The Internet of Things (IoT) has not yet reached maturity, but with all its possibilities, users and manufacturers have enthusiastically acquired and invested in it without properly considering security. We're still figuring out a lot about the IoT: what we want from it, what level of privacy we are comfortable with, where the legal limits should lie and how to secure it. Getting the answers to all of those questions is a race against time.

The issue goes beyond mere data theft. Attackers can now leverage the functionality of the IoT to further their crimes. Issues have been raised with robotic vacuum cleaners that scan the architecture of a house in order to determine the area they have to clean. This would be a great feature if it weren't for the fact that it uses a default username/password combination, allowing an adversary to turn that device into a remote spying device. And this is just one example of many.

How many IoT devices are there?

In recent research conducted by Kumar et. al., "All Things Considered: An Analysis of IoT Devices on Home Networks," researchers identified that in 11 different geographical locations and 15.5 million homes, there exist 83 million IoT devices. The figure below depicts IoT device type distributions between different geographic regions.

Source: "Kumar, Deepak, et al. "All Things Considered: An Analysis of IoT Devices on Home Networks." 28th {USENIX} Security Symposium ({USENIX} Security 19). 2019

Government IoT device regulation

As these threats continue to grow, governments are introducing regulation all over the world at both regional and national levels. For example, the U.K. government recently introduced a certification scheme which will allow compliant devices to be labeled with the Secure by Design standard. The Finnish government has recently announced that they will be adopting similar measures. It seems that market forces will now help police the security of the IoT too.

In the U.S. the Cyberspace Solarium Commission recently studied the impacts of the COVID-19 crisis on cybersecurity and recommended that the U.S. government pass an IoT security law, among other recommendations, like monitoring social media data and threats.recommended that the U.S. government pass an IoT security law, among other recommendations, like monitoring social media data and threats.

It might take a while for the full force of regulations to be felt. Hopefully, the industry will take responsible action and continue to build good security into IoT devices. Maybe we should be asking how to remove those inevitable vulnerabilities from our concern.

AI can help

We're still figuring out what we want from the IoT, what data we're going to let it collect and with what level of autonomy they're going to use that collected data. It is from that perspective that it makes sense to adopt security practices that can learn and grow with it.

Artificial Intelligence (AI) could help here. With AI we can start to not only stop threats but also predict them. In the case of the IoT, we can construct technologies that will be able to spot malicious, infected IoT devices within a given network and also accurately predict which devices will be malicious in the future or in danger of getting comprised.

By collecting data from a variety of devices over time we can identify patterns. We can evaluate outdated operating systems, default passwords, vulnerable libraries, and a lack of authentication, encryption and signing - all factors which contribute to the device's vulnerability. Those factors on their own cannot guarantee that a device is going to be compromised, but with enough data collected over time, we can predict the likelihood of that device becoming the target of an attack.

Such devices are easy prey for a cybercriminal. A study by the SANS institute in 2017 showed that it only took two minutes for a device to be attacked once it was connected to the internet. For a functional AI engine derived from a variety of different algorithms masses of data will have to be acquired over time in order to develop predictions with high confidence. The AI will have to learn along with the development and life-cycle of the IoT. As we fix old problems and develop new ones, utilizing AI-driven approaches could be of significant help in securing IoT devices.

DigiCert Labs actively contributes to the development of AI-based security approaches, pattern recognition and network data consumption categorization that analyze the behavior of different IoT devices in a variety of environments. When it comes to the IoT, like with all technology, we have to continue to evolve our thinking around security. AI is one to watch.