On October 21st, 2016, DNS provider Dyn suffered the largest DDoS attack in history, leaving much of the Internet inaccessible to Europe and North America. The unprecedented event saw cyber attackers orchestrating swathes of Mirai malware-infected IoT and connected devices to perform DNS lookup requests from tens of millions of IP addresses—impressive automated hacking, but hardly sophisticated: the malware gained privileged access by using public, default passwords. Are IoT companies doing enough to secure their "things" against nefarious actors?
The Dyn incident may be the largest DDoS attack in history, but it's hardly the first security incident involving IoT devices. Back in 2015, public health-conscious cyber attackers—concerned with the rising obesity levels in the UK—forced unsuspecting consumers to adopt healthy eating habits by exploiting vulnerabilities in connected household appliances. Hilariously, smart refrigerators and microwaves would power off in the presence of ice cream and other junk food.
Of course, weaponized IoT devices in the hands of politically-motivated cyber attackers is a more serious matter. Are IoT vendors doing enough to bolster enterprise resilience, in light of these recent security fiascos? When used as components of larger consumer devices, IoT manufacturers just might constitute one of the largest and most overlooked sources of third-party vendor risk around today. Let's find out how they perform when it comes to measures of cyber resilience and security fitness.
The following companies play a significant role in defining how IoT products are designed/manufactured and marketed to businesses and end-users. The IoT ecosystem is an eclectic assemblage of companies—a few, like Siemens and Honeywell, are globally-recognized brands (some well over a century old), while most others are high-flying startups with innovative consumer offerings in the wearables and home automation categories.
The rise of IoT has been labeled by many pundits as the next Industrial Revolution, so it's not surprising that Thomas Edison's GE—founded at the height of the last Industrial Revolution—is a major IoT innovator today. Its so-called Predix Industrial Internet "operating system" connects industrial equipment on a centralized, app-based platform. Let's hope the web interfaces GE provides with its IoT solutions are more secure than its public website: its poor 437 CSTAR score is a result of numerous flaws such as lack of sitewide SSL, missing HTTP strict transport security, and disabled SPF/DMARC/DNSSEC.
Alarm.com is the leading smart home security provider with deployments across millions of homes. Its offering allows users to control and monitor their security systems from mobile devices: smartphones, tablets, even Apple Watches. The company's lackluster 607 CSTAR rating is a result of multiple security gaps in its website perimeter security: server information leakage, lack of HTTP strict transport security, missing HttpOnly/secure cookies, and disabled DMARC/DNSSEC.
Hacked smart refrigerators, compromised smart TVs, exploding smartphone batteries—Samsung has seen better decades. Unfortunately, its low CSTAR score translates to a higher data breach likelihood: lack of sitewide SSL, missing HTTP strict transport security, lack of HttpOnly/secure cookies, disabled SPF/DMARC/DNSSEC, and server information leakage plague its website perimeter security.
Europe's largest electronics manufacturer is a central player in all things IoT-related these days: industrial platforms, security services, connected industrial machines, and more. Its MindSphere open cloud platform—like GE's Predix—is an IoT operating system and platform for data analytics and developer applications/services.
Siemens' 639 CSTAR score is a result of several security flaws: lack of HTTP strict transport security, missing HttpOnly/secure cookies, and disabled SPF/DMARC/DNSSEC.
Ring was the first to bring a video-connected smart doorbell to market; recently, the company raised $109 million in Series D funding to further strengthen its market dominance. The company made a bit of security press last year when independent pen testers found a serious, exploitable flaw in Ring's product.
Despite its good resilience posture, several gaps exist in its website perimeter security, including lack of HTTP strict transport security, missing HttpOnly/secure cookies, and disabled DMARC/DNSSEC.
Hitachi, another century-old enterprise behemoth, is currently focused on what it calls the "Enterprises of Things"—or solutions to help companies become IoT innovators in their own right.
Last year, the company's Hitachi Payment Services network was compromised in India, resulting in the country's largest data breach to date: 3.2 million cards exposed for a period of 6 weeks. And while its average 561 CSTAR score is certainly better than others on this list, security flaws like missing sitewide SSL, disabled HTTP strict transport security, and lack of DMARC/DNSSEC could lead to security compromise.
One of the most celebrated IoT successes in recent history, the Google-acquired startup offers the Nest Learning Thermostat, Nest Protect smoke/carbon monoxide alarm, and Nest Cam security camera. The company scores a good CSTAR score of 867, but flaws such as server information leakage and lack of DNSSEC could lead to a compromise. Additionally, a CEO approval rating of 50% means that insider attacks are more likely to occur.
Bosch isn't just an automotive parts manufacturer—its products range from home appliances to enterprise software solutions. The company's IoT Suite provides developers with tools for building, implementing, and operating cloud-based IoT applications that are scalable and easy to manage. Unfortunately, the company scores a dismal 518 CSTAR score due to a myriad of flaws, including lack of sitewide SSL, server information leakage, disabled HTTP strict transport security, and missing DNSSEC.
Fitbit markets the world's leading wearable solutions for tracking daily activities, workouts, sleeping patterns, and more. Perhaps you're wearing one of its products on your wrist right now. The company scores an average 679 CSTAR score due to several security flaws in its website perimeter security: lack of HTTP strict transport security, missing HttpOnly/secure cookies, and disabled DNSSEC. And though SSL encryption is in place, a non-encrypted (HTTP) version of its website is still readily accessible.
Fortune 100 Honeywell is focused on the Industrial Internet of Things (IIoT), or the digitization of manufacturing. Specifically, the company aims to become a central IoT technology provider for industrial applications, smart buildings, and wearables. Its average 606 CSTAR score reflects various flaws in its website perimeter security, including server information leakage, lack of HTTP strict transport security, missing HttpOnly/secure cookies, and disabled DNSSEC. Additionally, the company's low CEO approval rating of 51% and employee company rating of 3.0 make it more prone to insider attacks.
Control4 is a leading global provider of home/business automation and networking systems. The company has developed an IoT operating system for the home of sorts, enabling electronic components and systems already in use to work together. Unfortunately, its low CSTAR score of 437 is a result of various security flaws like lack of sitewide SSL, server information leakage, missing HttpOnly/secure cookies, and disabled DMARC/DNSSEC.
Prominent chip designer ARM Holdings designs low-power components found in various mobile/smart devices and computing hardware solutions, including an increasing number of IoT devices. Though it is not a chip manufacturer, per se, the company's designs have been used by the likes of Apple, Samsung, and Qualcomm, to name a few. Its average 538 CSTAR score is a result of security flaws such as lack of sitewide SSL, missing HTTP strict transport security, and disabled DMARC/DNSSEC.
Only two vendors from this list of IoT solution providers have an above average CSTAR rating; four have warning-level scores that signify a high data breach likelihood. Additionally, two IoT vendors scored low in the employee happiness department—a tell-tale sign of a weakened resilience posture, since disgruntled workers are more likely to instigate insider attacks as well as disregard corporate guidelines and policies for strong security hygiene.
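The same handful of perimeter findings recurs for nearly every vendor above: no sitewide SSL, missing HSTS, a leaky Server header, cookies without HttpOnly/Secure, and absent SPF/DMARC. The checks below, an added example that is not UpGuard's CSTAR or risk grader code, evaluate those findings from a captured HTTP response and the domain's TXT records; the headers, cookies and records are constructed samples, and DNSSEC is left out because it needs a live DS/RRSIG lookup rather than data you can inspect offline.

```python
import re
from typing import Dict, List

HSTS_MIN_AGE = 31536000  # one year, the max-age the HSTS preload list requires

def header_findings(scheme: str, headers: Dict[str, str], set_cookies: List[str],
                    redirects_to_https: bool) -> List[str]:
    """Findings for one captured HTTP response, named the way this post names them.
    headers: response headers in any case; set_cookies: every Set-Cookie value seen."""
    h = {k.lower(): v for k, v in headers.items()}
    out = []
    if scheme == "http" and not redirects_to_https:
        out.append("lack of sitewide SSL: plain-HTTP version served, no redirect")
    hsts = h.get("strict-transport-security")
    if hsts is None:
        out.append("missing HTTP strict transport security")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < HSTS_MIN_AGE:
            out.append("weak HSTS: max-age below one year")
    server = h.get("server", "")
    if re.search(r"\d", server):  # a version number in Server: discloses the exact build
        out.append(f"server information leakage: Server: {server}")
    for cookie in set_cookies:
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().split("=")[0].lower() for a in cookie.split(";")[1:]}
        if "httponly" not in attrs:
            out.append(f"cookie {name} lacks HttpOnly")
        if "secure" not in attrs:
            out.append(f"cookie {name} lacks Secure")
    return out

def mail_auth_findings(domain_txt: List[str], dmarc_txt: List[str]) -> List[str]:
    """Findings from the TXT records of the apex domain and of _dmarc.<domain>."""
    out = []
    spf = [r for r in domain_txt if r.lower().startswith("v=spf1")]
    if not spf:
        out.append("disabled SPF: no v=spf1 TXT record")
    elif "-all" not in spf[0] and "~all" not in spf[0]:
        out.append("weak SPF: record does not end in -all or ~all")
    dmarc = [r for r in dmarc_txt if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        out.append("disabled DMARC: no v=DMARC1 TXT record at _dmarc")
    else:
        m = re.search(r"\bp=(\w+)", dmarc[0])
        if not m or m.group(1).lower() == "none":
            out.append("DMARC p=none: policy only monitors, spoofed mail is not rejected")
    return out

# Constructed sample response, not captured from any vendor named in this post.
SAMPLE_HEADERS = {"Server": "Apache/2.4.7 (Ubuntu)", "Content-Type": "text/html"}
SAMPLE_COOKIES = ["session=abc123; Path=/; HttpOnly", "pref=1; Path=/; Secure; HttpOnly"]
```

Feed it the headers from a plain `curl -I` of the HTTP and HTTPS origins plus `dig TXT` output for the domain and `_dmarc.` subdomain, and the returned list is the same checklist the post walks through per vendor.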
Want to learn more about CSTAR? You can start by finding out how resilient your favorite IoT companies are by using UpGuard's risk grader web application and Chrome extension to instantly validate a website's security posture.