How Unregulated Third-Party Code Threatens the Internet-of-Things (IoT)
We live in an increasingly connected world, and while technological developments like the Internet-of-Things (IoT) create new resources for convenience, automation, and efficiency, they also create new security and privacy risks for both people and organizations. Combined with unregulated third-party code (3PC), IoT throughout businesses and homes is an all-too-easy target for malware and attackers.
Today, everything is getting connected to the Internet, including vehicles, appliances, thermostats, lighting systems, factory equipment and other corporate assets. According to statistics, the number of these devices will continue to rise for a long time. A 2019 report by Strategy Analytics said the number of live IoT devices reached 22 billion worldwide at the end of 2018 and predicted that 38.6 billion will come online by 2025, then 50 billion by 2030.
So, what is the effect of connecting so many devices to the Internet, and how does it threaten individuals, businesses, and government institutions? Let’s explore.
The Dangers of IoT
The biggest danger inherent to IoT devices is obvious: each one is an attack surface open to the Internet, and they can be targeted the same way a computer or mobile device can. The second danger is that IoT devices are crammed with sensors and connected to networks that may expose sensitive financial data, trade secrets and much more.
The third danger is that IoT is everywhere, and its ubiquity rises with every passing day. Hackers and other attackers are taking full advantage of this situation via attacks like distributed denial of service (DDoS), ransomware, and botnets. In one highly-publicized case, the infamous Mirai botnet took down much of the Internet across the U.S. east coast. Making matters worse, many product manufacturers have done little to make their offerings more secure in this connected environment.
How 3PC Makes IoT More Dangerous
One danger of IoT that is not widely discussed comes from the outside: third-party libraries used by app developers, and third-party code that is used to build and monetize websites and mobile apps. Today approximately 90% of the code across major websites is not owned and operated by the brand; that means someone else controls it, and for IoT, that’s bad news.
IoT manufacturers continue to rely on cloud services to host web-based user interfaces (UIs) that allow consumers to interact with their electronics from anywhere in the world. Mobile apps available on major app-stores do the same thing, and both are susceptible to attacks through third-party code that is not visible to the developer.
Even without a web-based user interface, research has shown that JavaScript-based attacks can be launched from any website that will target IoT devices on a user’s network while they innocently browse the web. Given the connected nature of IoT, this leads to a whole host of dangers.
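The browser-launched attacks described above generally work by having a page on some other site reach the device's local HTTP interface, either with a direct cross-origin request or via DNS rebinding, where a hostile hostname is re-pointed at the LAN address after the page loads. The following is an added example, not code from the original post: a request filter an IoT device's web server could apply, assuming the device knows the hostnames and addresses it legitimately serves under (ALLOWED_HOSTS and the sample requests are constructed).

```python
from urllib.parse import urlsplit

# Constructed sample: the names and addresses under which this device
# legitimately serves its UI. A real device would derive these from its
# configured interface addresses and advertised (e.g. mDNS) name.
ALLOWED_HOSTS = {"192.168.1.20", "thermostat.local"}


def _hostname(value: str):
    """Extract a lowercase hostname from a Host header or Origin value.

    urlsplit handles ":port" suffixes and bracketed IPv6 literals; a
    malformed value yields None, which the caller treats as a rejection.
    """
    try:
        return urlsplit(value if "//" in value else "//" + value).hostname
    except ValueError:
        return None


def is_request_allowed(headers: dict, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only if the request plausibly came from the device's own UI.

    Check 1: the Host header must name this device. In a DNS-rebinding
    request the browser still sends the hostile site's name as Host, so the
    request is refused even though it arrived on the LAN address.
    Check 2: if an Origin header is present (browsers add it to cross-site
    fetches and non-GET requests), it must also name this device with an
    http/https scheme, which rejects scripts running on any other site.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    host = lower.get("host")
    if not host or _hostname(host) not in allowed_hosts:
        return False
    origin = lower.get("origin")
    if origin is not None:
        parts = urlsplit(origin)
        if parts.scheme not in ("http", "https"):
            return False  # covers the opaque "null" origin as well
        if parts.hostname not in allowed_hosts:
            return False
    return True
```

A device that applies this check answers only requests addressed to its own name, so a script served from an unrelated site cannot drive the local UI; it is a complement to, not a replacement for, authentication on the UI itself.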
What Can IoT Attackers Do?
By now, most people have heard the stories about parents waking up to find an invisible stalker talking to their child through a baby monitor. Fewer have heard about the casino that was robbed through a fish tank – but both these stories are true, and both represent the power that attackers can wield through IoT.
While not every case of an IoT attack is as serious as the previous examples, even a benign IoT attack can lead to further trouble down the road. By exploiting vulnerabilities in networks or in the devices themselves, or by compromising unmanaged third-party code, skilled hackers can penetrate organizations and propagate through them laterally while taking over the computation power of any connected device.
The ability to move laterally across networks represents a threat to consumer privacy, the economy and our national security. It enables malicious agents not only to enter organizations through a backdoor, but even to attack a national government thousands of miles away. As the government invests in IoT, it must also work to protect itself from malicious 3PC.
A Priority for IoT Security: Deal With 3PC
As the field of IoT security remains in its infancy, many network administrators do not know how to secure their devices or segregate them from more sensitive assets. Still fewer are aware of 3PC, or the way it intersects with security across multiple fields including IT, WebSec, AppSec and others – but ignoring the problem is not an option.
A report by Trend Micro Research on cyber security predictions for 2020 said that cloud platforms will continue to suffer from code injection attacks via third-party libraries. “More compromises in cloud platforms will happen in 2020 by way of code injection attacks, either directly to the code or through a third-party library,” it stated. Evidence of this claim abounds: in the first half of 2019 alone, 100 million attacks were launched against IoT devices.
The threat that 3PC represents to IoT devices is very real, and combating it will require cooperation at multiple levels. While the average consumer can do little, companies, app designers, and manufacturers can address the issue by vetting their business partners; policymakers who are currently discussing IoT security at a national level must acknowledge the risk and account for it in legislation. Until that happens, the use of IoT as a portal into homes, businesses, and government agencies will continue to grow unchecked.