Securing the IoT tsunami

The Internet of Things (IoT) is a reality. Gartner forecasts 25 billion IoT devices in 2021, and other industry sources and analysts predict even larger numbers. Although projections of unprecedented growth are ubiquitous among industry pundits, the efforts to secure this tsunami of connected devices are in their infancy.  

The IoT is still relatively new, so it lacks regulations that mandate security. The potential for misuse, however, is massive—and could lead to major embarrassment (and worse) for businesses and consumers. Connected devices have already been utilized to launch massive DDoS attacks on websites, in-home security cameras have been hacked and used to spy on people, and sensitive consumer data has been compromised. Timely testing and securing of IoT is the need of the hour. 

Facets of an IoT deployment

Consider IoT systems within the context of medical devices, automotive equipment, and consumer electronics. From a security testing perspective, these mixed-technology deployments have a multitude of potential attack surfaces and technologies that must be protected.

• The cloud. The IoT and cloud computing are a match made in heaven. The capacity needed to handle the sheer volume of data as well as the processing required for large-scale IoT adoption can only be driven by cloud computing. Smart devices will be connected by default to either edge data centers or centrally located data centers, which will process and store the data they generate. The cloud could also be utilized for IoT device security controls.
• Embedded devices. Each “thing” within IoT is essentially an embedded computing device that sends and receives information over a network. Embedded devices run software and have a smaller memory footprint, along with an operating system and a processor. Just like the network they are connected to, these things are all susceptible to attack—especially as they might run old, general purpose, open source software that isn’t often updated for patches.
• Web applications. Often, IoT devices connect to a web app, and some IoT devices even have an embedded web server. That’s why web app security testing principles apply to IoT security.
• Custom applications. The IoT is vast and spans apps that power smart cities, automobiles, agriculture, healthcare, and more. Given the wide variety of devices, standards, and technologies applied to IoT, there’s a lot of incompatibility in the ecosystem. Custom apps are therefore widespread in IoT.
• The network. Most smart devices are always connected by default. They’re connected to the gateways and the back end via a variety of network protocols. And just like the cloud, embedded devices, and web/customized IoT apps, the network itself is highly prone to attack. 
• Mobile devices. With the increasing adoption of 5G, the IoT will have the mobile network speed, device density support, and data transfer speeds to support the billions of mobile IoT devices, as well as the mobile apps to control these devices. The network, mobile, and the cloud are the three pillars of IoT.
• Thick client testing. IoT data processing is increasingly moving to the edge to facilitate faster decisioning. Decentralized thick client computing at the edge is common, particularly in devices that may need to operate without connectivity from time to time.  
• Fuzz testing. If an IoT device becomes unresponsive or acts abnormally due to inconsistent input, it may affect real-world operation. Fuzz testing simulates what a hacker would do by creating a wide range of corrupt input that will cause the app to fail.