Small, unsophisticated developers perpetuating IoT security lapses: IBM

The traditional software market hasn't done a great job

Despite years of education about security threats, software developers in Australia and elsewhere are still writing code that is too insecure and will open up massive holes as the Internet of Things (IoT) develops, IBM's X-Force security arm has warned as a prologue to recent research that found most malware threats continue to come from outside of Australia but can nonetheless affect all countries.

Lithuania, Belarus, the United States and the Russian Federation topped the ratings of botnet command-and-control servers, malware penetration and other metrics compiled by X-Force in its latest X-Force Threat Intelligence Quarterly report.

“The traditional software market hasn't done a great job in creating secure code,” the report's authors warn. “The fact that SQL injection is still a huge problem is a sad indicator that we haven't made enough progress toward training developers – and the industry as a whole – on secure coding and testing applications in development and in production.”

This has left IoT environments vulnerable to the creativity of hackers: in one test, for example, security researchers were able to disable a car's brakes while its wheels were spinning at 65kmh by inserting a CD filled with MP3 songs that would play normally – but exploited a buffer overflow in the player's software that allowed them to load malware onto the vehicle's control systems.

Compounding the problem, the report says, is the fact that hardware manufacturers – whose expertise is necessary to deliver IoT devices – are “not generally good at software development” and, like software companies, “aren't great at writing secure code”.

In many cases, this results in unnecessary security vulnerabilities, such as when a maker of smart street lighting systems improperly implemented encryption management by having mesh-connected lights talk to each other using a pre-shared key that never changes.

With many IoT manufacturers being small startup companies with few employees and small or no security budgets, IBM notes, the chances of the situation being resolved soon are relatively low.

Compounding the problem is a proliferation of IoT-related communications protocols – including MQTT, XMPP, DDS, AMQP, Zigbee, Z-Wave and proprietary alternatives – that each have their own security implications and are complemented by industry-specific extensions or alternatives.

To address these challenge, IBM's X-Force researchers recommend that software developers follow the Open Web Application Security Project (OWASP) IoT Top 10 practices; build a secure design and development practice; perform regular penetration testing on their products; and follow industry guidance.

'This is the beginning of the 'things' revolution, and, as with mobile devices, the makers and developers of 'things' can help drive an imperative to build security in from the start,” the report's authors advise.

“Technologists can help improve security by embracing the IoT, but with a critical eye. You can be an early adopter without being a victim.”

This article is brought to you by Enex TestLab, content directors for CSO Australia.

Tags Enex TestLabsoftware developersbotnetxmppZigBeeDDSsecure codeOWASPCSO Australiamalware threatsIoT securityAMQPmalware penetrationMQTTMP3 songsIoT manufacturerZ-Wave

Show Comments