Quick Takeaways
- IoT Security Lagging: Despite increasing IoT adoption for efficiency, security measures have not kept pace, leaving devices vulnerable with insufficient patching capabilities and default settings like simple passwords.
- Awareness Deficits: Awareness of IoT security risks is critically low, complicating efforts to improve the safety of connected devices, as noted by industry experts.
- Legislative Efforts: Initiatives like California’s 2018 legislation and upcoming UK and EU regulations aim to enhance IoT security by banning default passwords and mandating vulnerability disclosure, but progress has been slow.
- Evolving Threat Landscape: The shift from basic botnet threats to more serious risks such as ransomware and espionage highlights the escalating dangers IoT devices face, requiring urgent and systemic security improvements.
Internet of Things (IoT) usage has expanded across industries over the past five years and will only continue to do so, but has security grown with it? Experts say progress is not fast enough.
While organizations increasingly use IoT devices and applications to improve operational efficiency or save money, the technology is inherently insecure. It makes everything more connected, leaving a treasure trove of internet-exposed data. On top of that, many IoT devices are not equipped to receive easy vulnerability patching updates, or even to alert users that an update is needed.
Manufacturers ship devices with simple default passwords such as “admin admin” and many users don’t know they need to be reset to strengthen security. This is especially critical, as attackers have become more competent in the IoT space.
“The awareness of security for [IoT] devices is deplorably low,” Tod Beardsley, VP of security research at runZero, tells Dark Reading.
Offense VS Defense
In 2018, California filed legislation to improve security for connected devices, including a push for manufacturers to use more unique default passwords. Beardsley says the move marked progress for IoT security, but advancements have been limited since.
One roadblock, which is a common technology industry challenge, is balancing enhanced security with user experience. Manufacturers and suppliers fear tighter security will make the device less usable, says Beardsley.
The good news is that visibility is improving in IT.
“All of the changes that I’ve noticed [over the past five years] are on the offensive and research side,” Beardsley explains. “The defensive side has been pretty static.”
While attending recent DEF CON events, Beardsley noticed how massive the IoT village had grown. It’s one of the main headline villages these days, showing how people care about the issue.
“It’s becoming more common to have IoT in scope for penetration tests, and to have it be in research topics,” he says. “People are learning more.”
A Call To Manufacturers
Knowledge of the problems may be rising, but there are more steps manufacturers can take.
The state of the art in IoT security is improving with more effective practices, but that improvement may be hindered by emerging companies in the market, warns Beau Woods, cyber safety advocate with I Am the Cavalry. Companies ranging from startups to large, well-funded organizations are entering the IoT phase, and one concern is that newer companies aren’t learning from previous problems.
“It’s tough to say we’re getting better [at IoT security], but it’s also tough to say we’re getting worse,” Woods explains. “There’s an increasing number of companies for each IoT device. The code base is increasing. There’s increasing connectivity which means increased exposure to accidents and adversaries. [With] all of these trends it would be hard to say we’re keeping pace or getting better.”
Yet, Woods remains hopeful as IoT security improvements have mounted over the past five years. For example, some manufacturers have applied more effective practices, but there is a flood of others that have not. Until “an outside forcing function” requires better security, the problems will persist, he explains.
“Policy-type solutions could help the whole ecosystem improve,” he says.
Manufacturers could also use system segregation so that if one system fails because of a security issue, the failure won’t affect operating areas with critical or sensitive data. Many manufacturers are willing to do that, but they see competitors who aren’t, observes Woods.
“[They’re] afraid they’ll lose out to those competitors because they’re unsure if security is going to be a buying decision for companies,” Woods says.
IoT Risk Shifts
One of the major wake-up calls for IoT security was the Mirai botnet that disrupted internet services for major companies like Netflix and X in 2016. Over the past five years, the market has responded to Mirai-style botnets with new legislation, says Chris Wysopal, co-founder and chief security evangelist at Veracode. He highlighted examples like the UK’s Product Security and Telecoms Infrastructure Act that took effect in 2024 to ban default passwords and require vulnerability disclosure around update support periods. In combination with the EU’s Cyber Resilience Act of Dec. 2024, new devices released in 2024 and later should see noticeable security improvements, adds Wysopal.
However, attackers are now using vulnerable IoT devices for more than just botnets. They now serve as edge entry points for ransomware, and as pivots for espionage, warns Wysopal, pointing to how Chinese nation-state attackers exploited outdated SOHO routers. End-of-life problems will only worsen, as more legacy devices remain in circulation.
“IoT risk has clearly shifted from ‘default passwords and botnets’ to systemic, higher-impact failures,” he says. “IoT vulnerabilities are beginning to resemble those of general-purpose computers, but with higher risk, since IoT devices are often ‘set and forget’ and far harder to patch.”
