We take a look at what's needed to really secure internet-connected devices
In 2018, a US casino was hacked through its fish tank, a story that has become particularly notorious in the tech industry. There was an internet-connected thermometer inside the tank which was used as an entry point to infiltrate the casino’s entire system to extract its clientele’s data.
This may be an extreme case, but it highlights the dangers that the Internet of Things (IoT) presents. If you decide to connect an object to the internet, no matter how innocuous it may be, hackers will try and turn it into an open door.
The rise of IoT includes lots of different kinds of gadgets, like office lights linked to Wi-Fi and smartphone-controlled coffee machines. Because of this, there have been numerous calls for security to be included in the design of any and all IoT products, ‘secure by design’, and for no default passwords to be used.
With IoT, privacy is also an issue, especially with audio-based devices that can subtly listen to our daily conversations. Amazon’s Echo can do many clever things, but it can also be ‘woken’ by accident and there have been numerous stories where ‘Alexa’ has begun recording by mistake (it has even been used as evidence in a homicide case). There are also concerns around how the device itself is improved, as Amazon employees listen to recordings from Alexa to make improvements to the quality of service.
There is no sign the IoT industry is slowing down, even with the hacking stories that keep cropping up. More devices are accessing the internet every day and IoT’s business use is also increasing. So what can you do to keep your internet ecosystem safe?
A clear and present threat
It would be foolish to think that internet-connected thermostats or other smart devices do not pose a security threat for organisations, particularly at a time when employees are predominantly working from home. The shift to mass remote working has meant that the average 'office' is now full of more internet-connected devices than ever, from AI-powered smart speakers and video doorbells, to phone-controlled light bulbs and robot vacuums.
With employees using their home Wi-Fi network to log onto work devices, having IoT devices on the same network could be putting corporate networks at risk.
That's largely because there has been a lack of security-first thinking when developing IoT products. Take Mirai, for example, a piece of malware that used vulnerable internet-connected devices, such as IP cameras and home routers, to create a botnet that launched a DDoS attack against DNS provider Dyn. This caused large swathes of the internet, including Amazon, Slack, and Visa, to become unavailable across Europe and North America in October 2016.
These IoT-based threats have increased since, and research from Dutch software firm Irdeto found that these attacks cost UK businesses £244,000 on average in 2018.
Daft defaults
The IoT industry is infamous for not prioritising security, especially when it comes to devices in the low budget bracket. Leaving internet-facing device passwords as default leaves the devices, and the networks to which they’re connected, vulnerable to cyber attacks. Hackers can target devices with known default access credentials and launch an attack through what is essentially an open gateway.
Indeed, you might think the blame here falls with the manufacturer. In today’s cyber landscape, consumers should expect their devices to be shipped with ample security provisions to protect them from such attacks. However, the blame can sometimes be passed down to the victim. It presents a difficult question around where the onus of security should be placed – on the manufacturer that makes the device, or the customer who actually uses it.
There is an argument to be made for both sides. Manufacturers could quite feasibly ship devices with unique, complex access credentials making it more difficult for an attacker to brute force their way in using known logins. Alternatively, manufacturers could also ship devices with no set login credentials at all and simply require the user to set their own in order for the device to become operational.
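The second option above, a device that ships with no login and stays inert until the owner sets one, can be sketched as follows. This is an added example, not code from the article or any vendor; the Device class, the default-password list and the length threshold are hypothetical.

```python
import hashlib
import hmac
import os

# Constructed sample of factory-default passwords, for illustration only.
KNOWN_DEFAULTS = {"admin", "password", "12345", "default"}
MIN_LENGTH = 12  # assumed policy value


class NotProvisioned(Exception):
    """Raised when the device is used before the owner has set credentials."""


class Device:
    """Hypothetical device that ships without a login and refuses to run until one is set."""

    def __init__(self):
        self._salt = None
        self._hash = None

    @property
    def provisioned(self):
        return self._hash is not None

    @staticmethod
    def _derive(password, salt):
        # Store a slow, salted hash so a leaked credential store is costly to guess against.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def set_credentials(self, password):
        if self.provisioned:
            raise PermissionError("already provisioned; factory reset required")
        if password.lower() in KNOWN_DEFAULTS:
            raise ValueError("password is a known default")
        if len(password) < MIN_LENGTH:
            raise ValueError("password too short")
        self._salt = os.urandom(16)  # unique per device
        self._hash = self._derive(password, self._salt)

    def login(self, password):
        if not self.provisioned:
            raise NotProvisioned("no credentials exist yet, so nothing can log in")
        return hmac.compare_digest(self._derive(password, self._salt), self._hash)

    def start_services(self):
        # Network-facing services stay off until the owner has chosen a credential.
        if not self.provisioned:
            raise NotProvisioned("network services disabled until provisioned")
        return "services started"
```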
On the other hand, consumers should know that in today’s world cyber threats are everywhere and simply setting a strong password on the devices they use should be part and parcel of owning technology. Consumers are also well-known for being poor patchers, opting to choose the ‘remind me later’ option whenever an update notification appears.
Whatever side of the argument you fall on, the general consensus within the industry is that adopting a ‘secure by design’ approach is the best way to prevent IoT attacks. Vendors should work alongside experts in cyber to ensure every stage of the manufacturing process meets the appropriate standards.
The UK government has funnelled millions into the development of adequate standards and education around security by design principles in recent years and most recently the EU mandated a new directive compelling all device manufacturers to secure their products before shipping to the EU.
Enterprise attack surface evolution
It's clear something has gone wrong in the tech world when your users become the network perimeter and are given the role of blocking threats from infiltrating any further into the network.
IoT devices open up the network to a much wider spread of risk, serving as even more endpoints that need to be secured, while also diluting the resource put aside for the regular, legacy definition of threat protection.
The smart flip-flop
Given what you cannot do to prevent IoT device compromise, what's the flip-side? It's not quite as much of a 'length of string' exercise as the almost infinite variety of devices we are talking about might suggest. And talking of which, that 'built by bean counter' accusation we made earlier will, in fact, start to fall away as vendors see the market opportunity in delivering a secure product.
Expect network segmentation and device-to-device authentication (if not any meaningfully strong data encryption) to sit high in IoT device feature lists.
An eye on the future
Whatever the future brings you must not lose sight, or site for that matter, of these devices. You need to know what devices you have, what they connect with and how they do it.
Visibility is key to securing the IoT as far as it touches your enterprise, and these touch-points are where attackers will be probing for weakness to bridge the gap between device and enterprise infrastructure.
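One way to turn that visibility into a routine check is to compare observed network flows against a device inventory and a segmentation policy. This is an added example, not from the article; the inventory, subnets, allowed segment pairs and flow records are all constructed placeholders.

```python
import ipaddress

# Constructed inventory: MAC address -> (device name, assigned segment).
INVENTORY = {
    "aa:bb:cc:00:00:01": ("lobby-thermostat", "iot"),
    "aa:bb:cc:00:00:02": ("finance-laptop", "corp"),
}
# Constructed segment plan; the subnets are placeholders.
SEGMENTS = {
    "iot": ipaddress.ip_network("10.20.0.0/24"),
    "corp": ipaddress.ip_network("10.10.0.0/24"),
}
# (source, destination) segment pairs the assumed policy permits.
ALLOWED = {("iot", "iot"), ("corp", "corp"), ("corp", "iot")}
# Constructed flow records: (src_mac, src_ip, dst_ip, dst_port).
FLOWS = [
    ("aa:bb:cc:00:00:01", "10.20.0.5", "10.10.0.8", 445),
    ("aa:bb:cc:00:00:02", "10.10.0.8", "10.20.0.5", 443),
    ("de:ad:be:ef:00:09", "10.20.0.77", "203.0.113.9", 443),
    ("aa:bb:cc:00:00:01", "10.10.0.50", "10.10.0.8", 80),
]


def segment_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "external"


def audit(flows):
    """Return (kind, detail) findings: unknown devices, misplaced devices, policy-breaking flows."""
    findings = []
    for mac, src_ip, dst_ip, port in flows:
        src_seg, dst_seg = segment_of(src_ip), segment_of(dst_ip)
        known = INVENTORY.get(mac.lower())
        if known is None:
            findings.append(("unknown-device", f"{mac} at {src_ip}"))
            continue
        name, assigned = known
        if src_seg != assigned:
            findings.append(("wrong-segment", f"{name} in {src_seg}, assigned {assigned}"))
        if dst_seg != "external" and (src_seg, dst_seg) not in ALLOWED:
            findings.append(("cross-segment", f"{name} -> {dst_ip}:{port}"))
    return findings
```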