- The main driver of the IoT market is not innovation and the final product suffers
- The IoT gold rush brings more and more unsecure devices because standards and regulations don’t really exist
- Security for IoT devices can still be achieved, even in these conditions, and the solution is in the ISPs’ hands
The IoT ecosystem is built on a sand foundation, with its devices always in the spotlight for their lack of security, vulnerabilities and other potential problems looming on the horizon. With no solution in sight, even in the long run, responsibility for the devices' security now falls to users or ISPs.
The world will see an estimated 41.6 billion IoT devices by 2025, which only means one thing. In the current ecosystem, the number of unsecure, vulnerable or simply unpatched devices will skyrocket, leaving users to fend for themselves.
Users could cover the security of a household full of IoT devices if they get their hands on the right tools. Unfortunately, such solutions often require advanced computer skills, and they usually only cover a limited number of scenarios. Ideally, IoT security would be best provided at the ISP level, covering the entire network, allowing for much better visibility.
With such poor security, IoT devices are always potentially exposed. People should, with good reason, wonder why so much hardware is prone to security problems. While there are many smaller reasons for this situation, one reigns above all: greed.
Embedded security flaws are common in IoT, but why?
There's no other branch in the IT world that has so many security issues. The same filters that are used for other hardware should work for IoT, but that seldom happens. The race to bring more devices to the market, by any means necessary, pushes companies to skirt all other considerations for speed. The result is a market flooded by devices that might be the first in their niche, but feature terrible security.
The world is in the middle of an IoT “gold rush”, and just like in the days of old, there are no rules, no authorities, and everyone does pretty much whatever they want. The lack of regulations is one reason for poor IoT security, and it's mainly a function of the bureaucratic slowness of governments. By the time anything is done, the technology has already moved far ahead.
Companies building IoT hardware take this lack of standards and focus on building a product, with little or no emphasis on security or support. While not all companies do this, the majority willfully ignore such concerns. Of course, this means few or no updates after the release of a product. The router market is a prime negative example, with companies taking years to release fixes through firmware images.
As if all of these issues were not enough, some manufacturers intentionally leave backdoors into their products, which threat actors regularly use in their attacks. Making matters worse, companies sometimes leave backdoors into products unintentionally by forgetting about open ports and services, showing complete disregard for common-sense security policies.
ISPs, potential gatekeepers to IoT security
Bitdefender's IoT Security Platform is designed for ISPs that want to protect their customers and themselves. Why leave sensitive issues such as home security in the users' hands, when it can be done much better from a centralized position?
Problems such as device vulnerabilities, DDoS attacks stemming from inside the infrastructure, brute force attacks, and many others are covered with the IoT security platform without modifying the existing hardware and with a minimum impact on performance.
It might sound counter-intuitive, but IoT security issues in a single home that happens to be part of a larger network under one ISP are not limited to that house. The entire infrastructure is exposed, with attackers using compromised IoT devices to launch DDoS attacks, for example. The ISP should immediately curb such security problems before they can grow into something more dangerous.
IoT security is a problem that is not going away by itself. If anything, it's only going to grow bigger, with the potential to get out of hand. Some of the most significant DDoS attacks in history used IoT botnets built from compromised devices. If only some of the ISPs had the right protections in place, such incidents could be stopped before they happen.