Greetings, and welcome. This week, yet another new survey highlighting the lack of cybersecurity in business IoT deployments, and yet another IoT device vulnerability – 20, actually. As always, your thoughts, reactions, and suggestions welcome. Just send a quick email to email@example.com. And for more on the IoT and IIoT, check out “DortchOnIT’s Industrial Internet of Things (IIoT) Weekly.” Thanks.
Survey: Full Speed Ahead with IoT – but Without Cybersecurity
What Happened: A new survey of IT and security decision makers indicates that many are proceeding apace with IoT deployments, largely ignoring cybersecurity in the process.
- As InfoSecurity Magazinereported, enterprise cybersecurity solutions vendor Trend Micro recently “polled 1150 IT and security decision-makers in the UK, Germany, the US, Japan and France.” Respondents’ companies are “spending an average of over $2.5m each year on IoT projects.”
- “Responding organizations suffered an average of three attacks on connected devices over the past year.” Apparently, these were not enough to convince respondents that insecure IoT devices are serious vulnerabilities. “Even though 63% of respondents agreed that IoT-linked attacks have increased over the past year, just half (53%) think they’re a threat to their organization.”
- This delusional thinking “might explain why over two-fifths (43%) regard IoT security as an afterthought, and just 38% get security teams involved in the implementation process for new projects. This drops even further for smart factory (32%), smart utility (31%) and wearable (30%) projects.”
What It Means: Knowing that IoT devices create significant cybersecurity risks is apparently not enough to convince IT and security decision makers to invest in defending against those risks.
What You Should Do: Like many if not most of the respondents to this survey, you already know what you should do. However, another reminder can’t hurt, even though it may not help everyone who needs it. So here’s a quote from last week’s edition of this very series. “Don’t connect any device without, at minimum, a password you can change to any network to which you have access. Don’t let anyone else do so, either. Know what’s connected to your network at all times, and deny or disconnect links sought by devices or users without adequate security.” (See “TWiTIoT: This Week in The Internet of Things – IoT Cybersecurity? What IoT Cybersecurity?” and “TWiTIoT: This Week in The Internet of Things – Every IoT Device A Security Risk?”)
Samsung SmartThings Hub Users: 20 Reasons to Update Your Software, NOW
What Happened: Researchers discovered 20 vulnerabilities in Samsung’s SmartThings Hub, a controller of multiple IoT devices.
- As Threatpost reported, Cisco Talos researchers found 20 flaws in the Samsung controller. The device “supports a broad spectrum of third-party products- from Philips Hue smart lightbulbs, to Ring video doorbells, as well dozens more smart home products sold under the brands GE, Bose and Lutron.”
- The vulnerabilities “’could be leveraged to give an attacker the ability to obtain access to [sensitive] information, monitor and control devices within the home, or otherwise perform unauthorized activities,’ researchers said in a report.”
- Vulnerabilities such as those discovered in the Samsung controller can be exploited in a variety of ways. Multiple recent media reports have documented growth in the use of IT devices to harass coworkers and perpetrate domestic abuse. (See “TWiTIoT: This Week in The Internet of Things – IoT-Enabled Domestic Violence and Personal Security” and “New Threats from Technology – and How IT People Can Help.”)
- Samsung has already released patches and a firmware advisory intended to address the vulnerabilities. “[R]esearchers recommended that users verify the updated version has actually been applied to devices to ensure that they are no longer vulnerable.”
What It Means: Even devices designed to help users consolidate and manage connections to multiple IoT devices are vulnerable to hackers and attackers. Unlike many IoT devices, hubs, routers, and controllers can be patched and have their software and firmware updated. But that does not guarantee that every patch and update will be created, released, tested, and implemented in time to defend against every attack.
What You Should Do: Prevent IoT devices that can’t be patched or updated easily or at all from connecting to your home or business network, directly or via intermediary devices that can be patched and updated. And make sure those intermediary devices are included in your comprehensive, timely, and consistent patch and update management strategy. (See “Patch Management: Why It Matters, Why It’s Likely Broken at Your Business, and What to Do Now.”)
Latest posts by Michael Dortch (see all)
- TWiTIoT: This Week in The Internet of Things – Arm-ing the IoT: Rule, Britannia? - September 28, 2018
- TWiTIoT: This Week in The Internet of Things –Infrastructure Options Expand - September 7, 2018
- TWiTIoT: This Week in The Internet of Things – Better Security for IoT Devices. For Users? Not So Much - August 30, 2018