This blog post has been reproduced by kind permission of Tara Seals and originally appeared here on Infosecurity Magazine.
It references an independent survey from IOActive which illustrates widely held concerns on the lack of a security first approach (an IoTSF axiom).
Nearly half (47%) of all respondents in the IOActive Internet of Things Security Survey distrust the security in IoT devices.
The consensus for that half was that less than 10% of all IoT products on the market are designed with adequate security. A staggering 85% believe that fewer than half of IoT products are secure.
Obviously, if true, this state of affairs can have far-ranging consequences as these devices connect to networks.
“While the IoT era of products brings innumerable advances and modern conveniences to the lives of consumers, the connected nature of these products creates unintentional ports to other sensitive and critical systems, data and devices,” the report noted. “When security is insufficient in even seemingly harmless household appliances, wearables or other IoT products, it presents endemic vulnerabilities and risks.”
The backhanded good news in this is that IoT isn’t the least trusted product category—a full 63% of respondents felt that IoT security is actually better than the security in software, computing hardware and medical devices.
“Consensus is that more needs to be done to improve the security of all products, but the exponential rate at which IoT products are coming to market, compounded by the expansive risk network created by their often open connectivity, makes IoT security a particular concern and priority,” said Jennifer Steffens, CEO at IOActive.
And indeed, Ericsson’s latest Mobility Report shows that IoT connections will overtake phone subscriptions by 2018. And, overall mobile connections will number 27.5 billion by 2021, with the IoT accounting for 15.7 billion of that total.
The additional tens of billions of devices are expected to include connectivity to the Internet and to each other, with sensors installed on everything from home thermostats and fridges to wind turbines, self-driving cars and even cattle and wheat fields.
“It’s important for the companies that develop these products to ensure security is built in; otherwise hackers are provided with opportunities to break into not only the products, but potentially other systems and devices they’re connected to,” Steffens said.
The survey showed that 72% of respondents believe that security not being adequately designed into products is the single biggest challenge facing IoT security. A majority of the security professionals surveyed also felt that uneducated users and user error (63%) and data privacy (59%) were challenges to IoT security.
Steffens added, “Companies often rush development to get products to market in order to gain competitive edge, and then try to engineer security in after the fact. This ultimately drives up costs and creates more risk than including security at the start of the development lifecycle.”
As remedies to these challenges, respondents looked to minimum security standards and enforcing mandatory product recalls, updates, or injunctions as the two most effective means for improving IoT product security. Additionally, 83% believe that public disclosure of vulnerabilities on its own is not enough, and that some form of regulatory action would be more effective.
If you agree with the survey findings and want to help make a change for the common good, you may wish to help IoTSF Working Group 1 establish a self-certification programme.
See here for more on IoTSF working groups.