A World of Data
One in five people now use a health wearable of some form. Users can now collect data about sleep patterns, exercise routines, heart rates, and calories consumed. Data of all sorts can be collected every day, quickly, easily, and as frequently as desired. Aggregated by dozens of individual devices and analyzed by centralized cloud-based applications, these raw measurements can be transformed into actionable insights to help users live healthier. Such is one of the many great things being made possible by the Internet of Things (IoT).
More of a concept than any particular set of hardware or software, the IoT can be implemented in information systems across many industries. In its 2016 report, Verizon estimates that the market for the IoT is $591.7 billion and growing rapidly. Cisco projects that there will be more than 24 billion internet-connected objects by 2019. The McKinsey Global Institute predicts that the IoT will have an economic impact of $3.9-11.1 trillion by 2025.
The rapid expansion of the IoT, while enormously beneficial, also brings a host of new security challenges. To remain secure and safely reap the rewards of this evolving technology, all stakeholders, from manufacturers to end users, will have to contribute.
Cybersecurity Implications
The IoT describes a connected network of devices or everyday objects that can generate, exchange, and act on data with limited human input. Its basic components are data collection via in-device sensors, data transmission from devices to the cloud, and data analysis via cloud-based services.
Data Collection
Data collection starts with individual devices through sensors that gather information from a device or the environment. These sensors can take the form of any instrument that measures data, from thermometers measuring the temperature of meat on a grill to GPS units pinpointing your location in traffic. Machines at this level of the IoT network are typically referred to as end nodes, for they are the dispersed points from which data is collected and funneled into centralized databases.
The use of IoT end nodes is growing rapidly. A problem arises, however, from the fact that many of these devices are not manufactured with network security in mind. As a result, end nodes are often left vulnerable to breaches. A big point of failure stems from their processing power, which is generally low. This usually means data collected is not stored behind a firewall and is kept in a readily accessible plaintext (unencrypted) format. Adding to this vulnerability from the manufacturer is an even more basic problem that is largely the fault of the user—password security. Login and password details are factory set, are rarely changed before devices are connected to the internet, and are thus highly vulnerable to password cracking.
These kinds of vulnerabilities make end node security perhaps the weakest point among the possible attack surfaces of the IoT—and hackers are taking advantage. Last month two exceptionally large DDoS attacks were launched against the popular online blog KrebsOnSecurity and French hosting firm OVH. A series of attacks — powered by a network of tens of thousands of hacked IoT devices (CCTV cameras, routers, and DVRs) secured with default passwords — launched rounds of 620 and 800 Gbps bogus traffic at each firm, respectively, temporarily grinding both of their operations to a halt.
Data Transmission
What makes the IoT a marvel is its ability to collect data from billions of endpoints, analyze it, and churn out actionable insights. Key to this process is the transmission of data from endpoints to the cloud. Naturally then, this stage is also rife with security vulnerabilities.
IoT data flow from devices to the cloud via Wi-Fi, Bluetooth, or a cellular network. Like any form of traffic, this flow of data always runs this risk of being unintentionally diverted. Remember that because of the low processing power present in most IoT devices, CPU and RAM-intensive features like firewalls typically aren’t present.
Without firewalls to police inbound traffic smart devices are vulnerable to port sweeping scans by hackers looking for easy prey. In simple terms, ports are the locations within a device where incoming information from the internet or other devices is sent. When IoT devices are manufactured, they are typically given a standard port number, just as with default passwords. Numerous programs exist to aid hackers in scanning the internet for these standard open ports and finding the IP addresses of particular devices. Armed with these two points of information, skilled hackers can begin the process of deciphering login information and breaking into your device.
Outward communications are also troublesome due to a general lack of encryption on smart devices. Data sent in plaintext from sensor to the cloud are subject to interception and more often manipulation by hackers. To illustrate, at Defcon’s 2015 hacking challenge a team of participants was able to launch a man-in-the-middle attack against Samsung’s model RF28HMELBSR smart refrigerator. By intercepting traffic from the device, which actually did employ SSL encryption but failed to properly validate SSL certificates, the hackers were able to monitor activity to determine the username and password information used to link the refrigerator’s display to a Gmail account.
The receiving end of data transmissions, or the web interfaces to which sensors communicate with the cloud, are also of concern. Numerous technical vulnerabilities exist and are often overlooked by manufacturers. Among the most prominent are: weak password recovery mechanisms, susceptibility to cross-site scripting, SQL injections, cross-site request forgery, lack of account lockout controls, and lack of strong password requirements. When things go wrong at this stage the results can be disturbing. In one example, the software for the web interface of a remote baby monitor produced by Foscam had authentication flaws that resulted in hackers being able to take over control of the camera and its audio, and in one strange case, yell at babies.
Data Analysis
For the IoT, the cloud is where the magic happens. Terabytes of data coming in from billions of connected devices on different systems around the world stream in to cloud-based services to be processed for insights. Naturally, these treasure troves of data are attractive targets for hackers like nation-state groups or black market profiteers who see the big data analytics opportunities presented by such vast collections of information. Recent years have seen numerous examples such as the Office of Personnel Management and Anthem breaches announced in 2015 and the Yahoo breach revealed last month.
At this level of the IoT security concerns include traditional corporate-level network security considerations. Security measures typically include robust encryption, network segmentation, least-privilege access protocols, multifactor authentication requirements, and proper backups— among numerous other basic network architecture considerations.
Engaging Stakeholders
Given the myriad problems, what can and should be done to improve the IoT’s security? Any solutions adopted will ultimately be most effective if, and only if, the IoT’s varied stakeholders take steps to become more aware of the dangers that exist and close obvious security gaps.
Manufacturers will have to implement stronger security standards as the first line of defense against hackers. Future smart devices should be designed with an easy, convenient way to receive regular software updates as quickly as possible once new threats are discovered. For better security, research needs to be done that will eliminate the tradeoff between processing power and security. This will allow much needed features like firewalls and encryption to protect the data on these devices and the data that transmit between them.
To stay secure, organizations allowing use of IoT devices within their offices will need to be diligent and proactive when creating security measures for their employees. Think smart password policies, multifactor authentication, and properly segmented networks for starters. From there consider adding multiple layers of complexity to security defenses and mandated cyber awareness training and drills. This is especially true when the IoT is used in large public services or critical systems, like national energy grids or traffic control systems.
When it comes to the individual user, applying the same best practices for personal computing to your IoT security is all that’s really needed. Don’t stick with factory defaults when it comes to password and port settings. Hedge your security settings with fail safes like multifactor authentication. If you’re storing important data on a cloud service, be sure to frequently backup your data backups, just in case. Always stay up to date on software patches. Doing all of these steps won’t guarantee your safety, but will dramatically shrink your risk exposure. Barring advancements in security technology from product developers, also consult a technology expert on ways to bring your various IoT devices under the umbrella protection of security devices like firewall and antivirus used by your personal computer.
IoT is likely to pop up all over. Systems will be connected in unprecedented ways, presenting new security challenges. As we know, industry will not slow down because of potential vulnerabilities. We must keep up. It will take a collective effort to ensure robust IoT cybersecurity, but it can be done.
