Skip to Main Content

Strategic Business Insights (SBI) logo

Internet of Things February 2021 Viewpoints

Technology Analyst: David Strachan-Olson

TCP/IP Vulnerabilities Affect Millions of IoT Devices

Why is this topic significant?

The recent disclosure of 33 vulnerabilities in open-source TCP/IP software stacks highlights the challenges of IoT-device cybersecurity arising from sprawling supply chains.

Description

Cybersecurity researchers from Forescout recently discovered 33 vulnerabilities that affect millions of Internet of Things (IoT) devices. The set of 33 vulnerabilities—Amnesia:33—affects multiple open-source TCP/IP (transmission-control protocol/internet protocol) software stacks. Several of these vulnerabilities stem from poor software engineering practices, such as absent input validation checks, whereas others stem from issues in how the stacks handle IP addressing. Potentially, hackers could develop exploits to these vulnerabilities, which would allow them to compromise devices to execute malicious code, perform denial-of-service attacks, steal sensitive information, and leverage IoT devices as an attack point to move laterally across networks.

Forescout estimates that more than 150 vendors and millions of devices are vulnerable to Amnesia:33, including IoT devices, networking devices, and embedded systems on a chip. Genetec, Microchip, Nanotec, and Siemens are a few notable companies that have already issued security advisories for some products following Forescout's disclosure of the vulnerabilities. Some companies have already developed and issued patched versions of software or have instructed customers to use specific mitigation strategies.

Implications

Although the vulnerabilities are easy to patch from a technical standpoint, the sprawling nature of open-source software means determining whether a given device is vulnerable is difficult. Companies can adopt and alter open-source code bases to suit their purposes. End users are reliant on device suppliers to know whether their devices are affected. In some cases, IoT-device manufacturers might be unaware that a third-party hardware or software component in their IoT device uses variations of these open-source code bases and is thus vulnerable. Even if device suppliers do discover that a third-party component uses a variant of these open-source standards, the third party might not have a reliable way to implement a patch. The Amnesia:33 white paper from Forescout highlights the complex nature of electronics and software supply chains and how that complicates device security.

Impacts/Disruptions

Cybersecurity will remain a complex issue and will affect IoT devices and all connected systems for the foreseeable future. Just days after the disclosure of Amnesia:33 vulnerabilities, the cybersecurity industry was rocked by the hacking of SolarWinds Orion—a popular IT-administration tool in use at more than 300,000 organizations. These events exemplify the never-ending battle that comes with cybersecurity. The growing size and complexity of enterprise networks is driving the adoption of cybersecurity tools that focus on network detection and response using machine-learning algorithms to analyze network traffic for changes. Adoption of such services represents a shift in cybersecurity mindset to one that acknowledges that networks will be compromised but that cybersecurity teams need to focus on minimizing the scope of these breaches.

Scale of Impact

  • Low
  • Medium
  • High
The scale of impact for this topic is: Medium

Time of Impact

  • Now
  • 5 Years
  • 10 Years
  • 15 Years
The time of impact for this topic is: Now

Opportunities in the following industry areas:

IoT device supply, cybersecurity, network security, IT, enterprise IoT, compliance and verification

Relevant to the following Explorer Technology Areas:

Cellular and Cloud Computing: Areas to Monitor

Why is this topic significant?

Stakeholders should monitor key issues and uncertainties that could have an outsize impact on how companies commercialize IoT technology.

5G Cellular Networks

Cellular networks offer an expansive system for wireless communication that already exists throughout many countries and that could support Internet of Things (IoT) applications. Devices that stay in proximity to users can access cellular networks through smartphones' personal-area networks to send and receive data from the cloud. Companies selling expensive devices, such as vehicles and robots, may integrate cellular radios and cellular service. Stakeholders responsible for the continuing development of cellular standards are placing more focus on supporting connectivity for small low-power IoT devices. Such programs are "LTE IoT" and include enhanced machine-type and narrowband communications for low-cost, low-power, and low-throughput devices. Cellular-industry stakeholders are also encouraging the adoption of private 5G networks in enterprise and industrial applications to support Industrial IoT and Industry 4.0 trends. In addition, many 5G plans include calls for increased intelligence and processing power on the edge of networks, enabling devices to off-load data storage and processing.

What to watch for:

  • Standards set by 3GPP (3rd Generation Partnership Project) that determine bands and operating parameters for IoT devices
  • Successful deployments of private 5G networks in factories, warehouses, and corporate campuses
  • Cellular providers' offering edge computing and intelligence for high-value services, including services for robotics or autonomous vehicles

Cloud Computing

Cloud computing and cloud platforms will provide the backbone of many IoT systems and are thus vital components of IoT technology. Cloud services communicate with large deployments of devices, collect and process data, and provide an interface for engineers and automation tools. Cloud companies will continue to develop unique features and capabilities to distinguish their platforms from those of competitors.

Although cloud computing will have a large impact on the development of the IoT, uncertainty remains about how most companies will choose to implement cloud systems. Infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS) companies offer a variety of cloud services for low up-front costs but do not offer the flexibility and control of private cloud operations. If the importance of edge computing continues to grow, private clouds may struggle to match the low-latency performance of services and applications deployed on the edge infrastructure and platforms of the public cloud.

What to watch for:

  • IaaS and PaaS companies offering innovative solutions and services for IoT applications, such as AI, big-data analysis, and cybersecurity, as the market for IoT devices expands
  • IoT hardware with prebaked integration and compatibility with IaaS and PaaS services to make adoption of new hardware easier
  • A potential reemergence of private cloud operations as the leading IaaS and PaaS companies consolidate control of the public cloud

Scale of Impact

  • Low
  • Medium
  • High
The scale of impact for this topic is: Medium to High

Time of Impact

  • Now
  • 5 Years
  • 10 Years
  • 15 Years
The time of impact for this topic is: Now to 15 Years

Opportunities in the following industry areas:

Mobile communications services, network-equipment manufacturing, managed services, corporate IT, cloud computing, edge computing, cognitive services

Relevant to the following Explorer Technology Areas: