Question

I recently gain interest in both IoT and cybersecurity. I was amazed that the designers of these devices, which can vary in function and prices, almost always poorly implement security. here is an article related to these subject :

An alarm with no mecanism against bruteforce : https://www.pentestpartners.com/security-blog/hack-demo-video/disabling-wireless-alarms-issue-3-pin-brute-force/

There is several exemples of bad practices regarding the security of this kind of devices. So my question is the following :

Why is the security so often neglected in this field ? Is because of a lack a skill in the domain ? Is it because of laziness ?

Answer 1

This is pretty off-topic, but I'll supply an answer to the more general question of It really boils down to two things;

1. Security is hard. What seems like an obvious security flaw to you could be entirely glossed over by someone else, and someone else could probably find a flaw you wouldn't imagine. We all have our blind spots, and for any value of "you", there is someone out there who is cleverer than you, or can very least see through your personal blind spots. Large software dev companies (Google, Apple, Microsoft, ect.) have entire appsec departments dedicated to attacking their software before its released, and these gigantic teams still all-too-often miss things that an attacker can easily find. And because security is hard, 2
2. Security is expensive. Many IoT devices are mass-produced and intended for mass consumption. The game of the IoT market (or really, the market for the vast bulk of physical products) is figuring out how to provide an equivalent, or better, product than your competitors' at a lower price point. Companies in this market have a strong incentive to eliminate, or at least skimp out on, anything that slows production or increases the cost-to-produce per unit. Security is barely regulated, not a priority for consumers, and doing it right is extremely time-consuming and expensive. Add in the fact that many manufacturers sell to non-local markets, and so are harder for customers to sue if a security breach occurs, and you have strong incentives for IoT device producers to not give security much thought, if any.

To know more join our Ethical Hacking Certification Course today.