Users mess up security on browser-equipped IoT devices
Go ahead, blame the user. You can’t expect end users to protect their Internet of Things devices from hacks or breaches. They can’t. They won’t. Security must be baked in. Security must be totally automatic. And security shouldn’t allow end users to mess anything up, especially if the device has some sort of Web browser.
Case in point: medical devices with some sort of network connection, which therefore qualify as IoT. In some cases, those connections might be very busy, connecting to a cloud service to report back telemetry and diagnostics, with the ability for a doctor to adjust functionality. In other cases, the connections might be quiet, used only for firmware updates. In either case, though, any connection might lead to a vulnerability.
According to the Annual Threat Report: Connected Medical Devices, from Zingbox, the most common IoT devices are infusion pumps, followed by imaging systems. Despite their #2 status, the study says that those imaging systems have the most security issues:
They account for 51% of all security issues across the tens of thousands of devices included in this study. Several characteristics of imaging systems contribute to their being the most risky device in an organization’s inventory. Imaging systems are often designed on a commercial-off-the-shelf (COTS) OS, they are expected to have a long lifespan (15-20 years), they are very expensive to replace, and they often outlive the service agreement from the vendors as well as the COTS provider.
This is not good. For all devices, the study says that, “Most notably, user practice issues make up 41% of all security issues. The user practice issues consist of rogue applications and browser usage including risky internet sites.” In addition, Zingbox says, “Unfortunately, outdated OS/SW (representing 33% of security issues) is the reality of connected medical devices. Legacy OS, obsolete applications, and unpatched firmware make up one-third of all security issues.”
Need to Restrict IoT Device Access to Websites
Many devices contain embedded web browsers. Not infusion pumps, of course, but other devices, such as those imaging systems. Network access for such devices should be severely restricted – the embedded browser on a medical device shouldn’t be able to access eBay or Amazon or the New York Times – or anything else other than the device’s approved services. As the study explains, “Context-aware policy enforcement should be put in place to restrict download of rogue applications and enable URL access specific to the operation of the device.”
Even if the device operator’s intentions are good, you don’t want the device used to access, say, Gmail. And then get a virus. Remember, many of the larger IoT medical devices run Windows, and may not have up-to-date malware protection. Or any malware protection whatsoever.
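One way to enforce the “URL access specific to the operation of the device” policy described above is a per-device allowlist evaluated at an egress proxy. The following is an added illustration, not code from the Zingbox report or any vendor; the device classes and the vendor hostnames are constructed assumptions. It parses the real destination host rather than matching substrings, so a URL that merely contains an approved hostname in its userinfo part is still denied.

```python
from urllib.parse import urlsplit

# Constructed per-device allowlists: each device class may reach only the
# hosts its operation needs (hypothetical hostnames, not from any vendor).
DEVICE_ALLOWLIST = {
    "imaging-system": {"telemetry.vendor.example", "updates.vendor.example"},
    "infusion-pump": {"updates.vendor.example"},
}

def _host_of(url):
    """Return the lowercase host the browser would actually connect to, or None.

    urlsplit() takes the host strictly from the URL authority, so a URL such as
    'https://updates.vendor.example@evil.example/' resolves to evil.example,
    which a naive substring check against the allowlist would wrongly allow.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return None
    host = parts.hostname  # strips userinfo, port and IPv6 brackets
    return host.lower().rstrip(".") if host else None

def is_allowed(device_class, url):
    """True only if the URL's host is an approved host (or a subdomain of one)."""
    allowed = DEVICE_ALLOWLIST.get(device_class, set())
    host = _host_of(url)
    if host is None:
        return False
    return any(host == a or host.endswith("." + a) for a in allowed)

def evaluate(requests):
    """Apply the policy to (device_class, url) pairs; return decision lines for logging."""
    lines = []
    for device_class, url in requests:
        verdict = "ALLOW" if is_allowed(device_class, url) else "DENY"
        lines.append(f"{verdict} {device_class} {url}")
    return lines

if __name__ == "__main__":
    # Constructed sample traffic as a proxy might see it from the devices.
    sample = [
        ("imaging-system", "https://telemetry.vendor.example/report"),
        ("imaging-system", "https://www.ebay.example/"),
        ("imaging-system", "https://updates.vendor.example@evil.example/"),
        ("infusion-pump", "http://telemetry.vendor.example/report"),
    ]
    for line in evaluate(sample):
        print(line)
```

The DENY lines are the ones worth alerting on: a medical device asking for anything outside its allowlist is exactly the “user practice” traffic the report describes.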
When planning out IoT security, the device must be protected from the user, as well as from hackers. “IoT Security: How To Make The World Safe When Everything’s Connected,” published in Forbes, quoted Gerry Kane, Cyber Security Segment Director for Risk Engineering at The Zurich Services Corporation:
Information security must evolve with the times, Kane believes. “It’s not just about data anymore,” he said. “It’s an accumulation of the bad things that could happen when there’s a security breach. And consider the number of threat vectors that are brought into play by the Internet of Things.”
Human error poses another risk. Although these devices are supposed to operate on their own, they still need to receive instructions from people. The wrong commands could result in mistakes.
“Human error is always a big part of security breaches, even if it’s not always done with malicious intent,” Kane said.
Indeed, the IoT world is pretty dangerous… thanks to those darned end users.