Security is the main challenge of IoT projects

The lack of processors on the market and the lingering impact of the COVID-19 pandemic on supply chains globally have not been enough to halt the growth of the Internet of Things (IoT). The number of connected IoT devices is expected to have reached 12.3 billion active endpoints by 2021 and reach more than 27 billion connections by 2025, according to data from IoT Analytics.

However, the dramatic rise of IoT has not been accompanied by due concern for security. “The pace of innovation has demanded more attention to protecting millions of devices, most of them connected to (mostly wireless) networks. Unfortunately, many of these devices have little or no security at the software and infrastructure levels,” said Earl Perkins, research vice president at Gartner. According to the consulting firm, more than 25% of cyberattacks on businesses will involve IoT, while IoT will account for less than 10% of IT budgets.

It’s not hard to conclude that a lack of ability to address security issues is ultimately affecting IoT initiatives. For 57% of organizations surveyed in a Kaspersky study, cybersecurity risks are the top barrier to project implementation. This difficulty likely comes from the fact that IoT adds a host of new security risks and challenges for devices, platforms, operating systems, and connection types.

“IoT projects are very fragmented, loosely coupled, have typical industry specificities, and require a lot of integration efforts by nature. In comparison, conventional IT projects have around 80% common requirements. IoT implementations require addressing legacy systems, physical constraints, protocols, multivendor solutions, and maintaining a reasonable balance between availability, scalability, and security. In pursuit of the first two requirements, security ends up becoming a huge challenge,’ explains Eric Kao, director at Advantech, a global provider of industrial IoT solutions.

Serious vulnerabilities in Microsoft Defender for IoT

Several vulnerabilities found in Microsoft Defender for IoT allow attackers to gain remote access without authentication to networked devices. According to SentinelLabs researchers at SentinelOne who identified the flaws, these vulnerabilities have a severity score of up to 10 points, the highest in the CVSS rating.

Microsoft Defender for IoT is a product formerly known as CyberX and was acquired by Microsoft in 2020. It is a security solution that monitors IoT/OT assets and detects threats that can be deployed locally or in Microsoft Azure-connected environments. The most attractive attack surface is its web interface, which allows you to control the IoT environment with ease. Another sensitive element is the DPI (Deep Packet Inspection) service that analyses network traffic.

According to the findings, unauthenticated attackers can remotely compromise devices protected by Microsoft Azure Defender for IoT by exploiting vulnerabilities in Azure’s password recovery engine. SentinelLabs informed Microsoft of the flaws in June 2021, and they were assigned the identifiers CVE-2021-42310, CVE-2021-42312, CVE-2021-37222, CVE-2021-42313, and CVE-2021-42311 marked as critical, some with CVSS score 10.

Microsoft has released security updates to address critical vulnerabilities. To date, SentinelLabs has found no evidence that attackers in the field have exploited these flaws in unpatched versions of Microsoft Defender for IoT.

In a statement given to the VentureBeat website, Microsoft said that “security vulnerabilities are serious issues we all face, which is why it maintains partnerships with the industry and follows the process of coordinated vulnerability disclosure to protect customers before vulnerabilities become public.” Microsoft also said it has addressed the issues mentioned and appreciates working together to ensure the security of customers.