Many manufacturers of connected products do a reasonable job of designing secure products and testing them for vulnerabilities before release. However, the ongoing security state of a connected device is affected by factors that go well beyond the initial design of the product. The following concerns make it crucial that manufacturers have a way to minimize risk to the customer during the entire lifecycle of the product.
Vulnerabilities are often discovered in embedded software, operating systems, and open source code used by devices well after the device has shipped and been placed in service. A recent CPX Security study found in-field vulnerabilities increased by 30 to 60 flaws per year. Of these vulnerabilities, 54% were considered of critical or high severity (i.e., CVSS score >7). These flaws can be exploited to attack devices and cloud infrastructure well after the sale has been made. Publicity around a well-known vulnerability increases the likelihood of an exploit being created and devices being attacked and compromised. That’s no good for the customer relationship or the manufacturer’s brand.
Often manufacturers’ threat models and security controls are built upon an assumption that customers will maintain a certain level of security hygiene in the operating environment in which the device is deployed. When that level isn’t met, the whole deployment is put at risk. Many customers could use a hand from their connected product manufacturers to tell them when their on-site security protections are inadequate or even missing. For example, a CPX Security case study found that in 20% of situations where the manufacturer expected a customer firewall to protect a device, that control was missing or outdated.
Once systems are deployed, their security configuration (firewall, running processes, installed software, antivirus settings, and so on) can be changed by installers, users, or, ultimately, malicious attackers. These changes weaken the overall security posture of the system compared to its original intended design. Account permissions and controls also tend to slide toward entropy the longer a device remains in the field. A CPX study found that over a third of user accounts on IoT cloud infrastructure had not been deprovisioned after six months of inactivity. Poorly maintained user accounts like these create a larger attack surface for IoT infrastructure.
The majority of IoT security investments to date have focused on the design, development, and internal product test phases of a product’s lifecycle. Manufacturers have not spent enough time helping customers securely install the connected device and then monitor and maintain it once it is deployed at customer sites. Device security typically degrades over time, so devices must be monitored for changes to their security state and then properly updated, maintained, and serviced. This is often not done by either the customer or the manufacturer, leaving a large and growing area of risk exposure unaddressed.