IoT security sucks and guess what? It's really the "thing" makers who are to blame and not necessarily because they're awful at it when it comes to developing secure technologies (although that's a reason too). In many cases, they just don't really give a hoot or they're in such a rush that security gets "afterthought-status."
As you may or may not know by now, behind every good mobile or IoT implementation is a mobile backend (often one as a service as in "mBaaS") and according to a recent security trends report published by Hi-Tech Bridge, 83% of mobile apps within banking, financial and retail sectors have a mobile backend (web services and APIs) that is vulnerable to at least one high-risk security vulnerability.
As for the mobile apps themselves, Hi-Tech Bridge's third most observed flaw, after cleartext storage of sensitive data on the mobile device and over-reliance on insecure third-party software components, was insecure communication with the mobile backend (again, APIs and web services), allowing hackers to intercept sensitive data or to conduct MITM attacks. But the whopper from this report was that 98% of web interfaces and administrative panels of various IoT devices had fundamental security problems. Among them: hardcoded and unmodifiable admin credentials, outdated software (e.g. web server) without any means to update it “from the box”, lack of HTTP traffic encryption, and various critical vulnerabilities in the interface, including RCE (Remote Command Execution) directly in the login interface. You know? The problems that were mainly solved like a decade ago!
The report went on to say what we’ve kind of suspected all along: "manufacturers who build IoT objects still do not understand that cybersecurity of their products becomes even more vital than manufacturing quality standards, and puts their customers at enormous risk.” In fact, a recent ZDNet Special Report on Mobile and IoT security noted exactly where insecure software components and naive IoT device makers intersect.
According to the report, "the biggest IoT-related cybersecurity story of 2016 was the havoc created by the Mirai malware, which recruits vulnerable Linux-based IoT devices -- including broadband routers, printers, webcams, CCTV cameras and digital video recorders -- into 'botnets' that deliver DDoS attacks…. Mirai specifically targets systems running BusyBox, a set of software tools commonly used on Linux-based consumer IoT equipment. Infected devices scan for open Telnet ports and attempt to login using a list of factory-default credentials (including the notorious 'admin/admin' username/password combo). These credentials are sent to a report server that controls the loading of the malware on the new victim device, which can then participate in DDoS attacks under the control of the C2 (command and control) server.”
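The Mirai behaviour quoted above (a Telnet scan followed by a run of factory-default login attempts) leaves a recognisable trace in a device's or gateway's authentication log. The Python below is an added example, not code from the ZDNet report or from any vendor; it assumes a constructed syslog-like `telnetd` line format and flags sources that burst failed logins within a short window and then log in successfully, which is what a default-credential hit looks like from the defender's side.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in an assumed syslog-like format (not from any real device).
# One source hammers the Telnet login, then gets in; another logs in cleanly.
SAMPLE_LOG = """\
2016-10-21T10:00:01 telnetd: login failed user=admin from=198.51.100.7
2016-10-21T10:00:02 telnetd: login failed user=root from=198.51.100.7
2016-10-21T10:00:03 telnetd: login failed user=admin from=198.51.100.7
2016-10-21T10:00:04 telnetd: login failed user=admin from=198.51.100.7
2016-10-21T10:00:05 telnetd: login failed user=admin from=198.51.100.7
2016-10-21T10:00:06 telnetd: login ok user=admin from=198.51.100.7
2016-10-21T10:05:00 telnetd: login ok user=admin from=192.0.2.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) telnetd: login (?P<result>failed|ok) "
    r"user=(?P<user>\S+) from=(?P<src>\S+)$"
)


def parse_lines(text):
    """Turn matching log lines into event dicts; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]),
                           "result": m["result"], "user": m["user"], "src": m["src"]})
    return events


def detect_scanners(events, threshold=5, window=timedelta(seconds=60)):
    """Flag each source with >= threshold failed logins inside `window`, and note
    whether that source later logged in successfully (likely default credentials)."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    findings = {}
    for src, evs in by_src.items():
        fails = sorted(e["ts"] for e in evs if e["result"] == "failed")
        burst = any(fails[i + threshold - 1] - fails[i] <= window
                    for i in range(len(fails) - threshold + 1))
        if burst:
            ok_after = any(e["result"] == "ok" and e["ts"] >= fails[0] for e in evs)
            findings[src] = {"failed": len(fails), "success_after_burst": ok_after}
    return findings
```

A flagged source with `success_after_burst` set is the one to treat as a probable compromise; the clean login from the second address is not reported at all.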
It's pretty much child's play for the hacker. And for the inexperienced IoT manufacturer (or the consumer goods CxO who says "Security! We don't need no steenkin' security"), it's like leaving the keys to the kingdom hanging from a door lock in a bad neighborhood.
Furthermore, according to a Ponemon Institute research study on Mobile and IoT application security cited by ZDNet, an alarmingly low "32 percent and 42 percent of organizations considered it urgent to secure their mobile and IoT apps respectively,” with the upshot being "that mobile and IoT apps contain vulnerabilities, and the main reason, according to this survey's respondents, is the pressure on development teams to release apps quickly." In other words, 68% and 58% of organizations, respectively, do not view security as an urgent issue and, even worse, they view time to market as such a priority that they'll gloss over security in order to get their products out the door.