If you’re wondering why most security flaws affecting IoT products lack complexity and are easy to exploit, a recent survey may offer an answer. At least with some manufacturers, the problem is not indifference to the matter, but that they look at it the wrong way.
The study by The Security Ledger and LogMeIn shows that security in a connected product ranks second in importance on participants’ list of priorities. This contrasts with the current state of insecurity in IoT products. However, it also offers an explanation for the paradox: makers seem to worry about risks coming from a sophisticated threat actor, instead of the less-skilled attacker who does the most damage. Basically, they are trying to address a matter that is not urgent and will likely continue to exist despite their efforts to eliminate it.
According to the report, attacks that are common and easy to carry out do not receive the attention they deserve when building a connected device. Respondents were relatively unconcerned with problems like account hijacking, backdoor accounts, configuration weaknesses, lack of brute-force protection, vulnerabilities in mobile apps or lack of encrypted communication; hackers are drawn by exactly these weaknesses because they are widespread and easy to exploit.
Conversely, compromise through malicious software updates was seen as a more pressing problem, although this type of attack is unconventional for ordinary cybercriminals who run routine operations to infect smart devices. Another reason they avoid this method, at least for the moment, is that it requires stronger technical skills and more effort.
When designing and implementing security in their products, “makers, at least those represented by our survey population, may be overlooking a host of problems and threats that they are in a position to address, and that would make a meaningful impact on the security and integrity of deployed devices,” the study reads.
The conclusion is based on answers from 400 professionals in companies experienced in delivering and maintaining a connected device on the market, or currently developing such a product. Participants included executives, product architects, managers and designers at firms in North America, of which 22% were in the consumer electronics industry. Employees from companies making smart home products accounted for 13% of the respondents.
Manufacturers could improve security in their smart products, better protecting their businesses, by implementing code that passes certain standards. Automated verification may reveal software flaws and bugs that could be addressed earlier in the development stage and reduce the attack surface on the device. A solid update mechanism that can deliver new firmware versions securely and automatically is a complementary feature that should make a difference for consumers when choosing one connected device over another.
Image credit: Sacha Chua