IoT Vendors Resist Vulnerability Reporting

Article By : Ann R. Thryft

Disclosures by connected device manufacturers remain low despite a record number of hacks.

Internet of Things (IoT) devices are proliferating in record numbers, exceeded only by the growth in attacks aimed at stealing data and hijacking their operations. Meanwhile, consumer device vendors continue to resist reporting vulnerabilities in their devices: reporting numbers haven’t improved much since we covered this subject a year and a half ago.

Estimates of how many IoT devices are, and will be, deployed vary widely. For example, while some analysts’ counts are twice as high or greater, IoT Analytics predicted in September that the number of connected IoT devices will reach 12.3 billion active endpoints worldwide by the end of 2021. By 2025, the firm expects that tally to be more than 27 billion. Device growth was slowed only slightly last year, due to the Covid-19 pandemic and the chip shortage.

In the first half of 2021, attacks on those devices doubled, reaching 1.5 billion, according to September data from Kaspersky.

Vulnerabilities continue to be revealed, such as the NAME:WRECK DNS bug discovered by Forescout and JSOF, which potentially affects 100 million IoT devices, and the security camera vulnerability reported by Nozomi Networks, affecting several million connected devices.

In July, a Zscaler ThreatLabz study reported a 700-percent increase in malware attacks on IoT devices across 500 million device transactions between Dec. 15-31, 2020, compared to similar attacks during the 2019 pre-lockdown period.

According to Ordr’s 2021 “Rise of the Machines” report, released in August, more than 40 percent of networked devices are now “agentless,” meaning they can’t be protected by traditional endpoint security agents. These include common devices found in industrial contexts such as IP phones, printers, security cameras and badge readers. Nearly half of all connected devices are vulnerable to medium- and high-severity attacks.

Meanwhile, 99 percent of security professionals surveyed by Tripwire last March said they were challenged to secure their organization’s IoT and industrial IoT devices. About two-thirds said they had problems in trying to discover and remediate vulnerabilities.

Unreported vulnerabilities

Vulnerability reporting programs are now widely considered to be a basic requirement of IoT device security. Yet, according to the IoT Security Foundation’s fourth report on device vulnerability disclosure, the increase in reporting from 18.9 percent in 2020 to 21.26 percent in 2021 was minimal.

Source: IoT Security Foundation

“Almost four out of five companies are still failing to provide the very basic security hygiene mechanism to allow security vulnerabilities to be reported to vendors so they can be fixed,” the study noted. “This is unacceptably low.”

While there’s been some improvement, the jump in reporting from 13.3 percent to 18.9 percent between 2019 and 2020 is due mostly to more consumer device categories being added “in anticipation of regulatory requirements,” John Moor, IoTSF managing director, told EE Times. Pending or imminent IoT security regulations discussed in the report include those from the U.K. and U.S. governments. The U.K., for example, is seeking mandatory IoT security standards, backed by fines for non-compliance.

For 2021, the IoTSF report added a B2B category to assess differences between consumer and enterprise practices; the B2B numbers look much better than their B2C counterparts, said Moor. That’s partly due to the fact that companies with effective Coordinated Vulnerability Disclosure programs tend to be large, traditional IT vendors, in contrast to the smaller, relatively new consumer companies.

As for consumer vendor reporting, progress continues to be “glacial,” Moor said. “While some companies may still be ignorant of what help is available, there’s not a lot of room for that excuse anymore as there’s been a significant amount of publicity about regulations and free materials,” he said.

“Also, vulnerability disclosure can be outsourced to third parties, meaning companies can also get outside expertise or additional capacity, so that’s not a valid excuse either. Yet the consumer IoT industry is still not stepping up to the clear market need of fixing vulnerabilities post-sale.”

Although several strong standards exist for IoT security, they’re not mandatory, said Moor. Unlike business buyers, consumers tend to assume if they can purchase a product it must be secure. Also, consumer profit margins are known to be very thin. “So, if your market isn’t specifically asking for security, and there is no regulation demanding it, a vendor might legitimately ask ‘Why add the cost?’”

Device security is hard

One reason connected devices aren’t better protected is that IoT security is difficult. “The microprocessor is hard to secure,” said Larry O’Connell, Sequitur Labs’ vice president of marketing. Sequitur Labs specializes in chip-to-cloud security for smart devices at the network edge, with mostly industrial customers and some chip vendors.

Security gets de-prioritized, and the entire disclosure process isn’t managed properly, because IoT vendors are not in the business of security, said O’Connell. Their priority is building devices and shipping them quickly. “Security is not their world, and it’s a problem that’s difficult to solve,” he said. “Disclosure is an extension of the same thing: Security in general, and disclosure, need to be top of mind throughout the design, development and deployment stages of a product’s life.”

Security is also a moving target, added Sequitur Labs CEO Philip Attfield. “You have to have included it, and thought about the mechanisms for dealing with it,” Attfield said. “Processes must be in place so whoever is operating systems in the field can maintain them.”

The class of processor largely determines which attacks a system faces, and system architecture shapes them as well. “If it’s a high-volume microprocessor, its suppliers will cost-reduce as much as possible,” said Attfield. System lifespan is a factor, too. “For consumer systems, it’s two to five years; for industrial it’s five to ten years, or more. So, it comes down to risk versus the expense of putting all those systems in place to be managed.”

In 2022, a huge increase in AI deployments within smart devices at the network edge will only add to the urgency of securing IoT and industrial IoT devices, given the sheer amount of data being processed there. “IP is now at the edge,” said O’Connell.

Given changes in the software stack and storage architectures, another trend is “the corruptible footprint of electronic systems is actually very small and is decreasing rapidly in size,” said Attfield. “Smartphones, for example, are getting harder and harder to crack, and the same thing has happened in payment terminals.

“So next to be attacked will be other systems that haven’t caught up yet, such as industrial control systems and medical devices,” he predicted.

This article was originally published on EE Times.

Ann R. Thryft has written about manufacturing- and electronics-related technologies for Design News, Test & Measurement World, EDN, RTC Magazine, COTS Journal, Nikkei Electronics Asia, Computer Design, and Electronic Buyers’ News. She’s introduced readers to several emerging trends: industrial cybersecurity for operational technology, industrial-strength metals 3D printing, RFID, software-defined radio, early mobile phone architectures, open network server and switch/router architectures, and set-top box system design. At EBN Ann won two independently judged Editorial Excellence awards for Best Technology Feature. Currently, she is the industrial control & automation designline editor at EE Times. She holds a BA in Cultural Anthropology from Stanford University and a Certified Business Communicator certificate from the Business Marketing Association (formerly B/PAA).
