The Internet of Things (IoT) has been the subject of industry analyst, and tech-media, excitement for just about forever. From an IT security perspective, cyber-criminals must be rubbing their hands together in excitement when they read that the US Federal Trade Commission estimates there now to be twenty-five billion devices online, with separate HP research stating that that 70% of IoT devices are insecure. And as such, there are a number of IoT risks that corporate IT departments, and consumer users, need to consider and address.
- IoT devices are as unsecure as you let them be. There might not be sufficient security functionality embedded within the IoT device, due to a lack of local resources or capacity. This will of course change over time, but for now it needs to be addressed and security might instead need to reside within the web service in front of the device. IoT vendors must do more to build security into their products; and corporate IT departments and consumer customers need to vote with their wallets and put security over convenience and price when buying IoT devices. Cheap, ubiquitous, and insecure IoT devices are ultimately the cyber-criminal’s best friend.
- IoT devices are entry points to corporate networks. Poorly secured IoT devices, on a corporate network with known, or easily guessed, passwords and passcodes, are the perfect entry point for cyber-criminals. If the device is a router or another kind of control or network device, then it’s even better for criminals because they can modify the firewall and other network services to their nefarious ends. And even if the IoT device is deemed a risk-free end-point, for example an internet-connected fridge, there are potential exploits because internet-connected white goods still have susceptible functions such as sending emails. So corporate IT departments, and consumer users, need to lock down their IoT devices – locking down admin rights and changing default passwords, adding in as much complexity as possible. There is also the need to think about defense in more depth, putting IoT devices on a firewalled, and possibly non-routable, network.
- IoT control devices can be hijacked for criminal activity. Medicine is an exciting opportunity for IoT, not just for passively collecting patient observations but also controlling medical devices, in real-time, in response to collected observations. Imagine a heart-monitor constantly sending heart data to a system that analyzes it, along with blood oxygen levels and other data, and decides to modify one of the control units – maybe to deliver a drug to the patient. In the wrong hands, this set up could be a death-dealing device. Access to other IoT devices can offer cyber-criminals control over your life, especially keyless entry systems for your house, garage, gate, or car that can be cloned to give the criminal physical access. Only choosing IoT products with proven security credentials, which are likely to cost more than the weak ones, is essential as is the ongoing secure installation and management.
- Convenience and price is put ahead of security. IoT device vendors might want to give consumers an Apple-like experience, of simplicity and convenience, or they might want to compete based on price. Both strategies can be at the expense of security. Plug-and-play without configuration should not be possible – there needs to be some configuration by the consumer because they at least need to program the IoT device with a passcode or password that only they know. If you can just plug a device into your corporate or home network with no configuration, then you have likely unwittingly created an opportunity for a cyber-criminal.
- Forgotten IoT devices are secret doors to your network. People, especially corporate IT departments with huge asset estates, can forget about older or unused devices, and some of these devices will be IoT-enabled. These devices might not be monitored or maintained but they will remain on the network and will potentially become risks over time; as security exploits are found and patches produced, these forgotten IoT devices will never be patched. Once an attacker finds such a device they will find a way to hijack it.
So while the IoT offers a great deal of business and consumer-world opportunity, both corporate IT organizations and home users need to ensure that they are aware of, and mitigate, the risks associated with IoT devices.
[su_box title=”About Sarah Lahav” style=”noise” box_color=”#336588″]
SysAid Technologies’ first employee, Sarah is now CEO and a vital link between SysAid and its customers since 2003. As CEO, she takes a hands-on role evolving SysAid with the dynamic needs of service managers. Previously, Sarah was VP Customer Relations at SysAid and developed SysAid’s Certification Training program, advancing the teaching methods and training technology that is in place today.
Sarah holds a B.Sc. in Industrial Engineering, specializing in Information Technology from The Open University in Israel, and spends her free time with her three beautiful children.[/su_box]
CEO, SysAid Technologies
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.