The Internet of Things security crisis has persisted for decades, producing a seemingly endless stream of under-secured consumer gadgets, corporate phones, printers, networking equipment, medical devices, and critical infrastructure sensors and controllers. By now, every industry has an IoT albatross around its neck. And though new devices are increasingly equipped with basic security protections, those minimum standards are just the beginning.
At the DerbyCon security conference in Louisville, Kentucky last weekend, researchers stressed the need for connected devices to step up security beyond the basics. That means more visibility and logging features, along with better techniques for manufacturers, companies, and consumers alike to spot malicious activity. Protecting a device better doesn't mean much if you can't see what's happening when something does go wrong.
“IoT devices have a pervasive impact on our lives, yet very little thought has been given to how to respond if those devices are misused,” says Lesley Carhart, principal threat hunter at the industrial control security firm Dragos. “Who will investigate devices that have been tampered with and will they be able to investigate?”
These questions are not theoretical. IoT devices have been conscripted into massive botnets, compromised for nation state reconnaissance, hacked to mine cryptocurrency, and manipulated in assaults on power grids. But frequently it's far too challenging to detect these incidents as they happen, or investigate them after.
Hardware hackers work to understand devices better and hunt for flaws by buying different IoT devices, physically connecting to them with different sensors ..