The Current State of IoT Security (and why every security practitioner has nightmares about it)

November 21, 2023

written by
[Image: a cartoon man captioned "do you want hackers, because that's how you get hackers", next to a diagram labelled IoT listing: Default Passwords, Insecure Web Interfaces, Insecure Cloud Interfaces, Insecure Mobile Interfaces, Insufficient Authentication, Lack of Encrypted Communication]

IoT (the Internet of Things) devices have dramatically changed the technology industry over the last decade or so. From digital assistants that listen to voice commands, to video-enabled doorbells that record movement, to sophisticated security systems used to monitor public activities, these devices have by and large improved user experiences across the full technology ecosystem. New IoT devices are being deployed at scale in huge numbers; one source expects the number of IoT devices deployed globally to reach ~16.7 billion by the end of 2023.

One item that is largely overlooked when developing a new IoT device or product, however, is security. Industry-wide IoT security initiatives are usually either disregarded completely or bolted on as an afterthought during production, which, by extension, puts both business and personal entities at risk. The attack surface created by IoT devices is enormous and well-documented. In all honesty, the current state of IoT security is poor at best - but it is improving.

IoT security no longer refers simply to securing the devices (endpoints) themselves; a source states that "included in IoT security is the protection of the physical components, applications, data, and network connections to ensure the availability, integrity, and confidentiality of IoT ecosystem." In this context, IoT is seen as the "wild west" by security practitioners, who often lack insight into how the devices are configured and deployed. This distrust isn't misplaced - variants of the Mirai IoT botnet are still alive and flourishing - but this is not an apocalyptic scenario, either. We just need to work together to meet the demands of an evolving, fluid landscape and address the shortcomings of IoT systems with our own ingenuity.

What do we want? VISIBILITY! When do we want it? NOW!

  • If a device can produce logs, it should do so. If the device can be hardened, it should be. If the device can't be hardened, consider whether it is actually needed before joining it to the corporate wireless network.
  • If custom traffic inspection rules are needed, create and apply them as needed throughout the network. Defense-in-depth is the only viable strategy for security - the same standards must apply to IoT as well.

What do we want? An up-to-date CMDB/asset inventory! When do we want it? Now!

  • If a device touches the internal network, the device needs to be managed just as any other endpoint would be. Finding out that a device exists by looking at the results of a vulnerability scan or ping sweep is a bad spot to be in; that multiplies exponentially during IR and DR when access to relevant information in a timely manner (read as: NOW!) is required.
  • Shadow IT is still real, no matter how hard we try to kill it off. The focus has shifted - rogue wireless APs are less common, but now we have devices that are always on, always connected, and always listening. "Hey (digital assistant name), please help me violate compliance efforts by actively sharing business information with you!" No thanks.

What do we want? SEGMENTATION! When do we want it? NOW!

  • Define a specific IoT network that can be segmented from the rest of the internal network. The requirements will vary by device, but common sense should prevail - the video doorbell doesn't need to be able to talk to the printers...or the domain controllers.
  • Treat IoT devices as untrusted devices. Firewall them off; study traffic patterns; talk to vendors to define specific communication and access needs. If a device must be deployed with a default password and no inherent protections, it simply cannot be trusted to talk to anything of organizational value.
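As an added example (not code from the original post), here is a small Python audit that ties the inventory and segmentation points together: it reconciles DHCP leases against a CMDB export and flags both devices the inventory has never heard of and known IoT devices that have landed on the corporate segment instead of the IoT one. The subnet addressing, CMDB entries and dnsmasq-style lease lines are all constructed for the demonstration.

```python
import ipaddress

# Network segments by subnet (constructed addressing; adjust to your network).
SEGMENTS = {"corp": ipaddress.ip_network("10.10.0.0/24"),
            "iot": ipaddress.ip_network("10.20.0.0/24")}

# Minimal CMDB: MAC -> (asset name, segment the asset is approved to live on).
# Constructed entries standing in for a real inventory export.
CMDB = {
    "aa:bb:cc:00:00:01": ("video-doorbell-lobby", "iot"),
    "aa:bb:cc:00:00:02": ("aquarium-thermometer", "iot"),
    "aa:bb:cc:00:00:03": ("printer-2f", "corp"),
}

# Constructed dnsmasq-style lease lines: expiry, MAC, IP, hostname, client-id.
LEASES = """\
1700000000 aa:bb:cc:00:00:01 10.20.0.15 doorbell 01:aa:bb:cc:00:00:01
1700000000 aa:bb:cc:00:00:02 10.10.0.77 thermo 01:aa:bb:cc:00:00:02
1700000000 aa:bb:cc:00:00:03 10.10.0.20 printer 01:aa:bb:cc:00:00:03
1700000000 aa:bb:cc:00:00:99 10.10.0.91 voice-hub *
"""

def segment_of(ip):
    """Name of the segment whose subnet contains ip, or None if it matches none."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in SEGMENTS.items() if addr in net), None)

def parse_leases(text):
    """Yield (mac, ip, hostname) from dnsmasq-style lease lines; skip short lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4:
            yield parts[1].lower(), parts[2], parts[3]

def audit(lease_text, cmdb):
    """Return (mac, ip, hostname, issue) tuples for leases whose MAC is missing
    from the CMDB or whose IP sits on a segment other than the approved one."""
    findings = []
    for mac, ip, host in parse_leases(lease_text):
        seg = segment_of(ip)
        if mac not in cmdb:
            findings.append((mac, ip, host, f"not in CMDB (seen on {seg})"))
        elif seg != cmdb[mac][1]:
            name, approved = cmdb[mac]
            findings.append((mac, ip, host, f"{name} approved for {approved}, seen on {seg}"))
    return findings

for mac, ip, host, issue in audit(LEASES, CMDB):
    print(f"{mac}  {ip:<12} {host:<10} {issue}")
```

Run against a real lease file and CMDB export, the two finding types map directly onto the two problems above: the unknown MAC is shadow IT to chase down, and the thermometer on the corporate subnet is a segmentation failure to fix at the switch or firewall.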

Developing security policy is hard. Developing IoT security policy is hard; implementing IoT policy is an arduous task. Just as with most things in security, it is better to address IoT (and the impact to your organization) early and often - you never know when the "smart" thermometer in your lobby aquarium will be used as a foothold for network access and data exfiltration. Be safe out there.
