Security Firms See Dollars In Taming IoT Insecurity


In-brief: Security firms Trustwave and IOActive both announced services promising to help aspiring IoT product firms secure their products, more evidence that the Internet of Things is producing secondary markets.

To date, the security problems that attend Internet of Things products have mostly been a subject of debate and discussion. But the problem of insecure IoT devices is apparently real enough – and big enough – to have prompted new services from two well-known security firms in the last week.

Trustwave and IOActive are both rolling out new security services designed to appeal to companies that have developed or are developing products for the Internet of Things. The services are intended to help firms identify and mitigate common security vulnerabilities in IoT products and to reverse what one executive characterized as haphazard design and deployment of connected devices.


Seattle-based consulting firm IOActive said last week it was offering Internet of Things Assurance Services intended to help “innovators protect the billions of IoT devices coming online.” Trustwave will announce a Managed IoT Security service later this month to help manufacturers as well as business users of IoT technologies “remediate IoT threats and vulnerabilities.”

Matt Rahman, IOActive’s Chief Strategy Officer, said that the new IoT-focused service at his company is an extension of the company’s ongoing consulting and research into IoT devices, including traffic control systems, connected vehicles, smart city technology and satellite communications. That research has exposed widespread security and privacy issues in connected devices, he said.

“You have devices leaving manufacturers without any due diligence or testing,” he said. “We found in our research that we had command and control access to millions of deployed devices and could take them over.”

Rahman said the IoT market is bifurcated. On the one hand are small, crowd-funded IoT pure-play firms that come up through platforms like Kickstarter. On the other are large manufacturing and industrial concerns with long histories in areas like industrial automation.

IOActive will endeavor to serve both. For small firms it offers a simple package of auditing services, such as analyzing the security of device firmware or the protections around device communications.

“We’ll do some basic, low-level inspections in those areas for organizations that are limited in budget. From our perspective, this is more about helping the community than making money.”

For larger manufacturing and industrial concerns, however, IOActive has a more fleshed-out offering comprising everything from assistance building security into the development lifecycle to code review and end-to-end testing of IoT hardware and software from a “hacker’s” point of view.

Chicago-based Trustwave said its new IoT managed services will be announced on July 22 and are aimed at preventing IoT-related security incidents and data breaches within its customer base. The company’s approach is two-fold: helping technology manufacturers incorporate security in their IoT products and infrastructure, and helping businesses that use IoT technologies monitor them for signs of trouble.

Companies that are developing IoT products and services will be able to use Trustwave Managed IoT Security to find weaknesses in embedded devices, in back-end services and in communications between deployed devices and their management systems. As with IOActive, Trustwave will tap internal security experts in its SpiderLabs group to find weaknesses in devices by exploiting vulnerabilities in the hardware, the software and the manufacturers’ servers.

On the enterprise side, Trustwave Managed IoT Security will provide what the company terms “actionable findings to real-time monitoring and advanced security services” via a web-based portal – giving IT staff a heads-up about vulnerabilities in IoT platforms.

The security problems facing the Internet of Things are well documented, and these aren’t the first efforts to throw a security life-preserver to IoT firms. BuildItSecure.ly is a volunteer effort that launched in 2014 with the goal of helping small, commercial and bootstrapped vendors to build products securely. Vendors including Dropcam, Belkin and smart home firm Wink are all participants.

Rahman said that competitive pressure drives companies to focus on delivering features rather than doing security. “Engineers have a timeline. They’re doing sprints to develop a product and get it out on a timeline,” he acknowledged. “The result is that basic elements of security that need to be developed are, instead, circumvented.”

That dynamic isn’t new, but the sheer scale and complexity of the Internet of Things, and the ways in which IoT devices will occupy our physical surroundings pose new and as-yet little understood challenges.

Rahman warned that companies need to engage with the problem now, before market pressures force them to embrace insecure devices – a process that Rahman likened to the way the iPhone displaced the more secure BlackBerry as the go-to enterprise mobile device.

One Comment

  1. The beginning (or “genesis”, if you will)? How so?

    Secondary markets? Marketing to whom? Why?

    Isn’t it possible that maybe, just maybe, this is the result of irresponsibility on the part of the vendors who should have some respect for securing their own devices but who are instead now being given a “free pass” by encouraging companies who have a lot of involvement in post-breach investigation and containment and continual monitoring? Do you need continual monitoring with big rooms full of low-level analysts for something that has security as a consideration at the outset? Maybe you should be encouraging companies to make more secure decisions to begin with?

    I don’t think that creating secondary markets is really how the ‘security market’ is supposed to work (well, it did in the early AV’s-make-virus antivirus days — and it’s sure rampant now — but is that really the sort of history we want to encourage and repeat, yet again? Is that an industry we want to be a part of? While it sure seems to be all about the C.R.E.A.M., why are we encouraging that? Because everyone else is?).