Probably the best £100 I’ve ever spent was on a Nest Protect. It’s a Wi-Fi enabled smoke and carbon monoxide detector. My “dumb” one worked just as well, but this one has a number of key advantages, like letting me know when my batteries are running low. I can also check on the safety of my home, from anywhere in the world, be it on a beach in Bali or at a conference in California. It really doesn’t matter.
I know it sounds trivial, but this convenience is important to me, yet there’s another side to the convenient world of connected devices, and the Internet of Things (IoT), which is responsible for some serious security issues.
Attack of the Washing Machines
So, why is your internet-connected widget a threat? Fundamentally, it comes down to design—getting things connected took priority over security.
For criminals, the proliferation of connected devices can be used for nefarious purposes. There are common tactics criminals use, such as compromising devices and recruiting them into botnets, which they then use to launch attacks against other devices.
When devices aren’t being used to attack, it’s possible for the devices themselves to be attacked. As IoT devices from a particular manufacturer reach a critical mass, they become enticing targets to hackers.
There’s also the potential for ransomware to be placed onto household items. Imagine what it would be like if your home’s central heating was hijacked unless you paid an attacker one bitcoin. To incentivize you, the attacker might crank your heat up to 30º Celsius in the middle of summer.
Smart home devices also present a troubling threat to our collective privacy. Most devices provide at least two pieces of information—a status and a location. With these two bits of information, an attacker can infer many things about a potential target. For example, knowing the location and status of a security system could tell a burglar if their mark is at home. It’s ironic. The tools we depend on to prevent things like this from happening could be the things that allow them to happen.
IoT could also change the way people are “doxed”. This used to be just addresses, passwords and phone numbers. But with the Internet of Things, an entirely new dimension could be added containing information about how we eat, sleep, live and love.
Consider Security Early and Often
Because of these threats, it’s important for buyers to be more aware of security in their purchasing choices.
Some considerations are:
1. Assess the risk of compromise before buying and using any smart device. Pay close attention to ransomware-IoT developments, as education and awareness are a critical line of defense. The Malik/Langford IoT Risk Model below can help you make more informed risk decisions.
2. Evaluate how easy it is to harden the IoT product. Ensure you can change default credentials, disable insecure protocols, and whether firmware updates will be provided by the vendor.
3. Have a recovery plan in place. Some devices can be reset to factory settings with the press of a button, while others require manufacturer involvement. It’s up to buyers to understand the recovery process for the devices they own, and to create a contingency plan should they become infected.
4. Assess how any data collected, stored or processed is secured and evaluate the impact if it is compromised, altered or made unavailable. This includes data that is stored by the device itself and any cloud storage services.
5. Do not reuse passwords for smart devices. Choose unique strong passwords and, where available, implement two-factor authentication.
We live in an era where convenience and instant gratification are paramount. If we have to wait in line to order a burger at McDonald’s, or to order a latte at Starbucks, we huff and moan, and head to Twitter to complain. This has led to a flurry of innovation—resulting in apps, appliances and devices that streamline our life. But we judge them through one prism: Do they make our lives more convenient?
We don’t ask the important questions: How is this data stored? How is it transmitted? How much effort did the manufacturers and developers take to secure it? Despite many high-profile incidents, IoT security is getting worse, not better.
Enterprises need to factor these risks into their assessments, not only in how IoT devices are used within the enterprise, but how they can be used to attack the enterprise, and also how employee-owned smart devices could compromise a business.
Securing these devices isn’t trivial, and it certainly won’t be a quick process. Therefore, it’s in everybody’s interests to understand the implications of connected devices and what parts we all play in securing them.