With the ‘Internet of Things’ (IoT) getting more and more pervasive, an increasing number of connected things around us collect, handle and control sensitive data. The hacking of IoT devices can affect privacy, cause a loss of physical and information security, and impact availability of services. Connected devices significantly increase the attack surface of systems and networks as they potentially provide hackers a local springboard into those systems. Mass-deployed connected devices have been used to mount distributed Denial of Service attacks. IoT devices face a hard security challenge as they face high attack exposure while having limited resources to protect themselves. This session will cover the tools and solutions provided by Rambus to help protect and harden resource constrained devices from network-based attacks.
5G and AI Raise Security Risks for IoT Devices
5G represents a revolution in mobile technology with performance that will rival that of wireline networks. 5G’s Ultra-reliable Low Latency Communication (uRLLC) links will enable a profusion of artificial intelligence (AI)-powered IoT devices from delivery drones to smart cities. The rapid rise in the number of smart IoT devices, coupled with expanded connectivity, will greatly escalate the growth of data and network traffic.
Securing the Connected Ecosystem: Leading Security Solutions and Approaches for IoT
This Frost & Sullivan analysis describes key requirements in the Internet of Things (IoT) security market and presents details of how Rambus addresses these needs through effective, economical and easy-to-deploy IoT security solutions.
Mind the gap (in security): The UK’s IoT guidelines
As part of its ongoing, five-year 1.9 billion pound security initiative, the United Kingdom (UK) government is planning to introduce new cybersecurity measures to better address Internet of Things (IoT) products that are online around the country.
This development follows similar efforts across both the Channel and the pond, with the European Union Agency for Network and Information Security (ENISA) introducing baseline guidelines for IoT security and the United States Government Accountability Office (GAO) publishing recommendations regarding IoT security guidelines for the Department of Defense, respectively.
Secure by Design
The UK’s Secure by Design review has been developed with support from device manufacturers, retailers, and the National Cyber Security Centre (NCSC) to address the large number of glaring vulnerabilities in many smart IoT devices, such as smart TVs, toys, and speakers. This comes as multiple IoT-borne attacks and breaches have made headlines, such as the exposure of the data of over 800,000 owners because of an IoT teddy bear’s poorly secured MongoDB database.
According to the report, every household in the UK owns at least ten internet-connected devices, and that number will rise to fifteen per household by 2020. The objective of the review is to ensure that security measures are implemented during the design stage rather than tacked on later. The report notes that protecting consumers from IoT exploits requires a fundamental shift in the industry’s approach to managing cyber risks, namely, a need to move away from placing the burden on consumers to securely configure their devices and instead ensure that strong security is built in by design.
Provisions from Secure by Design include a requirement that all IoT device passwords must be unique and not resettable to any universal factory default value, an implementation of a vulnerability disclosure policy, a requirement to keep software updated, and a need to store credentials and security-sensitive data in a secure manner, monitor system telemetry data, and more. Other provisions include a requirement that users can easily delete personal data on devices and that installation and maintenance of devices is made easier.
Another interesting proposal is a voluntary labelling scheme for consumer IoT products to aid consumer purchasing decisions and to nurture consumer trust in companies. The UK government hopes that a labelling scheme will provide consumers with essential information on IoT products to help them make informed purchasing decisions, which will in turn boost consumer trust in retailers and manufacturers. Retailers will be able to select products with security features when deciding what should be available for consumers to buy, and manufacturers can use labels to demonstrate their commitment to protecting consumers’ privacy, safety, and data.
How the Guidelines will be Implemented
The Department of Digital, Culture, Media, and Sport has stated that it would work closely with retailers and consumer rights bodies to provide advice and support.
NCSC technical director Ian Levy has said that “we are pleased to have worked with DCMS on this vital review, and hope its legacy will be a government ‘kitemark’ clearly explaining the security promises and effective lifespan of products.” He likened the aforementioned IoT provisions to food labels: just as people can manage the fat content of their food, the same can be done for the cyber security of technology products. Currently, the DCMS is inviting feedback on its draft proposals ahead of conducting more work this year to develop recommendations further, with the hope that the provisions and guidelines might evolve into full-fledged regulations.
Conclusion
With the United States and the European Union beginning to take the problem of lax IoT security seriously, the UK government has joined the discussion with its own Secure by Design review. The review introduces provisions and guidelines for IoT security, such as forbidding default passwords, requirements that devices be up to date, and a voluntary labelling scheme, to name a few. With the guidelines, the UK government hopes to facilitate a more trusting relationship between consumers, retailers, and manufacturers by requiring the latter to step up to the plate on securing their devices, while helping consumers make informed decisions.
Hack the planet: Security concerns about the IoT
IoT security concerns
The 2010s have seen a proliferation of the Internet of Things (IoT) on a tremendous scale. According to Gartner, there are 8.4 billion smart devices in use in 2017, a number projected to increase to 20.4 billion by 2020. Automation and smart technology are finding their way not only into phones and tablet computers, but also into cars, refrigerators, and even toys.
With more devices and tools adopting IoT technology, the possibilities are endless. However, with more possibilities come more potential problems. As one might have already guessed, if something can access the internet, someone on the internet can, in turn, access it, sometimes with malicious intent.
Everything can be hacked…
In other words, any unprotected IoT endpoint is vulnerable, even smart baby monitors. In one particularly disturbing incident, an unknown cyber intruder hijacked a smart baby monitor to speak to a three-year-old boy and his mother. Moreover, children’s toys, particularly those from Genesis and Nuance, have come under scrutiny, with some products found to have recorded children’s voices without notice or permission.
Information was also found to have been sent to a database with few safeguards. In addition to the ethical implications of children’s information being shared with third parties, the lack of privacy protection and security means the collected data could be stolen and used ultimately against them.
And everyone
IoT devices are hacked on a personal level, as when a hacked smart refrigerator spams pornographic content while making ice cubes, but organizations, both private and national, are affected as well. For example, security cameras were hacked for Distributed Denial of Service (DDoS) attacks against Dyn, a Domain Name System (DNS) provider for companies like Twitter and AirBnB. The attack was performed via a botnet called Mirai.
A botnet is a network of automated scripted applications, controlled remotely by a hacker, which is nested in a group of internet-connected devices. What might be alarming to businesses dealing with IoT is that building a botnet is easy and can be done in 15 minutes. If a potential attacker does not want to bother with building a botnet themselves, they can always rent one for as cheap as two dollars an hour, or buy one for $700 on the dark web.
Cyber and physical warfare
The March 2017 WikiLeaks Vault7 data dump revealed vulnerabilities in many devices, from computers to smartphones to routers. The data dump also illustrated that cyber weaponry is difficult to secure. Moreover, the incentives for cyber weaponry developers and consultants to obtain copies are substantial, as there is a “vulnerability market” that pays as much as millions of dollars for such copies.
Warfare may be entering a semi-autonomous age with the use of Unmanned Air Vehicles (UAV), but the infamous capture of an American RQ-170 Sentinel by Iran (accomplished by spoofing GPS signals) brings up the notion of connected US military equipment being hacked and repurposed. It certainly does not help that instructions on how to spoof GPS signals to UAVs are publicly available. Oliver North, in a video promoting Call of Duty: Black Ops 2 in 2012, said “I’m not worried about a man trying to hijack a plane. I’m worried about a man trying to hijack all the planes.”
Lock Your Doors
In July, Irdeto polled consumers from Brazil, China, India, Germany, the UK, and the US and found that around 69% of them were concerned about their devices being susceptible to hacking. The poll also showed that 90% of respondents wanted their devices to include robust, built-in security features to stave off digital intruders.
There are precautions consumers can take to reduce the risk of a security breach. Just as it is simple to attack an IoT device, it might be as simple to secure it, or at least take precautions.
For example, BrickerBot specifically targets IP-operated cameras, DVRs, and other devices with default credentials. In other words, devices whose default passwords remain unchanged are particularly vulnerable. In fact, Radware’s number one tip regarding BrickerBot is simply to change the default password.
Speaking to MIT’s MBA students about cybersecurity, Stuart Madnick, an MIT Sloan professor, made light of how ineffective both consumers and businesses are at security, saying that the average cyber-attack goes on for as much as 270 days before discovery. He went on to say that there are three stages for dealing with a cyber-attack: penetration, detection, and recovery. According to Madnick, “we do a poor job at prevention, a terrible job at detection, and a godawful job at recovery.”
Madnick believes that cybersecurity is a management issue, stating that between 50% and 80% of attacks are aided and abetted by insiders.
The evolution of IoT Security
Fortunately, companies are finally beginning to take IoT security more seriously. This is because the widespread deployment of unprotected connected devices has created an attractive target for cyber criminals and other unscrupulous operators. IoT security should therefore be viewed as a primary design goal, rather than a tertiary afterthought. To be sure, consumers increasingly expect their devices to be protected out of the box, with seamless over-the-air (OTA) updates implemented securely.
However, OEMs need to be assured that securing IoT devices is not an insurmountable goal that negatively impacts profitability or time to market. As such, IoT devices should be protected by a turnkey security solution that can be easily implemented, maintained and upgraded to meet the evolving challenges of a dynamic threat landscape.
IoT has allowed for near-infinite possibilities and change in the way people live their lives, but it has also created challenges for cybersecurity. What becomes of those challenges will ultimately be up to the IoT companies who create the devices and the consumers who use them.