iconimage - Fotolia
There are many narratives relating to the internet of things (IoT), and while definitions of what exactly the IoT is abound, one thing is certain – security is an afterthought.
Of particular concern is that in the very design and utility of the smart devices making up the IoT, suppliers often take a stance that rejects some of what security specialists consider to be fundamental or key safeguards.
There is much to be said about IoT-related risks, but for those organisations using smart devices – which is a large number – the biggest risk is not realising they are at risk.
There have been many data breaches where smart devices are targeted, and even the compromise of systems where safety is a key concern.
The key risks associated with smart devices are that security needs are not considered; they are difficult to secure; they pose a data exfiltration risk; they are often overlooked for security patches; and remote access is easy and readily accepted. These risks are discussed in more detail below, along with some suggestions as to how they might best be managed.
Security needs are not considered
Security specialists are generally not consulted in the procurement of smart devices, as these buying decisions tend to focus on business needs. Even worse, large numbers of insecure smart devices may be procured and implemented without a second thought given to the risks they may pose.
These smart devices are increasingly networked, thereby presenting potential attackers with a direct route to an organisation’s most critical systems and valuable business and personal data.
Suggestion: Ensure security and risk are considered as part of any procurement of even the simplest smart device.
Difficult to secure
Typically, smart devices purchased by any company do not allow sufficient access to native operating system security features. This means security professionals have a limited set of security features to work with. In some cases, there may be none at all. For example, it is difficult to securely configure a smart fridge when it does not have a screen or keyboard.
Suggestion: Only purchase smart devices that can be fully secured in line with your organisation’s formal risk appetite and security policy.
Data exfiltration risk
Sceptics may suggest the rush by suppliers to make all systems “smart” is about exerting control over their customers’ data. While this is another subject altogether, it is clear that a major reason why smart device suppliers require their offerings to be networked is because they wish to exfiltrate valuable usage data – and sometimes other information too.
It is important customers fully understand what data is being exfiltrated and that a positive acceptance is given, ideally prior to first use. Often, business leaders will be surprised and shocked and certainly may seek advice on ways to prevent certain data exfiltration because it may be seen as unauthorised profiling and anti-competitive.
Suggestion: Do not assume data exfiltration is not being performed or is part of a light-hearted or innovative programme of customer service improvement. Read the terms and conditions and ask the company’s network specialists to check what data is being exfiltrated to determine the risks to the business.
The use of business computers has seen the meteoric rise of the security update. While it may be frustrating sometimes, most people realise and appreciate operating systems and application code may contain vulnerabilities, and that the application of updates to address these issues is critical.
Enter the not-so-smart, smart device, with its insecure embedded operating system and associated software, which is all too often devoid of patching functionality. In addition, many smart devices are supplied with out-of-date and vulnerable operating systems and software.
Suppliers are known to have internal wrangling between those who recognise the problem and want to ensure their devices are patched and their less responsible counterparts who do not want smart devices to be updated because they see it as lengthening the time to replacement.
Suggestion: Do not purchase smart devices that do not have simple and effective security patching functionality.
Remote control is a “feature”
Strangely, while suppliers see little need for security patching, they are often quite happy to enable remote access to smart devices by default. Even if this is not evident via the smart and simple to use customer interface, it is highly likely that a process is running in the background ready to welcome any attacker.
Other standard security features, such as firewalls and anti-malware features, are often missing, and with the risk of processes running with privileged access, some smart devices may offer a playground of fun to hackers. Even if a smart fridge is not where you keep your business data crown jewels, it may still be an important stepping stone into your corporate networks.
Suggestion: Ensure remote access is disabled or blocked and only enabled when absolutely necessary – do not rely only on authentication controls.
It is clear there is an awful lot to do when it comes to addressing the cyber risks that the use of smart devices introduces to businesses and consumer households alike. Currently, it seems that from a security standpoint, the IoT represents a retrograde step in cyber risk management.
At present, the picture is a little bleak. The price point at which many smart device suppliers are operating leaves little margin for radical improvements in security. Often the cheapest version of operating system and shareware is the preferred system.
The application of stricter security requirements in procurement will at least begin to change supplier mindset. We need to do this quickly, before the huge explosion of the IoT gives us a legacy of cyber risk that will take many years to address.
Neil Hare-Brown is chief executive at Storm Guidance.
Read more about IoT security
- Symantec expands its portfolio to include embedded critical systems protection to protect internet of things devices.
- The growing threat of the internet of things is quickly becoming a reality as new attack methods emerge.
- The Engineering and Physical Sciences Research Council is to run a contest to develop a research hub to explore the security issues around the internet of things.
- Security threats from the IoT have yet to reach wide public perception, says the chief information security officer at GE Europe.