Consumers, manufacturers and businesses of every size now face the precarious waters of the internet of things. Devices that keep us constantly connected to our personal data and shopping preferences, or that ease the way we conduct everyday life, are becoming more and more common. Everything from doorbells to dishwashers is perpetually connected to the internet and shares information with cloud-based servers. As enterprises adopt IoT devices and manufacturers develop tools for the enterprise market, there is a shared responsibility, from engineers to end users, to ensure that data is fortified against malicious attacks.
According to Common Vulnerabilities and Exposures, the number of reported IoT vulnerabilities nearly doubled in 2017 over 2016, totaling 11,371 new types. A large portion of those are vulnerabilities in web-enabled products designed to simplify and support everyday human functions. Similarly in 2017, researchers and doctors at the University of Arizona College of Medicine demonstrated how vital systems connected to the internet could be compromised and cause human casualties. Notably, any device connected to the internet is vulnerable to hacking without proper measures in place. Insulin pumps, pacemakers, drug infusion pumps and even complex MRI machines are all connected to the internet and were targeted in this demonstration.
Connecting devices within the enterprise might be as inevitable as the rising tide, but it should be done strategically and deliberately. By asking the question, “Does this need to be perpetually connected to the cloud?” organizations can ensure that connected devices are less likely to leak access credentials in plaintext to other devices or servers on the same network. Through user education and network guidance, users should connect devices to the internet only on an as-needed basis. As an added measure, organizations can deploy tools that monitor, prioritize and limit the network resources used by each device to prevent network performance issues.
At the same time, security systems and smart lighting are rapidly being adopted by enterprises. Many of these systems are deployed without current manufacturer updates and firmware patches, which can leak wireless passwords in plaintext when the protocol for adding new devices to the system is bypassed. Even something as innocuous as a fish tank could bring down an entire enterprise. Sound far-fetched? In July, researchers at Darktrace revealed that an unnamed North American casino fell prey to hackers who targeted a “smart” fish tank. The tank was connected to the internet to monitor and report temperature, lighting and water conditions. The hackers used this access point to gain entry into other systems within the network and transfer data to an offsite device before being discovered and locked out by the casino’s cybersecurity team.
Manufacturers and businesses have a responsibility to ensure that in-transit data, from end-user devices to their servers, is secured using strong encryption methods, including peer-to-peer encryption when applicable. Beyond that, a solid mitigation strategy includes regular penetration testing each time new code or hardware is introduced into the product. Patches and updates for third-party code should also be closely monitored and applied on a regular basis. And finally, having a solid vulnerability reporting and response strategy will ensure that when a bug is reported, there is also a clear path to mitigation or remediation.
Ultimately, the shores of IoT security do not end with the product manufacturer. IT security teams and end users have a responsibility to follow security guidelines and adhere to regular patch management strategies. Constant vigilance in monitoring end-user activity, regular system scans for unrecognized devices and patch management of firmware are of the highest priority. Many organizations that set sail on the oceans of IoT need to accept an increase in investment dedicated to strengthening security initiatives. If your company’s reputation hinges on your ability to ensure the security of your customers’ personal data and livelihood, consider hiring a qualified security team or consultants who are well-versed in IoT infrastructure guidance.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.