IoT: the cyber attacker's favourite new toy

With new research claiming 92 per cent of attacks are targeting IoT devices, securing the code within these devices has never been more important.

Cinema-goers may have thought the scene in the latest Fast and Furious movie, where all the connected cars in New York City get hacked, was a bit far-fetched, but was it? The Internet of Things (IoT) comes with inherent security risks; we've talked about some examples of IoT hacks before. Now, there's new research to suggest that these IoT devices are a firm favourite with hackers. And of course there's plenty of research projecting just how many IoT devices will be in our lives in just a few years. For organisations to protect against these hacks, they need to understand why these devices are so attractive to hackers and what can be done to make them less attractive, and less of a risk.

How many hacks every day?

The latest research from Beaming looked at UK businesses in the first quarter of this year and claimed that, on average, each UK business suffered 43,000 cyber attacks in that time. Although this is reported to be 7 per cent lower than the same time period last year, this figure equates to 474 attacks, on each business, every day. The research then claimed that 92 per cent of those attacks targeted IoT devices such as networked security cameras or building control systems.

IoT, there's no turning back now

There is also research from many organisations, including analyst firms and technology companies themselves, on the volume of IoT devices that will exist by 2020. Initially, this was reported to be as high as 50 billion devices, but more recently analysts seem to have lowered their original estimates and now agree on an estimated 30 billion IoT devices by 2020. At the moment, with the lack of security built into these devices, 30 billion IoT devices must be music to every hacker's ears.

IoT in the workplace

IoT devices are now becoming more and more commonplace, not only in our everyday personal lives but also in our everyday working lives. For example, in the office, organisations have printers, scanners, security cameras, microphones in meeting rooms, Smart TV screens, laptops, and webcams, all connecting to the network. Additionally, there are risks from personal IoT devices, which are sometimes connected under BYOD policies and sometimes simply because employees know the Wi-Fi password.

Reported fears from organisations

Such has been the prevalence of IoT in recent years that the Ponemon Institute now produces an annual study looking at Mobile and IoT Application Security. In the latest study, it reported that organisations were finding it increasingly difficult to secure IoT apps. The study found that 58 per cent of organisations were fearful of hacks through IoT applications and that 75 per cent of respondents said that the use of IoT applications in the workplace increased the organisation's security risk drastically. Unfortunately, despite the high level of concern, 44 per cent of participants in the Ponemon Institute study said they hadn't taken any steps to prevent these potential attacks.

Too much, too fast

Ten, or even five, years ago, IoT didn't exist, or at least it didn't exist to the extent it does now and certainly didn't represent the risk it does now. There has been a sea change, and because IoT devices are so new, there is very little protocol or policy around developing these devices or installing them securely on the network. This means that each one of these devices brings an opportunity for a hacker to penetrate the network. The sheer pace with which IoT has come to market has created a field day for hackers; it's no surprise that they're taking advantage of the huge opportunity this presents.

The root problem  

IoT devices are, in essence, applications that are developed, driven and operated by code and, unfortunately, it's this code that's the underlying problem. Because of the sheer volume of applications required and the pace of the market, there is huge pressure on coders, or developers, to code as quickly as possible so that the application can get to market as quickly as possible. How securely developers code plays second fiddle to how fast. Indeed, 75 per cent of participants in the Ponemon study blamed pressure on development teams for vulnerable code in IoT devices.

This need for speed usually means that developers write code as quickly as possible. That code is then sent to be checked by another department, which reports any bugs or vulnerabilities back to the developers. In the Ponemon study, 58 per cent of participants said that their organisations waited until the IoT application was 'in production' before conducting any application security testing.

Decision time

This process means that some time can pass between the developer writing the original code and being asked to correct it, so the fix takes longer because they are no longer as familiar with the code. As a result, in some cases, organisations will only have time to fix either a bug that will impact the user experience or a vulnerability that could result in a security breach in order to meet the release date. Unfortunately, many organisations choose to fix the bug rather than the vulnerability as they want the application to be as popular as possible. They release with the vulnerability intact, intending to patch it in the next release, but of course, consumers may not necessarily update.

The reality

So even when IoT applications are tested, they are often released with vulnerabilities. Even more worrying, however, is that according to the Ponemon study, 29 per cent of IoT and mobile applications weren't tested for vulnerabilities at all, meaning there is no opportunity to find and patch those vulnerabilities. Furthermore, the study found that 38 per cent of IoT applications contained 'significantly threatening vulnerabilities'. This is the state of the nation when it comes to IoT devices. This is why there is an inherent security risk present with IoT. And this is why hackers love IoT.

IoT represents a huge problem for businesses as more and more devices hit offices, and it's a problem that, if we believe the estimated volume of devices suggested to exist by 2020, is only going to get worse. Organisations that develop these devices need to ensure that security is built into the application at source if there is to be any hope of fighting, and beating, the hackers. But, unlike many years ago, there is help available. OWASP annually publishes the top ten application security risks, BSIMM allows organisations to learn from real-world software security initiatives, and organisations that change to a Secure Software Development Life Cycle can start spotting and fixing vulnerabilities much earlier.

There's no longer any excuse for IoT devices to be presenting such opportunities for hackers. Organisations producing these devices need to take responsibility for building in security and the businesses who are buying these devices need to be more savvy about who they buy from and what they allow to connect to their network. Otherwise, the hacks will continue and we will only have ourselves to blame.

Amit Ashbel, cyber security evangelist, Checkmarx