Security Vulnerabilities Pose a Challenge to IoT/IIoT Mass Adoption

By Tae-Jin (TJ) Kang

As the Internet of Things continues to grow, current discovery and tracking tools and methods need to evolve.

Statista, a leading market and consumer data research firm, projects that by 2020 the utilities, transportation and logistics, and discrete manufacturing industries will each spend $40 billion on Internet of Things (IoT) platforms, systems and services. The next largest spending category will be business-to-consumer vendors, at $25 billion, while the health-care, energy and retail industries are each projected to spend north of $10 billion. These numbers add up to a significant investment in the IoT. In fact, the Boston Consulting Group predicts that the IoT market will reach $267 billion by 2020.

IoT Security Lowers Trust and Will Hinder Implementation Growth
The IoT land rush is coming at a cost. As IoT and Industrial Internet of Things (IIoT) manufacturers sprint to be the first to offer the newest connected devices, they fail to prioritize cybersecurity. This tendency is a huge misjudgment, as it has often led to the release of IoT devices and platforms that are later discovered to be completely insecure.

IoT-powered devices, such as routers, modems, network attached storage (NAS) devices, closed-circuit television (CCTV) systems and industrial control systems, can all be recruited into botnets for the purpose of carrying out distributed denial-of-service (DDoS) attacks. It happened in 2016 with the Mirai IoT Botnet attack. Consumer IoT devices in the home are not immune—seemingly innocent gadgets like connected toys can be exploited to spy on children.

While growth in IoT spending may increase significantly, privacy, data theft and DDoS attacks will hamper implementations. If deployments become bogged down with security issues, organizations will not see the benefits of their IoT investment, and the industry's growth will stagnate.

Poor Open-Source Software Management Compromises IoT Security
We stand at an interesting crossroads for two of the fastest-growing technologies: the IoT and open-source software (OSS). The two have become somewhat interdependent, with IoT companies relying heavily on embedded Linux and adjacent OSS to power their devices. While open-source code is incredibly powerful, like proprietary software, it contains security vulnerabilities.

This means the code that is driving IoT innovation, if not properly managed, has the potential to expose consumer, commercial and industrial customers to privacy violations and data theft. Compounding the issue is the prevalence of open-source code. A popular OSS component is often reused across various industries to serve a spectrum of different purposes. As a result, a single vulnerability within an OSS component may have far-reaching consequences.

There are three noteworthy issues for IoT manufacturers looking to address OSS vulnerabilities:
• Key software components are not proactively screened for security vulnerabilities.
• The databases listing known open-source vulnerabilities are slow to publish them, narrow in focus or incomplete in coverage.
• There are limited resources that provide practical information on ways to mitigate or work around known vulnerabilities.

Current Bug Bounty Programs Fall Short for OSS Components
The financial liability and public safety risks associated with fragile IT security have prompted organizations to enlist outsiders to bolster their internal security teams. These external services include commercial bug bounty programs whose business model revolves around connecting companies with a global white hat hacker community to detect security flaws.

Open-source is not completely exempt from these bug bounty programs, as some OSS projects are supported through corporate sponsorships. However, the commercial nature of these programs directs the majority of bug bounty efforts to finding security vulnerabilities in proprietary code. Private enterprises would be reluctant to single-handedly bear the burden of funding bug bounty programs for OSS, a common, publicly available asset. As a result, most open-source projects, including those that are heavily leveraged across a spectrum of different applications and industries, remain vulnerable without corporate support.

The Shortcomings of Current Vulnerability Databases
Most known open-source security vulnerabilities are housed in state-sponsored databases, like the National Vulnerability Database, that are freely accessible to all visitors. However, these free, state-sponsored databases are often operated by a limited group of conservative authorities, which delays the posting of approved vulnerability information to the database. As a result, new or updated vulnerability information may appear on security bulletin boards or mailing lists first. With access to these various resources, malicious actors can acquire blueprints on how to hack devices or even entire systems before the information is publicly revealed through centralized vulnerability databases.

Public databases are also entangled with concerns about trust due to their susceptibility to data-tampering and omissions. The National Security Agency has been known to deliberately keep vulnerabilities secret for surveillance purposes. This prevents the relevant system and device manufacturers from addressing security problems to protect the greater public.

Alternatively, large IT companies such as Microsoft and Apple pay large fees to access commercialized vulnerability databases. These private commercial databases are superior to public databases in information coverage as they employ more people to scan various channels of vulnerability reporting in a timelier manner. However, the high access fee to these private databases is often beyond the reach of smaller companies. Additionally, the reporting model used by these private commercial databases is insufficient to secure the next generation of IoT devices, as it limits the time and attention devoted to security issues affiliated with a select set of firms.

Vulnerability Remediation Is Not Well Documented
Even if an organization knows which vulnerabilities lie in the open-source components used in its software, it often struggles to mitigate them. Fixing vulnerable code is not as simple as a copy-and-paste activity, as updating or modifying OSS component versions may prompt cascading effects on other parts of the software. Unfortunately, there are very few resources that publish vulnerability remediation information to guide developers who want to exercise proper caution when managing their OSS security.

New Paradigm for OSS Vulnerability Hunting and Reporting
There is a non-profit foundation that aims to make open-source software more secure for IoT companies by addressing the current shortcomings of vulnerability information reporting and tracking. It is in the midst of building the first and most accurate crowdsourced security vulnerability knowledge platform.

The foundation's platform will leverage a combination of the first independent blockchain-based security vulnerability tracking and reporting database, the first bug bounty management program for highly critical open-source software components, and a knowledge resource for businesses and developers to fix or patch vulnerabilities in their software systems or applications.

The foundation's bug bounty program will be unique. For the first time, developers and researchers in the open-source community will be incentivized to proactively examine OSS components for vulnerabilities. This will significantly improve the quality of the most highly used components before they reach the software vendors and enterprises to use in their IoT products and platforms.

The foundation's decentralized security vulnerability reporting and tracking database will be more comprehensive than its state-sponsored counterparts. Not only will it record bugs discovered by newly incentivized contributors, but it will also catalog all known vulnerabilities contained in alternative resources, such as the NVD and security bulletin boards.

The foundation's database will harness the power of blockchain not only to crowdsource information, but also to eliminate the need for centralized management and ensure the immutability of its stored information. As a result, users of the new database can reap the benefits of a tamper-proof, transparent platform that provides superior vulnerability coverage.

Additionally, the foundation will incentivize contributors to publish instructions to repair vulnerable code catalogued in the vulnerability database. Remediation instructions can range from temporary workarounds to fixing a bug in the source code. This will give IoT device manufacturers and software developers a knowledge base that they can leverage to more easily address the known security vulnerabilities in their software.

In order to sustainably and independently operate the bug bounty program and security vulnerability database, the foundation will offer access to its database through per-use and subscription-based pricing models. The costs to access the database are expected to be much lower than those of commercial vulnerability database providers.

While IoT industry growth is presumed to be prodigious, security vulnerabilities pose a hindrance to its successful mass deployment. The current security vulnerability discovery and tracking tools and methods need to evolve. The creation of an independent, non-profit entity that will leverage a crowdsource model for finding, tracking and providing remediation information about open-source security vulnerabilities should address the IoT industry's needs.

Tae-Jin (TJ) Kang, a technology industry executive and entrepreneur, is the CEO of Secure Planet. In addition to founding a number of successful technology startups, TJ has held senior management positions with global technology leaders that include Korea Telecom and Samsung Electronics, among others.