Wow-factor. It’s one of the best parts of new technology.

Childhood dreams and impossible ideas not only come to exist but are highly integrated into our daily lives. The Internet of Things (IoT) phenomenon has the wow-factor that so many seek and try to harness in their ideas and products.
But those who are security-minded test the waters before they cannonball in. With rewards come risks, and not all risks are equal in the world of IoT and malware.

IoT Categories

The relative size or danger of a risk can be measured by the number of people it can affect or the damage it can do. First, the IoT must be differentiated between two categories:

  1. Commercial IoT includes devices regularly sold to individuals, such as computer mice, televisions, cameras, and drones weighing up to 8 lbs.
  2. Industrial IoT includes home automation technology, HVAC systems, and sensor systems used for locating and detecting radio frequencies.

From a ManuIoTfacturer’s Perspective

The likelihood that a company will secure an IoT device from the intrusion of a malicious actor, who might look through the device’s camera or use the microphone to listen to the device’s owners, depends on whether or not there is a dollar value associated with it.

Imagine you are a large, well-established technology vendor with millions of customers. One day a woman approaches you saying she can hack into a single television with a very simple attack. As frightening as this may be, there is little to no economic value or incentive to find a patch for this one television when such a patch could be very expensive.

However, if she comes in and says she can perform the same hack on 200,000 televisions, there may now be the necessary economic incentive to fund a patch’s research and development. The backlash a brand could face from knowing about a potential hack, and then opting out of developing a patch for it, would surely be very damaging to the business.

This is typical of commercially deployed IoT devices.

From a Consumer’s Perspective

Most people look at an IoT device such as a computer mouse, a wireless speaker, a lightbulb, or a television, and anticipate it will function like a utility. The device is expected to work and, when it stops working, it is thrown out and a new one is purchased in its place.

It is rare to find a consumer saying, “Oh, I need to update the firmware on my wireless mouse.” But it is exactly this type of thinking and lack of action that creates an attack vector. Manufacturers tend to use full-blown versions of embedded Linux or other embedded operating systems, with future potential already enabled. When a device’s firmware isn’t updated, the malware delivery agent can use it as a vector to deploy malware directly into a network.
This same vector can be used to attack another portion of the network – the HVAC system. HVAC is tied into the building automation system, which is tied into the building Ethernet system. Jump through a few networking hoops and the same vector leads to the bank operating downstairs, enabling the extraction of millions of credit card numbers.

Individual Incentive

The only thing that can inhibit manufacturers from deploying IoT devices with outdated firmware and no ability to update is being held to a higher regulatory standard. These manufacturers must abide by legislation in order to operate without facing fines and consequences. They are required to provide marketplace devices with the expectation these devices will self-update.

The best example is one that is near and dear to most of us: the mobile phone. It’s unrealistic to expect users to understand what components are inside their phones and how they work, but it’s not too much to ask for users to be able to push a button reading, “Update my software.” However, it is all too common for users to be operating without the latest firmware, which makes their devices potential attack vectors for those trying to get into the network. Until manufacturers are held to a higher standard, the best thing you can do is to update your software.

Luckily, hope exists within the negotiated contracts between manufacturers and their customers. As buyers become more aware of the dangers inherent in allowing little black boxes – which is exactly what an IoT device consists of – onto their networks, they’ll ask more questions. At the minimum, IoT manufacturers should be willing to say, “Here’s what’s inside your device, but you’re not allowed to touch it, and if you tamper with it, we reserve the right to void your warranty and brick the system.”

The Tipping Point

In industrial IoT, we’re seeing customers asking for clauses to be put into contracts that declare the manufacturer responsible for any malware introduced via the IoT device. This is entirely appropriate and could be considered the tipping point where industrial manufacturing and customer relations change the IoT space and create new, more secure models.

When the manufacturer suddenly has contractual obligations and financial liability associated with introducing malware, there is an immediate incentive for the manufacturer to patch and fix their devices, whether already in the field or not yet shipped. The commercial IoT space has not yet reached this tipping point – there is no financial responsibility or penalty for delivering poorly constructed or poorly maintained systems. Consumers simply see these deficiencies as the cost of doing business, throw the device away, and get a new one.

Incentivizing Yes

The industrial IoT space has reached a tipping point that commercial IoT will follow when the answer to these questions is YES:

  • Are we creating financial repercussions for the manufacturer?
  • Are those financial repercussions codified in the contract?

When we can say YES, manufacturers will build greater security into their devices, and close an important attack vector for those who seek to use the Internet of Things to infiltrate networks and distribute malware.

Originally printed in the United States Cybersecurity Magazine, Fall 2016.