IoT Security. PHOTO: Cybercrime Magazine.

Do CISOs Get Amnesia? We Hope So.

Vulnerabilities are impacting millions of smart and industrial IoT devices

Eli Kirtman

Northport, N.Y. – May 3, 2021

The multi-billion-dollar Internet of Things (IoT) market has manufacturers pining for a competitive edge and their risky shortcuts to lead the race have security leaders on high alert.

“Considering the time to market, costs of development, and the overwhelming number of suppliers, most IoT devices are developed with free and open-source software (FOSS),” says Morgan Hung, CEO at Onward Security.

One of those shortcuts is the widely-used OpenSSL, a software library containing open-source implementation of cryptographic protocols to protect data communications across computer networks and applications.

Among the protocols is Secure Sockets Layer (SSL) and it is a godsend for busy FOSS developers.

But is FOSS worth its weight in gold? Cybercriminals, nation-state adversaries and other sophisticated threat actors are betting on it.

In fact, the OpenSSL Management Committee has discovered numerous Common Vulnerabilities and Exposures (CVE) in SSL protocols and we see the consequences of them in the media every day.

The recent set of 33 vulnerabilities identified by security researchers — dubbed AMNESIA:33 — affected four open-source TCP/IP stacks, allowing attackers to execute malicious code in millions of smart and industrial devices worldwide.

Coordinated attacks on “probable zero-day vulnerabilities” in SonicWall’s remote access products are yet another example of the potential threats that FOSS poses to an organization’s internal systems.

If hijacked sensitive information and ransom demands aren’t enough to wreck our lives, then the current heart-wrenching state of security in healthcare IoT will do it. Here’s an inspiring story to drive the point home.

“The lack of security design during product development and the integration of vulnerable third-party components into IoT devices are global and potentially life-threatening concerns,” says Jacky Lee, director of product development at Onward Security.

Yet, the average FOSS developer spends under 3 percent of their time improving security code, according to a recent survey conducted by Linux Foundation’s Open Source Security Foundation and the Laboratory for Innovation Science at Harvard University.

It’s an “insufferably boring procedural hindrance” and a “soul-withering chore,” echoed the FOSS developers.

Their plight is no doubt a significant concern for CISOs considering more than 70 percent of the code in modern software applications originate from open source components.

While the gap between a security leader’s duty to protect the organization from cybersecurity threats and the developer’s reluctance to improve security code is too wide to cover here, there are solutions that may ease the pain on either side.

Security experts agree that a robust risk management architecture is key to securing devices on the IoT landscape.

“Implementing open source risk management tools early in the software design and development stages allow R&D teams to efficiently identify the attack-source and create post-production countermeasures,” says Lee.

He encourages cybersecurity leaders to up the ante on their security protocols by automating test environment configurations, security assessments and other functions for connected devices.

“Automating security practices will optimize the detection of CVEs and effectively reduce breaches before systems go live or products hit the market.”

Bottom line: Free and open-source software may expedite IoT products into the hands of buyers, but neglecting due diligence with security is certain to cripple even the most secure organizations and expose customers to potentially dangerous cyber threats.

The proof is in the code.

Onward Archives

Eli Kirtman is a freelance writer based in Cincinnati, Ohio.