A new strain of the famous Mirai IoT malware surfaced recently, with the discovery by Chinese researchers of exploit code targeting networking equipment. Previously, Mirai was known for having infected thousands of webcams, security cameras, and DVRs, and then using those devices to launch DDoS attacks. The exact aims of the new variant are still unknown, but it’s another reminder of the very serious security issues presented by the IoT.
Last month, a Gemalto survey took a closer look at those issues and people’s perceptions of them. An overwhelming 90 percent of consumers reported that they lack confidence in the security of IoT devices. Their most common fear (65 percent of respondents) is that a hacker could gain control of their devices, while 60 percent worry about their data being stolen via connected devices. In spite of such concerns, over 50 percent of consumers now own an IoT device (on average two) but only 14 percent believe that they are extremely knowledgeable when it comes to the security of these devices.
The survey also set out to discover how IoT companies addressing these concerns. The survey found that IoT device manufacturers and service providers spend just 11 percent of their total IoT budget on securing their IoT devices. These companies do, however, appear to recognize the importance of protecting devices and the data they generate or transfer, with 50 percent of companies reportedly having adopted a “security-by-design” approach.
Two-thirds of organizations reported that encryption is their primary method of securing IoT assets, with 62 percent encrypting the data as soon as it reaches their IoT device, and 59 percent encrypting as it leaves the device. Encouragingly, 92 percent of companies said they see an increase in sales or product usage after IoT security measures have been implemented. Also encouraging; businesses are realizing that they need support in understanding IoT technology and are turning to partners to help, with cloud service providers (52 percent) and IoT service providers (50 percent) reported as the favored options.
While these partnerships may encourage adoption, most organizations (67 percent) admitted they don't have complete control over the data that IoT products or services collect as it moves from partner to partner, potentially leaving it unprotected.
Stakeholders on all sides are looking to the government for guidance. The survey found that almost every business organization (96 percent) and consumer (90 percent) is looking for government-enforced IoT security regulation.
As new malware continues to exploit gaps in the IoT ecosystem, both consumers and businesses are justified in their lack of confidence in service providers and device manufacturers. The EU is demonstrating with its GDPR law that it recognizes the importance of this issue and that effective legislation is possible. Here in the U.S., each of the groups involved in the IoT ecosystem – manufacturers and cloud service providers, not to mention the government – should adopt a 'security-by-design' philosophy.