IOT Security Disconnect: As Attacks Spike, Device Patching still Lags

[Solarquest]

As more businesses bring IoT devices onboard they are coming face to face with the security downsides of the IoT boom, researchers say.

According to a report by Trustwave released last week, 61 percent of companies surveyed who have deployed some level of connected technology have also had to deal with a security incident that they can trace back to an IoT device. On the flip side, only 49 percent of those same businesses surveyed said they have formal patching policies and procedures in place that would help prevent attacks.
Researchers have warned since 2008, when the high-profile Hydra malware first targeted routers, that IoT poses a growing security risk. And for the most part, over those past 10 years since, warnings have gone largely unheeded.

Despite calls for greater IoT security, 24 percent of respondents said they have dealt with malware infiltration through an IoT device. They added that attempted IoT attacks are up 9 percent, according to the study titled “IoT Cybersecurity Readiness Report”.

“Most organizations are 10 to 20 years behind in their security practices when it comes to IoT, and they’re repeating the same security mistakes as they have in the past, including storing their credentials in plain text,” Michael Chamberland, practice lead for Trustwave SpiderLabs, told Threatpost.
...
...
...

 

[ForgottenSeer 58943]

Most IoT will never be patched, especially the cheap Chinese junk people are buying.

Those $20 smart plugs at Amazon will ALWAYS be full of holes. D-Link won't even patch 2 year old cameras, so don't think the big name brands will be more responsive in all cases either! But guaranteed the cheap stuff won't. I know a guy with 85 IoT devices in his home. It's a mess. He can't patch 90% of them and is wide open to a major compromise.

 

[Solarquest]

UK.gov cooks up code of conduct to enforce a smidge of security on Internet of S**t kit

 

[ForgottenSeer 58943]

That's why all of my IoT are on a separate Vlan behind my UTM and that VLAN has no access to WAN. The only way for me to communicate with my IoT and even see what my cameras are seeing is to VPN into my home network and address that specific VLAN. I find that to be a compromise of having an IoT at home that is cheap as hell while feeling more secure.

Having them tagged and behind your UTM is fine, but if those products require WAN access to reach their apps then you will be blocking functionality. A lot of cheap IoT tech uses their own customized apps which people use if they don't have a hub. Even with a hub, that hub itself could be subjected to a breach. So in your case, a VPN into the local network with local access to your controllers/hub/nvr or whatever would be the most secure way to do it - as you've clearly done.

A lot of stuff won't work under those conditions, like LEEO, which has to talk to the LEEO push servers on AWS to send the alerts to your phone. Or Sensei thermostats, which need WAN access to update the app on your phone. But yes, it's quite possible to secure this IoT with effort and knowledge depending on the devices. Sadly, most consumers will be wide open and the more devices they deploy the uglier it's going to get.