The Security of ‘Things’: Is the IoT the Next Big Threat?
The CISO of the FBI, Arlette Hart announced in her keynote speech at the IoT Security Conference in Boston last week that the growth of the Internet of Things is faster than the security efforts to protect its users. In a climate where security breaches have already been described as “the wild west” by the U.S. government, the introduction of even more points of failure is extremely worrying.
Unless you’ve been asleep for the past 12 months, you’ll have heard a lot about the Internet of Things or, as it’s often called, the IoT. The idea that your fridge can communicate with your local grocery store to order up a carton of milk is almost upon us. Smart fridges like one manufactured by Samsung allow you to use your Gmail calendar to send updates to the fridge, reminding you to buy that carton of milk. The connected home is getting more connected too, with smart IoT devices managing your every waking minute: lighting, heating and TV all controlled through mobile apps.
IoT and Healthcare
And the IoT extends to even include our own bodies. The healthcare industry is one of the keenest innovators in this area. A report by McAfee entitled “The Healthcare of the Internet of Things” shows a saving of $63 billion in the next 15 years as IoT medical devices enter the healthcare ecosystem.
The value of the IoT industry is massive. Analysts IDC have predicted that the IoT industry will top $7.1 trillion by 2020. Gartner has predicted that over 13 billion devices will be connected by 2020 – some give an even higher figure of 20 billion connections by 2020. This level of expectation has caused a scramble to get on the IoT bandwagon.
But in this rush, some serious security issues have been ignored and are starting to surface. Scenarios ranging from terrorist control of our home lighting systems to prison breaks have already been described, and these are security issues that will affect us all as the rising tide of IoT continues.
The Man in the Middle of a Not So Smart Fridge
The Samsung smart fridge we mentioned earlier is an example of one of those security issues that are haunting the IoT. The Samsung fridge lets you synchronize your Gmail calendar across devices, apps, and the fridge – the calendar displaying on a screen on the fridge itself. To access the calendar, you have to log in. The fridge uses the Internet security protocol Secure Sockets Layer (SSL). You’ll recognize this being used on websites that have the prefix https as opposed to http – the s standing for secured. Unfortunately, Samsung hasn't implemented SSL correctly, so it effectively allows an attacker to steal your login credentials when you log in. This is known as a ‘Man in the Middle’ attack, or MiTM. So, in effect, your fridge gives away information in your Gmail account. In this case, the ‘hacker’ who discovered the vulnerability was an ethical one, and Samsung is now looking at correcting the problem. This is a good example of how the excitement of being in the IoT game can mean that security becomes an afterthought.
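To make the "SSL not implemented correctly" point concrete, here is an added example (not code from the article or from Samsung) in Python: a client TLS configuration that uses encryption but never checks who it is talking to, which is exactly the condition a man-in-the-middle needs, beside a hardened configuration, plus a small audit function a reviewer could run over any `ssl.SSLContext`. The function and context names are assumptions made for the example.

```python
import ssl


def fridge_style_context():
    """Client context modelled on the flaw the article describes: TLS is
    negotiated, but the server certificate is never verified, so a
    man-in-the-middle presenting its own certificate is accepted and can
    read the credentials sent over the 'encrypted' connection."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE     # accept any certificate at all
    return ctx


def hardened_context():
    """What the client should do: verify the chain against trusted CAs,
    match the hostname to the certificate, and refuse pre-1.2 TLS."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_tls_context(ctx):
    """Return a list of findings describing why this client context would
    let a man-in-the-middle succeed; an empty list means no issue found."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified (MITM possible)")
    if not ctx.check_hostname:
        findings.append("hostname not matched against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"allows {ctx.minimum_version.name}")
    return findings


if __name__ == "__main__":
    for name, ctx in (("fridge-style", fridge_style_context()),
                      ("hardened", hardened_context())):
        print(name, audit_tls_context(ctx) or ["ok"])
```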
An Unhealthy Connection
One of the areas in which the IoT is seeing traction is the healthcare industry. The industry is a perfect playing ground for IoT innovation in areas as diverse as health apps and pacemakers. Health apps, which collect data on a variety of health-related issues, are being built to ultimately send real-time data back to your healthcare provider. This opens up both privacy and security issues and all the cybercrime possibilities around the theft of Personally Identifying Data. Worse still, security issues with medical devices could end in a life-or-death situation if, for example, an IoT-connected pacemaker were to be compromised. A number of demonstrations have been performed to highlight the issues of using improperly secured IoT devices for healthcare, especially security vulnerabilities that allow control of the device to be hijacked. These include the hacking of a heart defibrillator (like the fictitious story in the TV series Homeland) and an insulin pump. Both possibilities could result in an untimely death.
The Disconnected Home and Office
IoT manufacturers are really focusing in on the home and office environment to enhance our everyday lives with connected devices. There have been a number of studies by analysts and penetration testers such as Veracode into the security of some of these devices. These studies have highlighted some glaring issues, including poor authentication measures, no encryption of data and unsecured Internet communications. An example is a garage system which allows the user to open and close the garage door using an Internet connection, including from a smartphone. An analysis of the device found serious privacy breaches that allowed a criminal to hack into the controller, using a Man in the Middle (MiTM) attack, and access unsecured data. For example, a criminal could see the times that the garage door was opened and closed, allowing them to build a profile of the house owner’s movements – meaning that they also built a profile of the best times to burgle the house. The manufacturer is looking into rectifying this issue, but again, security has been an afterthought, leaving the consumer vulnerable.
What Next for the Security of Things
If we think that cybercrime is out of control now, the IoT will just make the problem even worse by creating an intricate web of connectivity. The move into Cloud computing and its security implications is nothing compared to the security issues that are arising, and will arise, because of the IoT. Where we had fuzziness of the perimeter, we now have a gaping hole, and our security approach needs to be highly proactive, not just defensive.
One of the issues of the IoT is that the devices are built upon a patchwork of protocols with no consensus in their use or application. And if existing protocols and standards, such as HTTPS and encryption, are implemented in a patchy way or not at all, then the security of such devices is highly dubious. There are some organizations working towards these sorts of open standards, such as the Kantara Initiative, where a number of working groups are looking at how identity impacts the Internet of Things. But it will take consumer pressure and manufacturer buy-in to work towards a common solution of interoperable IoT devices.
While we wait for this outcome, we need to ensure that we make the most of this innovation in technology, but we also need to strengthen our own security strategies. You can factor security into the use of your own IoT devices, even if the device itself is insecure. Best practices include monitoring device usage and data communications, as well as ensuring that browsers are patched to avoid cybercriminals using software vulnerabilities to hijack your device or exfiltrate its data.
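As an added example of the "monitor device usage and data communications" practice (this is not code from the article), the Python below audits a home router's outbound-connection log for the two issues the studies above keep finding: IoT devices talking in cleartext, and devices talking to endpoints outside the small set they normally use. The log format, the sample lines and the per-device baseline are all constructed for this example.

```python
import re
from collections import namedtuple

# Constructed sample of a router's outbound-connection log (not real data).
# Format: <timestamp> <device> <src ip> -> <dst ip>:<port> <proto> <bytes>
SAMPLE_LOG = """\
2015-09-22T10:15:01Z fridge 192.168.1.40 -> 172.217.3.14:443 tcp 1532
2015-09-22T10:15:07Z fridge 192.168.1.40 -> 203.0.113.9:80 tcp 884
2015-09-22T10:16:30Z garage 192.168.1.52 -> 198.51.100.7:443 tcp 412
2015-09-22T10:16:45Z garage 192.168.1.52 -> 198.51.100.200:23 tcp 96
2015-09-22T10:17:02Z thermostat 192.168.1.61 -> 192.0.2.10:8883 tcp 210
"""

# Assumed per-device baseline: the cloud endpoints each device is known to use.
BASELINE = {
    "fridge": {"172.217.3.14"},
    "garage": {"198.51.100.7"},
    "thermostat": {"192.0.2.10"},
}

# Ports whose protocols carry data (and often credentials) unencrypted.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) -> ([^:\s]+):(\d+) (\w+) (\d+)$")
Conn = namedtuple("Conn", "ts device src dst port proto nbytes")


def parse_line(line):
    """Parse one log line into a Conn, or return None if it is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, dev, src, dst, port, proto, nbytes = m.groups()
    return Conn(ts, dev, src, dst, int(port), proto, int(nbytes))


def audit_connections(log_text, baseline=BASELINE):
    """Return (device, reason) findings for cleartext traffic and for
    destinations not in the device's baseline; malformed lines are skipped."""
    findings = []
    for line in log_text.splitlines():
        c = parse_line(line)
        if c is None:
            continue
        if c.port in CLEARTEXT_PORTS:
            findings.append((c.device, f"cleartext {CLEARTEXT_PORTS[c.port]} to {c.dst}"))
        if c.dst not in baseline.get(c.device, set()):
            findings.append((c.device, f"unexpected destination {c.dst}"))
    return findings
```

A real deployment would feed this from the router's flow export or a tap rather than a text file, and would raise an alert on the first finding for a device rather than collect them.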
The IoT is here to stay, and it enters the arena as the security landscape becomes ever more complex. A proactive approach to security means you can enjoy the benefits of the connected world, without the dangers.