IoT security concerns
The 2010s has seen a proliferation of the Internet of Things (IoT) on a tremendous scale. According to Gartner, there are 8.4 billion smart devices in use in 2017, a number projected to increase to 20.4 billion by 2020. Automation and smart technology are not only finding their way into phones and tablet computers, but also cars, refrigerators, and even toys.
With more devices and tools adopting IoT technology, the possibilities are endless. However, with more possibilities comes more potential problems. As one might have already guessed, if something can access the internet, someone on the internet can, in turn, access it and sometimes with malicious intent.
Everything can be hacked…
In other words, any unprotected IoT endpoint is vulnerable, even smart baby monitors. In one particularly disturbing incident, an unknown cyber intruder hijacked a smart baby monitor to speak to a three-year-old-boy and his mother. Moreover, children’s toys, particularly those from Genesis and Nuance, have come under scrutiny, with some products found to have recorded children’s voices without notice nor permission.
Information was also found to have been sent to a database with few safeguards. In addition to the ethical implications of children’s information being shared with third parties, the lack of privacy protection and security means the collected data could be stolen and used ultimately against them.
In addition to IoT devices being hacked on a personal level, such as a hacked smart refrigerator spamming pornographic content while making ice cubes, organizations, private and national are affected as well. For example, security cameras were hacked for Distributed Denial of Service (DDoS) attacks against Dyn, a Domain Name Service (DNS) provider for companies like Twitter and AirBnB. The attack was performed via a botnet called Mirai.
A botnet is a network of automated scripted applications, controlled remotely by a hacker, which is nested in a group of internet-connected devices. What might be alarming to businesses dealing with IoT is that building a botnet is easy and can be done in 15 minutes. If a potential attacker does not want to bother with building a botnet themselves, they can always rent one for as cheap as two dollars an hour, or buy one for $700 on the dark web.
Cyber and physical warfare
The March 2017 WikiLeaks Vault7 data dump revealed vulnerabilities in many devices, from computers to smartphones to routers. The data dump also illustrated that cyber weaponry is difficult to secure. Moreover, the incentives for cyber weaponry developers and consultants to obtain copies is substantial, as there is a “vulnerability market” that pays as much as millions of dollars for such copies.
Warfare may be entering a semi-autonomous age with the use of Unmanned Air Vehicles (UAV), but the infamous capture of an American RQ-170 Sentinel by Iran (accomplished by spoofing GPS signals), brings up the notion of connected US military equipment being hacked and repurposed. It certainly does not help that instructions on how to spoof GPS signals to UAVs are publicly available. Oliver North, in a video promoting Call of Duty: Black Ops 2 in 2012 said “I’m not worried about a man trying to hijack a plane. I’m worried about a man trying hijack all the planes.”
Lock Your Doors
In July, Irdeto polled consumers from Brazil, China, India, Germany, the UK, and the US and found that around 69% of them were concerned about their devices being susceptible to hacking. The poll also showed that 90% of respondents wanted their devices to include robust, built-in security features to stave off digital intruders.
There are precautions consumers can take to reduce the risk of a security breach. Just as it is simple to attack an IoT device, it might be as simple to secure it, or at least take precautions.
For example, BrickerBot specifically targets IP-operated cameras, DVRs, and other devices with default credentials. In other words, devices with default passwords that remain are unchanged are particularly vulnerable. In fact, Radware’s number one tip regarding BrickerBot is simply to change the default password.
Speaking to MIT’s MBA students about cybersecurity, Stuart Madnick, an MIT Sloan professor, made light of how ineffective both consumers and businesses are at security, saying that the average cyber-attack goes on for as much as 270 days before discovery. He went on to say that there are three stages for dealing with a cyber-attack: penetration, detection, and recovery. According to Madnick, “we do a poor job at prevention, a terrible job at detection, and a godawful job at recovery.”
Madnick believes that cybersecurity is a management issue, stating that between 50-80% of attacks are aided and abetted by insiders.
The evolution of IoT Security
Fortunately, companies are finally beginning to take IoT security more seriously. This is because the widespread deployment of unprotected connected devices has created an attractive target for cyber criminals and other unscrupulous operators. IoT security should therefore be viewed as a primary design goal, rather than a tertiary afterthought. To be sure, consumers increasingly expect their devices to be protected out of the box, with seamless over-the air-updates (OTA) implemented securely.
However, OEMs need to be assured that securing IoT devices is not an insurmountable goal that negatively impacts profitability or time to market. As such, IoT devices should be protected by a turnkey security solution that can be easily implemented, maintained and upgraded to meet the evolving challenges of a dynamic threat landscape.
IoT has allowed for near-infinite possibilities and change in the way people live their lives, but it has also created challenges for cybersecurity. What becomes of those challenges will ultimately be up to the IoT companies who create the devices and the consumers who use them.