IoT security: Where do we go from here?

IoT security fears continue to grow. Tackling the problem will be a challenge for the whole tech industry, not just for the people who buy the devices.

When discussing the problem of Internet of Things security, some are quick to place the blame on the users.

Consumers, they say, don't know enough about the connected devices they're installing in their homes and workplaces; they don't understand that these need updating like computers and smartphones, and forget that the kettle or fridge is online and needs to receive patches and updates just like any other gadget.

And it is true that governments around the world are attempting to tackle this challenge of consumer awareness around IoT security, increasingly directing campaigns and advice towards end users.

But the buck certainly doesn't stop with everyday IoT device users: device manufacturers, retailers and industry all have significant roles to play in securing the IoT -- and if they don't take responsibility, it could result in the internet becoming much more dangerous as attackers look to take advantage of insecure devices to commit cyber crimes ranging from DDoS attacks to cyber espionage.

Part of the IoT problem is that companies with little experience of producing connected devices are now keen to jump on the bandwagon. In many cases they're probably not thinking about cyber security as something they need to consider as part of the design process.


"For the people that create the machinery -- for example, a toothbrush -- they've been creating a toothbrush and have presumably been subject to safety and security measures for a toothbrush. But they've generally never thought about the IoT device as being connected to a global network and therefore having a global attack surface," says Olaf Kolkman, chief internet technology officer at the Internet Society, a non-profit striving for a more secure and trustworthy internet.

"Companies that were in traditional production of lightbulbs, toothbrushes, toasters, you name it, have suddenly become software companies -- but they don't have the years of expertise that, say, Apple or Google has."

Companies that produce these devices need to employ people with the relevant security skills to help build the products, but in a competitive cyber security industry in which established organisations can struggle to fill vacancies, this might not be a simple task.

It's not just organisations that produce connected devices that need to consider the security implications of using the IoT -- traditional manufacturers are increasingly using internet-connected products to help automate and monitor production lines.

But they also risk opening security holes if they add these devices to the network without securing them properly. IoT devices might bolster the efficiency of a production line, but an improperly configured device can give remote attackers an easy foothold on the network, and unless that production network is segmented from corporate and internet-facing systems, a foothold on one device can become a route into everything else. In an industrial environment, that could have grave consequences.

"Industry 4.0, connected factories, connected supply lines -- Willy Wonka's Chocolate Factory now has candy bar production on IoT, connected to the internet," says Kolkman, who fears that many organisations don't realise they're now ultimately part of the internet.

"The traditional chocolate producer that has been in business for years is now suddenly a network company and that comes with challenges. Even though we all know this, know that there are risks, we still get this wrong on a daily basis," he adds, citing shipping firm Maersk being taken offline, losing hundreds of millions of dollars and requiring an infrastructure overhaul as a result of the 2017 NotPetya attack, malware that presented as ransomware but was in practice a wiper.


Some have suggested that there should be a baseline set of security requirements that device manufacturers must meet before their products are allowed on the market.

"You need to have automatic updates. You need to have unique default passwords -- passwords need to be different," says Tony Gee, associate partner at Pen Test Partners, a penetration testing firm which regularly finds vulnerabilities in connected devices.

"Stored credentials need to be stored securely. But these devices don't have a lot of power, it's hard to put cryptography on them -- but you need to store those credentials securely."

Encouraging manufacturers to ship devices with strong usernames and passwords that are unique to each unit, rather than one factory default shared across a whole product line, is viewed by many in the security industry as key to improving IoT security. If attackers can no longer simply guess their way into devices with passwords such as 'password' or 'admin', or reuse one well-known default against every device of the same model, a large share of device hijacking is prevented.

"There are certain bad practices we want to eliminate and things we know are wrong. I have many complicated conversations with people about things like post-quantum cryptography, but staring us in the face is the obvious issue of default passwords," says David Rogers, CEO of IoT security consultancy Copper Horse and cyber security standards advisor to the UK government's Department for Culture, Media and Sport (DCMS).

"Why are people still shipping products with remote access available on completely insecure protocols? Why in 2018, is that still a problem, when we recognised it as a problem in the 90s?"

It's why DCMS recently issued a series of guidelines, its Secure by Design code of practice for consumer IoT, that place the removal of universal usernames and passwords at the top of their recommendations for securing the IoT.

"While it might be stating the obvious, we have to say it's unacceptable and we want to eliminate this issue," says Rogers.
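A concrete version of the provisioning model Gee and Rogers describe, written as an added example for this article (not code from Pen Test Partners, DCMS or any device vendor). It assumes a factory step that knows each unit's serial number and prints that unit's password on its label, and a device-side credential store that holds only a salt and a PBKDF2 hash; the denylist contents and the PBKDF2 iteration count are illustrative assumptions, not figures from the article:

```python
"""Unique per-device credentials, hashed at rest, plus a check for the
'universal password' anti-pattern. Added example for this article; not code
from Pen Test Partners, DCMS or any device vendor.

Assumptions (not from the article): a factory provisioning step that knows
each unit's serial number and prints that unit's password on its label, and a
device-side credential store that holds only a salt and a PBKDF2 hash.
"""
import hashlib
import hmac
import secrets
import string

# Guessable defaults named in the article plus a few obvious neighbours; a
# production denylist would be far longer (assumption).
WEAK_DEFAULTS = {"password", "admin", "1234", "12345", "123456"}
MIN_PASSWORD_LENGTH = 12

# PBKDF2 cost: low enough to be affordable on an MCU-class device (assumed
# budget), high enough to slow offline guessing if the flash image leaks.
PBKDF2_ITERATIONS = 10_000
PASSWORD_ALPHABET = string.ascii_letters + string.digits


def generate_device_password(length: int = 16) -> str:
    """Draw a fresh password from the OS CSPRNG; every unit gets its own."""
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


def is_weak_default(password: str) -> bool:
    """True for the kind of password an attacker would try first."""
    return password.strip().lower() in WEAK_DEFAULTS or len(password) < MIN_PASSWORD_LENGTH


def make_credential_record(serial: str, password: str) -> dict:
    """What the device stores: a random salt and a PBKDF2-HMAC-SHA256 hash,
    never the plaintext, so a dumped flash image does not hand over the login."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {
        "serial": serial,
        "salt": salt.hex(),
        "hash": digest.hex(),
        "iterations": PBKDF2_ITERATIONS,
    }


def verify_password(record: dict, attempt: str) -> bool:
    """Device-side login check; constant-time compare avoids a timing oracle."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


def provision_fleet(serials):
    """Factory side: one fresh password per serial. Returns the records the
    devices store and the plaintexts destined for each unit's label."""
    records, labels = [], {}
    for serial in serials:
        password = generate_device_password()
        if is_weak_default(password):
            # Cannot happen with 16 random characters, but the guard is cheap.
            raise ValueError(f"refusing weak password for {serial}")
        records.append(make_credential_record(serial, password))
        labels[serial] = password
    return records, labels


def has_universal_password(labels: dict) -> bool:
    """The anti-pattern DCMS puts at the top of its list: one password shared
    by every unit of a product line. Checked on the factory's plaintexts, since
    salted hashes deliberately cannot be compared across devices."""
    return len(set(labels.values())) < len(labels)


if __name__ == "__main__":
    records, labels = provision_fleet(["SN-0001", "SN-0002", "SN-0003"])
    assert not has_universal_password(labels)
    assert all(verify_password(r, labels[r["serial"]]) for r in records)
    assert not verify_password(records[0], "admin")
    print("provisioned", len(records), "units with distinct credentials")
```

The point to take from it is the split of responsibilities: the plaintext exists only at the factory and on the label, the device keeps a salted hash it can verify cheaply even with little processing power, and the uniqueness check has to run where the plaintexts are, because the salted hashes are designed so that they cannot be compared across units.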

But only a small share of the IoT devices already on the market follow this model. What happens to all the devices that have not only been found to be vulnerable but, in some cases, cannot be updated or patched at all?

Pen Test Partners' Gee suggests what IoT products need is a right of return -- the logic being that if you buy a household item which is faulty, you can return it. He argues that the same should apply to connected devices that are found to have damaging security vulnerabilities.

"You need a right to return. Because if a device becomes vulnerable, why should you not be able to return that? In the same way that if you bought a sofa that turned out not to be fireproof, you'd want to return it," he says.

"It should be the same with modern tech -- that's going to force manufacturers and retailers to be able to buy better products to sell to their customers."

But with so many of these devices entering the market, IoT security can't be treated as something to be put off and dealt with in future, so there is an increasing push to ensure that some sort of fix is available now.

If organisations can't be stopped from shipping insecure products, then there need to be incentives for producing devices with built-in security. One such incentive would be retailers refusing to stock products that are known to be insecure.

"Most people still buy with well-known retailers; with a shop that they know. If you can get those retailers to take care of what products they ship, that could make a difference. That could help contribute to a better environment," says Kolkman.


Getting industry and retailers on board could help improve the state of IoT security, but ultimately the buck stops with the product manufacturers themselves.

The limited processing power, memory and storage of some devices does make it harder to download, verify and install updates, and some manufacturers still choose not to patch products at all rather than take on the difficult work of fixing them. An update mechanism also has to be designed in from the start: a device that fetches and installs firmware without verifying where it came from turns the update channel into another way in.

But at one point mobile phones lacked any means of receiving updates, and now updating an Android phone or iPhone is as routine as updating a PC. Those patches reach users because manufacturers have realised how important security is: a secure device is much better for business than an insecure one that nobody wants.

"The mobile industry has already been through this and they're coming out the other side. It's largely accepted that if you do maintain software, if you do keep on top of potential vulnerabilities, then you benefit in the long term," says Rogers.

Securing the IoT is a daunting prospect, but Rogers thinks it can be done. "It is difficult, but it is doable," he says.
