November 21, 2023
IoT (The Internet of Things) devices have revolutionized the technology industry dramatically over the last decade or so. From digital assistants who listen to voice commands, to video-enabled doorbells that record movement, to sophisticated security systems used to monitor public activities, these devices by-and-large have improved user experiences across the full technology ecosystem. New IoT devices are being deployed at scale in huge numbers; one source expects the number of IoT devices deployed globally to be ~16.7 billion devices by the end of 2023.
One item that is largely not considered, however, when developing a new IoT device or product is security. Industry-wide IoT security initiatives are usually either disregarded completely or bolted-on as an afterthought during production, which, by extension, puts both business and personal entities at risk. The attack surface created by IoT devices is enormous and well-documented. In all honesty, the current state of IoT security is poor at best - but is improving.
IoT security no longer refers to simply securing the devices (endpoints) themselves; a source states that "included in IoT security is the protection of the physical components, applications, data, and network connections to ensure the availability, integrity, and confidentiality of IoT ecosystem." In this context, IoT is seen as the "wild west" by security practitioners who often lack insight into how the devices are configured and deployed. This distrust isn't misplaced - variants of the Mirai IoT devices botnet are still alive and flourishing - but this is not an apocalyptic scenario, either. We just need to work together to meet the demands of an evolving, fluid landscape and address the shortcomings of the IoT systems with our own ingenuity.
What do we want? VISIBILITY! When do we want it? NOW!
What do we want? An up-to-date CMDB/asset inventory! When do we want it? Now!
What do we want? SEGMENTATION! When do we want it? NOW!
Developing security policy is hard. Developing IoT security policy is hard; implementing IoT policy is an arduous task. Just as with most things in security, it is better to address IoT (and the impact to your organization) early and often - you never know when the "smart" thermometer in your lobby aquarium will be used as a foothold for network access and data exfiltration. Be safe out there.