Much of the media attention around internet of things (IoT) security in the past two years has focused on specific attacks against IoT devices such as connected cars, wearables and smart home devices.
While these relatable incidents have helped highlight the vulnerabilities of specific devices and raised awareness about the importance of IoT security, they fail to provide a complete picture of the security challenges.
Heads of IT security must realise that their staff will encounter two strategic IoT use cases, connected devices and connected business processes; both will exist in enterprises and both will drive IoT adoption.
Security chiefs will meet with IoT users, makers and operators across the organisation, all with specific use cases. Each of those stakeholders will preside over line-of-business or vertical use cases that will require even more customisation or specialisation.
If the people operating an IoT device that enhances a business process are decentralised globally with poor or limited bandwidth internet connections, security staff will need to make different choices than if they’re located at the company’s head office using a dedicated wireless network and connection.
Core systems at risk
Hackers are likely to target core systems and applications – not just devices. These systems collect, normalise and store the high volume of data generated by IoT-enabled devices.
Strong security mechanisms on the endpoint device are still essential, but from a hacker’s perspective, why exert effort to exploit a single device when attacking the application that controls them will provide an instant fleet of hundreds of zombie in-car entertainment systems for publicity purposes? Why stop a single truck when you can alter logistics data in a competitor’s supply chain to disrupt planned shipping schedules? Ubiquitous connectivity will multiply IoT threats.
Continued innovation in chipsets, form factors and battery life allows IoT devices to be deployed in conditions that humans would find inhospitable or downright dangerous. Those deployments enable collection of datasets and real-time telemetry that was impossible for a company to gather pre-IoT.
According to one Cisco researcher, the biggest difference with IoT devices is that users aren’t aware that their new connected washing machine is a computer. IoT blends the physical and digital domains. Knowing that a fitness-wearable user in his mid-20s jogs at the same track three times a week has value for a sports drink advertiser, but a cartel could also use it to plan and execute a kidnapping.
Understand the threat
IoT devices present opportunities to improve customer satisfaction and engagement. But for CISOs whose firms are manufacturing, buying or using IoT devices, they also introduce pressing potential security problems, including the less obvious – but very real – issue of flawed firmware updates.
Security chiefs need to understand that IoT hacking does not require a specialised skillset. Security professionals often erroneously assume that IoT devices are all so different that any particular internet-connected device will be less interesting to hackers (because there are too few of them) than general-purpose computers.
In fact, versions of Linux such as RIOT OS and Windows 10 IoT Core exist as common operating systems (OSs) ported to IoT architectures. It’s easy to transfer skills from hacking desktops to hacking devices when the OS is almost identical. IoT security firm Senrio describes just how easy: “Two years ago, we did a public project with two interns. They hacked an ATM, a smart home controller, quantified life devices and a router. The interns were able to compromise them all remotely within a month.” Hence, hackers will quickly adapt their successful ransomware strategies to make money by hacking IoT devices and holding them hostage.
Physical and financial danger
IoT security failures can cause both physical harm and financial loss. Unlike traditional hacks that seek to extract credit card and identity data to propagate identity theft and thus steal money, certain classes of IoT devices can affect a person’s health, as seen in August 2016 when cyber security company MedSec discovered IoT vulnerabilities in pacemakers manufactured by St Jude Medical. Research from Muddy Waters then denounced St Jude to investors, causing potential regulatory action based on patient safety concerns, product recalls and litigation.
Customers are also worried. For example, Forrester’s consumer technographics survey reveals that 64% of respondents are concerned about identity theft when using IoT devices.
Constrained device environments make IoT devices extremely hard to patch. Many IoT devices lack a physical user interface or screen, which makes it hard to notify a user about the need to deploy an update and steps to do so. It may seem strange, but in a handful of years your neighbours will tell you that they’re replacing their refrigerator not because they’re doing a kitchen renovation, but because it contains exploitable, unpatched software.
“People aren’t paying for a development team when purchasing IoT devices,” says one Cisco researcher. “The lifetime of IoT devices is long. If the vendor only maintains it for a year or two, you are left on your own for the rest of the device’s life.”
Privacy a priority
IoT devices generate huge volumes of data that require privacy protection. To develop deep insights into customer context and behaviour, firms must collect and share a broad range of data, which means CISOs need strong privacy controls, especially for data at rest. Customers find it challenging to determine the range and scope of data collected – and potentially monetised – by companies.
Security leaders need to explain that, when collecting data, users must know why it’s collected and what the company plans to do with it. Security should also be prepared to explain the importance of user-centric controls that allow users to manage what data is collected, how it’s used and how it’s shared. Some 67% of security leaders worry about privacy violations emerging from IoT-related initiatives. This presents an excellent opportunity for the chief information security officer to sponsor an informed and empowered user initiative with direct revenue results.
This is an extract of the Forrester paper “The IoT attack surface transcends the digital-physical divide”.