According to a 2014 HP report, titled “Internet of Things Research Study,” 70 percent of the most commonly used Internet of Things (IoT) devices contain vulnerabilities involving password security, permissions and encryption.
“While the Internet of Things will connect and unify countless objects and systems, it also presents a significant challenge in fending off the adversary given the expanded attack surface,” said Mike Armistead, vice president and general manager, Fortify, Enterprise Security Products, HP, in response to the report.
Concern No. 1: Unlawful surveillance/invasion of privacy
“The Internet-connected modules installed on various devices (e.g., cars, toys, home appliances, etc.) can be used for unlawful surveillance,” says Daniel Dimov, security researcher, InfoSec Institute. “For example, an Internet-connected door lock can be used to monitor when a person enters or leaves their home,” he says. And smart TVs and child monitors can watch you.
“These types of threats are not merely speculative,” he adds. “Vulnerabilities have been found and documented in several Internet-connected modules installed in cars, medical devices and children's toys.” And let us not forget Samsung Smart TVs.
“Before you buy a connected device, do your research,” says Caroline Tien-Spalding, senior director of marketing at ArcSoft, a photo and video imaging software development company. “How is your data protected and encrypted? Where is it stored? Does it include an option for a public stream?”
One way “to defend against IoT attacks is to segment your network, which means creating two different networks in your house, separating your IoT devices from the network that houses your personal computer and mobile devices,” says Stephen Coty, director of Threat Research at Alert Logic, which provides security and compliance solutions for the cloud.
“This will help limit the exposure if you are compromised through an IoT device,” he says. “Personally, I have three different networks in my house. One for my IoT devices, one for my family to use with their personal devices and another that I use for my workstations and servers as part of my job.”
Also be sure to “change your connected device password,” as soon as you install the IoT device, says Kent McMullen, senior director, Internet of Things, Symantec.
“Since most connected devices have IP addresses, hackers can find a way to access them. Enterprises and consumers can protect themselves, [however,] by changing default usernames and passwords immediately after installation and regularly updating these credentials.”
Just “ensure that the passwords you're creating for IoT devices are unique and complex [i.e., include a combination of uppercase and lowercase letters, numbers and special symbols], as many IoT devices only require the use of simple passwords or other simple authentication methods to manage themselves, allowing attackers to eavesdrop on the data stream,” adds Aamir Lakhani, security strategist, FortiGuard Threat Research and Response Labs at Fortinet, a network security company.
Concern No 2: Threat to enterprise data and network security
“Businesses should be wary of IoT in terms of connected devices and the security of their networks,” says Reggie Best, chief product officer, Lumeta. “Any device with built-in network connectivity creates a risk, a so-called backdoor connection that could be exploited for data exfiltration,” or a DDoS attack.
As a result, “enterprise IT managers need to be constantly aware of when new devices connect to the network, identify the types of devices and know where in the network these devices are located,” he says. “If a smartphone joins a guest wireless zone of the network, it's likely expected behavior. If a ‘smart’ refrigerator connects to the payment card zone, however, that's a different story.”
“IoT devices represent a tremendous blind spot for organizations,” says Rehan Jalil, CEO, Elastica, a provider of cloud app security. “Aside from questions regarding what data is stored on these devices, there are broader issues around what data is transmitted from these devices and where that data ultimately lands,” he says.
“Questions around data governance have always been central to security and IoT is no exception.” And “making a multimillion-dollar investment in IPS and firewalls is of little benefit when employees can easily copy data to the cloud.”
And unfortunately, “most company’s BYOD policies don’t cover IoT,” notes Rob Clyde, vice president, ISACA International, a global association of 115,000 professionals that helps enterprises maximize the value of their information and technology.
“ISACA’s recent IT Risk/Reward Barometer study reveals that only 11 percent of companies have a BYOD policy that also addresses BYOW (bring your own wearables), even though 81 percent in the same survey said that employees bringing wearable devices to work represents an equal or greater risk than bringing their smartphones or tablets to work,” Clyde says.
To limit potential breaches and protect sensitive data, “company policy should dictate whether wearable devices are allowed in the workplace, what types are allowed and what security is required,” he advises. “For example, restrict employees’ wearable devices to only connect to the Internet via a cellular or guest network.”
Concern No. 3: No good, comprehensive way to manage all of these IoT devices
“When looking at the current state of the Internet of Things, the industry lacks one glaring success factor: a set of standards for application program interfaces (APIs), which are credited as being the building blocks of the IoT – and are essential for managing all of these disparate devices,” explains Lee Odess, general manager, Brivo Labs.
“In order for IoT devices to efficiently and securely communicate, and be properly managed, APIs need to essentially speak the same language. So creating a standardised API will make a world of difference,” he says.
“IoT is creating a surge in the number of mobile devices, with the number of M2M devices expected to surpass 40 billion by 2020,” says Frank Yue, senior technical marketing manager, F5 Networks. “That’s five times more M2M devices than consumer wireless devices.”
“The scale issue is not the volume of traffic, but the type, frequency and cadence,” Yue continues. “M2M devices do not behave the same as consumer devices. These devices are typically low-energy, short interval update types of devices.”
And while “the size of the communication is small, the issue is they send regular updates consistently throughout the day causing a tsunami of connections and data at periodic intervals,” he says. “How will the service providers build an infrastructure that has these regular surges of traffic that may surpass baseline or average traffic by a significant multiple of existing traffic patterns?”
“The complexity of creating and maintaining an IoT system, which includes sensors, actuators, communications protocols, and device provisioning processes, among others, poses unique challenges,” says Annie Hsu, associate strategy director, frog, a product strategy and design firm. And “finding a browser-like solution for the IoT won't be straightforward.”
9 questions companies should ask and answer before leveraging IoT
- How will the device be used from a business perspective, and what business value is expected?
- What threats are anticipated, and how will they be mitigated?
- Who will have access to the device, and how will their identities be established and proven?
- What is the process for updating the device in the event of an attack or vulnerability?
- Who is responsible for monitoring new attacks or vulnerabilities pertaining to the device?
- Have risk scenarios been evaluated and compared to anticipated business value?
- What personal information is collected, stored and/or processed by the IoT device?
- Do the individuals whose information is being collected know that it is being collected and used, and have they given consent?
- With whom will the data be shared?