IoT Security- According to a 2020 report by Palo Alto Networks, 98% of IoT data traffic is unencrypted. This statistic is mind boggling given what we know about the risks. To appreciate the scope of this problem, it is vital to understand encryption is only a single link in a long chain needed to secure IoT, data, and our world.
Comprehensive IoT security requires an integrated group of device management services, including secure device commissioning, certificate management, a mechanism for providing firmware updates over the air, and strong authentication and authorization capabilities. Guess what? If 98% of the data isn’t encrypted, most people don’t have access to these services either.
The bad news
Where to start? IoT fundamentally changes the cost of collecting and acting upon data in an increasingly data-centric world. However, most everybody is focused on the opportunity, conveniently ignoring security. Security is secondary, a cost-center with a difficult-to-measure ROI, but IoT presents real, growing, systemic, and terrifying dangers.
The 2016 Mirai botnet attack targeting CCTV cameras almost brought down the internet, and was the work of teens. The code behind the attack is freely available on the internet.
Things are not improving. Avast recently described IoT threats using terms like “surging” and “dropping kids in a candy store,” saying it will get worse.
Vulnerabilities exist from the devices to the networks to the cloud. The devices contain flawed code and libraries like the Ripple 20 IP vulnerability.
Current encryption approaches are limited. A device’s data is only encrypted until the next stop in the network, so if a network is compromised, so is the data potentially.
Even legislative hard requirements like firmware updates over-the-air can be problematic. Firmware updates can patch devices correcting flaws like the previously mentioned Ripple 20. Still, the firmware mechanism must be secure. Too often, this is not the case.