The Internet of Things (IoT) is proving revolutionary in how we engage with technology. Earlier this year, analyst firm Gartner made the prediction that by the end of 2017, 8.4 billion “things” would be connected to the internet worldwide, an increase of 31% from 2016.
These days, everything is connected to the internet; from fridges and smart televisions at home, through to security cameras and even cars at work. Even light bulbs are now controllable through an application on your phone and your wireless connection.
The benefits of the IoT are significant. Through the IoT we gain great control over our technology environment. Whether we’re able to use it to save money, in terms of cutting power bills by remotely accessing air conditioners, lights and so on, or in helping to keep our offices secure by watching security camera feeds from everywhere, the IoT takes the already ubiquitous technology that we all live with, and takes it to the next level, to make technology a seamless part of our day-to-day lives.
But there are serious security considerations and risks that we need to be aware of, as well. A study found that IoT devices have serious security vulnerabilities, more often than not. In fact, a full 70% of IoT devices are easy to hack, and this is something that we need to talk about, because with people using IoT devices for everything now, this means there are serious potential risks that people need to be prepared for.
The case of the hackable car
Perhaps the most frightening way to highlight the risks of IoT is to show how easy it was for hackers to take control of a person’s IoT-enabled car – while they were driving in it.
Sharing the details of the attack on Wired, the victim said: “As the two hackers remotely toyed with the air-conditioning, radio, and windshield wipers, I mentally congratulated myself on my courage under pressure. That’s when they cut the transmission.
“Immediately my accelerator stopped working. As I frantically pressed the pedal and watched the RPMs climb, the Jeep lost half its speed, then slowed to a crawl. This occurred just as I reached a long overpass, with no shoulder to offer an escape.”
Imagine you were in a car that started behaving erratically like that, only to find that the reason for that behaviour is that hackers now had control over your car, and you were powerless to do anything about it. This is why both the IT industry, and consumers of IoT applications, need to be aware of the security risks of this technology, and how to mitigate them.
10 biggest security areas of the IoT
The IoT’s greatest security concerns can be broken down into 10 distinct themes. Being secure means addressing these different problems across all the technology that you have in the home or office.
- Insecure Web interface
- Insufficient authentication or authorization
- Insecure network services
- Lack of transport encryption
- Privacy concerns
- Insecure cloud interface
- Insecure mobile interface
- Insufficient security configuration
- Insecure software or firmware
- Poor physical security.
It’s worth noting that not all of this should be considered the responsibility of the consumer. There’s a real and pressing need for the IT industry to come together to develop standards around the IoT, so that the vendors of the technology themselves are no longer selling products that fall below a minimum security standard; and, remember, that’s about 70% of them.
Until such standards can be developed, however, consumers will need to be mindful that many IoT devices won’t meet a minimum security standard, and in the meantime, they should strongly reconsider purchasing any IoT device that they can’t guarantee across the 10 themes above.
What would an attack on my IoT devices look like?
Most of the time, hackers won’t take control of your devices to do scary things with them, as happened in the car example, above. Most of the time, hackers find IoT devices a useful way to run a DDoS attack on a person or organisation’s network. DDoS attacks are common; 59% of Australian businesses experience them on a yearly basis, and the IoT devices help to facilitate these attacks by giving hackers an easy “in”.
Once they’ve got a person’s devices turned into a botnet, it becomes easy to cripple the network, which might be an inconvenience for a home user, but for a workplace, having the website and online services compromised by a DDoS attack might cost the business thousands of dollars per minute the attack goes on.
DDoS attacks don’t generally lead to a person’s identity, passwords, or data being compromised, but they’re a nuisance, and because they’re inexpensive to launch, it’s easy for a disgruntled employee, neighbour, or customer to initiate an attack. And, of course, if your network can be compromised by a DDoS attack, more malicious and damaging attacks are quite possible.
How do I protect myself (without giving up my IoT technology)?
As with anything you do online, the IoT is safe enough if you are responsible about how you use it. Follow a couple of basic best practices, and you’ll significantly reduce the risk of being affected by a DDoS attack – or worse – through your IoT devices.
1. Update the administrator usernames and passwords so that they’re strong
“Admin” as a username and “Password” as the password are unbelievably common across all internet-enabled devices, let alone those that are IoT-enabled. Indeed, a lot of people don’t even realise that there is a username and password in there, as the setup process often bypasses the IoT hardware’s password. If a device doesn’t seem to have a username or password at all, then it’s a good idea to avoid that device. Hackers can still take control of it.
2. Strongly consider disabling remote access to devices
Look for the following protocol ports: SSH (22) and HTTP/HTTPS (80/443), and block unauthorised access using those ports. Have a chat with your ISP about what else you can do here. There are some IoT devices that you’ll still want to have remote access to, but there should be ways to clamp down on the security of these. Anything that’s unessential for remote access, switch off.
3. Buy devices from reputable organisations
Only trust organisations that have a good track record in security, and then make sure that you keep the devices patched and up-to-date, as you would any other device that you own. Devices that don’t have regular updates are security risks, and should be treated as such. If a vendor should discontinue support for a particular device, also consider at that point upgrading to a more modern version that will have regular security updates again.
4. Train your staff
IoT security is obviously something that the IT team needs to be aware of; how to effectively deploy and add additional technology onto the network safely. But, at the same time, other people within the team need to take responsibility; the physical security team, for example, might want to purchase IoT-enabled cameras to watch the building remotely, and that’s fine, as long as the staff is also familiar with how to properly set up the cameras so that they’re secure.
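For step 2 above, one way to check a router's own port forwards, added here as an example and not part of the original article. It assumes a Linux-based router whose rules can be exported in iptables-save format (the sample rules and addresses are constructed), considers single-port rules only, and flags forwards to ports 22, 80 or 443 that accept any source address.

```python
import shlex

MGMT_PORTS = {22, 80, 443}  # SSH, HTTP, HTTPS, as named in step 2

# Constructed sample in iptables-save format (documentation address ranges).
SAMPLE_RULES = """\
*nat
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.1.50:80
-A PREROUTING -s 198.51.100.10/32 -i eth0 -p tcp -m tcp --dport 2222 -j DNAT --to-destination 192.168.1.60:22
-A PREROUTING ! -s 198.51.100.10/32 -i eth0 -p tcp -m tcp --dport 2200 -j DNAT --to-destination 192.168.1.61:22
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.1.70
-A PREROUTING -i eth0 -p udp -m udp --dport 5060 -j DNAT --to-destination 192.168.1.80:5060
COMMIT
"""

def source_restricted(tok):
    """True only if the rule matches a specific, non-negated source address."""
    if "-s" not in tok:
        return False
    i = tok.index("-s")
    negated = i > 0 and tok[i - 1] == "!"  # "! -s x" means everyone except x
    return not negated and tok[i + 1] != "0.0.0.0/0"

def exposed_forwards(rules_text):
    """Return (wan_port, lan_ip, lan_port) for each DNAT rule that forwards
    to a management port from any source address."""
    findings = []
    for line in rules_text.splitlines():
        tok = shlex.split(line)
        if "DNAT" not in tok or "--dport" not in tok or "--to-destination" not in tok:
            continue
        wan = tok[tok.index("--dport") + 1]
        ip, _, port = tok[tok.index("--to-destination") + 1].partition(":")
        lan = port or wan  # DNAT without a port keeps the original destination port
        if not (wan.isdigit() and lan.isdigit()):
            continue
        if int(lan) in MGMT_PORTS and not source_restricted(tok):
            findings.append((int(wan), ip, int(lan)))
    return findings

if __name__ == "__main__":
    for wan, ip, lan in exposed_forwards(SAMPLE_RULES):
        print(f"WAN port {wan} -> {ip}:{lan} is reachable from any address")
```

Note that the first finding is reached on WAN port 8080, not 80: a non-standard outside port still exposes the device's web interface.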
Don’t assume you’re ever safe
Security risk and the IoT are real, and should be taken seriously. There are, according to studies, as many as two million IoT devices that have already been compromised by hackers. Again, this doesn’t necessarily mean that they’re stealing your data or able to access your entire network, but that many compromised devices means that there are some large – and powerful – botnets out there, capable of crippling businesses for days at a time.
The good news, however, is that there are tools out there that IoT device manufacturers and businesses can use together to ensure that the technology remains secure. One benefit of IoT devices is that they’re generally quite simple, in that they’re set up to be predictable in behaviour and ‘call back’ and ‘talk’ to a single server: the manufacturer’s. If a device starts connecting to other servers, that’s a sure-fire sign of a compromised device.
What’s important, then, is that businesses and their customers come together to create regular reports and monitoring of devices for aberrant behaviour, and immediately move to fix or replace a compromised device.
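The monitoring described above can be as simple as comparing each device's outbound connections against the one server it is expected to talk to. The following is an added example, not part of the original article; the device names, hostnames, log format and log lines are all constructed assumptions.

```python
from collections import defaultdict

# Assumed baseline: each device's only expected destination (hypothetical names).
BASELINE = {
    "cam-lobby": "cloud.camvendor.example",
    "bulb-desk": "hub.bulbvendor.example",
}

# Constructed sample log: "<time> <device> <dst_host> <dst_port>"
SAMPLE_LOG = """\
2017-11-02T09:00:01 cam-lobby cloud.camvendor.example 443
2017-11-02T09:00:07 bulb-desk eu.hub.bulbvendor.example 443
2017-11-02T09:01:13 cam-lobby 203.0.113.77 23
2017-11-02T09:01:14 cam-lobby 203.0.113.77 23
2017-11-02T09:02:40 cam-lobby cloud.camvendor.example.cdn.test 443
2017-11-02T09:03:00 thermostat-2 time.vendor.example 123
this line is malformed
"""

def is_expected(host, allowed):
    """True if host is the allowed server or a subdomain of it."""
    host, allowed = host.lower().rstrip("."), allowed.lower()
    # The dot boundary stops "vendor.example.cdn.test" passing as "vendor.example".
    return host == allowed or host.endswith("." + allowed)

def find_aberrant(log_text, baseline):
    """Return {device: {(dst_host, dst_port): count}} for off-baseline traffic."""
    report = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # skip malformed records rather than guessing
        _, device, host, port = parts
        allowed = baseline.get(device)
        # A device with no baseline is reported too: unknown devices need review.
        if allowed is None or not is_expected(host, allowed):
            report[device][(host, int(port))] += 1
    return {dev: dict(dests) for dev, dests in report.items()}

if __name__ == "__main__":
    for device, dests in find_aberrant(SAMPLE_LOG, BASELINE).items():
        for (host, port), count in sorted(dests.items()):
            print(f"{device}: {count} connection(s) to {host}:{port}")
```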
With IoT devices becoming more commonplace than ever, businesses will find that they need to make use of the technology in order to remain competitive with their rivals, which are using the tech. The IoT is an undeniable force in computing, just as Cloud was a half decade ago. There were security concerns around Cloud too, in those early days before it became ubiquitous, and now we’re having similar discussions about IoT. Ultimately, you should not be avoiding the IoT, but you should be approaching it with a careful eye for security all the same.