Workers bringing Internet of Things (IoT) devices to work could add to future enterprise vulnerabilities, a new report says.
RAND Corporation’s latest study on cybersecurity, which was sponsored by Juniper Networks, delves into how a growing number of connected devices will add to an enterprise’s “attack surface.”
The researchers say that the device protocols IoT relies on probably won't have gone through the same vulnerability testing that traditional software does.
That, coupled with the lean start-up mentality of many IoT developers, will produce devices where security is an afterthought. Devices will be functional, but "riddled with security vulnerabilities," the report reckons.
Patching vulnerabilities as they are found is less expensive up front than building a secure product from the outset, so patch-on-patch is the route many IoT device makers will take, the experts compiling the report indicate.
It's not as good a methodology as security from the get-go.
The patching mind-set creates problems of its own: consumers may well not understand that their IoT devices need patching on a regular basis.
“Will consumers understand that a refrigerator with a 20-year lifetime also needs 20 years’ worth of software patches?” is one question that the analysts pose.
Adding "Internet functionality to items that previously had no connectivity features, or that are not considered 'traditional' Internet devices, creates risks," they say.
This is in part because the vendors making and selling the IoT gear might not be aware that their equipment could compromise the network it's attached to. If they are aware, it may be only vaguely, and not in a way they consider actionable.
Poorly implemented cryptography is one of the main ways the analysts expect IoT to cause problems; an attacker might be able to reset a device's keys, for example.
Likewise, Wi-Fi passwords leaking from devices such as network-enabled lightbulbs might be an issue. Security researchers have hacked lightbulbs in the past, RAND explains.
IoT security problems might be compounded by the limited processing power of IoT devices.
A desktop computer, say, has enough spare processing power to run encryption and authentication software. IoT devices may not have that luxury, which could make them easier to hijack.
“While not true for all classes of attack techniques, some that work on computers also work on IoT devices,” they note.
It doesn't end there. IT won't be able to inventory every machine on its network by polling its Internet-addressable devices, or even by tracing Ethernet cables.
The reason: piggybacking will become prevalent. That's where a device within radio range simply connects through a nearby "directly addressable device" instead of joining the network on its own.
That makes assessing the security state of each device hard: unlike a smartphone or PC, such a device never registers on the network with its own IP address.
So, where’s your secure perimeter if you don’t know what devices are accessing the network?
And what to do?
RAND says secure coding not being part of “the standard curriculum for computer science majors” is adding to the odds of future systems getting penetrated.
“These students are the next generation of people developing and creating the devices,” it says.
And a business's "first priority" being "functionality, not security" also increases the odds.
“Cybersecurity efforts must be based on the assumption that the bad guys are already in the network,” the new report says.
This article is published as part of the IDG Contributor Network.