Freelance journalist

Experienced freelance B2B journalist and editor, specialising in fields of renewable energy, energy storage, smart grids and nanotech.
March 21, 2017

Cybersecurity

Insecure web interfaces are Achilles heel of IoT security defences: cybersecurity CEO

Many of the vulnerabilities that expose Internet of Things (IoT) devices to hacking originate from insecure web or web-based interfaces, according to Ilia Kolochenko, CEO of web security company High-Tech Bridge.

Kolochenko’s comments are in response to the publication of a study by Tripwire, a global provider of security and compliance solutions for enterprises and industrial organisations, which looked at the rise of industrial IoT (IIoT) deployment and to what extent this trend is expected to cause security problems in 2017.

IIoT includes connected devices in critical infrastructure sectors such as energy, utilities, government, healthcare and finance.

Tripwire’s study found that over 90% of respondents expect to see an increase in security attacks on IIoT in 2017, while half do not feel prepared for security attacks that abuse, exploit or maliciously leverage insecure IoT devices.

In response to the study’s findings, Kolochenko said: “The problem of insecure IoT devices is becoming very serious, as they penetrate our daily lives very quickly.”

Because web or web-based interfaces are often vulnerable to hacking, he says this highlights the importance of application security, which both Gartner and Verizon have already identified as the weakest part of IT infrastructure.

Rewards

Kolochenko also commends a new initiative by information assurance firm NCC Group, which will financially reward its consultants for fixing vulnerabilities in open source software.

The firm’s fix bounty scheme focuses on workable fixes to vulnerabilities in software rather than just rewarding individuals for identifying security vulnerabilities in software.

“That’s a great idea, as it opens the bounty door for developers and programmers not familiar with security testing, but capable of releasing a patch. The rewards are quite modest, but many talented developers may try their luck,” Kolochenko says.

Kolochenko also thinks that so-called ‘zero-day exploits’ will always exist, despite assurances to the contrary from software vendors following the leak of Central Intelligence Agency (CIA) documents concerning hacking activity by the agency’s cyber division.

The documents describe methods, including malware tools, that the agency uses to hack into all the main desktop and mobile operating systems, as well as embedded devices such as smart TVs. A zero-day vulnerability is a flaw in software that is unknown to the vendor and is exploited by attackers before the vendor becomes aware of it and releases a fix.

After the CIA documents were leaked, software vendors reiterated their commitments to fix vulnerabilities quickly and assured users that many of the flaws described in the agency’s leaked documents, published on WikiLeaks, have been fixed.

But for companies and users that are the target of state-sponsored hackers, the software they use is neither less safe nor better protected than it was before WikiLeaks published the CIA documents earlier in March.

According to Kolochenko: “We should keep in mind that all professional actors in the hacking market, regardless of the lawfulness of their activities, follow common sense in all their actions.

“There is no need to spend large amounts on a zero day, or risk exposing an already purchased zero day, if a victim’s iPhone can be stolen on a street, and the PIN code captured via a $10 camera placed in a fast-food canteen just before.”
