IoT
2/10/2020
11:40 AM
6 Factors That Raise the Stakes for IoT Security

Developments that exacerbate the risk and complicate making Internet of Things devices more secure.


The enterprise is finally coming to realize just how risky Internet of Things (IoT) devices are to their security postures. Whether it comes from unencrypted communication with devices, hard-coded passwords, vulnerability-ridden unmanaged devices, or insecure configurations, a huge flaw always seems to be lurking around the corner with regard to IoT deployments.
 
It's only natural for new-ish technology. IoT is following a common progression in security maturation that's happened so many times in everything from Wi-Fi to Web apps.
 
However, as IoT progresses, a number of factors add a greater depth to the IoT problem. Some up the ante considerably by putting way more at risk -- either in consequence or cost -- when an IoT device is compromised. Other factors expand the risk surface by exacerbating already extant vulnerabilities in the IoT ecosystem.
 
Either way, read on for some of the most common factors that raise the stakes for IoT and make the problem more acute within the enterprise.

 

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Comments
DavidS950U01,
User Rank: Apprentice
3/2/2020 | 1:08:42 AM
Question about IoT and smart communities; government duty to regulate and protect.
The article names deployments that could be attacked, such as factories, hospitals or body-connected IoT devices, and facilities. I am curious about the negative potentials presented in the smart communities scenarios. What are the dangers? Paralysis of IoT-dependent traffic control and surveillance, for example? And if not paralysis, what about misdirection (a la Stuxnet)?

Next: it's nice that government regulations will roll out in 2020--but where? In this country? With the vaunted repeal of 1200 (and counting) "job-killing" regulations that were originally created to protect public health and safety, exactly which competent agency employees remain to do the regulating? (Think State Department, EPA, CDC, etc.) I think it prudent to write to our elected representatives and make the case for, let's say, following the European example.
lancop,
User Rank: Moderator
3/1/2020 | 12:38:10 PM
IoT Security will join Windows 7 as the latest additions to growing security vulnerabilities
You have brought up some excellent points in your article, and as I was just contemplating an Arduino-based IoT project my thoughts immediately turned directly to security concerns. An IoT device sitting right in the middle of several renewable energy generators and their live loads has the potential of becoming a very dangerous single point of failure should it get hacked by malicious threat actors. So, obviously my IoT technological considerations also have to include proactive security measures to shield the final product from 3rd party tampering.

The proliferation of IoT devices in all environments, both consumer & commercial, means that network administrators now have a whole new class of poorly managed, network-connected devices that also communicate to service provider servers that are in an unknown state of security preparedness. Service providers that will be creating & abandoning products on whatever timescales are necessary for them to remain profitable. Not a defensible battlefield where a CSO & Security Team have much of a chance against multiple, globalized attackers with the tactical advantage of needing only to suss out a single vulnerable device to gain a foothold inside the network.

Meanwhile, Microsoft recently abandoned millions & millions of Windows 7 devices that will no longer receive security patches despite the fact that they are still deployed & fully operational. Some are in ATM machines, some are in industrial control systems, many are in retail POS systems, small businesses and residences. Many simply cannot be in-place upgraded, and many are too important to be retired or replaced. And, for others, they simply cannot afford to buy all new computers & software and, perhaps, update legacy software and re-train their technical support staff. So, yet another massive security vulnerability that is brewing right under our noses but going largely unaddressed.

My takeaway from all of this is: information technology will forever be essentially insecure if connected to the internet. Billions of devices will be just a hack away from opening the city gates and letting the invading hordes pour in to wreak havoc & seize the treasure stored within. It is essentially an indefensible position on a low hill in a hotly contested forever war with ever more adversaries armed with ever better weaponry. And, always, the enterprise is just a click away from a major security breach...