Security risks of the IoT

In the internet of things, cybersecurity is everything-security

Over the last few years, one of the major success stories in consumer technology has been smart speakers and the various digital home tools that can be controlled through them.

Connecting devices to the Internet is not, however, anything new. In fact, the first Internet-connected device may have been developed at Carnegie Mellon University in the early 1980s, when a team of academics – tired of walking to the campus drink vending machine only to find it empty – wrote a programme to monitor its status. With that, in the earliest days of the Internet, for the sake of convenience, the Internet of Things (IoT) was born.

More devices, more threats

What is new is the richness in the data that connected devices are sending to and pulling from the Internet.

It was recently reported that the smart speaker penetration rate in the UK has now passed 20 per cent of households, from just 1.4 per cent at the end of 2016. These devices will typically be associated with user accounts that hold personal data such as payment details, home and office addresses, and calendars in order to give them the data they need to usefully operate.

More and more, consumers are also expanding their home networks to include heating, lighting, physical security, and other household basics, giving them the same kind of always-on control of their physical environment they have come to expect from their digital environment.

While this trend clearly offers a lot of promise in terms of ease and efficiency, it also amounts to a significant potential threat vector from a cybersecurity perspective. Whereas unauthorised access to the Carnegie Mellon vending machine would lead to, at worst, a third party knowing how many chilled drinks it contained, unauthorised access to a smart speaker leads to a much more troubling set of potential outcomes, from identity theft to remotely unlocking doors.

Commercial IoT

This threat, magnified to an industrial scale, is also present in commercial IoT adoption. Across industries, businesses are adopting IoT approaches, for reasons similar to those of the consumers using smart home technology.

Monitoring, analysing, and controlling physical assets automatically, as well as in real time, can be a means to deliver everything from increased safety and efficiency to decreased overheads and downtime.

IoT in manufacturing plants might identify production bottlenecks and scale processes up or down accordingly; IoT in energy networks might accelerate response times to emerging issues and so avoid blackouts; IoT in healthcare might give medical practitioners insights which would be prohibitively expensive to acquire otherwise.

Increasingly, in fact, it seems that IoT is becoming the very nature of many activities, rather than merely an additional feature which can be added on to them.

Skimping on security

With this profusion of connected devices in mind, it is therefore alarming that – as the most recent findings from the Neustar International Security Council showed – fewer than half of cybersecurity professionals have established a plan for if, or when, their IoT networks are compromised.

In a survey of cybersecurity professionals, the research also found that 48 per cent of organisations had experienced a cyberattack on their IoT equipment in the year-to-date, while just 27 per cent were ‘very confident’ that staff would know how to respond to this kind of attack.

The rollout of IoT technology is creating a new, and significantly larger, attack surface for malicious actors looking to breach businesses’ cybersecurity. Whereas previously a company or institution might have had to consider their staff’s computers and mobile phones, along with any mainframe computing capacity, when designing security policy now we face a reality where every security camera, delivery vehicle, and plug socket is a potential point of access for an attacker.

This, together with the increasing value of the data which might be lost or stolen in an attack, means that cybersecurity professionals must race to respond to IoT-enabled dangers.

The issue here is compounded by the fact that IoT devices, more often than not, are themselves built by third party vendors.

Even where a business has extensive oversight of the design, manufacture and installation of its equipment – as may be the case in a heavy manufacturing plant – components such as modems which are required to connect that equipment to the network will be sourced from an external manufacturer. It can therefore be incredibly difficult to understand what security measures are actually built into an IoT device, and how effective those measures might be.

IoT and trust

For me, cyberattacks which are performed via IoT technology represent part of a new frontier for cybersecurity where the principle damage at hand is not financial loss from lost productivity and data, nor the legal repercussions of failing to meet the security standards established by governmental legislation, but the much broader ability of attacks to generate mistrust.

One of the key places where IoT technology is being implemented is in smart city initiatives. Like the smart home on a grand scale, smart cities are making our built environments digital, promising a better, more efficient way of managing our increasingly crowded public spaces.

The potential risk of this, however, is shown by events like the recent ransomware attack on the city of Johannesburg. There, a hacker group compromised the city administration’s network, with its sensitive data on Johannesburg’s citizens, and demanded ransom in return for leaving that data safe and unreleased.

With the ransom note stating that ‘[we] have control of everything in your city,’ the administration had no choice but to take systems offline, which – in today’s Internet-reliant world – means not just that residents couldn’t get information, but also that they couldn’t make key payments or access vital services.

As cities bring more of their infrastructure onto the network, the potential for attacks like that on Johannesburg will only increase. Banks and financial services, likewise, can suffer compromises with wide-ranging, real-world consequences, while for healthcare the outcomes can more directly be a matter of life and death.

Clearly, the damage to public trust in the systems they rely on can potentially last far longer than the attack itself.

Responding to the IoT threat

The risks generated through the adoption of IoT devices based on third party technology mean that, now more than ever, businesses and institutions must act as though a breach will at some point happen, as well as labouring to minimise its likelihood.

Putting an organised, cohesive security strategy in place which considers the full extent of the network is an increasingly difficult challenge. That said, it is a vital countermeasure – as is a rapid-response system for applying security patches to existing hardware. Nonetheless, large networks should also be preparing for the worst by identifying and encrypting important data, limiting the damage which an attack might inflict in anticipation of its occurrence.

Meanwhile, over the festive period, citizens in the UK and elsewhere will have acquired millions more consumer IoT devices – not just smart speakers and smart home technology, but also smart watches, activity trackers, intelligent headphones, and all manner of life-enhancing tools besides.

Where these devices come into contact with institutional networks – on the office Wi-Fi, for instance – those institutions must now take a zero-trust approach, treating devices as dangerous until proven otherwise.

While those devices are in the home, on the other hand, let us hope that the companies building them have taken the proper steps to ensuring security at every level, before disaster strikes.