The Internet of Things: The security crisis of 2018?
Manufacturers must pause in their race to join the IoT gold rush and think about security standardisation
The infinite possibilities and potential applications surrounding the Internet of Things (IoT) have been well-hyped over the past few years, but the technology is at a tipping point in terms of adoption as we head into 2018.
IoT, the ability of everyday devices to connect and transfer data to each other, is already carving out a place in the consumer market, with devices like smart home locks, thermostats, lighting and energy monitors.
The latest research also claims that 29% of organisations have already implemented IoT solutions, and this is expected to surge to 48% in 2018, as businesses are increasingly sold on the cost-savings and the productivity-enhancing benefits of IoT.
But with the IoT bandwagon rushing full steam ahead, few vendors or customers are pausing to consider the enormous security risks associated with the devices. The influx of additional entry points into an organisation’s network, plus a current lack of security standards for IoT devices, means there is a gaping hole in the perimeter of any home or business that has installed IoT devices.
Consider the operating systems for such appliances. How do you upgrade the OS in a wall-mounted air conditioning unit that’s connected wirelessly? Or a smart light bulb? If you can’t upgrade an operating system, how can you attempt to patch any vulnerabilities?
Then, when you are hacked (and it is when, not if), where does that leave you? You now have a ‘dirty’ corner of your network and all it takes is for another hacker to connect to that ‘dirty’ corner to repeat the process. It’s a case of vulnerability after vulnerability. By 2020, it is estimated that 25% of cyber attacks will target IoT devices.
Worryingly, however, a recent survey by price comparison website MoneySupermarket indicates UK consumers are aware of the perils associated with IoT devices – but the apparent convenience, security and cost-saving benefits appear to outweigh the risks.
The research shows more than three-quarters of UK consumers are fearful of connected home technology, citing concerns about hacking and unapproved data collection. But the same survey forecasts that there will still be 25-30 billion devices worldwide by the early 2020s.
Another study revealed that 54% of IoT device owners do not use a third-party security tool to protect their devices from outside threats – and more than a third (35%) don’t change the default password on their devices, leaving them vulnerable to attacks. An astonishing and worrying failure.
Even 2016’s high-profile Mirai attack doesn’t seem to have caused either manufacturers or consumers to stop and consider the security implications. Mirai used IoT devices to mount wide-scale distributed denial of service (DDoS) attacks that disrupted internet service for more than 900,000 Deutsche Telekom customers in Germany, and infected almost 2,400 TalkTalk routers in the UK.
The current IoT landscape can be compared to the early days of the internet, when viruses, worms, and email spam plagued users. Many companies raced to join the internet ‘gold rush’ without necessarily considering the importance of internet security.
It’s not overly dramatic to say the same is true now. The priority for IoT device manufacturers is the time it takes to get to market and the potential revenue. But in 2018 and beyond, we’re talking about devices that could potentially wipe out organisations and cities, and even pose a threat to human life, if they fall into the wrong hands.
It’s not difficult to imagine a point five years into the future when organisations will be forced to change the makeup of their network security, with very steep rises in their security costs. Firms may need to double or treble their IT security budget, just to protect against the threat from wireless light bulbs and thermostats.
These are clichéd examples, but there will be essential applications that organisations will use IoT for, including managing heating across locations and financial transactions. IoT will also be used in manufacturing, where devices operating in a machine-to-machine (M2M) environment, without underlying security, have the potential to cause security breaches.
So, what can be done to address these obvious security flaws before too much damage is done?
First and foremost, technology vendors should band together to make the case for security standards that can be implemented around business-deployed IoT devices. Standards could include certification, so the user knows a device is trusted. If a device is deemed insecure, it can be recognised as such, its certificate withdrawn and the appliance isolated.
Currently, the only option for untrusted devices that can’t be securely upgraded or defended in situ by additional security devices is to find them and tear them out. And, as they become increasingly embedded in an organisation’s network and systems, the cost of ripping these devices out could be up to 100 times the cost of the device in the first place.
IoT manufacturers need a call to action, to consider the consequences of their actions today.
In 2017, the United States proposed a new bill that would introduce standards for IoT devices purchased by the US government. The Internet of Things (IoT) Cybersecurity Improvement Act of 2017 would require IoT vendors to ensure the devices can be patched when security updates are available; that the devices do not use hard-coded (unchangeable) passwords; and that devices are free from known vulnerabilities when sold.
This is a huge step towards forcing developers to take IoT security seriously in the future. In Europe, the European Union Agency for Network and Information Security (ENISA) has called upon suppliers, developers, industry associations, regulators and academia to come together to exchange viewpoints and ideas on cyber security threats, challenges and solutions.
In a position paper the group declared there is currently “no level zero defined for the security and privacy of connected and smart devices,” no legal guidelines for IoT device and service trust, and no “precautionary requirements in place.”
There is some evidence that the UK Government, through the implementation of its five-year National Cyber Security Programme (NCSP), is looking to work with the IT industry to build security into IoT devices through its ‘Secure by Default’ initiative.
Earlier this year, a project team within the Department for Digital, Culture, Media and Sport (DCMS) was established to drive this project, with the aim of tackling the issue at the point of manufacture of the software and hardware.
In 2018, standardisation on IoT devices is a must. It is essential that devices are secure by design, rather than having security included as an afterthought. The failure of any business to co-operate on a joint plan now to protect themselves is incomprehensible. If they don’t, they are sleep-walking into a security crisis.
Sourced by Ian Kilpatrick, EVP Cyber Security for Nuvias Group