Skip to main content

Your submission was sent successfully! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates from Canonical and upcoming events where you can meet our team.Close

Thank you for contacting us. A member of our team will be in touch shortly. Close

  1. Blog
  2. Article

Thibaut Rouffineau
on 20 March 2017

Three flaws at the heart of IoT security


This blog has been syndicated from SCMagazine UK, contributed by Thibaut Rouffineau – head of devices marketing.

According to the latest estimates by Gartner, the total number of connected devices will reach 6.4 billion by the end of this year. From connected homes, to autonomous vehicles, to futuristic smartdust, the Internet of Things has finally moved beyond the realm of theoretical concept and into our day-to-day lives.

As the presence of IoT devices has become more apparent however, so too has its Achilles heel – security. In the last six months alone, we’ve seen some of the largest DDoS attacks in history, all of which have been achieved through a vast network of infiltrated IoT devices. Given the scale of these attacks, it’s important to understand exactly how the Internet of Things is being infiltrated, what the existing issues are within the IoT, and ultimately, how best to fix them.

With this in mind, here are three of the biggest flaws that currently sit at the very heart of IoT security, along with a few tips for how developers, retailers and even governments can come together to make the internet of things safer for everyone:

1. The IoT product lifespan is too short
Through the combination of low barriers to entry and the huge potential for future products and applications, the Internet of Things represents a very attractive market for the business community. The result has been an IoT gold rush, with many independent developers and existing device manufacturers jumping on the bandwagon in an attempt to get their share of this exciting new sector.
Unfortunately, every gold rush has its losers. With so many companies rushing into a relatively new space – where many of the business models remain untested – it seems only natural to expect a reasonable number of false-starts along the way.

According to estimates from Canonical, over two-thirds of new IoT ventures are doomed to fail, with many projects surviving no longer than 18 months. When these businesses ultimately fail, their various IoT devices are left without ongoing support and vital security updates. The result has been an entire ecosystem of outdated an ultimately unsecured IoT devices just waiting to be hacked.

2. Nobody has taken ownership of the IoT
Across the various production stages of the average IoT device, it’s not always clear who should be responsible for ensuring that an end product is kept secure. Disconnects between different companies involved in the production process mean that, in many cases, security is treated as “someone else’s problem”. This is not helped by the fact that security during the development and maintenance cycles is almost always seen as a cost centre, with different departments passing the buck further down the line rather than taking on responsibility and absorbing the additional costs.

The result of this mentality is potential security holes being left open at all stages of the design process, with physical vulnerabilities being built into hardware, undocumented backdoors being incorporated within the operating system, and a lack of updates opening further vulnerabilities at the application level. To address this, rather than pushing responsibility further down the chain, all stages of the design process must start to incorporate some consideration for the end security of a device.

3. Lack of standardisation in IoT updates
According to research from Canonical, 40 percent of consumers have never performed an update on their connected devices. Given this fact, and that most users simply don’t know how to update IoT devices themselves, security patches must be delivered automatically in a consistent and reliable way.

This is especially true for those devices that do not provide users with an external user interface – something that is becoming increasingly true across the Internet of Things. In addition to providing automatic, centrally-managed updates, IoT device manufacturers must also find ways to roll those updates back as and when required. In several instances, faulty software updates have led to IoT devices being made less secure. In these instances, centralised rollback mechanisms are vital to ensure the long-term security of an IoT device.

While all of these flaws sit at the very heart of IoT security, they are just the tip of a much larger iceberg.

As recent events have shown, the Internet of Things is suffering from numerous vulnerabilities and potential security threats, from botnets and hackers, to spyware and cyber-attacks. To solve this issue, such concerns must be addressed from the ground up at all stages of the IoT. Governments need to provide a sensible level of regulation to limit the ‘gold rush’ mentality of new IoT firms. IoT device manufacturers must also consider the role of security throughout all stages of their designs. Developers themselves need to start incorporating more intelligent and automated update systems, relying on standardised operating systems and centralised software updates rather than numerous bespoke OSs. Even consumers must play their part, thinking carefully about the products they buy and the approaches they take to ensuring maximum security for their own home networks.

IoT security is not an issue that will be fixed overnight, but by incorporating security concerns from IoT infrastructure right through to post-purchase support we can help to make the Internet of Things safer, more reliable and ultimately more secure in 2017.

Original source from SCMagazine here

Related posts


Gabriel Aguiar Noury
21 November 2024

EdgeIQ and Ubuntu Core; bringing security and scalability to device management 

Internet of Things Article

Today, EdgeIQ and Canonical announced the release of the EdgeIQ Coda snap and official support of Ubuntu Core on the EdgeIQ Symphony platform. EdgeIQ Symphony helps you simplify and scale workflows for device fleet operations, data consumption and delivery, and application orchestration. Distributing EdgeIQ Coda as a snap brings the power ...


Canonical
19 November 2024

Canonical provides the ideal platform for Microsoft Azure IoT Operations

IoT Article

London, 19 November 2024. Canonical has collaborated with Microsoft as an early adopter partner and tested Microsoft Azure IoT Operations on Ubuntu Core and Kubernetes, which is notable as Microsoft today released Azure IoT Operations, a unified data plane providing significant improvements in node data capture, edge-based telemetry proce ...


eslerm
19 November 2024

Needrestart local privilege escalation vulnerability fixes available

Ubuntu Article

Qualys discovered vulnerabilities which allow a local attacker to gain root privileges in the needrestart package (CVE-2024-48990, CVE-2024-48991, CVE-2024-48992, and CVE-2024-11003) and a related issue in libmodule-scandeps-perl (CVE-2024-10224). The vulnerabilities affect Debian, Ubuntu and other Linux distributions. Canonical’s securit ...