IoT is trending. Companies invest in new tech...
IoT brings new opportunities and…security challenges
IoT – or the universal interconnected environment where different objects collect data through sensors and exchange it over a network – is meant to help companies gain an insight into customer and employee behavior, improve asset management, predict equipment failure and eventually reduce operating expenses. From a consumer’s perspective, smart gadgets introduce a new level of convenience for home owners, enable real-time energy and water consumption monitoring and improve accessibility for people with special needs.
Judging from Cisco, McKinsey and Deloitte reports, connected devices truly serve their purpose:
- 25% of US households now have at least one IoT gadget. By 2020, IoT consumer spending will reach $63 billion;
- Through 2015, almost 80% of the world’s leading manufacturing companies that started using IoT solutions in the workplace reported a 28.5% IoT-driven revenue growth;
- By 2025, IoT’s potential economic impact across such industries as transportation, banking and manufacturing will top $4 trillion.
Security challenges in the Internet of Things: from hacked baby monitors to botnet-triggered DDoS attacks
Over the last few years the Internet of Things concept has evolved from controlling light bulbs via a smartphone app to crafting AI-powered gadgets capable of decision-making – and so have cyber threats. Today anything – including consumer electronics, networks and smart grids – can be hacked.
Here’s a brief record of security and privacy challenges that have emerged in the Internet of Things over the years:
- During the 2011 Black Hat conference Jay Radcliffe, a prominent security researcher and former IBM employee, wrote a simple application which could issue commands to his insulin pump, thus enabling attackers to remotely increase or lower a patient’s blood sugar levels. Radcliffe was unsure how many pump manufacturers produced vulnerable gadgets and suggested implementing a strong verification process so that users could approve the changes made to their devices;
- Two years later Proofpoint, a Californian company that specializes in enterprise security, uncovered the first major IoT cyberattack involving 100 thousand smart household appliances that generated over 750 thousand spam emails. According to Proofpoint, Internet of Things cyberattacks and security threats aren’t easy to mitigate: the average botnet consists of several thousand gadgets with each node performing a small task (like sending five emails to an enterprise or individual). What’s more, most IoT security vulnerabilities result from misconfiguration and the use of default passwords (which leave gadgets exposed on public networks);
- Through 2015, multiple families across the USA and Western Europe reported cases of hacked baby monitors. Several incidents involved Foscam wireless cameras. The manufacturer promptly released a firmware update and urged parents to upgrade it to the latest version every six months;
- October 21, 2016 will probably be remembered as IoT’s 9/11. That day, the Mirai botnet, which comprised hacked Wi-Fi routers, surveillance cameras and other consumer electronics running outdated versions of Linux, bombarded the Dyn servers, bringing several large websites (including GitHub, Twitter and the Verge) down;
- A few days ago compromised IoT gadgets tried to block the kill-switch web address that had stopped WannaCry – the malicious program that infected over 230 thousand Windows-powered computers in 150 countries and demanded ransom payments in Bitcoin.
Dealing with security challenges in the growing Internet of Things
Andrey Pozhogin, Senior Product Marketing Manager at Kaspersky Lab, claims most IoT device manufacturers do not design IoT products with security in mind – simply because the technologies that enable device communication do not allow hackers to interact with a gadget from a substantial distance (and without knowing its precise location).
What are the most common mistakes made by IoT vendors?
- They hard-code passwords into gadget firmware (thus depriving users of the opportunity to generate custom ones);
- Default passwords are easy to decrypt;
- Back-end device management consoles fail to encrypt sensor data;
- The firmware update process is usually complicated (as a result, only 31% of IoT consumers upgrade to the latest version of a gadget’s firmware as soon as it becomes available).
Here’s what you should do:
- Find a custom software development company with a solid IoT portfolio;
- Sign a T&M contract and allocate a decent research budget;
- Make sure your vendor creates multiple product use cases involving possible malware attacks;
- Employ a security expert who will (with the help of an experienced Project Manager, of course!) plan an IoT product roadmap and identify vulnerabilities early on;
- Contact a reliable gadget manufacturer and implement devices with high processing power;
- Develop clear privacy policies to educate customers on sensor data usage and the importance of firmware updates.