IoT Security Is Still A Big Issue But We Can Do Better

Over the weekend, yet another list of potentially vulnerable IoT devices was made public. It was viewed by over 20,000 people before Pastebin removed it. The list named devices whose Telnet service either accepted default credentials such as admin/admin or required no authentication at all. Which raises the question: why do some people continually shoot themselves in the foot when it comes to securing these devices?

I get that security can be hard. If it were easy, we wouldn't see the number of successful attacks that are reported each month. But leaving devices open on the Internet smacks of carelessness.

There are two sides to this. Manufacturers should not ship equipment with easily guessed default passwords. The consumer router business has figured this out, with many devices now shipping with unique, per-device passwords. The same ought to be true for any device being connected to an enterprise network. Only the connection protocols that are essential for initial set-up should be enabled; everything else should be off.

If you're a technology buyer, out-of-the-box security needs to be near the top of your mandatory requirements list. What that means will vary from business to business, but at the very least it should mean that a device can't be accessed by an unauthorised party before you have completed some basic setup and testing.

For those deploying technology, before connecting a device to the production network, connect it to a sandboxed environment (an isolated segment with no route to production or the Internet) and verify from that segment that all unnecessary protocols and features are disabled and that every default username and password has been changed. Verifying means probing the device from the outside, not just reading its configuration page: if Telnet still answers, and still accepts admin/admin, the device is not ready.
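The sandbox check described above, as an added example written for this page rather than code from the article or any vendor: a small Python audit that you point at a device on the isolated segment. It reports which management ports answer and whether the Telnet service still accepts a factory login. The port list, the credential pairs other than admin/admin, the shell-prompt success heuristic and the fake vulnerable Telnet server (included only so the example runs offline) are all assumptions of this example, not facts from the page. Run it only against equipment you own or are authorised to test.

```python
import socket
import threading

# Management services that should be off, or at least not accept factory logins, before
# a device leaves the sandbox (assumed list for this example, not the article's).
MANAGEMENT_PORTS = {21: "ftp", 22: "ssh", 23: "telnet", 80: "http", 443: "https", 161: "snmp"}
# Constructed sample of factory logins; admin/admin is the pair the article names.
DEFAULT_CREDS = [("admin", "admin"), ("root", "root"), ("admin", ""), ("root", "")]
IAC, WILL, ECHO = 255, 251, 1

def strip_telnet_options(data):
    """Drop Telnet option negotiation (IAC <cmd> <opt>) so prompts can be matched as text."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] == IAC and i + 1 < len(data):
            if data[i + 1] == IAC:          # escaped literal 0xFF byte
                out.append(IAC)
            i += 2 if data[i + 1] == IAC else 3   # subnegotiation (IAC SB ...) not handled
        else:
            out.append(data[i])
            i += 1
    return bytes(out)

def read_until(sock, markers, timeout=2.0):
    """Read until one of the lower-case markers appears or the peer goes quiet."""
    sock.settimeout(timeout)
    buf = b""
    try:
        while not any(m in buf.lower() for m in markers):
            chunk = sock.recv(1024)
            if not chunk:
                break
            buf += strip_telnet_options(chunk)
    except socket.timeout:
        pass
    return buf

def open_ports(host, ports, timeout=1.0):
    """Return the ports, in the given order, that accept a TCP connection."""
    found = []
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                found.append(port)
        except OSError:
            pass
    return found

def telnet_default_login(host, port, creds=DEFAULT_CREDS, timeout=2.0):
    """Return the first (user, password) the Telnet service accepts, else None. Heuristic:
    the reply to the password is not an error/new login prompt and ends in $, # or >."""
    for user, password in creds:
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                read_until(s, [b"login:", b"username:"], timeout)
                s.sendall(user.encode() + b"\r\n")
                read_until(s, [b"password:"], timeout)
                s.sendall(password.encode() + b"\r\n")
                reply = read_until(s, [b"$ ", b"# ", b"> ", b"incorrect", b"failed", b"login:"], timeout)
        except OSError:
            return None
        text = reply.lower()
        if any(bad in text for bad in (b"incorrect", b"failed", b"login:")):
            continue
        if text.rstrip().endswith((b"$", b"#", b">")):
            return (user, password)
    return None

def audit_device(host, ports=MANAGEMENT_PORTS, timeout=2.0):
    """Sandbox checklist: which management ports answer, and does Telnet take a factory login?"""
    report = {"open_ports": open_ports(host, ports, timeout), "telnet_default_login": None}
    for port in report["open_ports"]:
        if ports[port] == "telnet":
            report["telnet_default_login"] = telnet_default_login(host, port, DEFAULT_CREDS, timeout)
    return report

def start_fake_vulnerable_telnet(accept=("admin", "admin")):
    """Constructed stand-in for a device still on its factory Telnet login (not a real device).
    Listens on 127.0.0.1 on an ephemeral port and returns (host, port) so the example runs offline."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                try:
                    conn.sendall(bytes([IAC, WILL, ECHO]) + b"login: ")  # negotiation, then prompt
                    user = read_until(conn, [b"\n"]).strip().decode(errors="replace")
                    conn.sendall(b"Password: ")
                    pw = read_until(conn, [b"\n"]).strip().decode(errors="replace")
                    conn.sendall(b"\r\nWelcome\r\n# " if (user, pw) == accept else b"\r\nLogin incorrect\r\n")
                except OSError:
                    pass  # the port scan connects and hangs up without logging in
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()
```

To use it on a real device, call `audit_device("192.0.2.10")` (or whatever address the device took on the sandbox segment) and treat any entry in `open_ports` you did not deliberately enable, or any non-`None` `telnet_default_login`, as a blocker. The success heuristic is deliberately conservative (it wants a shell-style prompt and no error text), so a device with an unusual banner may need the marker list adjusted; a miss there shows up as `None`, so confirm a clean result by hand before trusting it.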


Comments

    Manufacturers should not ship equipment with easily guessed default passwords.

    But what's their incentive? It's easy to throw our arms up and say we need to do better, but unless there's a market benefit, we're just shouting into the wind. Using non-default passwords undoubtedly places a greater burden on the manufacturer. Not only do you need to add an extra dynamic set in the manufacturing, but the support effort dealing with forgotten passwords would be much greater.

    For those deploying technology, before connecting a device to the network connect it to a sandboxed environment

    Again, I think this is an incentive issue. Ma and Pa are going to be the last ones to ensure they plug their new IoT baby monitor into a sandboxed environment, but even those that know what they're doing are going to be hard to motivate. It's almost like littering - sure it's not right, but what's a little cigarette butt going to do? Nothing to me, that's for sure.

    I think we're on the right track - raising awareness, educating on impacts, and moves to introduce regulation. If you introduce a bit of carrot and a bit of stick, you'll start to see manufacturers see profitable opportunities for differentiation, and the freight train of market forces can start to take effect.

    I have to say, a list of thousands of default password Telnet servers sounds like a relic - the technology has moved on, even if the world is still catching up ;-)

    For those in the Hunter Valley region keen to hear more, we have a free Security Q&A Panel event at Newcastle IoT Pioneers next week. Precisely these questions will be raised.

    https://www.meetup.com/Newcastle-IoT-Pioneers/events/241184961/

    Thanks for those comments. One way to get manufacturers to change what they ship is to incentivise better behaviour. Things like industry certification, international standards, etc. But that's a long way away.
