The Internet of Things (IoT) is finding its way into every room of the house and every corner of the office. According to Gartner, there will be 6.4 billion Internet-connected things by the end of this year, a 30 percent increase over 2015. And by 2020, that could climb to 20.8 billion.
It’s no wonder: Connected devices promise amazing conveniences, allowing everything from light bulbs to construction equipment to send and receive data, while providing remote access to smart home systems, manufacturing facilities, and more. IoT technology will provide unprecedented volumes of data — from just about everywhere — and give businesses and consumers much greater control over their world.
But as we step into this exciting era, it’s essential to push forward behind the scenes as well, to ensure security and privacy. Establishing sound, innovative security standards for this new wave of devices will be critical to realizing their full potential.
Many IoT devices transmit mundane information — hackers probably aren’t that interested in what’s in an IoT fridge, for example — but others handle more sensitive data. For example, if hackers were to access sensors on connected manufacturing equipment, they could potentially gather a company’s proprietary manufacturing information.
Hackers could even take advantage of a common IoT capability, remote control over connected objects. Last year, to bring attention to these risks, two engineers exploited a vulnerability in a Jeep Cherokee’s connected entertainment system. From miles away, they were able to take control of the vehicle’s air-conditioning, radio, and windshield wipers, before killing the engine. The stunt led Fiat Chrysler to issue a massive recall to add a security patch to 1.4 million vulnerable vehicles.
Some IoT devices handle the most personal data of all — what’s going on in your body. ABI Research predicts that by 2019, there will be more than 780 million wearable devices in circulation, from simple activity monitors to advanced medical devices.
Accessing a specific connected IoT “thing” is rarely the goal. The immediate security challenge is protecting against breaches that go beyond the individual device.
In the IoT ecosystem, every connected device is part of a network, which may be connected to other networks. Cybersecurity measures need to prevent “hack one, break all” attacks — that is, hackers breaching IoT devices with limited security measures in place so they can access everything on a network.
They also need to protect individual devices from being used in distributed denial of service (DDoS) attacks. In a DDoS attack, hackers take control of thousands of individual devices and operate them as a zombie army, called a botnet. Then they direct all the devices in the botnet to hit a target, such as a website, with data requests, overwhelming its servers and shutting it down.
Last month, hackers took control of more than a million IoT devices (mostly video recorders) to create a botnet, which they used to attack journalist Brian Krebs’s site, as retaliation for his reporting on hacker activity. They then posted the botnet code, Mirai, to forums, giving others the tools to find and control connected devices with default factory usernames and passwords.
Just last week, hackers used the Mirai code to attack Dyn, an Internet infrastructure company that provides Domain Name System (DNS) services. DNS is an essential web service that resolves everyday URLs into the actual IP addresses of web servers to deliver requested content. The evidence suggests that by recruiting an army of vulnerable IoT devices into a botnet attack on Dyn’s east coast DNS servers, the hackers were able to keep users from accessing dozens of sites, including Twitter, Netflix, and Spotify, through much of the day.
With these challenges in mind, we need a safe and secure foundation for the IoT ecosystem.
This begins with manufacturers being more diligent about integrating security measures into their product development process. Best practices include ensuring devices transmit encrypted key chains and data and building in secure, personalized password protection, rather than universal default log-ins. It’s also essential to make it easy for users to update security software, through automated downloads and reminders.
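As an added illustration of "personalized password protection, rather than universal default log-ins" (example code written for this article, not taken from any vendor's firmware), the sketch below shows a factory provisioning step that gives each device its own random password and stores only a salted hash on the device. The function names, the serial numbers, the banned-password list and the iteration count are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Label-friendly alphabet: no look-alike characters such as 0/O or 1/l/I.
ALPHABET = "abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789"
# Constructed sample of factory-default style passwords to refuse outright.
BANNED = {"admin", "root", "password", "12345", "default"}
ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed policy value)


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def provision_device(serial: str, length: int = 16) -> tuple[str, dict]:
    """Factory step: return (password for the device label, record for flash)."""
    password = "".join(secrets.choice(ALPHABET) for _ in range(length))
    salt = secrets.token_bytes(16)
    # Only the salt and hash are stored on the device, never the password.
    record = {"serial": serial, "salt": salt.hex(), "hash": _hash(password, salt).hex()}
    return password, record


def verify_login(record: dict, candidate: str) -> bool:
    """Constant-time check of a login attempt against the stored hash."""
    expected = bytes.fromhex(record["hash"])
    actual = _hash(candidate, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(actual, expected)


def change_password(record: dict, new_password: str) -> bool:
    """Owner-initiated change; refuses short or factory-default style values."""
    if len(new_password) < 12 or new_password.lower() in BANNED:
        return False
    salt = secrets.token_bytes(16)
    record.update(salt=salt.hex(), hash=_hash(new_password, salt).hex())
    return True


if __name__ == "__main__":
    pw_a, rec_a = provision_device("CAM-0001")  # constructed serial numbers
    pw_b, rec_b = provision_device("CAM-0002")
    print(pw_a != pw_b, verify_login(rec_a, pw_a), verify_login(rec_a, pw_b))
```

Because every unit ships with a different credential, a password learned from one device or from a published default list does not unlock any other device on the network.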
Manufacturers will also need to work together, to keep the entire IoT ecosystem secure. This will likely mean private industry working closely with governments to set IoT security standards. The Federal Trade Commission has taken initial steps, creating a detailed report with recommendations for maintaining security and protecting consumers’ privacy.
The critical steps for businesses and consumers are to understand their vulnerabilities, keep up to date with firmware, and carefully consider how to structure their networks. For enterprise networks, it’s important to collaborate with vendors throughout the supply chain and distribution chain to identify and address weaknesses.
The IoT revolution is just getting started, and we can expect to see waves of new technology transforming industries and opening up new possibilities. In these early days, it’s essential to take these cybersecurity risks and challenges seriously, and to meet them head-on.
What should businesses do to address IoT cybersecurity risks?