IoT privacy and security concerns
We take a look at what's needed to really secure internet-connected devices
There is a well known story told within the cyber security industry, of an American casino that was hacked via a fish tank.
An unauthorised party, as the story goes, remotely accessed the tank's internet-connected thermometer and used it as an entry point into the casino's wider network, where they eventually found client details.
Whether true or not, this is a rather extreme case, but it is useful in explaining the dangers of the Internet of Things (IoT). With all manner of gadgets and objects, connected to the internet – and your home/work network – the options for entry have never been greater for hackers.
Yet, the internet keeps expanding. You can find smart versions of Office lights, TVs, teddy bears, and even coffee machines you can control with a smartphone. It also seems that with each new IoT product there comes a new exploit, another story of ransomware or DDoS attack. It's because of this that governments and experts have called for 'secure by design' products, effectively banning default passwords.
IoT also creates issues around data privacy, particularly with audio-based services, such as smart speakers that are often reported to secretly listen to our daily conversations on the grounds of service improvements.
Still, there is no indication that this expansion of the internet is ever going to slow down. So instead, we need to ask ourselves what can we do to make out ecosystems safer?
IoT security threats to businesses
It would be foolish to think that internet-connected thermostats or other smart devices do not pose a security threat for organisations, particularly at a time where employees are predominantly working from home. The shift to mass remote working has meant that the average 'office' is now full of more internet-connected devices than ever, from AI-powered smart speakers and video doorbells, to phone-controlled light bulbs and robot vacuums.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
With employees using their home Wi-Fi network to log onto work devices, having IoT devices on the same network could be putting corporate networks at risk.
That's largely because there has been a lack of security-first thinking when developing IoT products. Take Mirai for example, a malware that used vulnerable internet-connected devices, such as IP cameras and home routers, to create a botnet that launched a DDoS attack against DNS provider Dyn. This caused large swathes of the internet, including Amazon, Slack, and Visa to become unavailable across Europe and North America in October 2016.
These IoT-based threats have increased since, and research from Dutch software firm Irdeto found that these attacks cost UK businesses £244,000 on average in 2018.
Security by design
The IoT industry is infamous for not prioritising security, especially when it comes to devices in the low budget bracket. Default passwords leave devices, and the network to which it’s connected, vulnerable to cyber attacks. Hackers can target devices with known default access credentials and launch an attack through what is essentially an open gateway.
Indeed, you might think the blame here falls with the manufacturer. In today’s cyber landscape, consumers should expect their devices to be shipped with ample security provisions to protect them from such attacks, however, the blame can sometimes be passed down to the victim. It presents a difficult question around where the onus of security should be placed - on the manufacturer which makes the device, or the customer which actually uses it.
There is an argument to be made for both sides. Manufacturers could quite feasibly ship devices with unique, complex access credentials making it more difficult for an attacker to brute force their way in using known logins. Alternatively, manufacturers could also ship devices with no set login credentials at all and simply require the user to set their own in order for the device to become operational.
On the other hand, consumers should know that in today’s world cyber threats are everywhere and simply setting a strong password on the devices they use should be part and parcel of owning technology. Consumers are also well-known for being poor patchers, opting to choose the ‘remind me later’ option whenever an update notification appears.
Whatever side of the argument you fall on, the general consensus within the industry is that adopting a ‘secure by design’ approach is the best way to prevent IoT attacks. Vendors should work alongside experts in cyber to ensure every stage of the manufacturing process meets the appropriate standards.
The UK government has funnelled millions into the development of adequate standards and education around security by design principles in recent years and most recently the EU mandated a new directive compelling all device manufacturers to secure their products before shipping to the EU.
Enterprise attack surface evolution
It's clear something has gone wrong in the tech world when your users become the network perimeter, given the role of blocking threats from infiltrating any further into the network.
IoT devices open up the network to a much wider spread of risk, serving as even more endpoints that need to be secured, while also diluting the resource put aside for the regular, legacy definition of threat protection.
The smart flip-flop
Given what you cannot do to prevent IoT device compromise, what's the flip-side? It's not quite as much of a 'length of string' exercise as the almost infinite variety of devices we are talking about might suggest. And talking of which, that 'built by bean counter' accusation we made earlier will, in fact, start to fall away as vendors see the market opportunity in delivering a secure product.
Expect network segmentation and device-to-device authentication (if not any meaningfully strong data encryption) to sit high in IoT device feature lists.
An eye on the future
Whatever the future brings you must not lose sight, or site for that matter, of these devices. You need to know what devices you have, what they connect with and how they do it.
Visibility is key to securing the IoT as far as it touches your enterprise, and these touch-points are where attackers will be probing for weakness to bridge the gap between device and enterprise infrastructure.
This article was first published on 09/11/21, and has since been updated
Clare is the founder of Blue Cactus Digital, a digital marketing company that helps ethical and sustainability-focused businesses grow their customer base.
Prior to becoming a marketer, Clare was a journalist, working at a range of mobile device-focused outlets including Know Your Mobile before moving into freelance life.
As a freelance writer, she drew on her expertise in mobility to write features and guides for ITPro, as well as regularly writing news stories on a wide range of topics.