Back to Basics: Why We Need to Encourage More Secure IoT Development

The Internet of Things (IoT) is radically reshaping the way we live and work. Before our very eyes, organizations are becoming more agile, efficient and cost effective to run, all while consumers marvel at the wonders of the smart home, fitness trackers and connected cars. There’s just one major problem: Much of this new infrastructure is wide open to attack and abuse. Securing it will take a major multi-layered effort involving all ecosystem stakeholders.

But it starts with manufacturing the products themselves.

That’s why we recently launched a new program designed to tap our industry-leading expertise in vulnerability research to help IoT manufacturers tackle security threats from step one.

Threats are everywhere

IoT security issues first broke into the users’ awareness with the Mirai botnet of 2016. Attackers easily took control of tens of thousands of devices by scanning for and logging-in with the factory default credentials. The resulting botnet was used to launch some of the biggest Distributed Denial of Service (DDoS) attacks ever seen, one of which temporarily took out some of the biggest names on the web. The threat of compromise still persists, with the FBI recently releasing an alert warning of threats to routers, wireless radios, Raspberry Pis, IP cameras, DVRs, NAS devices and even smart garage door openers.

The FBI findings show such devices could be recruited into botnets used to power credential stuffing attacks, click fraud, spam campaigns and more — as well as being used to help obfuscate the source of malicious traffic. But there are even more threats facing the corporate sphere: Insecure endpoints could be used to infiltrate enterprise networks in data stealing raids or sabotaged to disrupt business processes and factory output.

Normally, when we discover vulnerabilities in products, we advise organizations to patch. But with IoT devices this becomes more problematic. Your typical IoT manufacturer may not be a specialist in software development, so it may not even have a software update mechanism in place. Even if patches can be issued, they may be difficult for end users to apply. This is especially true of large organizations that may be running thousands of IoT endpoints, potentially in mission critical environments that can’t be switched off. Many more may be running without the knowledge of IT, if business owners have bought them for specific tasks.

The Trend Micro Research difference

In cybersecurity, there’s a well understood rule: It’s cheaper and more effective to fix a problem in the development phase than after it has left the factory. Nowhere is this truer than in IoT, where devices may never be secured once they leave the production line.

That’s why we invite IoT manufacturers to rely on the expertise and experience of Trend Micro Research and the Zero Day Initiative (ZDI). The ZDI has been improving security for 13 years, and today runs the world’s biggest vendor-agnostic bug bounty program, featuring more than 3,500 external researchers contributing to the program. The ZDI offers vendors guidance and best practices in terms of developing vulnerability disclosure processes and patching software flaws. After all, there’s no point in collecting bugs without a clear plan to fix them.

Beyond the ZDI, we invite IoT makers to send us their products for testing by other experts within Trend Micro Research, ramping up security even further. This way we can help evaluate an IoT vendors’ products to identify potential vulnerabilities before they go to market.

It’s just one small step in what needs to be a universal effort involving the security industry, manufacturers, telco operators, developers, standards bodies and even lawmakers. However, it’s vital to get the basics right first by encouraging the production of resilient, security-minded products.

So, if you’re a device manufacturer looking to differentiate on security in an increasingly competitive market, get in touch today to see how Trend Micro can help.