary code that makes up device firmware.

Software coding vulnerabilities in device firmware are not the only security issues that device manufacturers need to worry about. The most common security issues that we see are the result of misconfigurations. That includes insecure configuration settings for the operating system, boot sequence, peripheral firmware, network services, third-party software, and configurations on the end-users’ side. Configuration issues can lead to serious consequences. For example, shipping a product with hardcoded service account credentials can lead to reputational damage or fines because of regulations. These settings usually live inside configuration files or third-party binaries, which are often overlooked.

How device manufacturers can stem the tide

To analyze this more complex ecosystem, security teams need tools and processes built specifically for device firmware. In other words, the tooling must analyze an entire system of programs and their configurations.

Manufacturers should focus on identifying the risks within their devices using ground truth data. This includes generating a Software Bill of Materials for their products – a comprehensive list of all components, firmware, operating systems, versions, and everything else found on their devices. Additionally, they should search for any embedded user accounts, hard-coded cryptographic keys, and misconfigured services that make it easier for malicious actors to compromise these devices.

Manufacturers should learn from the AppSec lesson of “shifting left” in their security process—the process of testing and mitigating vulnerabilities early in the development cycle to avoid costly fixes after deployment. Finally, they should work with their customers to ensure that their products are configured properly. While it’s difficult to do this at scale, automated tools have recently emerged to dramatically reduce corporate investments in robust product security.

Security as differentiator

We’re seeing large purchasers – namely government, critical infrastructure, and large enterprises – consider security as part of their purchasing decisions. Deals are slowing, sales cycles are getting longer, and that’s putting pressure on manufacturers.

Some companies are demanding the right to conduct independent security checks of the devices and any corresponding security updates. They also want communications channels to alert their findings. As large purchasers flex their muscle, there’s hope that security benefits could trickle down to consumer devices.

Security isn’t a one-sided concern. Device manufacturers that I’ve encountered have good intentions when it comes to security. They recognize that security issues present a threat to their business. Beyond that, they genuinely care. But they often don’t know where to look when it comes to finding security solutions that meet their needs. Legacy application security tools are ubiquitous, but they aren’t suitable for the job.

The security needs of IoT devices are complex and current approaches don’t work. Device manufacturers and their customers need to radically rethink the way security gets built into the device because the best way to secure 55.7 billion devices is to build them securely from the start.

Matt Wyckhouse, CEO, Finite State