The Internet of Things (IoT) has been the subject of industry analyst and tech-media excitement for just about forever. In 2015, however, it finally feels as though we are about to hit the point of no return with IoT, where all, and not just some, IT departments need to consider and address its IT management and security implications. The IoT also changes consumer behavior: technology users need to understand the security risks that come with connected devices and fortify themselves against them.
From an IT security perspective, cyber criminals must be giddy with excitement when they read that the U.S. Federal Trade Commission estimates that there are now twenty-five billion devices online, with separate research from HP stating that 70 percent of IoT devices are unsecured. Then there is Apple's recent pay-by-phone capability, which combines biometrics with near field communication (NFC). NFC is nothing new; Juniper Research reports that 300 million NFC-enabled phones are already out there, with global NFC transactions worth $50 billion.
What IoT means to cyber criminals is more opportunity to make more money. And it’s not as though cyber crime is currently a small market. Europol states the “Total Global Impact of CyberCrime [has risen to] US$3 Trillion, making it more profitable than the global trade in marijuana, cocaine, and heroin combined.” In this slideshow, Sarah Lahav, CEO of SysAid Technologies, has identified eight IoT risks that corporate IT departments, and consumer users, need to consider and address.
IoT Insecurities Prevail
Many IoT devices ship with little security functionality because they lack the processing power, memory or storage to run it. That will change over time, but for now the gap has to be closed elsewhere, typically in the web service or gateway that sits in front of the device.
In 2013, the U.S. Federal Trade Commission settled with TRENDnet, an IoT vendor that supplied home viewing cameras under the SecurView name. Despite the vendor's claim that its products were secure, a flaw in the camera software let anyone who knew a camera's Internet address view, and in some cases listen to, its live feed without authenticating. Links to hundreds of these feeds were also posted on a third-party website, where absolutely anyone could click a camera and see what it could see.
Car manufacturers, such as Jaguar Land Rover, have also had issues – for instance recalling vehicles because their on-board computers had security weaknesses that allowed criminals to easily steal them. Insurance companies consequently refused to insure such vehicles unless they were locked in secure garages.
Ultimately, IoT vendors must do more to build security into their products. Corporate IT departments and consumer customers need to vote with their wallets and put security ahead of convenience and price when buying IoT devices. Cheap, ubiquitous and insecure IoT devices are the cyber criminal's best friend.
Weak Entry Points
Poorly secured IoT devices on a corporate network, with known or easily guessed passwords and passcodes, are the perfect entry point for cyber criminals. If the device is a router or another kind of control or network device, it is even more valuable to an attacker, who can then modify firewall rules and network services to their own ends. And even if an IoT device looks like a harmless endpoint, an Internet-connected fridge for example, it is still a small computer with a network stack and, often, functions such as sending email that can be abused.
So corporate IT departments, and consumer users, need to lock down their IoT devices: restrict admin rights, replace every default password with a long, unique one, and disable remote administration and services the device does not need. Organizations should also consider putting IoT devices on their own firewalled network segment, ideally a separate VLAN with no route to the rest of the corporate network and only the outbound connections the devices actually require.
Cyber criminals can potentially use your PC or laptop camera to see into your home or office, and even listen in if they can get access to your device's microphone. The breach is not limited to remote access to audio and video, either: a captured IoT device on your network can passively and actively learn about the rest of the network using basic Linux networking tools. Given that many IoT devices run Linux, an attacker has a good chance of installing common malware on one to learn all about you or your company.
This again reinforces the point that all IoT devices need to be locked down, not just the central control point such as a router. The security-savvy and technically capable should do regular sweeps for unusual behavior, but "unusual" is hard to define until you have recorded what normal looks like: which hosts each device talks to, on which ports, and how often. You should also be prepared to reset an IoT device to factory settings at any time and then set fresh, stronger credentials before reconnecting it.
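One way to make "unusual" concrete is to baseline each device's traffic and diff new traffic against it. The script below is an added example written for this page, not code from the article or from SysAid. It learns, per device, which services and destinations were used during a quiet period, then flags flows that break the pattern: a device talking to a new service or destination, a device with no baseline at all, a device sending mail straight to the Internet (the spam-bot fridge from the previous slide), and a device fanning out to internal hosts it never touched before. All addresses and flow records are constructed sample data, and the record shape (src, dst, dst_port, proto) is an assumption about what your flow collector or Zeek conn.log export gives you.

```python
"""Baseline-and-diff detection for IoT device traffic.

Added example, not from the original article. The flow records below are
constructed (src, dst, dst_port, proto) tuples; all addresses are sample data.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

PRIVATE_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                ip_network("192.168.0.0/16")]

# Constructed: a quiet week of traffic from three IoT devices on 10.20.0.0/24.
BASELINE_FLOWS = [
    ("10.20.0.11", "10.20.0.1", 53, "udp"),     # camera -> local DNS
    ("10.20.0.11", "52.10.0.5", 443, "tcp"),    # camera -> vendor cloud
    ("10.20.0.12", "10.20.0.1", 53, "udp"),     # thermostat -> local DNS
    ("10.20.0.12", "34.0.0.9", 443, "tcp"),     # thermostat -> vendor cloud
    ("10.20.0.13", "10.20.0.1", 53, "udp"),     # fridge -> local DNS
    ("10.20.0.13", "13.0.0.2", 443, "tcp"),     # fridge -> vendor cloud
]

# Constructed: today's traffic. The fridge has been recruited into a spam bot
# and is also poking at other internal hosts; a never-seen device has appeared.
TODAY_FLOWS = [
    ("10.20.0.11", "52.10.0.17", 443, "tcp"),   # same vendor /24, different IP
    ("10.20.0.12", "34.0.0.9", 443, "tcp"),
    ("10.20.0.13", "13.0.0.2", 443, "tcp"),
    ("10.20.0.13", "198.51.100.7", 25, "tcp"),  # outbound SMTP straight to the Internet
    ("10.20.0.13", "10.20.1.5", 22, "tcp"),
    ("10.20.0.13", "10.20.1.6", 445, "tcp"),
    ("10.20.0.99", "203.0.113.4", 8080, "tcp"), # device with no baseline at all
]


def is_internal(ip):
    return any(ip_address(ip) in net for net in PRIVATE_NETS)


def dst_key(dst):
    """Track internal hosts individually, external hosts by /24, so a vendor
    rotating through a load-balanced block does not raise an alert per IP."""
    return dst if is_internal(dst) else str(ip_network(f"{dst}/24", strict=False))


def learn_baseline(flows):
    """Per device: the (port, proto) services it uses and the destinations it reaches."""
    services, dests = defaultdict(set), defaultdict(set)
    for src, dst, port, proto in flows:
        services[src].add((port, proto))
        dests[src].add(dst_key(dst))
    return dict(services), dict(dests)


def find_anomalies(baseline, flows, fanout_threshold=2):
    """Return (device, alert_kind, detail) tuples for flows that break the baseline."""
    services, dests = baseline
    alerts = []
    new_internal = defaultdict(set)
    for src, dst, port, proto in flows:
        if src not in services:
            alerts.append((src, "unknown-device", f"no baseline; contacted {dst}:{port}/{proto}"))
            continue
        key = dst_key(dst)
        if (port, proto) == (25, "tcp") and not is_internal(dst):
            alerts.append((src, "direct-smtp", f"mail sent straight to {dst}"))
        if (port, proto) not in services[src]:
            alerts.append((src, "new-service", f"{proto}/{port} to {dst}"))
        elif key not in dests[src]:
            alerts.append((src, "new-destination", f"{dst} on {proto}/{port}"))
        if is_internal(dst) and key not in dests[src]:
            new_internal[src].add(dst)
    # Several never-seen internal targets from one device looks like a scan.
    for src, hosts in new_internal.items():
        if len(hosts) >= fanout_threshold:
            alerts.append((src, "internal-fanout",
                           f"{len(hosts)} never-seen internal hosts: {sorted(hosts)}"))
    return alerts


if __name__ == "__main__":
    for device, kind, detail in find_anomalies(learn_baseline(BASELINE_FLOWS), TODAY_FLOWS):
        print(f"{device:12} {kind:16} {detail}")
```

The camera's move from 52.10.0.5 to 52.10.0.17 produces no alert because external destinations are keyed by /24; tighten that to individual hosts for devices whose vendor endpoints are fixed. The baseline period must itself be clean, so review it by hand before trusting it, and re-learn after firmware updates that legitimately change a device's behavior.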
Hijacked for Criminal Activity
Health care presents an exciting opportunity for IoT, not just for passively collecting patient observations but also controlling medical devices in real time, in response to collected observations. Imagine a heart monitor that constantly sends heart data to a system that analyzes it, along with blood oxygen levels, etc., and decides to modify one of the control units – maybe to deliver a drug to the patient. In the wrong hands, this setup could result in death.
Access to other IoT devices can give cyber criminals control over your life, especially keyless entry systems for your house, garage, gate or car, whose credentials can be cloned to give the criminal physical access. It is essential that users choose IoT products with proven security credentials, which are likely to cost more than the weak ones.
Unknown Network Use
An independent security organization recently scanned the 900 MHz band used by many IoT wireless devices and found, to its client's astonishment, that the client's building HVAC (heating, ventilating and air conditioning) system was IoT-connected.
The client did not know this, and nobody in the organization owned its security. The HVAC devices were also found to be running with default passwords and very little security of any kind. Had an attacker gained control of them, the result could have been real damage to the business.
This is a good lesson for us all. Enterprises need to regularly, if not continuously, scan for IoT devices on their networks, including the wireless bands such devices use. Enterprises need to know what is normal before they can recognize what is not, and take remedial action as necessary.
Convenience and Price over Security
IoT device vendors might want to give consumers an Apple-like experience, of simplicity and convenience, or they might want to compete based on price. Both strategies can be at the expense of security. Plug-and-play without configuration should not be possible – there needs to be some configuration by the consumer because they at least need to program the IoT device with a passcode or password that only they know. If you can just plug a device into your corporate or home network with no configuration, then you have likely unwittingly created an opportunity for a cyber criminal.
Consumers in particular need to become more technology-savvy and, again, vote with their wallets by only buying products that offer sufficient security. There are no industry standards for IoT device security, and many products use differing technologies that do not interoperate. For now, the best way for consumers to become IoT-security savvy is to read online reviews and forum posts and educate themselves.
You Can’t Secure Insecure IoT Devices
Some IoT devices, especially those that offer plug-and-play installation, can be difficult, if not impossible, to configure – especially embedded devices that need special diagnostic equipment to interface with them. In this case, the user needs to check whether (and how) the IoT device is configurable and securable. If it isn’t, the user needs to think twice about purchasing it because they will be deliberately connecting an insecure IoT device to their network.
The fact that the device is a fridge (or a similar household appliance) is unimportant. Security researchers have reported fridges being recruited into botnets and used to send spam, and a compromised appliance can just as easily learn about the rest of the household network in preparation for a future attack.
Forgotten IoT Devices
People, and especially corporate IT departments with huge asset estates, forget about older or unused devices, and some of those devices will be IoT-enabled. They may no longer be monitored or maintained, but they remain on the network. Over time they become risks as known vulnerabilities go unpatched, and once an attacker finds such a device, they will find a way to hijack it.
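The Unknown Network Use and Forgotten IoT Devices slides describe the same control from two sides: a regular scan reconciled against an asset inventory surfaces devices nobody knew about and devices nobody has looked at in months. The script below is an added example written for this page, not code from the article or from SysAid. The scan text is constructed in the tab-separated style of arp-scan output (IP, MAC, vendor string), and the OUI table, inventory records and audit date are constructed sample data; a real deployment would feed it the output of your scanner and pull records from your CMDB.

```python
"""Reconcile a network scan against the asset inventory.

Added example, not from the original article. SCAN_OUTPUT is constructed in the
tab-separated style of arp-scan output; OUI, INVENTORY and AUDIT_DATE are sample data.
"""
from datetime import date

SCAN_OUTPUT = """\
10.20.0.1\t00:1a:2b:00:00:01\tRouterCo
10.20.0.11\t00:1f:33:aa:bb:cc\tCamVendor
10.20.0.12\t44:61:32:00:11:22\tThermoCo
10.20.0.40\t00:40:8c:12:34:56\tCamVendor
10.20.0.77\tb8:27:eb:77:88:99\t(Unknown)
"""

# Hypothetical OUI table (first three octets -> vendor). Real deployments use
# the IEEE registry file that tools such as arp-scan ship with.
OUI = {
    "00:1a:2b": "RouterCo",
    "00:1f:33": "CamVendor",
    "44:61:32": "ThermoCo",
    "00:40:8c": "CamVendor",
    "b8:27:eb": "Raspberry Pi Foundation",
}

# Constructed inventory: MAC -> record. 'last_reviewed' is when someone last
# confirmed the device is still needed, patched and owned.
INVENTORY = {
    "00:1a:2b:00:00:01": {"name": "core-router", "owner": "netops",
                          "last_reviewed": date(2015, 5, 1)},
    "00:1f:33:aa:bb:cc": {"name": "lobby-camera", "owner": "facilities",
                          "last_reviewed": date(2015, 4, 20)},
    "44:61:32:00:11:22": {"name": "hvac-thermostat", "owner": "facilities",
                          "last_reviewed": date(2014, 9, 3)},
    "00:40:8c:12:34:56": {"name": "old-warehouse-cam", "owner": "",
                          "last_reviewed": date(2013, 11, 12)},
    "aa:bb:cc:dd:ee:ff": {"name": "lab-sensor", "owner": "r&d",
                          "last_reviewed": date(2015, 3, 2)},
}

AUDIT_DATE = date(2015, 6, 1)   # constructed "today" so the example is deterministic


def parse_scan(text):
    """Turn scanner lines into device dicts; prefer our OUI table over the
    scanner's vendor string so an '(Unknown)' entry can still be identified."""
    devices = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) < 2:
            continue
        ip, mac = parts[0].strip(), parts[1].strip().lower()
        scanner_vendor = parts[2].strip() if len(parts) > 2 else "?"
        devices.append({"ip": ip, "mac": mac,
                        "vendor": OUI.get(mac[:8], scanner_vendor)})
    return devices


def reconcile(devices, inventory, today, stale_days=90):
    """Return (kind, mac, detail) findings: unknown, unowned, stale, missing."""
    findings, seen = [], set()
    for d in devices:
        seen.add(d["mac"])
        rec = inventory.get(d["mac"])
        if rec is None:
            findings.append(("unknown", d["mac"],
                             f"{d['ip']} ({d['vendor']}) is on the network but not in inventory"))
            continue
        if not rec["owner"]:
            findings.append(("unowned", d["mac"], f"{rec['name']} has no owner"))
        age = (today - rec["last_reviewed"]).days
        if age > stale_days:
            findings.append(("stale", d["mac"], f"{rec['name']} last reviewed {age} days ago"))
    # Inventory entries that did not answer the scan may be off, moved or stolen.
    for mac, rec in inventory.items():
        if mac not in seen:
            findings.append(("missing", mac, f"{rec['name']} in inventory but not seen on the network"))
    return findings


def audit(today=AUDIT_DATE):
    return reconcile(parse_scan(SCAN_OUTPUT), INVENTORY, today)


if __name__ == "__main__":
    for kind, mac, detail in audit():
        print(f"{kind:8} {mac}  {detail}")
```

Run against real data, the "unknown" findings are the HVAC-style surprises and the "stale" and "unowned" findings are the forgotten devices; both lists should be worked to zero and the scan repeated on a schedule. A wired ARP scan only sees the local segment, so cover each VLAN, and pair it with a wireless survey for devices that never touch the LAN at all.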
People, especially corporate IT departments with huge asset estates, can forget about older or unused devices, and some of these devices will likely be IoT-enabled. These devices might not be monitored or maintained but they will remain on the network. These devices will potentially become risks over time as security exploits are left unpatched. Once an attacker finds such a device, they will find a way to hijack it.