As the explosive growth of IoT continues, businesses, vendors and consumers all have to confront the issue that the world is more connected than ever before, with potentially gigantic consequences.
As the explosive growth of IoT tech continues; businesses, vendors and consumers all have to confront the issue that the world is more connected than ever before, with potentially gigantic consequences.
The central problem with IoT security is that there is no central problem – IoT is a more complicated stack than traditional IT infrastructure and is much more likely to be made up of hardware and software from different sources.
There are three main areas of IoT security – devices, network, and back-end. All of them are potential targets, and they all require attention, according to Forrester principal analyst Merritt Maxim. Right now, devices are getting the bulk of the attention – the huge number of different manufacturers, some of whom haven’t worked very hard to make their products secure, makes device-level IoT security problematic.
“You don’t have the Wintel monopoly you have in the desktop world, which makes a more homogeneous environment,” said Maxim. “Generally [IoT] devices are running embedded Linux or various flavors of that, which creates security blind spots,” since those operatings systems might not be what IT security pros are used to working with.
What’s more, most of the IoT players that are actively focusing on security are approaching it at the network or back-end level – not on the devices themselves, according to Stacy Crook, IDC’s research director for IoT.
“There’s a point to which these guys can get down deep in the device, but they have to figure out how much investment they want to make there because … there’s so many different device types and different architectures,” she said. “So they have to figure out how much of their time do they really want to spend.”
Addressing the threat
Specialist security firms are doing their best to keep pace with the changing nature of the IoT security threat. Companies like Pwnie Express – which got its start making penetration testing devices – have tried to adapt to the new threat landscape.
“In the early days, [test devices] were things like [fake] wall plugs, and they worked harder at making sure they were disguised, since the pen tester didn’t want to make it obvious that the environment was under test,” recounted Matt Williamson, CTO of Pwnie Express.
The latest and greatest, however, is a module that sits in a customer’s data center and monitors Wi-Fi, Bluetooth, and a host of other wireless network types for unusual traffic, since the network is a major potential target for malicious hackers.
Yet it can be difficult to focus security efforts, according to Williamson, with different customers worrying about different parts of the network.