Security is one of the greatest threats facing any business today, and this threat is compounded for companies producing, supporting or leveraging connected devices. Data transmission between devices can drive tremendous efficiency increases, from supply chain automation to software updates, to self-monitoring, self-adjusting and self-optimizing smart systems. But these useful interactions also create potential new attack points for malicious entities.
The current state of device security leaves much to be desired. Many devices on the market today are designed for convenience, not security, and as a result can often easily be penetrated. For one, manufacturers — particularly startups forced to deliver for investors — often prioritize functionality and speed to market over robust security testing or firmware development. Compounding vulnerability is the fact that many manufacturers fail to properly secure devices against threats because they are looking to minimize costs and maximize profits and because consumers aren’t asking for it (because they often have no idea of the risks).
A study by HP found that 70% of the most commonly used IoT devices contain vulnerabilities, including password security, encryption and general lack of granular user access permissions. The study also found an average of 25 distinct vulnerabilities per product. In another study, HP found that 100% of devices used for home security contain significant vulnerabilities, including password security, encryption and authentication issues. The problem is that manufacturers fail to design devices with robust protections against malicious code or the capabilities to be easily patched. But the problem is far from a device-only problem.
Securing devices means securing systems
Because any connected device inherently connects to one (usually many more) other nodes on the network, IoT security is a function of identifying and constantly mitigating risks across the entire technological stack and associated ecosystem. From devices, gateways and firmware, to software and applications, to networks and networking technologies to people, both nodes and connectors face a variety of vulnerabilities. Indeed, threats and losses can take numerous forms:
- Hacking, breaches, theft, cyberintrusion of devices, networks, private and public services, individuals, transportation mechanisms, infrastructure
- Nefarious use, manipulation or exploitation of data, device identity, assets, rules, features, services, workflows, system upgrades, etc.
- Disruption of features, services, functions, safety mechanisms, identity authentications, etc.
- Use of surveillance leveraged (by hackers, foreign states, terrorists, domestic law enforcement) for nefarious purposes
What manufacturers, service providers, and yes even consumers must understand is that the strength of any connected system is beholden to its weakest point.
Hackers often deploy brute force tactic wherein software scans device credentials for factory password settings (e.g., 1111, 1234, admin, password, etc.) or for out-of-date firmware. Since many users never bother to change factory passwords, their devices are vulnerable. When the software detects vulnerable devices, it infects them with malware and directs them back to a central control system where the hacker or group of hackers directs DDoS attacks by using the botnet to overwhelm or “flood” a site with hits. This is what causes sites to go down or run slowly à la the Mirai botnet attacks which took place in October 2016. Sometimes devices themselves are then turned into actors scanning for other vulnerable devices. This is but one illustration of how and why systems introduce widespread vulnerability to IoT architectures.
Tangible actions we can all take
Cybersecurity is tricky because it not only expands in scope, but also evolves in sophistication as one attack offers insights and optimizations for future attacks, and as malicious code itself is shared on the internet. The good news is there are a variety of actions we can all take to work towards greater overall security. Some are simpler and more immediate than others, but all are essential to rising the proverbial tide of security protections, a tide which lifts all boats.
- Change passwords regularly; use sophisticated passwords
- Change passwords to multiple devices
- Turn off unwanted features
- Upgrade devices
- Periodically wipe or backup sensitive data
- Encrypt data, use security software, anti-theft GPS, beware of public Wi-Fi
- Be aware of devices’ processing power (e.g., cameras, microphones in particular; some computation, storage, processing limitations)
- Consider more vulnerable users (children, babysitters, elderly, etc.)
- Prioritize vendors that are proactive in return, demand security by design
- Safely dispose of personal information before disposing or selling devices
- Be proactive
Consider software or hardware services too. The Bitdefender Box, for instance, plugs into in-home internet routers and constantly scans users’ networks and the websites for potentially harmful software or viruses.
Manufacturers and service providers can:
- Prioritize security and privacy in the design of their products (e.g., security software written into device functionality plus ongoing security updates)
- Provide clear, easily accessible and consumable privacy and security communications, support and tools
- Encrypt and authenticate device and software communications by default
- Alert and even require users to regularly change their passwords and upgrade their devices (with security software updates)
- Provide security monitoring and constantly monitor device network for anomaly behavior; identify suspicious cross-bound and outbound activity originating from devices
- Isolate suspicious devices, notify owners, urge them to take action
- Include security services in device offering
- Offer offline or non-cloud backups to support device functionality if connectivity is disrupted, especially for devices impacting user safety
- Be aware of and apply the strongest industry standards for security
- Educate decision-makers, employees, support staff, field agents and consumers of the risks and mitigation tactics
- Be more restrictive, less permissive by default
Consider taking an assessment of your organization’s position and requirements around personal data protection.
Questions we should all be asking:
- How is device data stored and accessed, and with whom is it shared?
- How does our device data generate personally identifiable information? How must we rethink PII when combined with other data sets?
- If data is compromised or lost, what first- and third-party liabilities arise? Who is accountable and how are protections enforced?
- Who is liable when a device malfunctions because of penetration (nevermind defects) in its software design? How must this be accounted for in critical devices like cars, security devices, electricity systems, etc.?
- How are shifting political and regulatory landscapes altering protection requirements and/or doing away with them altogether? (E.g., Europe’s Global Data Protection Regulation coming in 2018)
As connectivity and, increasingly, software intelligence infuse the objects around us, responsibility falls on all shoulders. While data ownership remains an unresolved question and business model lever, it is in everyone’s best interest to take responsibility to mitigate risks by taking action.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.