Why IoT security needs more focus on the back end

There’s no shortage of warnings about the dangers that lacklustre security can have with regards to the internet of things. We here have been writing about IoT time bombs and wake-up calls for a while now. And last year the world saw its first IoT security bomb go off in the form of the Mirai botnet.

And while there’s no shortage of research into connected device security and people tearing apart devices, there’s a whole aspect of IoT security that’s being forgotten about.

“A lot of the research focuses on the endpoint devices because that’s the legal way to research; you can buy one, you can take it apart without permission or being requested to do so,” says Rik Ferguson, VP of Security Research at Trend Micro.

“You can’t go and scan someone’s back end and find out what the vulnerabilities are at the data centre side of things.”

Because of that legal block, he argues, it’s unclear what kind of authentication, security protocols, encryption, whether the data is being exposed, and general security practices these companies are putting into place. Which means it’s hard to tell how secure these increasingly large ecosystems really are.iframe>

Mirai, Ferguson says, took down a large portion of the internet with just 380,000 compromised IoT cameras and other devices. Analyst predictions suggest there could be tens of billions of connected devices in a short space of time, many of which could be compromised and used offensively if the back end can be hacked. And then there’s the value of the information being sent from the devices to the back end, plus user information which may well be linked-up to those devices.

“It’s a very, very neglected area, and we don’t have a lot of visibility into how those devices actually communicate with that back end. That’s where the gold is, that’s where the attackers are really going to go.”

While companies working in the IoT space should start offering bug bounties and encouraging researchers to help make their systems better, many do not. Ferguson, in lieu of that, suggests his company’s Zero-Day Initiative.

Part of Trend Micro through its acquisition of TippingPoint in 2015, ZDI is an open, global community of researchers who, once they find a vulnerability, will have ZDI then buy it from them and then work with the affected company to solve the issue.

“So even if they’re aren’t bug bounties from those device manufacturers, there are still ways for researchers to get rewarded for their work, and vulnerabilities be identified and remediated.”

However, one wonders if a hacker did find a Mirai-level vulnerability in some major IoT venders’ system, the temptation would be there to eschew disclosure and instead sell it for profit. When it’s put to Ferguson that many hackers can and do make more money selling exploits on the black market than they could through legitimate bug bounties, he disagrees.

“That might be the case in some geographies but not all geographies. The salaries you’re talking about for entry level with good cyber skills are streets ahead of where I started in this game.”

“There’s plenty of money to be made legitimately, and it’s an industry that not only has a good starting level, but offers massive scope for personal development and financial development alongside that. There are so many areas you can focus on, and you can end up being significantly rewarded for it.”

As well as financial reward, he says, there’s the question of moral fibre to consider as well.

“Someone asked me: ‘Why have you never been a bad guy?’ It’s not a question I’d ever considered before, and the only answer I could come up with was ‘because I’m not a wanker’.”

“I think you have to be a certain kind of person to be willing to commit crimes, particularly crimes that disadvantage other people, whether its personal or financial or in terms of the ability to do business. I couldn’t live with myself, and I don’t think I’m anything approaching unique in that respect.”

Ferguson goes even further along that line of thinking, arguing security types would be great at serving the people. “I also think a lot of security [pros] would make fantastic politicians.”

“They seem to be very engaged with security as a wider concept than just digital security or information security, it’s about personal freedom and liberty. There seems to be a lot of passion in that area among security professionals.”

So, will we be seeing Rik Ferguson for Prime Minister posters come 2020? “Oh God, could you imagine? Everybody would have to listen to Mötley Crüe every day would be my first law, and Adam and the Ants at tea time.”