At least 100 million Internet of Things (IoT) devices are not properly secured and are vulnerable to attack, according to new research. A lack of transparency in IoT supply chains and the widespread use of open-source code have been pinpointed as key causes of these vulnerabilities, and regulators are poised to step in to protect critical infrastructure. But new legislation alone is unlikely to solve the IoT’s security issues.
The report from Forescout identifies a set of nine vulnerabilities, referred to collectively as NAME:WRECK, affecting four popular TCP/IP stacks (the protocol implementations that let devices communicate over networks) and covering at least 100 million IoT devices. The quartet includes the open-source FreeBSD stack, which the report says is used in millions of IT networks, including those of Yahoo and Netflix.
IoT vulnerabilities and open-source code
Attacks on IoT devices spiked last year, according to research from cybersecurity company SonicWall, which shows there were 34.3 million IoT malware attacks in 2019, rising to 56.9 million in 2020, a 66% increase. Last October alone saw 10.8 million IoT malware attacks, more than the whole of 2017.
NAME:WRECK could make vulnerable TCP/IP stacks a tempting target for hackers. These stacks are “like the front door and path to your house”, says Bharat Mistry, technical director of the UK and Ireland at cybersecurity company Trend Micro. He explains: “You can have different types of doors, but for any kind of device connected to the net, they are your in and out point.”
Developers of IoT devices often use open-source code like FreeBSD to save time, Mistry says: “When people are writing software, they don’t want to start from scratch. If somebody has already written [code] once, it will be re-used again.”
Because of this, open-source has become a critical part of IoT device supply chains.
“Developers can just rope things in left, right and centre,” Mistry adds. And though many open-source libraries have large and active user communities who can identify problems as they crop up, other code libraries are not scrutinised or updated as much, which can lead to vulnerabilities going undetected. With IoT supply chains currently completely unregulated, purchasers often have no idea what kind of software is running their connected device.
IoT regulation is only part of the solution
With the number of IoT device deployments growing exponentially, governments are poised to step in to make supply chains more transparent. The introduction of a Software Bill of Materials (SBOM) has been recommended by the US Department of Commerce. This would require developers to list all the software components of a device and their relationships to one another. The EU has proposed a set of standards designed to ensure a common level of security across the IoT. Mistry says legislators want to ensure critical infrastructure that relies on connected devices, such as the power grid, is kept safe, but will be less keen to intervene in other industries for fear of slowing progress with too much regulation. “I think that at that top level there is some of that [strict regulation], but it’s in the mid-tier where you want to drive innovation that it becomes difficult,” he says.
But increasing transparency is only part of the solution to making IoT devices more secure. Elisa Costante, vice-president of Research at Forescout, says that when vulnerabilities such as NAME:WRECK are discovered, fixing them can be a laborious task: “If a patch is released and you as an organisation have 100 devices affected by NAME:WRECK, those devices could come from 12 vendors. This means for 12 different vendors you need to download the firmware, be sure it applies, identify your devices, and then most of the time go and log in to each and every device to apply the patch because there is no easy way to do that automatically from a single panel of control.”
Because of this, it seems likely tech leaders deploying IoT devices will have to continue to accept a certain level of exposure to vulnerabilities. Charles Ragland, senior security engineer at cyber defence company Digital Shadows, believes a more secure IoT can only be built if there is rigid cross-industry regulation, and that it may take a major security incident to drive this.
“There’s an old joke in the security community that the S in IoT stands for security,” says Ragland. “I think the winds are starting to change, but it’s going to be a slow, long process. It’s going to probably take something pretty drastic to happen [before anything changes].”