This weekend saw many new headlines in the mainstream press about the recent botnet attack, adding to the fear and lack of consumer trust in IoT devices. Headlines included:
- “Do you want your shower to help Russian hackers?”
- “IoT-enabled botnet launches record 1.5Tbps DDoS attack!”
Just why are IoT devices so vulnerable, and who is going to help fix the issues? Or is IoT really the new wild west?
Hijacking Internet Connected Devices
The botnet attack occurred because hackers were able to hijack a vast number of internet-connected devices (such as IoT Wi-Fi routers and home cameras), which they then used to throw vast amounts of junk traffic at DNS services operated by US company Dyn. With the DNS service down, hundreds of very popular websites were inaccessible, including Netflix, Twitter, GitHub and Airbnb, among others.
Why were IoT devices used in such an attack?
The reason is simple: most of the devices have very limited security measures, which meant the hackers could easily place their malware on them. A recent survey by HP found that over 70 percent of the IoT devices and sensors examined were susceptible to one or more of the vulnerabilities in the OWASP Internet of Things Top 10. Over the last few years there have been many examples of security flaws in IoT devices, such as the very public example of Osram Lightify smart bulbs, which security experts found could enable hackers to breach home Wi-Fi networks. Nine flaws in the Home and Pro versions of Osram Lightify could let attackers gain access to a home Wi-Fi network and activate the lights. Connected devices create an increased level of intrusion in our lives, generating new types and unprecedented quantities of data, which further raises the importance of quality and security in such products.
Who is at Fault for IoT Security Vulnerabilities?
Consumer trust in IoT is already low, but who is going to start to address the issues? Is it the responsibility of the consumer who owns the device to ensure it has the latest security patches? Is it the networks that allow the attacks to occur and could block the traffic? Is it the manufacturers who produce the products, and should they be made to maintain updates for a period?
The problem with IoT is that consumers won’t fix it, as they demand cheap products, and manufacturers are meeting this demand by creating simple products, sometimes on a shoestring. The only real answer has to be increased regulation, but there is currently a myriad of competing standards all fighting for top spot. Whilst the industry waits for governments and IoT consortiums to start the regulation process, it has to be up to the IoT providers to ensure the quality and security of their products.
They must ensure that products pass through a rigorous QA process and are verified against the latest security standards. There must also be consideration for ongoing maintenance of the products, ensuring they are regularly updated depending on their criticality. Unless these issues are addressed, the only winners in the IoT wild west will be the hackers.
The T&VS IoT lab and certification process helps companies to ensure their products conform to the latest industry standards and QA and security testing best practices.
For more information see: T&VS IoT lab and certification
Find out more at the 52nd Test Management Forum
Mike Bartley, CEO and Founder of T&VS, will expand on this discussion at the 52nd Test Management Forum, taking place in London on Wednesday 26 October 2016. Join us there.
Abstract of talk:
The Internet of Things (IoT, aka M2M) refers to an expanding network of interconnected internet-enabled devices. In the future everything will be connected; the current thinking is that only 2% of items in the world are connected and there is still 98% to go! Estimates suggest that by 2020 there will be in the region of 50bn IoT devices, all talking with one another on a constant basis.
If you are a manufacturer, solution builder, or service provider, then how will you ensure that your solution works? Will it stay connected to the different access points? IoT is going to drive the importance of interoperability between different markets/sectors and technologies. Customers today vote with their feet and are not loyal to poorly performing products. How will you test your product with varying network conditions? How will your device work in the wild?
In this talk we will discuss what is required of an “IoT device testing lab”, e.g. conformance to all the standard protocols, connection with the standard network providers, some basic security testing?
We will also discuss whether we should consider an “IoT Kitemark” to provide some level of assurance.