We have said before that the main trouble with the IoT is that the manufacturers of IoT devices are not security conscious. And if you have seen some of the devices that companies are connecting to the internet you would a) not be surprised by how vulnerable they are and b) hold your head in your hands.
There is a series of vulnerabilities called Ripple20 and each is a zero-day vulnerability. They sit in the TCP/IP library of a company called Treck and has spread around the world, through various supply chains, and now they are in hundreds of millions of devices. It has been spreading for many years.
Security consultancy JSOF identified the extent of the vulnerability and Sternum worked on a solution. The companies involved grew because the number of companies, many Fortune 500 companies, that have a vulnerability is so big. The sectors that are at risk include industrial devices, power grids, medical devices, home devices, transportation, oil and gas, aviation and, well, the list goes on.
The CEO of JSOF demonstrates in the video below the ease with which the vulnerability can be exploited, turning the power off a printer, a lamp and – amongst the more worrying things – an infusion pump.
Now that the IoT has come of age and we are no longer obsessed about how many billions of devices are connected to the internet, it is right that our attention turns to protecting those devices. And, according to JSOF, it is not just that an attack can be launched via these devices or that they can be taken over but that, for instance, an attacker can lurk within a device for years until such time as an attack might cause maximum damage and mayhem.
The list of attack vectors is long and there is good advice on how to analyse risk here.
There is no doubt that the IoT is already ‘disappearing’ as it becomes built in to almost all the devices that we are now producing. These devices already run into the billions and with so much depending on them, we must invest as much in securing them as propagating them.