Trend Micro Inc. debuted Wednesday a new information security protection software development kit at Microsoft IoT Expo in Taipei. The kit was created in partnership with Microsoft to address the need for enhanced security amidst rapid expansion of integration in the global Internet of Things (IoT), and specifically the Internet of Vehicles (IoV).
The comprehensive solution, which was designed with the unique characteristics of IoT in mind, will help enterprises safeguard connected devices and services against cloud, network and endpoint threats.
The IoV is one of the most prominent areas of emerging connected technology, and in an effort to protect this growing industry, Trend Micro’s new security software development kit will provide two key features — the ability to proactively detect threats and conduct risk assessment, as well as endpoint level protection that activates system security when devices are under attack.
Upon deployment, the kit automatically connects to the Trend Micro Smart Protection Network, using machine learning technology to monitor abnormal conditions. The kit’s highly efficient core and multi-layered solution is capable of extensive support for various IoT platforms, providing real-time protection.
“Despite growing excitement about the possibilities of IoT, information security in the industry is still lagging, particularly for connected device endpoints — making them especially vulnerable to attacks,” said Jerry Liao, chief architect of IoT security for Trend Micro. “There is a huge need for improved IoV security, and this new kit demonstrates Trend Micro’s dedication to protecting its customers, as well as our proactive — not reactive — approach to security.”
According to a recent Trend Micro report, 50 percent of surveyed corporations, government agencies and related organizations said the frequency at which their connected devices are under attack is on the rise, with 10 percent confident in their ability to confront those attacks, and nearly 80 percent agreed that cyber threats are becoming increasingly accurate and sophisticated.
“It is evident that information security vulnerabilities associated with IoT have become a looming concern,” said Liao. “As IoT is applied in more sectors, including the automotive industry, the significance of information security cannot be overlooked. It is imperative that security measures be implemented during development to safeguard IoT environments from malicious threat actors and ensure real-world safety and security.”
Gartner has estimated that more than 20.8 billion IoT devices will be in use by 2020; IoT will be leveraged by over half of major business processes and systems, with enterprises projected to lead in driving IoT revenue.
Remotely controlled lightbulbs and WiFi-enabled In-Vehicle Infotainment (IVI) systems, for instance, are mostly run in Linux and developed in C language without safe compiler options. They also use dated connection protocols such as TCP/IP (1989, RFC 1122), ZigBee (2004 specification) and CAN 2.0 (1991), which when exploited can open up the device to remote access. For instance, exploiting a TCP/IP protocol can lead to a man-in-the-middle attack where malicious third parties can tap into an IoT device’s network, intercept its traffic and ultimately gain access to the device.
The security of IoT devices has been largely overlooked as most vendors focused mainly on their performance and functionality. This is exacerbated with the existence of search engines such as Shodan and ZoomEye, which readily provide repositories of potentially vulnerable connected devices and computer systems.
But as IoT adoption among consumers and businesses continue to grow, security in IoT devices is also gaining traction. In fact, global spending on IoT security has been projected to reach $547 million in 2018.
Gartner also predicts that 25 percent of identified cyber-attacks on enterprises will involve IoT by 2020. Tesla and Fiat Chrysler are among those that took the initiative by launching bug bounty programs to improve the security of their connected cars. In the U.S., the Automotive Information Sharing and Analysis Center (Auto-ISAC) has collaborated with 15 automobile makers in setting up a list of best practices for their vehicles’ cybersecurity.
And while cyber extortion or even ransomware in IoT is technically feasible, it is unlikely to be done in the foreseeable future. Hacking IoT devices involve earmarking time and resources. It also entails personalizing the attack and targeting specific victims, enterprises or industries from which they can monetize their operations through extortion. It can also be unviable especially for malefactors such as ransomware operators whose hit-and-run business models work by trying to gain quick ROI from as many victims as possible.
Nevertheless, the growing adoption of IoT devices, the relative ease of exploiting their security flaws and the seeming profitability of extorting their owners, are a daunting combination. And while there is no silver bullet for completely securing the vast network of connected devices, countermeasures such as implementing a security audit when designing IoT software/hardware, setting up security gateways, adding endpoint monitoring and utilizing real-time log inspection can help mitigate the risks.