Patching Vulnerabilities in IoT Devices is a Losing Game

By 2025, there will be an estimated 38.6 billion IoT connected devices worldwide, each with a wide range of vulnerabilities. Today’s cybersecurity solutions are aimed largely at patching vulnerabilities: scanning firmware and generating alerts about potential vulnerabilities, or updating software after a vulnerability is published.

This approach is vital to mitigating vulnerable entry points – but as with any device, the truth is that it’s impossible to identify and patch every weak point in IoT devices. Any CISO whose sole measure of protection was patching vulnerabilities would rightly be called out for a deeply flawed security strategy. Why, when it comes to IoT security, is this approach considered reasonable?

After all, with every line of code or functionality that’s added to an IoT device, new attack vectors appear. All it takes is one vulnerability, and it doesn’t even need to be an OEM’s vulnerability – indeed, the vulnerability could originate from third-party sources.

Take “SweynTooth,” for example, which allows a hacker to take control of an IoT device or stop it from working by exploiting vulnerabilities in third-party code. For IoT devices, the risk also extends to the networks to which the devices are connected as these devices can easily serve as the gateway of choice for hackers to penetrate a network.

A cybersecurity strategy that relies exclusively on patching every flaw within a device will mean playing endless games of catch-up – a feat that’s not only impossible, but dangerous, given that hackers are often one step ahead.

Why has IoT cybersecurity traditionally relied on vulnerability patching? The approach is an important part of any cybersecurity toolkit and helps reduce the number of vulnerable entry points hackers could potentially exploit.

Just as it’s better to secure a house with a quality alarm system – rather than constantly searching the premises for unlocked doors or cracked windows that could invite burglars – IoT devices need their own proverbial “alarm system.”

Leveraging Offensive Knowledge to Secure IoT Devices

Getting IoT device cybersecurity right is paramount. These connected devices provide ongoing monitoring for the sick and elderly, keep patients’ hearts beating, power our homes and businesses, manage modern transportation, and so much more. Failing to protect these devices jeopardizes lives, health, and the economy.

Instead of protecting IoT devices and networks by relying on a vulnerability patching-first approach, OEMs and enterprises must think bigger. When developing their IoT security strategies, CISOs must ask themselves the following: how do hackers actually exploit vulnerabilities, what are their methods, and how can we thwart their attacks?

Think back to the metaphor of securing a house. A vulnerability may be leaving the door open, thus making it a lot easier for a thief to intrude. While cybersecurity solutions for IoT devices generally consist of finding those open doors and making sure they are closed to avoid hacks, it’s clear that such an approach is not enough when dealing with countless doors.

This is why focusing on the exploitation stage, or how the hacker takes advantage of the open door to execute an attack, is so important. While hackers can adapt their techniques, there will always be a series of essential steps they must execute in order to infiltrate a device and run malicious code on it.

For instance, an attacker will have to make sure that the door is in fact open at the time of exploitation, that the residents are not home to stop him, or that he has the knowledge to bypass an alarm system if one exists. This is the “exploitation magic” that hackers must embrace, and which requires deep knowledge of operating systems and low-level computing in order to be successful.

While traditional cybersecurity solutions focus on mitigating these exploitation methods in real time, when it comes to the protection of IoT devices, this, for the most part, is not being done. Focusing on maintaining the device’s integrity in real time by preventing exploitation – regardless of the vulnerability – will enable OEMs and enterprises to protect devices against unknown and evolving threats.

The importance of on-device protection

With this approach, OEMs and enterprises can put less emphasis on the endless cat-and-mouse game of patching devices ex post facto and start building IoT devices with true cybersecurity protection.

The future of IoT cybersecurity is robust, embedded protection, no matter how a hacker may try to penetrate it – the same way a good alarm system protects a property no matter where an intruder may try to breach it.

The takeaway: Continuing to patch vulnerabilities is an important tool in the cybersecurity toolbox, but enterprises can’t put all their eggs in one basket. Obsessively focusing on patching at the expense of building real-time security controls to effectively tackle new threats is a recipe for more vulnerabilities – and an endless, taxing frenzy of attempting to outsprint cyber-criminals.

OEMs must prioritize solutions that take into account the essential steps that hackers cannot avoid when attacking an IoT device. These solutions will wait for hackers in those inevitable nodes and paths and stop them before they can penetrate a device or network.
