Industry executives and experts share their predictions for 2023. Read them in this 15th annual VMblog.com series exclusive.
With IoT Expected to Rise in 2023, Device Makers and Security Pros Must Learn to Work Together
By Dan Berte, Director, IoT Security at Bitdefender
By all accounts, the Internet of Things (IoT) market is as healthy as ever. The number of IoT devices in homes, factories, cars, hospitals and other sites is expected to explode in the coming years - from 13 billion in 2022 to an estimated 29 billion in 2029. 5G's faster speeds and higher reliability will propel the already high demand by making it easier for more IoT devices to connect to the Internet.
At the same time, concerns over IoT security are increasing year by year. As IoT's attack surface grows, cybercriminals are exploiting devices' inherent vulnerabilities in attempts to breach corporate networks or take control of popular consumer IoT devices. However, 94% of retailers agree that the benefits of implementing IoT outweigh the risk. How can organizations create an IoT strategy that doesn't sacrifice security posture?
These two trends are on a collision course heading into 2023. While IoT's growth contributes to the security problem, some industry watchers believe the increasing number of cyberattacks could hold IoT back from achieving its full potential. Is there a solution? If there is, it will require contributions from a number of stakeholders.
Device makers need to collaborate with the cybersecurity community and incorporate "secure by design" principles in their development processes. Regulators need to build on existing rules to provide better protections for IoT consumers. Buyers of IoT devices need to double down on security best practices. And cybersecurity professionals, ethical hackers and penetration testers need to step up their own efforts to root out vulnerabilities and offer tangible solutions.
Inherent vulnerabilities
So, why is IoT so vulnerable to attack? There are a number of reasons. One is the lack of security involving communications from device to device, such as camera to computer, smart-home devices to web browser, and more. Threat actors seize upon these vulnerabilities to snatch credit card numbers, passwords and other sensitive data. Another is that IoT device manufacturers don't tend to release timely updates to address new security risks. Without patches and bug fixes, consumers are wandering into a storm without an umbrella. A third reason is the prevalent use of insecure or outdated components that allow devices to be compromised.
This is just a short list. Other contributing factors include insufficient authentication, use of weak passwords, insufficient privacy protection, insecure network services and insecure default settings on devices that are shipped. The fact that IoT devices inside corporate networks often aren't certified or monitored regularly by IT departments makes them highly attractive to cybercriminals as a potential attack vector.
What device makers should do
Device makers should take significant steps forward by partnering with the cybersecurity pros who can quickly identify vulnerabilities in their product lines. Manufacturers can also take steps like offering bug bounty programs that pay sizeable rewards. Or, at the very least, create a dedicated page on their websites where third-party researchers can easily reach them to report issues they find. Most manufacturers offer only corporate support numbers that connect to general customer care reps who aren't trained in vulnerabilities and aren't incentivized to navigate a solution. Creating a direct contact channel saves manufacturers time, money and customer blowback.
Device makers should also adopt "Secure By Design" principles patterned after UK legislation passed in 2021. The principles are straightforward. One, inform customers at the point of sale how long a smart device will receive security updates. Two, stop selling devices with universal default passwords. Three, as stated above, provide a public point of contact for anyone - cyber professional or amateur - to report a vulnerability.
Cyber regulations
In 2020, U.S. and European governments passed a round of measures to strengthen regulations on IoT cybersecurity. The U.S.'s National Institute of Standards and Technology released the Foundational Cybersecurity Activities for IoT Device Manufacturers guidelines. The European Telecommunications Standards Institute released a technical specification guide for Cyber Security for the Consumer IoT marketplace. And the U.S. IoT Cybersecurity Improvement Act set down rules for government agencies' purchases of IoT gear.
But three years later, IoT regulation is still spotty and inconsistent, lacking a unified set of recommendations and specifications that can work on a global basis. Until regulators collaborate on a set of international IoT security standards, stakeholders will continue to grapple with high levels of security risk. Maybe that will begin to happen in 2023.
Ways to protect IoT
IoT users have a responsibility to protect themselves. To counter the inherently weak security that devices come with out of the box, businesses should use strong authentication methods, like two-factor authentication or biometrics. They should use encryption whenever possible to protect data in transit. And they should limit their purchases of devices to manufacturers who have a good track record of releasing timely updates.
Leveraging outside technologies and services can provide more protection for IoT. One set of modern solutions used increasingly to secure IoT implementations are those focusing on XDR, or Extended Detection and Response. The goal of XDR is to detect attacks across all environments (including IoT devices) and provide quick responses. Another acronym, MDR, covers services for Managed Detection and Response. MDR services unleash teams of outside experts to harden security systems, detect intrusions, create customized responses and report on incidents and performance.
Cyber consultants can play an important role working with manufacturers to plug gaps in their products' security systems. In one recent case, Bitdefender found critical vulnerabilities in EZVIZ wireless security cameras that many use to protect their homes. Researchers found that attackers were able to completely compromise the cameras, including accessing the video and audio feeds. Attackers were able to steal images, inject malicious code and recover stored passwords in an estimated 10 million devices. EZVIZ responded quickly to notify users to update their software with the available patches immediately.
With IoT playing a larger role in everyday life, it's becoming more important than ever to keep connected devices secure. Cybersecurity is a team sport. It's time for all stakeholders - users, manufacturers and governments - to get more proactive in 2023 to ensure that IoT's future is safe and sound.
ABOUT THE AUTHOR
Dan Berte is Director of IoT Security at Bitdefender. Bitdefender provides cybersecurity solutions with leading security efficacy, performance, and ease of use to enterprise organizations and consumers. Guided by a vision to be the world's most trusted cybersecurity solutions provider, Bitdefender is committed to defending organizations and individuals around the globe against cyberattacks to transform and improve their digital experience.