First, we had the desktop computer and floppy disks. Then along came the Internet and our communications changed forever. Email, then instant messaging, then social media and Cloud apps opened up the airwaves and allowed cyber threats to move off the floppy disk into the ether: viruses became ultra-viral and cybersecurity became part of our everyday lives. Then, yet again, technology played a blinder, and the Internet, already touching most things we do, became ubiquitous. Connected became hyper-connected as the Internet of Things (IoT) created an ever more complex web of data and communications for us to use.
Internet-connected devices are everywhere. They are the driving force behind the new industrial revolution known as Industry 4.0; they are in our offices controlling our lighting; in our hospitals helping determine patient treatment; and they are in our homes (“Hello Alexa, what’s the weather like today?”). It looks like the IoT is here to stay. The Industrial IoT market is expected to reach around 933.62 billion USD by 2025 [1] and healthcare IoT 158.07 billion USD by 2022. [2]
The IoT is opening up new opportunities to improve productivity and innovate. But with every Yang comes a Yin, and privacy and security are the part of the IoT that has earned it the title “creepy tech” from some. A 2018 Ponemon Institute study into the cybersecurity concerns of CISOs found that 47% were concerned about a security breach caused by insecure IoT devices, and a full 60% said that IoT devices were the most challenging to secure. [3]
In this article, we will take a look at some of the security and privacy issues of the IoT and how they can be mitigated.
When Security and Privacy are an IoT Afterthought
There have been some very high-profile cases of IoT security issues in recent years. Here are three cases where security by design and security awareness can help create a solution.
Case 1: Smart botnets and the Dyn DDoS attack
The issue: In October 2016, a large section of the Internet went down. Popular websites became unreachable even though their own web servers were still running. The attackers targeted Dyn, a managed DNS provider whose servers translate domain names into IP addresses for many major websites. [4] In a Distributed Denial of Service (DDoS) attack, the target (usually a website or a service such as DNS) is flooded with more traffic than it can handle, so it slows to a crawl or stops responding altogether; when the target is a DNS server, every site whose name it serves becomes unreachable, because browsers can no longer look up the address. The October 2016 attack was traced to botnet malware named Mirai. This malware infected hundreds of thousands of hijacked Internet-connected video cameras, digital video recorders and routers, each IoT device being controlled by the botnet master. The underlying security issue identified after the attack was insecure login credentials: Mirai scanned the Internet for devices with an exposed Telnet service and tried a short list of well-known factory default usernames and passwords until one worked.
Resolution: The use of default administrator passwords and usernames in IoT devices is more common than you think. In a study by ForeScout, almost half of UK businesses had not changed the default password for the IoT devices used in their organisation. [5] To help prevent DDoS attacks that piggyback on IoT devices, always change the default password immediately, and do not expose a device’s management interface (Telnet, SSH or its web console) to the Internet, since a scanner cannot try credentials against a service it cannot reach. Be aware that some devices ship with credentials hard-coded in the firmware that cannot be changed at all; the only safe options there are to keep the device off the Internet or replace it. For advice on how to choose a robust password, check out our previous article on “Are Passwords Still the Key to Your Castle?”
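One practical check for Case 1, as an added example that is not part of the original article: Mirai found new victims by scanning for devices with Telnet open on TCP port 23 (and 2323), so a device on your own network that suddenly connects to many different hosts on those ports is a strong sign it is already infected and hunting for others. The Python below runs that detection over a few constructed firewall log lines. The log format, the 60-second window and the 20-destination threshold are assumptions for illustration, not any vendor’s format or a recommended tuning.

```python
"""Flag hosts that behave like a Mirai-style Telnet scanner.

Added example, not from the original article. Mirai propagated by scanning
for devices with Telnet open on TCP 23 and 2323 and trying a short list of
factory default credentials. A host on your own network doing the same is a
strong sign it is already infected. The log lines below are constructed to
look like a simple firewall connection log; the field layout is an
assumption, not any vendor's real format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

TELNET_PORTS = {23, 2323}          # ports Mirai's scanner targeted
WINDOW = timedelta(seconds=60)     # assumed detection window
THRESHOLD = 20                     # assumed distinct-destination threshold

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "proto": m["proto"],
        "dport": int(m["dport"]),
    }


def find_telnet_scanners(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {src: distinct_destinations} for every source that contacted at
    least `threshold` distinct hosts on a Telnet port within `window`.
    Blocked (DROP) attempts count too: the scanning behaviour is the signal."""
    events = defaultdict(list)  # src -> [(timestamp, dst)]
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP" or rec["dport"] not in TELNET_PORTS:
            continue
        events[rec["src"]].append((rec["ts"], rec["dst"]))

    scanners = {}
    for src, hits in events.items():
        hits.sort()
        start = 0
        best = 0
        # Sliding time window over the source's Telnet connections.
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = len({dst for _, dst in hits[start:end + 1]})
            best = max(best, distinct)
        if best >= threshold:
            scanners[src] = best
    return scanners


def sample_log():
    """Constructed log: one camera sweeping 25 hosts on 23/tcp in 25 seconds,
    an admin workstation connecting repeatedly to a single device on 23/tcp,
    and ordinary HTTPS traffic from a third host."""
    base = datetime(2019, 3, 1, 10, 0, 0)
    lines = []
    for i in range(25):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} DROP src=192.168.10.57 dst=203.0.113.{i + 1} proto=TCP dport=23")
    for i in range(5):
        ts = (base + timedelta(seconds=i * 10)).isoformat()
        lines.append(f"{ts} ACCEPT src=192.168.10.5 dst=192.168.10.57 proto=TCP dport=23")
    for i in range(30):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} ACCEPT src=192.168.10.8 dst=198.51.100.{i + 1} proto=TCP dport=443")
    return lines


if __name__ == "__main__":
    for src, n in find_telnet_scanners(sample_log()).items():
        print(f"possible Mirai-style scanner: {src} contacted {n} distinct hosts on Telnet ports")
```

On the constructed log only the camera at 192.168.10.57 is reported. The administrator who logs in to one device five times is not, because the rule keys on how many distinct destinations a source reaches, not on how many Telnet connections it makes; that distinction is what separates a scanner from legitimate management traffic.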
Case 2: Here’s looking at you kid – smart cameras and privacy
The issue: There are a number of concerning cases where IoT devices used with children or babies have been hacked and used as surveillance equipment. One recent incident involved the FREDI baby monitor. [6] A young mother noticed that her baby monitor was moving across the room, seemingly of its own accord, and focusing on the place where she was breastfeeding her baby. It transpired that the camera had been hijacked. Another incident involved an Internet-connected teddy bear which recorded children’s and parents’ voices. The recordings, along with personally identifying data, were stored on Cloud servers. Unfortunately, the manufacturer had left that database reachable from the Internet without authentication, so the data was exposed to anyone who found it. [7]
Resolution: Basic security measures go a long way to protecting the data generated by IoT devices: strong, unique credentials (and multi-factor authentication where the product supports it) on the device and its companion app, encrypted connections between device, app and Cloud, and access controls on whatever Cloud storage holds the data. This security, in turn, provides a good basis for ensuring user privacy is upheld. One of the most fundamental things you can do as an organisation is to ensure any IoT device you use is a secure one. Check out the manufacturer’s security measures and policies. Like any supplier or partner, you should carry out a risk assessment on the manufacturer, the device, and the protection of its data across the whole lifecycle: where the data goes, how long it is kept, and who can reach it.
Case 3: Patchy service – getting down to security basics
The issue: Kaspersky reported three times as many attacks against smart devices in 2018 as in 2017. When a new device enters the marketplace, attackers quickly probe it for vulnerabilities. [8] Because the IoT is a hot market, manufacturers can sometimes be guilty of getting a product to market as quickly as possible and worrying about security later, so patches for those vulnerabilities arrive too late for those already affected.
Resolution: Patching an IoT device is not always easy or possible. Many healthcare devices, for example, cannot be easily patched, as updating may mean turning off a life-saving device. Others are manufacturer-restricted, with only the original maker able to update the firmware within the device. When you choose a device, check the manufacturer’s guidance on vulnerability disclosure and patching support, including how long the device will keep receiving security updates. Where a device cannot be patched, put it on its own network segment and restrict its traffic to what it actually needs, so that a known vulnerability cannot be reached from the rest of your network. Also make sure you have an ongoing inventory of devices: model, firmware version, location, and whether the default credentials have been changed. Your organisation may have many IoT endpoints, especially in the coming years. If you know what you have, you are far more likely to be able to check each device against any issue that is announced.
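An added example, not from the original article, of the inventory check described above: a short Python audit that reads a constructed device inventory and flags firmware below the vendor’s minimum supported version, devices past their support end date, unchanged factory credentials, and management interfaces exposed to the Internet. The inventory, the model names and the vendor guidance table are all constructed assumptions; in practice the guidance comes from the manufacturer’s patching and support policy that the article says to check before you buy.

```python
"""Audit an IoT inventory for patch, support and exposure status.

Added example, not from the original article. The inventory below is
constructed, and the vendor "minimum supported firmware" and support-end
dates are assumptions for illustration, standing in for the manufacturer's
real patching guidance.
"""
import csv
import io
from datetime import date

# Constructed inventory in the shape an organisation might keep per device.
INVENTORY_CSV = """\
device_id,model,ip,firmware,default_creds_changed,mgmt_exposed_to_internet
cam-01,AcmeCam 200,10.0.5.21,2.1.0,yes,no
cam-02,AcmeCam 200,10.0.5.22,1.9.3,no,yes
pump-07,MedPump X,10.0.9.3,4.0.1,yes,no
hub-01,HomeHub,10.0.5.40,3.2.0,yes,no
"""

# Assumed vendor guidance keyed by model: the oldest firmware the vendor still
# considers safe, and the date after which no further security patches ship.
VENDOR_GUIDANCE = {
    "AcmeCam 200": {"min_firmware": "2.0.0", "support_ends": date(2021, 12, 31)},
    "MedPump X":   {"min_firmware": "4.0.0", "support_ends": date(2025, 6, 30)},
    "HomeHub":     {"min_firmware": "3.5.0", "support_ends": date(2019, 1, 1)},
}


def parse_version(v):
    """Turn a dotted version string into a tuple of ints so that versions
    compare numerically: '1.10.0' is newer than '1.9.3', which a plain
    string comparison would get wrong."""
    return tuple(int(part) for part in v.split("."))


def audit_inventory(csv_text, guidance, today):
    """Return {device_id: [issue, ...]} for every device with at least one issue."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = []
        g = guidance.get(row["model"])
        if g is None:
            issues.append("no vendor guidance on record")
        else:
            if parse_version(row["firmware"]) < parse_version(g["min_firmware"]):
                issues.append(f"firmware {row['firmware']} below minimum {g['min_firmware']}")
            if today > g["support_ends"]:
                issues.append(f"vendor support ended {g['support_ends']}")
        if row["default_creds_changed"].strip().lower() != "yes":
            issues.append("factory default credentials still in use")
        if row["mgmt_exposed_to_internet"].strip().lower() == "yes":
            issues.append("management interface reachable from the Internet")
        if issues:
            findings[row["device_id"]] = issues
    return findings


if __name__ == "__main__":
    for device_id, issues in audit_inventory(INVENTORY_CSV, VENDOR_GUIDANCE, date.today()).items():
        print(device_id)
        for issue in issues:
            print(f"  - {issue}")
```

Run against the constructed data with a date in mid-2019, cam-02 is flagged on three counts (old firmware, default credentials, exposed management interface) and hub-01 on two (old firmware and a vendor that stopped patching). Devices that match nothing are simply absent from the result, which keeps the report short enough to act on.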
Making sure your Internet of Things does not become your Insecurity of Things
I could have called this article “When Good Technology Goes Bad”, but like everything in life and work, there is always the good with the bad. The Internet of Things is changing the way that cybercriminals can attack our infrastructure. IoT is adding a level of complexity to our cybersecurity strategy and challenging us to make sure these extended touchpoints are protected. As we embrace Internet-connected devices in our workplaces and our homes, we need to make sure we are aware of the issues that these devices can bring with them. With good cybersecurity hygiene practice and security awareness training, we can make sure that we get the most out of this transforming technology.