Understanding consumer IoT risks

This entry was posted on Wednesday, February 28th, 2018.

Consumer IoT components increasingly targeted by attackers

Earlier this month, the National Institute of Standards and Technology (NIST) published a document titled “Draft Report on International IoT Cybersecurity Standardization (PDF).” The report – which examines various aspects of the rapidly evolving Internet of Things – also takes a closer look at the potential risks of unsecured consumer IoT components.

As the report notes, consumer IoT components are challenged by many of the same cyber security risks as computers, smartphones and other categories of IoT components.

“For instance, to attack IoT components, cyber criminals often probe the components for security vulnerabilities and then install malicious software (“malware”) to surreptitiously control the device, damage the device, gain unauthorized access to the data on the device and/or otherwise affect the device’s operation without permission,” the report elaborates. “The risks posed by malware-infected IoT components, however, may be more pronounced because their low costs and energy constraints often constrain the resources that are invested in their cybersecurity. [This] makes them ripe targets for [attackers] intent on causing widespread harm.”

Given their growing volume, says the report, consumer IoT components are increasingly targeted as a means for penetrating other electronic components on the same network, or assembling an army of machines capable of transmitting Internet traffic without the device owners’ knowledge as part of a DDoS attack.

“Without adequate cybersecurity safeguards, even inexpensive, consumer IoT components with limited functionalities may be exploited to threaten confidentiality, integrity, availability of consumer data and services, consumer privacy and safety and other systems on the Internet,” the report adds. “Further, as connected IoT technologies progressively extend their reach to consumer components critical to basic home functions (e.g., the connected thermostat), cyber criminals may increasingly target them in ransomware attacks or other traditional cyber-attacks directed to collecting highly-sensitive personal information.”

Moreover, says the report, personal privacy and safety may be compromised by the interruption of certain consumer IoT components (e.g., the connected oven) or certain side-channel attacks, such as a prospective burglar monitoring communications between and operations of components to determine the whereabouts of a homeowner.

IoT: From silicon to services

As we discussed in our recent think piece with the Global Semiconductor Alliance “Monetizing Semiconductors: From Silicon to Services,” securing the IoT creates an opportunity for semiconductor companies to expand into adjacent business areas and develop new business models. For example, companies could help create end-to-end security offerings, which are essential to the IoT’s success. According to the McKinsey Global Institute (MGI), the industry should play a leading role when developing such offerings, to ensure they obtain their fair share of the value chain.

From our perspective, end-to-end IoT security solutions deployed as a Platform as a Service (PaaS) are critical in helping semiconductor companies generate renewable, downstream revenue for specific services. For customers, PaaS offers an easy way to securely develop, run, and manage applications and devices without the complexity of building and maintaining elaborate infrastructure.

Such security solutions, which could also leverage a hardware-based root-of-trust, should support device identification and mutual authentication (verification), routine attestation checks, secure over-the-air (OTA) device updates, disaster recovery and key management, as well as the decommissioning and re-assignment of keys to better manage devices and mitigate various attacks, including distributed denial of service (DDoS).

It should be noted that building security in at the design stage could help reduce potential IoT service disruptions such as those caused by DDoS attacks. Moreover, integrated security features would allow manufacturers to avoid the difficult and expensive endeavor of adding security measures to IoT devices after they have already been deployed. Optimally, hardware incorporating advanced security capabilities to bolster the protection and integrity of a device should be used, with the U.S. Department of Homeland Security (DHS) specifically highlighting computer chips that integrate security at the transistor level (embedded in the processor).

Beyond security, KPMG recommends a “broader move” into alternative business models for the semiconductor industry, along with the organic development of value-added capabilities. Companies following this approach would then be able to position themselves as end-to-end solutions providers with potential for greater growth.
