Stuart Clarke, Director of Cybersecurity and Investigation, at Nuix, writes that the internet of things (IoT) promises huge benefits for making daily life easier. But as we know, he says, anything connected to the internet can be hacked, and the more connected devices we use, the bigger the threat landscape grows.
It’s not just our smartphones and PCs that are targets, but now even our homes, cars and medical devices are at risk. For example, an attacker might disable a car’s on-board computer and hold the owner to ransom for payment to re-enable. Let’s not forget devices such as fitness monitors that capture location and biometric data — if that data is not secure, you could be under constant surveillance. Perhaps one reason there haven’t been widespread attacks on connected devices is that hackers are making plenty of money in easier ways, such as ransoming PCs or stealing credit card numbers. But the more people use IoT devices, the more targeting these devices will have value to attackers. While the diversity of connected devices means launching a huge killer blow against the IoT ecosystem is not without challenges, there are still significant risks to end users.
Diverse range of devices
The IoT market is complex, with a huge number devices competing to find a niche. The vendors supplying the software that runs these devices have a tough task working effectively on vastly different sets of hardware and firmware. From a cybersecurity perspective, this can be a positive. A lack of standardisation means the potential scale and impact of a cyber-attack against connected devices in a home or business is limited.
In a traditional office computer network, you will have a few different hardware configurations and a core base of operating system and software. The desktop operating system will most likely be Windows. The server operating system will probably be Windows, a common Linux distribution, or both. If there’s a web server it will more likely than not be Apache or IIS. The advantage for cybercriminals is that this software is used in millions of global businesses, and the vulnerabilities and exploits are well known. If you’re choosing to attack a particular organisation, there are likely to be plenty of ways in. Or if you’re using a particular exploit, it’s going to work in lots of different places. By contrast, the IoT environment is made of countless different devices. This makes them hard to attack en masse. Or if an attacker is targeting a particular person or location, they will have to find out what kind of devices are in use and hope that they can identify vulnerabilities. This diversity can also be a problem for the IT administrator. If a vulnerability such as Heartbleed is discovered in a core communications component, how can you rapidly deploy security fixes or patches to so many disparate devices?
Emerging standards
The manufacturers of some connected devices recognise the vast security challenges they face. There are efforts underway to develop base protocols, software development kits, and open application programming interfaces. Many are standardising around the cloud and the platform-as-a-service web applications model. These developments will certainly aid the growth and scale of IoT, however it creates new sets of problems. Cloud solutions are still fraught with privacy and security issues. Connected devices, combined with cloud architecture, will be a further source of data over which there is no real governance. More data means less control. We should also consider that the internet was originally designed to share information, not to deliver control and monitoring. As a result many current networking infrastructures cannot cope with the IoT ecosystem and require a rethink.
Lessons from the past
History has shown that security is an afterthought with emerging technologies. We’ve seen vendors releasing new software as fast as possible and then fixing the apparent flaws later. When it comes to IoT, vendors often use out-of-the box software components without any security hardening, relying on users to change default passwords and provide other security protections. And attackers are already exploiting this. A prominent example was the Linux Darlloz worm, which infected more than 31,000 devices including security cameras and set-top boxes. Because the IoT is largely made up of devices costing less than $100, the ROI for investment in securing these systems is small. But vendors need to ask themselves if they can afford not to? While the threat of a mass IoT attack may be low, the risk to personal safety can be huge. While there is currently a lack of regulation in this area, there is still a risk of expensive litigation. In light of these risks, the “develop first, secure later” approach is simply not sustainable. IoT implementers should be considering cybersecurity from the outset using appropriate risk management strategies. Let’s hope the industry will take the cybersecurity lessons from the past and apply them to the future of IoT.
