Why IoT security needs more focus on the backend

There’s no shortage of warnings about the dangers that lacklustre security can have with regards to the Internet of Things. We here have been writing about IoT ‘time bombs’ and ‘wake up calls’ for a while now. And last year the world saw its first IoT security bomb go off in the form of the Mirai botnet.

And while there’s no shortage of research into connected device security and people tearing apart devices, there’s a whole aspect of IoT security that’s being forgotten about.

“A lot of the research focuses on the endpoint devices because that's the legal way to research; you can buy one, you can take it apart without permission or being requested to do so,” says Rik Ferguson, VP of Security Research at Trend Micro.

“You can't go and scan someone's backend and find out what the vulnerabilities are at the data centre side of things.”

Because of that legal block, he argues, it’s unclear what authentication, security protocols and encryption these companies have in place, whether the data is being exposed, and what general security practices they follow. That means it’s hard to tell how secure these increasingly large ecosystems really are.

Mirai, Ferguson says, took down a large portion of the internet with just 380,000 compromised IoT cameras and other devices. Analyst predictions suggest there could be tens of billions of connected devices in a short space of time, many of which could be compromised and used offensively if the backend can be hacked. And then there’s the value of the information being sent from the devices to the backend, plus the user information that may well be linked up to those devices.

“It's a very, very neglected area, and we don't have a lot of visibility into how those devices actually communicate with that backend. That's where the gold is, that's where the attackers are really going to go.”

Hacking for good

While companies working in the IoT space should start offering bug bounties and encouraging researchers to help make their systems better, many do not. Ferguson, in lieu of that, suggests his company’s Zero-Day Initiative.

Part of Trend Micro through its acquisition of TippingPoint in 2015, ZDI is an open, global community of researchers; when one of them finds a vulnerability, ZDI buys it from them and then works with the affected company to solve the issue.

“So even if there aren't bug bounties from those device manufacturers, there are still ways for researchers to get rewarded for their work, and vulnerabilities be identified and remediated.”

However, one wonders whether a hacker who found a Mirai-level vulnerability in some major IoT vendor’s system would be tempted to eschew disclosure and instead sell it for profit. When it’s put to Ferguson that many hackers can and do make more money selling exploits on the black market than they could through legitimate bug bounties, he disagrees.

“That might be the case in some geographies but not all geographies. The salaries you're talking about for entry level with good cyber skills are streets ahead of where I started in this game.”

“There's plenty of money to be made legitimately, and it's an industry that not only has a good starting level, but offers massive scope for personal development and financial development alongside that. There are so many areas you can focus on, and you can end up being significantly rewarded for it.”

As well as financial reward, he says, there’s the question of moral fibre to consider as well.

“Someone asked me: 'Why have you never been a bad guy?', it's not a question I'd ever considered before, and the only answer I could come up with was “Because I'm not a wanker”.”

“I think you have to be a certain kind of person to be willing to commit crimes, particularly crimes that disadvantage other people, whether it's personal or financial or in terms of the ability to do business. I couldn't live with myself, and I don't think I'm anything approaching unique in that respect.”

Ferguson goes even further along that line of thinking, arguing security types would be great at serving the people.

“I also think a lot of security would make fantastic politicians.”

“They seem to be very engaged with security as a wider concept than just digital security or information security, it's about personal freedom and liberty. There seems to be a lot of passion in that area among security professionals.”

So, will we be seeing ‘Rik Ferguson for Prime Minister’ posters come 2020?

“Oh God, could you imagine? Everybody would have to listen to Mötley Crüe every day would be my first law, and Adam and the Ants at tea time.”


Also read:
InfoSecurity Europe 2017: Computer security has become everything security
Trend Micro: 6 most popular homebrewed terrorist tools
The InfoSec issues more dangerous than Heartbleed or Shellshock
How IoT companies can learn from the Mirai malware exploitation


«Typical 24: David Manning, MIGSOLV


C-suite career advice: David Kaganovsky, Maxus»
Dan Swinhoe

Dan is Senior Staff Writer at IDG Connect. Writes about all manner of tech from driverless cars, AI, and Green IT to Cloudy stuff, security, and IoT. Dislikes autoplay ads/videos and garbage written about 'millennials'.