Sam Stelfox

IoT vulnerabilities in the wild: the good, the bad, and the ugly

It shouldn't be news to anyone now that there are a lot of poorly secured IoT devices out there. Every week, there is a new article about devices being hacked, a new malware strain, and an endless stream of security updates for devices where end users are never notified.


A lot of these brand new devices aren't actually that new. That shiny new WiFi-enabled security camera you got on sale for $30.00? It's using all the same parts and code as a webcam with a network connection tacked on, wrapped in a new name and package. Its code was always vulnerable, but now it's online, which means its vulnerabilities now matter a lot more.

I'd like to let you in on a little fact. There aren't that many security researchers in the world. It wouldn't surprise me if there were more devices put on the market in a year than the total number of professional security researchers. This disparity requires researchers to focus on a problem domain, and there are trends in what researchers are looking at.

With attackers starting to go after these small devices, security researchers have had to swivel their attention to match. As this attention ramps up in this rich field of generally poorly-secured devices, more and more vulnerabilities will be found and reported. This peak of vulnerability is especially hard because now it's hitting us in our homes.

The vulnerability reports from the security researchers now don't mean much unless the issues get patched by the manufacturer. A lot of companies out there simply don't provide updates at all, and if they do patch a vulnerability, it's likely only offered for the next device version that you have to purchase.

For the companies that do make their updates available, a lot of them require the device owner to manually check for and install the update. This is not a realistic recipe for success, given that a study by Google determined that 66% of non-security experts do not install updates immediately, but rather eventually or never. Plus, in all likelihood, the device owner is, more often than not, never informed that an update is available in the first place, even if they would go through the usually onerous process of a manual firmware update.

As attention on manufacturers grows, government regulations such as the EU's Cybersecurity Act are on the rise. Device manufacturers have been prioritizing these issues, and the landscape has been slowly improving on new devices. Their updates are becoming more common and automated. Companies are actually listening to the reports they receive and are starting to follow better development practices as well.

But this doesn't help with all the old devices that are still out there, or with the new devices made by manufacturers who aren't taking responsibility for the security of their products.

So, what do we do about these devices? We could just throw them out when a vulnerability is discovered, but we rely on these devices for entertainment, security, information, communication, and beyond. We are living in the digital age where these devices are built into our everyday lives, and we treat them as casual extensions of our capabilities. They are also working just fine for their intended purposes...

Eventually, we'll be past the IoT vulnerability peak, just as we've been past so many others. But with 2.9 billion global cyberattacks recorded on IoT in just the first half of 2019 and over 20 billion IoT devices predicted to be in use by 2020, there's a long way to go. During this time, we need extra protection and awareness for these vulnerable devices.
