1. Factory Set or Hardcoded Passwords

•  OWASP (The Open Web Application Security Project), named factory set or hardcoded passwords the biggest problem for IoT device security in their 2018 list.
• OWASP defined this problem as the "use of easily bruteforced, publicly available, or unchangeable credentials, including backdoors in firmware or client software that grants unauthorized access to deployed systems."
• Factory set, weak, or hardcoded passwords consistently appeared as the most commonly mentioned problem for IoT devices across sources and industry opinions.
• Despite the problem seeming obvious, it still remains a common problem among IoT manufacturers.
• Because consumers often expect a smart device to run like an appliance, there is not the same consumer understanding of the need for cybersecurity or password maintenance, as there is with more traditional IT devices, like computers.
• Many of the most destructive and well-known DDoS (distributed denial of service) attacks on IoT devices are carried out by the Mirai botnet, which primarily exploits the widespread usage of default passwords.
• Just as obvious as the problem is the solution. Most importantly, manufacturers must stop sending out devices with hardcoded passwords or simple default passwords. Consumers should be educated about the need to change passwords when they buy an IoT device.

2. Lack of Security Update Mechanisms

• Another commonly cited security risk is the lack of security update mechanisms present on IoT devices.
• OWASP defines this as: "[The] lack of ability to securely update the device. This includes lack of firmware validation on device, lack of secure delivery (unencrypted in transit), lack of anti-rollback mechanisms, and lack of notifications of security changes due to updates."
• Because IoT devices are a new and rapidly expanding market, many companies race to create IoT devices that are then quickly abandoned in service of a newer IoT device. Thus, many manufacturers only provide firmware improvements for a short time period designed specifically to end at the very moment that they start working on the next exciting and new gadget.
• Stated simply, IoT devices, which were secure upon release to consumers, run the risk of rapidly and increasingly becoming insecure or vulnerable to attacks as time passes.
• As well, consumers typically do not expect that IoT devices will be regularly unavailable due to maintenance. As the NIST (The National Institute of Standards and Technology) states: "Operational requirements for performance, reliability, resilience and safety [of IoT devices] may be at odds with common cybersecurity and privacy practices for conventional IT devices."
• There are many ways in which the update mechanisms of an IoT device are potentially vulnerable. According to the OWASP's IoT Vulnerabilities Project, common update mechanism problems include updates sent with no encryption, updates to writable locations, few manual update mechanisms and missing update mechanisms.
• To combat this, manufacturers must commit to providing continued updates and ways in which consumers may manually update (and check for updates) on devices. Forbes states: "Address this [updates and maintenance] with redundant backup devices, planned maintenance windows or a concerted education campaign that aligns user expectations with security necessities."

METHODOLOGY

INSUFFICIENT PRIVACY PROTECTIONS FOR PERSONAL DATA

• OWASP (The Open Web Application Security Project) named insufficient privacy protections as one of the top 10 IoT vulnerabilities, particularly when the user's information has been stored "insecurely, improperly, or without permission."
• An article from Peerbits on IoT security challenges explains that IoT companies use, transfer, store, process, and share user data collected through IoT devices. This leaves the data open to security breaches. IoT For All's article on IoT security threats notes that hackers can access a user's private information simply by identifying an unsecured IoT device.
• A recent survey of risk professionals found that 97% feared that an attack on unsecured IoT devices would lead to a catastrophic data breach.
• To address this risk, IoT companies should first ensure they have the user's permission before doing anything with the user's data, according to OWASP. Next, they should ensure that data is secure while being transferred or stored.
• On the regulatory level, governments can also help mitigate this risk by committing to legal and regulatory guidelines regarding how companies use and store consumer data, and strictly enforcing compliance with those guidelines. Specifically, sensitive data should be redacted and anonymized, and data that is no longer needed should be securely destroyed.
•  Virtual private networking (VPN) technology is also recommended by security experts to secure IoT connections, encrypt all traffic, and keep the user's IP private.

DEVICE HIJACKING

• One of the greatest risks with IoT devices is a hacker "hijacking" a device, or gaining remote access and control of the device. Once a hacker gains control of a device, they can turn it into an email server, force it to join a malicious botnet, or cause dangerous malfunctions. One of the most talked about potential risks from hijacking comes from smart vehicles; a hacker taking control of an IoT car could have potentially lethal consequences.
• In one case, there are multiple reported incidents of Nest smart thermostats and cameras being hijacked and manipulated in users' homes, as reported by CSO. To mitigate this risk, users can ensure they are using strong passwords, update those passwords frequently, and activate two-factor authentication.
•  According to OWASP, one cause of device hijacking can be insecure network services, which can compromise the device and allow a remote user to take control. Peerbits calls this problem one of the "biggest IoT security" challenges, and recommends that companies mitigate the risk by ensuring that cloud devices and services are encrypted at the highest level, or that different devices use isolated networks.
• OWASP identifies a lack of physical hardening of IoT devices as a vulnerability to hijacking. Forbes also notes that unpatched or abandoned IoT devices can be highly vulnerable to this type of attack, and points out that many IoT devices are designed to be unseen and unheard and are therefore easily forgotten. To mitigate this risk, Forbes recommends that manufacturers enforce strict "replacement and refresh cycles" to ensure that devices are not abandoned and that they receive the latest security updates.

RESEARCH STRATEGY

PRAETORIAN

• This Texas-based company is a leading provider of cybersecurity solutions to organizations in the dynamic digital environment that is characterized by lots of cybersecurity threats.
• Their IoT solutions to cybersecurity risks "provides end-to-end Internet of Things (IoT) product security evaluations and certifications that help organizations successfully balance risk with time-to-market pressures."
• The company uses innovative technology to help organizations strengthen the security of their IoT products from chip to cloud. 
• Praetorian's IoT cybersecurity solutions help their clients to position their IoT products as the most secure in the market, with Samsung IoT and Microsoft being among the company's happy clients.
• The company's IoT cybersecurity solutions also have innovative "multiple analysis methods and machine learning techniques to identify new vulnerabilities introduced by incremental code movement."

BITDEFENDER

• This award-winning Romanian cybersecurity software company provides innovative solutions to cybersecurity risks related to IoT.
• Bitdefender IoT security platform has a self-improving design that enables the adoption on connected devices on either new or existing infrastructures.
• The Bitdefender IoT cybersecurity platform uses the intelligence of over 500 million endpoints, with every single detection automatically improving the platform for all global users.
• The software company keeps all IoT devices in the home safe by using innovative "enterprise-grade filtering and inspection technologies tailored for the home network environment."
• The company's Security-as-a-Service (SECaaS) also contains various other features to embed with other infrastructures easily.

ARMIS

• Armis is an agentless IoT device security solution that automatically identifies and disconnects devices that are not managed while discovering all the devices in the connected environment before they enter the connected network.
• The IoT security solution monitors all the connected devices to detect the slightest vulnerability that can act as a point of entry for cyber attacks.
• They also use their Risk Analysis Engine to assign a risk score to every device in the connected environment based on factors like detected vulnerabilities, network behavior, and known attack patterns.
• Since Armis' solution is agentless, deployment is fast and it can quickly integrate with new and existing infrastructure.

CLAROTY

• Claroty detects vulnerabilities in the connected network, continuously protects the network and responds to the cyber attacks in the connected infrastructure.
• According to the company, they offer " the only integrated and comprehensive IoT and OT security monitoring and remote access control platform."
• Claroty's award-winning and innovative IoT cybersecurity solution employs machine learning and is used across fifteen industries in over 25 countries globally.

CISCO

• Cisco's IoT security solutions help to protect and defend against IoT threats, improve control and visibility, and simplify compliance.
• The company has innovative solutions to help users to "deploy extensible, scalable security policy and gain protection against attacks and compromised IoT devices."

MCAFEE

• McCafee's innovative Embedded Control technology "provides whitelisting and file integrity monitoring technology to combat targeted malware, unauthorized software changes, and configuration alterations across commercial and industrial IoT devices."
• The company's solutions help their clients to prevent software changes that are not authorized and also design security into new IoT devices.
• The company's innovative IoT security solutions won them the 2018 Gartner Peer Insights Customers’ Choice award for Endpoint Protection Platforms.
• According to the company, many companies are using their security solutions to protect against malware without necessarily updating definition files or running scans.

SYMANTEC

• Symantec has a plug & play USB scanning that uses artificial intelligence to "prevent known, unknown and future forms of attacks, such as adversarial machine learning."
• The company employs cutting-edge technology like neural networks, enforcement driver, advanced Machine Learning, signatures, emulation, and file reputation to secure IoT devices.
• Regardless of the age of the industrial control system, Symantec's IoT security solutions offer advanced protection without needing to replace the equipment.
• With security solutions such as application whitelisting and sandboxing capabilities, Symantec offers innovative solutions to secure medical IoT devices.
• Among the company's IoT security solutions is "lightweight behavioral hardening engine is purpose-built to protect legacy and EOL systems, by adding layers of defense at the kernel level to prevent unhygienic operations to your endpoints" and "Critical System Protection isolates IOT devices from network intrusion, zero-day exploits, and other future forms of attacks."
• Symantec's IoT security solutions have received industry recognition with awards Frost & Sullivan Industrial IoT Best Practices award.

RESEARCH STRATEGY: