Sunday, April 2, 2023

Why IoT Vendors Don't Implement Security: 5 Expensive Cost Centers

 


The IoT (which stands for the “Internet of Things”) is a term used to describe both the interconnection and the interaction of the everyday objects that we use in both the virtual and physical worlds.

Some of the best examples of this are virtual personal assistants such as Siri and Cortana, which can be found on both iOS and Android devices.  But of course, there are also more sophisticated IoT devices than that, such as a smart TV, smart car, smart coffee maker, etc.

While these products may have their set of advantages to an end user, they also come with their own share of Cybersecurity risks.  For example, with all of the interconnectivity that is occurring, the attack surface for the Cyberattacker grows by that much more.

And unfortunately, many of the wireless communications that take place are unencrypted.  Worse yet, the vendors that manufacture these IoT devices don’t even build in strong security functionalities.

At best, they may offer a set of minimal controls, which is nothing much really, in the end.  The concept of IoT has been around for quite some time, but as I mentioned in yesterday’s blog, the adoption of this did not proliferate until the COVID-19 pandemic occurred. 

But the biggest problem here was that of the meshing of both the home and corporate networks.  Even to this day, the growth of IoT devices is going up at an exponential clip.

For instance, at the present time, there are more than 1 billion devices that have found their way onto the Internet.  In other words, this is what it is on a global basis, and there will be many more to come.  Many more statistics and details on this rate of adoption can be seen at the link below:

https://techjury.net/blog/how-many-iot-devices-are-there/

But now it comes back to this question:  Why can’t the IT Vendors build more security into the IoT products that they manufacture?  One of the key reasons here is sheer cost.  IoT vendors are pushed to come out with products at a breakneck speed in order to fulfill the escalating demand for them.

As a result, putting in more security controls simply becomes an added expense, which they unfortunately view as unneeded.

But this can only go so far.  There are other industries which make heavy use of IoT devices as well.  The healthcare industry is a prime example of this.  Gone are the days of having “analog”-like equipment; now everything is digitized and even IoT based.

Because of this, a Cyberattacker can easily hack into a medical device and change the settings of a pacemaker that exists in a patient.  From here, the heart will start to flutter out of control, perhaps even causing the death of the patient.

So as you can see, security for IoT devices really needs to be taken quite seriously.  It’s one thing if a Cyberattacker were to jack into your smart coffee maker, but a medical device?  That is a whole different ballgame altogether, with horrible consequences.

Now you might be asking, “What exactly are these costs that the vendors don’t want to think about?”  Well, here is a sampling of them:

1)     Trained personnel are needed:

If one expects an IoT vendor to add in the latest security controls, it all comes down to hiring the staff needed to design them, to make sure that they are implemented properly, and to make sure that they will be safe for the end user.  But hiring these kinds of people takes more money, something which no IoT vendor wants to spend.

2)     More costs into the product:

If more security controls are going to be implemented, that is going to drive up the costs of the hardware and software of the IoT device.  This cost can be transferred down to the customer, and it does happen in reality, but then they will simply go to a lower cost competitor.  Because of this, the IoT vendor could even be pushed out of business, which they don’t want to happen.

3)     Connecting the IoT devices:

Pretty much all IoT devices now connect with each other through wireless networks.  Now if you have just one or two devices, the costs of connection should not be that much.  But if you have something like a Smart Home, the costs can really go up per wireless connection.

4)     The User Interface/User Experience:

The acronyms for these are “UI” and “UX”, respectively.  In order for an IoT vendor to remain competitive, they need to have a fancy interface that is unlike what anybody else has.  But once again, this involves hiring a team of developers that can accomplish this task, which is going to cost more money.  Thus, in order to keep up, IoT vendors just have to build a somewhat better mousetrap than their competitors, which is far cheaper than hiring a UI/UX developer.

My Thoughts On This:

Obviously, this is a Catch-22.  The vendors and the customers don’t want to have higher costs, but unfortunately, costs are going to have to go up if higher levels of security are going to be realized.  In fact, there have been some pieces of legislation to put pressure on the IoT vendors in this regard.  California passed an IoT law to this effect, and more information on it can be found at the link below:

https://www.security.org/blog/california-passes-first-cybersecurity-law-iot/

The FDA is also now starting to crack down on Cybersecurity for medical devices that are IoT based.  But whatever may be passed and/or enacted, security in IoT products must be addressed soon.  It would be easy to say that IoT devices should no longer exist, but this will never happen.

There have been some recommended best practices that IoT vendors should follow, such as:

* Using a Cloud based platform (such as Microsoft Azure) to push out software updates and patches at no extra cost to the consumer;

* Having independent third party entities provide an honest, unbiased assessment of the IoT device in question from the standpoint of Cybersecurity.

Now these two items should not cost much money, and they are something that IoT vendors can adopt rather quickly.  But if you want to buy an IoT device or two right now, do your homework first.  And when you buy a device, don’t ever rely upon the default security settings set forth by the IoT vendor.  Make sure that you configure it to your own security requirements!!!
