Why Product Testing Is the First Step in Device Security

Internet of Things (IoT) devices have always been hard to secure because they incorporate components from multiple vendors. Manufacturers now struggle to deploy products amid a supply chain crunch that could last into 2024. Expediency has come at the expense of security as businesses focus on other high-priority issues.

In a survey we recently conducted with the Ponemon Institute, only half of respondents said their company assesses the security of its own products before they are shipped to customers. The security of an IoT device is very important to 76% of respondents, but only 41% say their organization makes it a priority.

The risks of a manufacturer sending, or a retailer or consumer accepting, devices without proven security are very real. Attackers might access sensitive data through unprotected devices or recruit compromised devices to form a botnet as part of a distributed denial-of-service (DDoS) attack. According to Spamhaus, the third quarter of 2021 saw a meteoric 82% rise in the number of new botnet command and controllers (C&Cs) over the second quarter.

IoT devices can also be an attractive target for a hacker looking to sabotage something bigger. We have already seen hackers compromise pacemakers and implantable defibrillators, remotely drive a Jeep off the road, and accelerate the threat of ransomware for connected cars.

Meeting production deadlines doesn’t have to mean shipping devices that aren’t secure. Security testing represents an urgent need for device manufacturers, and in order to prioritize it, we need to make it faster and more automated.

Product security impacts sales

Product leaders no longer have to wait for urgent reasons to secure their products and supply chain: These issues are already impacting the bottom line. Nearly three in five—59%—of organizations report that they have lost sales due to product security concerns.

Testing products before they ship is more than just quality control; it’s an investment with a tangible impact. Many manufacturers use firmware mostly produced by third parties, which makes it tougher to know what exactly is in their devices. Testing against IoT standards set forth by organizations like the European Telecommunications Standards Institute (ETSI), European Union Agency for Cybersecurity (ENISA), and National Institute of Standards and Technology (NIST) can assure customers that security is a priority. The ability to prove those efforts to customers would likely help safeguard against the loss of sales.

Product security isn’t just a short-term problem, either. There will likely be more than 27 billion IoT connections by 2025 according to IoT Analytics, which opens a new world ripe with opportunity for attackers. We already see security impacting sales, and a larger potential attack field in the future makes it more imperative to bake security into devices so that the data they produce is accessed only by

Where the burden lies

A whopping 73% of our respondents report their organization doesn’t conduct software composition analysis (SCA) for all its connected products’ software and 70% say their company can’t easily generate a software bill of materials (SBOM) for each of its products. It should come as no surprise, then, that 60% report difficulty responding quickly to new vulnerability disclosures.

Why don’t manufacturers see product security as more urgent? Based on the results of our survey, it appears the product security hot potato is being passed on to others. Most manufacturers don’t believe the onus is on them to keep products secure.

Forty percent of our respondents point to third-party software vendors when asked who they believe should be most responsible for ensuring the security of IoT devices, while 15% say end-users should be most responsible, and 12% believe it should be most up to the government. Only 31% of manufacturers believe the primary responsibility for product security rests in their hands, which goes a long way toward explaining why these concerns aren’t top-of-mind for many device makers.

The main obstacles to developing secure IoT devices for respondents are a lack of resources (62%) and lack of in-house expertise (60%). That’s not surprising, considering only a quarter of respondents say their organizations allocate more than 5% of their IT budgets to embedded device product security.

For manufacturers using traditional security testing, like manual penetration testing, the problem comes down to scaling. Every additional pen tester is expensive (and difficult to find in a tight labor market). Manual testing is time-consuming. When testing processes don’t scale, the result is security triage. Some products—usually bestsellers—get testing attention, but the rest of the product line is neglected.

The product testing solution

Testing can help avoid pitfalls and security risks. According to Zscaler, 76% of IoT devices connected to corporate networks are still communicating on unencrypted plain text channels, making them a vector for threat actors. As the market continues to grow, so too will that risk unless new measures are taken.

The most efficient strategy is automating product security testing. New, automated testing tools can help stop the triage and get provable device security for each product in a product line.

Through automated testing, manufacturers can spend more time on day-to-day operations with a process that’s fast, cheap, and secure. With outside forces like the supply chain disruption making an already complicated situation more complex, automation can scale their security efforts with the growth of the market.

The future of product security isn’t in dramatically expanding budgets and adding to product costs. Rather, it’s getting smarter about what to test, when to test it, and how to keep devices and customers safe.

Principal Product Manager at Finite State