April Round Up of News that Proves Trust Is The Point
IoT security issues are becoming more and more common. Every new survey seems to reveal that consumers are wary about the connected devices they bring into their homes.
Is it any wonder when they read about privacy leaks and systems open to hacking on every front?
Samsung is the latest big brand shown to be vulnerable to attacks. Researchers at the University of Michigan reported how malicious apps downloaded from the SmartThings store can wreak havoc simply because they are granted more permissions than are needed. With blanket permission, an app can link to other apps and functionality; in some cases it can manipulate smart locks, change passwords and set off alarms.
“Researchers demonstrated their discovery through an app that monitors the battery life of a variety of Samsung SmartThings products. After installing and granting the malicious but normal looking app permissions on the smartphone, it not only monitors battery but also has the ability to manipulate the lock's functionality. It does this by automatically sending out an SMS to the app's developer each time the user reprograms the smart lock's pin code.”
Most users skip through the permissions portion of the download too quickly. They trust the developer is only asking for the required access. The researchers found that of the 499 apps used in the study, 42% asked for more permission than was needed.
Samsung has responded by saying they have updated their developer guidelines.
The attention IoT security issues have garnered in the last year is beginning to have an impact on IoT developers. Evans Data Corporation released the results of their survey of 500 IoT developers, which found that 31% recognized the security threats posed by IoT software.
While 87% of the survey respondents reported that security is important to their organization, the devil is in the details as to whether they feel security is somewhat or extremely important.
Another survey, performed by Spiceworks with 440 IT professionals, revealed that there is plenty of concern about allowing IoT devices into the workplace.
“Respondents' leading concerns were entry points into the network (84 percent), insufficient security measures implemented by IoT manufacturers (70 percent), default passwords (68 percent), and lack of IoT standards (66 percent).”
Despite the concerns, the professionals surveyed admitted that their organizations are slow to react when it comes to security. 39% are allowing the devices of concern to be connected to their corporate networks while few are investing in security tools or systems, citing a lack of budget, staff or time to implement measures.
If 31% of the developers recognize the security issues with IoT software, that means the majority still do not recognize the threat.
In a recent interview with SearchCIO, Stuart Madnick, the John Norris Maguire Professor of Information Technologies at the MIT Sloan School and director of the MIT Interdisciplinary Consortium for Improving Critical Infrastructure Cybersecurity, (IC)3, explains the challenges IoT developers face and why they are not focusing on security.
He points to the fact that IoT devices are still new in the marketplace and developers face a huge challenge in making the devices work and be relevant to the consumer. They are not even in a position to recognize potential security issues. As a result, security becomes an afterthought in the development process. Even if an issue is discovered before a device is released, the months of rework required mean companies have to choose between impossibly costly delays or releasing a product and hoping to find a solution after the fact.
Maybe a certification program can solve some problems. Underwriters Laboratories, which is better known for testing consumer devices, wants to play a role in testing the security of internet-connected devices. The organization will use the Cybersecurity National Action Plan that was launched by the White House in February.
Cyber security experts are skeptical that the organization will be able to adequately test devices. “There's so much in the software it's impossible to certify every little component of it,” said Errata Security president Robert Graham. “It's like you're trying to certify an aircraft carrier by only looking at the outside shell of the boat.”
More Work Needed
When it comes to IoT security, many components need improving. Consumers need to be educated about the role they play in demanding better security. More developers need to recognize that security threats will also delay the spread of IoT devices. Organizations must invest in systems to protect their infrastructure.