IoT end point device security will always be a game of leapfrog between attackers and vendors. The advantage will go to whoever gets the next jump. The reality is that both vendors and attackers are constantly on the lookout for vulnerabilities. When a manufacturer finds an IoT vulnerability and reports on it, the odds are high that attackers will look to immediately exploit this same vulnerability. And let’s face it, since attackers are motivated, and in many cases better equipped, vendors and manufacturers face an uphill battle. So what is a vendor to do? The following article details steps that the vendor, manufacturer, and the end user community can take to mitigate business interuption.
The internet of things (IoT) is being increasingly adopted by the world. According to this Forbes article, “29% of organizations globally and across all industries adopted IoT” in 2017. This made IoT security more important for organizations. When a vulnerability is discovered in an IoT system, how do you mitigate the problem without interrupting the business?
How IoT Vulnerabilities Are Handled Today
Let’s look at how IoT vulnerabilities are mitigated today by using connected medical devices as an example. On April 17, ICS-CERT issued an advisory on a defibrillator, exposing a vulnerability on this device. While no details were released on when this vulnerability was reported and how long it took to patch the faulty devices, in the advisory we found CVE-2017-12712 was assigned to this issue. From the method by which Common Vulnerability Exposure numbers are assigned, we can infer this issue was reported back in 2017, most likely around fall time. At least six months have passed since the vulnerability was discovered.