As a research team publishes its findings regarding the use of Internet of Things (IoT) based devices domestically, what is the status of the technology in terms of security?
Published last week, a study by researchers at Stanford – in collaboration with colleagues at cybersecurity firm, Avast – provides an insight into the growing use of IoT based devices in the home, together with the increased security risk that accompanies them. The report, titled ‘All Things Considered: An Analysis of IoT Devices on Home Networks’, is the first of its kind to gather IoT device-related data via empirical analysis. Findings will also be presented at the Usenix Security Conference in Santa Clara, California, later this year.
The involvement of Avast was instrumental in achieving this given its access to consumer device data. Avast Software is a Prague-based multinational cybersecurity software company. It researches and develops computer security software alongside machine learning and artificial intelligence (AI) based technology.
The data was collected via the company’s network scanner, Wi-Fi Inspector. User-initiated network scans led to the collection of data from 83 million devices found in 16 million homes worldwide.
IoT Device Adoption
40% of households globally now contain at least one IoT device. North America has the highest density of devices in this respect, with 66% of homes having at least one such device. It’s expected that there will be 30 billion connected devices in active deployment within less than three years, and of those, 18 billion will be purely IoT devices. With such an anticipated proliferation, device security is likely to be in the spotlight.
“40% of households globally now contain at least one IoT device”
IoT Device Manufacturers
There are many IoT device manufacturers globally yet in reality, a minority are responsible for the vast majority of IoT consumer devices. The report cites 94% of devices as being manufactured by 100 companies. 50% of such devices are manufactured by just 10 companies. According to the researchers, this relative concentration in terms of the manufacturing of the bulk of IoT devices provides the opportunity to ensure more robust security so long as those leading companies choose to implement it.
One of the key differences in the consideration of security with IoT devices as opposed to full-scale computing is the fact that such devices are low on computing power given their much smaller form factor. That presents a much greater challenge for IoT security professionals.
The report found that the use of legacy and obsolete protocols such as telnet and FTP (file transfer protocol) is widespread. This represents a particularly acute vulnerability from a device security perspective.
The industry has already had experience of such an attack. In 2016, the Mirai botnet attack emerged. The malware was designed to find target devices by scanning for open telnet ports on the internet. Default login and password information were then used to access home networked devices such as televisions and refrigerators.
With the malware installed on over 600,000 devices, the bad actors behind it used this army of networked home devices to carry out distributed denial of service (DDOS) attacks. At one point, internet became inaccessible across the east coast of the United States as a consequence.
Whilst measures have since been taken to deal with such an attack, open telnet ports are still a vulnerability. For the same rationale, FTP is a weakness. Its use is no longer advised – with VPN (virtual private network) forming a more secure alternative means of remote device access.
Consumer IoT in Europe
Device security varies geographically with nearly half in Eastern Europe having guessable passwords on TP-Link home routers by comparison with North America where that figure is just 17%.
Within Europe itself there are differences in terms of IoT device uptake and the nature of that usage. Over 53% of Western European homes have at least one IoT device whereas that figure is 25% when it comes to Eastern European homes. The proliferation of home automation devices is much slower globally. There is a 1% adoption rate of this technology in North America, Western Europe and Oceania with other regions trailing.
Interestingly, when it comes to surveillance based devices, Eastern Europe is ahead of the curve comparatively. With every additional IoT device added in an Eastern European home, the likelihood of a surveillance-based device forming part of that increases considerably. Homes with 10 IoT devices in the region are likely to account for most of them as surveillance devices.
IoT Challenges at Work & at Home
Stanford has long been a center of excellence when it comes to technology research and development. Last year, Stanford researchers developed a new method for waking up IoT sensors only when they’re needed in a bid to minimize the energy requirement with such devices.
Xu Zou, CEO and co-founder of IoT security startup, Zingbox is a Stanford alumnus. His company is working specifically on software for routers which detects abnormal behaviour. Earlier this month, Zingbox launched a solution which encompasses the discovery and security of IoT devices using AI and deep learning technology.
In discussion with 150sec, Zou said that there are a number of challenges for the industry to overcome in terms of securing IoT devices in both the home and enterprise setting. He explained that in an enterprise setting, it’s far more difficult as IoT devices are introduced to the work site by different teams. Facilities teams may bring in connected HVAC, smart lights or smart waste management systems. Physical security teams bring in surveillance cameras and smart fire alarm systems. Employees bring in their personal IoT such as Fitbit, Apple watch or game consoles to the work. All of that adds to the complexity and is much different to working in an environment where traditional IT devices (laptops, servers) have to be secured.
Zou identifies another challenge pertinent to both the home and work setting – the fact that the vast majority of existing cyber security tools don’t work when it comes to IoT devices.
“Use the traditional anti-virus software as an example, it is very difficult if impossible to install anti-virus (or any 3rd party security app) on those IoT devices. Those IoT devices are essentially connected to the enterprise without any security protection.”
As the technology is developed and rolled out, clearly the same process will be required with the complementary development of satisfactory security protocols, software and hardware to deal with the potential security threats as they’re anticipated or arise.
Industry Standards & Regulation
The Zingbox CEO suggested that it is encouraging that certain authorities are pushing hard for better IoT security – citing the work of the U.S. National Institute of Standards & Technology (NIST). In terms of legislation, the U.S. state of California is leading efforts to pass an IoT Security Bill (SB-327) which requires a basic level of IoT device security. In Europe, GDPR privacy regulation means that the IoT industry has to be mindful of data privacy relative to IoT devices.
“Overall, I think the IoT security market is evolving much faster than regulations. Both enterprise and consumers are actively looking for IoT security products to protect their device, data, privacy and business. It is a great time for innovation and disruption. New technologies like machine learning can potentially help secure IoT”.
This article features a partner of an ESPACIO portfolio company.