How secure is the Internet of Things?
Information security is a huge topic of conversation right now, and it’s about to get even bigger. Edward Snowden’s leaks on government surveillance and huge data breaches at Target, JPMorgan, TalkTalk, and others made the subject front-page news, and that is likely to continue given the proliferation of the Internet of Things (IoT).
IoT devices, forecast to grow to 50 billion units by 2020, offer consumers and businesses huge amounts of convenience and benefit, but to hackers they are also a goldmine. This is because such devices represent another piece of hardware or software that can be compromised and lead to stolen data or money.
The early signs of IoT security are not encouraging; researchers have already managed to hack everything from Google’s Nest to an Internet-connected doll and a Canon printer, while significant and exploitable software vulnerabilities have also been found in Wi-Fi light bulbs, smartwatches, and Internet-connected baby monitors. Questions have also been raised about what this means for businesses when devices such as Nest and Hive connect to enterprise Wi-Fi networks. Security experts have been quick to voice their fears over the IoT, with many pointing the finger at device manufacturers.
A recent study of 7,000 information technology (IT) professionals by cybersecurity association ISACA found that 75% thought IoT device manufacturers were not implementing sufficient security measures in devices, while 73% said existing security standards were inadequate.
BH Consulting managing director, Brian Honan, joined the chorus of discontent. "The IoT makes our lives easier and better in many regards, but unfortunately you also have to take into account that, in the rush to get these devices to market, [manufacturers] forget about security," Honan said. "We’re seeing IoT devices, from kettles and light bulbs to a range of different products, that are insecure out of the box; they have weak security, default passwords… and can allow people with malicious intent to control those devices for their own needs."
Honan added, "We also have an issue on privacy, as a lot of these devices can take a lot of information, which is being used by companies to improve services. But if that information falls into the wrong hands, that will impact on privacy."
Ken Munro is the CEO and founder of penetration testing outfit PenTest Partners, which has found numerous IoT device vulnerabilities over the last year, and he agreed with Honan that security must be baked in to products from the start, especially given the rapid acceleration of IoT devices.
"The reason I love IoT as a security researcher is that there’s enormous attack surface," Munro said, adding that attackers can leverage everything from device and mobile application flaws to API and server infrastructure vulnerabilities in order to attack IoT users. He said that rolling such devices out across staff and customers is simply accentuating that risk.
Munro added, "Everyone has got access to everything with IoT, and this means that you need firmware, OS, mobile app, and coding experts… You need to know how to put apps together with wireless or GSM technology. There’s a massive expansion in the skillset required in order to adopt IoT. We’re seeing crazy acceleration of IoT devices available, primarily because there’s money to be made, but I think we’re going to see standards starting to become available."
Munro is working on standards at the IoT Security Foundation and says the GSM Association, which focuses on the interests of mobile operators worldwide, is working on something similar for mobile communications. Munro added that vendors are too often focused on getting goods to market rather than on devices being secure. Some, he said, simply hope to patch over the air (OTA) later, or "hope the problems go away."
Munro, who praised Fitbit for bolstering its own security team at the start of the year, said that IoT flaws, which usually reside in app source code or revolve around weak passwords and unsecured Wi-Fi, may enable attackers to take control of devices locally or remotely. The latter could ultimately lead to larger-scale attacks, such as turning off heating or surveilling a property to see when it is not occupied.
Other experts, meanwhile, have cited patch management as a major issue given billions of IoT devices forecast to ship and say that more elaborate IoT attacks could lead to driverless cars becoming mobile bombs or connected devices sending malware via botnets or through spam emails.
Benefits outweigh the negatives
Shipping company Maersk reportedly has one of the largest deployments of industrial IoT, using IoT to ensure refrigerated containers all maintain the correct temperature.
Speaking at a recent conference, Maersk UK chief information officer (CIO) Andy Jones outlined the benefits of the deployment, saying that the firm is now able to monitor goods in real time via IP-enabled sensors, whereas it previously took engineers two days to check and report on these conditions.
The readings from these sensors are continually fed into Maersk’s monitoring systems via satellite, and any problems at sea can be identified immediately.
Jones said the problem arises where IoT systems are connected to something physical, like braking or airbag systems of vehicles or the heating and cooling systems of buildings. There are many security challenges; not only because of the difficulty in keeping devices and software patched but also because the Internet protocol (IP) used by IoT devices is inherently insecure.
"Combine this with the fact the Internet does not have any form of service level agreement, that there are millions of devices in the hands of unsophisticated users, and that the Internet is accessible worldwide, and you have the perfect storm," he said.
Alan Woodward, computing professor at the University of Surrey, added: "My big concern from a security perspective… is that IoT is set up using embedded computing, which is notorious for cheap, open-source, off-the-shelf bits of software and hardware."
Woodward is also concerned about cheap devices and weak patch management, saying on the latter that updating the firmware on embedded IoT systems is "extremely difficult" and "problematic."
"I think IoT has far more potential than mainstream computing for being compromised," he said. "The IoT is a classic area where people are having to relearn all the lessons that took 25 years to learn in computing."
What businesses can do
Munro urged CIOs and other IoT decision makers to be proactive in auditing and managing devices, even if it means "walking the floors" to find out what devices are connecting to enterprise networks.
The CIO, he said, must think "really seriously" about what data could be compromised if there is a system breach, and what hackers would have access to if the network is segregated.
Jones is optimistic about future security plans, but he advised isolating IoT devices at risk. "Any risk assessment should include the criminal mindset and learn from past analogies," he said.
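As an added example (this is not code from the article or from any of the organisations it quotes), the following Python script applies Munro's and Jones's advice in one pass: it reads a DHCP lease file to discover what is actually connecting to the network, flags every device that is not in the asset inventory, and checks whether those unmanaged devices sit on a segregated IoT VLAN. The lease lines, the OUI-to-vendor table, the approved-asset list and the 10.20.0.0/24 IoT VLAN are all constructed assumptions for illustration.

```python
"""Audit DHCP leases for unknown or unsegregated IoT devices.

Added illustrative example; not code from the article or from any vendor
named in it. All data below is constructed.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed sample in dnsmasq lease-file format:
#   <expiry-epoch> <MAC> <IP> <hostname> <client-id>
SAMPLE_LEASES = """\
1700000000 00:50:56:11:22:33 10.10.0.5  corp-laptop-42 *
1700000000 b8:27:eb:12:34:56 10.10.0.23 raspberrypi 01:b8:27:eb:12:34:56
1700000000 18:b4:30:aa:bb:cc 10.10.0.77 Nest-Thermostat *
1700000000 18:b4:30:dd:ee:ff 10.20.0.14 Nest-Cam *
1700000000 3c:5a:b4:01:02:03 10.10.0.90 * *
"""

# Assumed OUI table (first three octets -> vendor). A real audit would load
# the full IEEE OUI registry instead of this hand-picked subset.
OUI_VENDORS = {
    "00:50:56": "VMware",
    "18:b4:30": "Nest Labs",
    "3c:5a:b4": "Google",
    "b8:27:eb": "Raspberry Pi Foundation",
}

# Assumed: MACs recorded in the approved corporate asset inventory.
APPROVED_ASSETS = {"00:50:56:11:22:33"}

# Assumed: the VLAN the business has set aside for IoT devices.
IOT_VLAN = ipaddress.ip_network("10.20.0.0/24")


@dataclass
class Finding:
    mac: str
    ip: str
    hostname: str
    vendor: str
    issues: list = field(default_factory=list)


def parse_leases(text):
    """Return (mac, ip, hostname) tuples from dnsmasq-style lease lines."""
    leases = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or malformed lines
        _expiry, mac, ip, hostname = parts[:4]
        leases.append((mac.lower(), ip, hostname))
    return leases


def vendor_for(mac):
    """Look up the manufacturer from the MAC's OUI prefix (first 8 chars)."""
    return OUI_VENDORS.get(mac[:8], "unknown vendor")


def audit(lease_text, approved=APPROVED_ASSETS, iot_vlan=IOT_VLAN):
    """Flag every lease that is unknown to inventory or, if unmanaged,
    sits outside the segregated IoT VLAN. Devices with no hostname are
    noted too, since they are the hardest to identify by walking the floor."""
    findings = []
    for mac, ip, hostname in parse_leases(lease_text):
        issues = []
        if mac not in approved:
            issues.append("not in asset inventory")
            if ipaddress.ip_address(ip) not in iot_vlan:
                issues.append("unmanaged device outside IoT VLAN")
        if hostname == "*":
            issues.append("no hostname supplied")
        if issues:
            findings.append(Finding(mac, ip, hostname, vendor_for(mac), issues))
    return findings


def report(lease_text):
    """One human-readable line per finding, for the CIO's walk-the-floor list."""
    return [f"{f.ip} {f.mac} ({f.vendor}, {f.hostname}): {'; '.join(f.issues)}"
            for f in audit(lease_text)]


if __name__ == "__main__":
    for line in report(SAMPLE_LEASES):
        print(line)
```

With the constructed data, the corporate laptop passes, the Nest camera on the IoT VLAN is flagged only as missing from inventory, and the Raspberry Pi, the thermostat and the nameless Google-OUI device on the office subnet are flagged as unmanaged devices that have not been segregated. In practice the lease file would come from the DHCP server and the inventory from the CMDB; the logic is the same.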
Woodward urged companies to roll out IoT policies so users clearly know their data can be wiped and devices managed.
Doug Drinkwater is editor at Internet of Business, which is hosting the Internet of Manufacturing Conference November 1-2, 2016, in Chicago. This article originally appeared here. Internet of Business is a CFE Media content partner. Edited by Joy Chang, CFE Media.