The need to protect internet of things (IoT) devices is an ongoing concern as the volume of connected devices continues to proliferate.
In a session at the RSA 2022 Conference, Scott Register, VP at Keysight, outlined the challenges and some solutions to help to improve the current state of IoT security. During the session, Register highlighted several high-profile IoT security incidents, including the Mirai botnet that first appeared in 2019 and continues to be a risk in 2022.
A big challenge that Register sees is the complexity and lack of understanding of how to keep IoT devices patched and up to date. He noted that with a Windows system, users are used to seeing update notices. When it comes to a smart TV or a thermostat, how to patch it is less clear, even if a user knows there is a need to update.
"You want to assess these things that you're putting on your network so that you can understand what they're doing to your attack surface," Register said.
Aspects of IoT Cybersecurity Validation
There are several steps that can be taken to help validate the security of a given IoT device.
These assessments include an analysis of potential risk and look at weak passwords and encryption, unpatched operating systems and publicly exposed services that lack authentication.
For vendors and security researchers, protocol fuzzing is a more advanced technique that can identify potential vulnerabilities in a software stack. In the session, Register detailed an approach to protocol fuzzing using what is known as a digital twin, which is a virtual copy of a running service.
"With digital twins, you can accelerate anomaly detection in protocol stacks by comparing the results from the twin to the physical device," he said.
The basic idea of the digital twin approach is that the virtual copy runs the expected implementation while the physical device runs the actual protocol implementation. If fuzzing detects a flaw in the physical device and not in the digital twin, it's clear the flaw is in the implementation of a given protocol and not in the protocol itself.
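The comparison described above can be sketched as a small differential fuzzer. This is an added example, not code from the session or from Keysight: the toy type/length/payload protocol, both parsers and the simulated device flaw are constructed assumptions, and the "device" runs in-process in place of real hardware.

```python
import random
# Constructed toy protocol (an assumption, not from the talk):
# byte 0 = message type (1 or 2), byte 1 = payload length, rest = payload.

def twin_parse(msg: bytes) -> str:
    """Digital twin: the expected behaviour of the protocol."""
    if len(msg) < 2:
        return "ERR_SHORT"
    mtype, length = msg[0], msg[1]
    if mtype not in (1, 2):
        return "ERR_TYPE"
    if length != len(msg) - 2:          # declared length must match bytes received
        return "ERR_LENGTH"
    return f"OK type={mtype} len={length}"

def device_parse(msg: bytes) -> str:
    """Stand-in for the physical device, with a deliberate implementation flaw."""
    if len(msg) < 2:
        return "ERR_SHORT"
    mtype, length = msg[0], msg[1]
    if mtype not in (1, 2):
        return "ERR_TYPE"
    if length > 16:                     # simulated fault: length exceeds a 16-byte buffer
        return "CRASH"
    return f"OK type={mtype} len={length}"  # length is trusted, never checked

def mutate(seed: bytes, rng: random.Random) -> bytes:
    data = bytearray(seed)              # seed must be non-empty
    choice = rng.randrange(3)
    if choice == 0:                     # overwrite one byte
        data[rng.randrange(len(data))] = rng.randrange(256)
    elif choice == 1:                   # truncate
        del data[rng.randrange(len(data)):]
    else:                               # append junk
        data += bytes(rng.randrange(256) for _ in range(rng.randrange(1, 8)))
    return bytes(data)

def differential_fuzz(seed: bytes, rounds: int = 500, rng_seed: int = 1):
    rng = random.Random(rng_seed)
    findings = []                       # cases where twin and device disagree
    for _ in range(rounds):
        case = mutate(seed, rng)
        expected, actual = twin_parse(case), device_parse(case)
        if expected != actual:
            findings.append((case, expected, actual))
    return findings

SEED = bytes([1, 4]) + b"ping"          # constructed valid message
if __name__ == "__main__":
    for case, expected, actual in differential_fuzz(SEED)[:5]:
        print(case.hex(), "twin:", expected, "device:", actual)
```

Every finding is an input the twin rejects with a length error while the device either accepts it or faults, which points at the device's length handling and not at the protocol definition.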
In terms of what organizations can do to limit the risks of potentially vulnerable IoT devices, Register suggests that in addition to patching, users segment their network to keep IoT devices isolated from important corporate assets.