The Internet of Things (IoT) is not a future opportunity and risk, it’s already here. In 2015, we are about to hit the point of no return with IoT – where all, and not just some, corporate IT departments must consider and address the IT management and security implications of IoT.
But the dangers of IoT are not limited to the workplace, they are also relevant to consumer-world scenarios – with technology users needing to ensure that they understand, and fortify themselves, against the security risks associated with the IoT.
Learning from past IoT security mistakes
The IoT industry – especially the vendors that produce and sell IoT devices and solutions – is finally recognising that their security track record has been poor and must improve. High profile cases such as the US Federal Trade Commission (FTC) settlement with TRENDnet have seen to this – with TRENDnet’s so called SecurView Home CCTV system having allowed strangers to see, and sometimes listen into, over 700 home security camera feeds because of poor security practices.
FTC Chairwoman Edith Ramirez summed up the challenge for all IoT vendors and those that purchase IoT devices: “The Internet of Things holds great promise for innovative consumer products and services. But consumer privacy and security must remain a priority as companies develop more devices that connect to the Internet.”
The FTC went on to establish a precedent for what might be the first kind of standard in the IoT industry – the prioritisation of security, confidentiality, and privacy over the rush to market and the importance of convenience.
Internet connected cameras might be an obvious IoT risk, but many others aren’t. For instance, cars are now computers on wheels and they contain one or more IoT devices, connected to the outside world via diagnostic ports, cellular, and vehicle-to-vehicle technology. There are many real examples of car IoT systems being broken into and hijacked and thankfully some car manufacturers such as Tesla are taking IoT security seriously, even employing hackers to improve their systems. Also a Tesla vehicle can be “fixed over the air” via software updates to remove known security exploits.
The IoT industry needs to do more
For smaller IoT devices, such as those embedded in fridges, there are also risks. Fridges have been recruited into botnets and used to send spam emails.
One of the issues with these embedded devices is that it’s often impossible for the buyer to configure or secure the device - they might come factory preset with no instructions or on unmodifiable chips. If the IoT device comes with an old version of Linux, with a buggy web interface and an easy to find default password that the buyer can’t over-ride, then it’s a danger. And even devices where security can be improved by the buyer rely on the buyer’s inclination and technical prowess.
Thus the IoT industry has a large part to play in mitigating IoT dangers for both corporate and consumer scenarios. IoT device producers and sellers need to:
- Place security, confidentiality, and privacy at the top of their IoT product plans, building security into the design from day one.
- Employ security professionals, including hackers, and offer rewards to people for finding vulnerabilities in their products.
- Not oversell or misrepresent the security features of their products, or how much control the user has.
- Ensure that their IoT systems follows basic security best practices including allowing the buyer to set a unique and complex password.
- Ensure that their IoT systems can be upgraded to patch against new known security exploits.
- Realise that it’s better to be open than closed in most cases. Transparency can improve their products and trust-standing with consumers. Consider open source platforms that will force the removal of obviously weak code elements (such as embedded weak passwords).
Consumers need to do more
The home consumer often values features, ease-of-use, price, and getting the latest gadget before their golf partner does – way before security. This is also true for IoT devices. However, there is thankfully now a greater realisation that buyers should do their research carefully, check out security aspects (even if only in online forums), and only buy from a reputable IoT vendor.
There’s definitely enough information on the internet to allow a regular consumer to do this research for free – as long as they are informed of the security risks of the IoT and are inclined to address them.
In addition to making careful purchasing decisions, consumers should have a strategy for securing their IoT devices – mitigating the risks by doing some or all of the following:
- Using a credentials tracker for the usernames and passwords of all IoT devices. They shouldn’t all be the same. Instead use something like 1Password over a non-encrypted text file on the network.
- Creating a device and network map, and don’t have your baby monitor on a publicly routable IP address. Instead use your router firewall to set up a secure network configuration.
- Regularly maintain and patch your devices. Look for available updates and apply them.
- Monitor your network to understand what is “normal.” Have you swept your network for devices? Do you recognise all the devices using leases on DHCP? Have you reviewed incoming/outbound traffic?
- Know what to do when you’ve been breached - have a plan, such as how to reset a device and reconfigure all the credentials.
Businesses Need to Do More
An independent security organisation recently scanned the 900 MHz bandwidth used by IoT wireless devices and found, to their client’s astonishment, that the client’s building HVAC (heating, ventilating, and air conditioning) was IoT-connected.
The client didn’t know this, and wasn’t responsible for the security of them. It was also identified that the HVAC devices had default passwords and very little by way of security. If a hacker had gained control of these devices then they could have caused potential business damage. Remember that the very public Target breach included credentials stolen from one of Target’s HVAC providers.
So businesses need to do the same as consumers but on a much larger scale. Plus there are some unique mitigations because businesses have to accept that they can’t control everything. To help mitigate the risks associated with the IoT, businesses should:
- Create and employ IoT procurement standards – to ensure that IoT device purchases go through formal procurement procedures that have been designed based on the most current expert advice.
- Create and enforce an IoT security policy. The Chief Security Officer must endorse and fund the implementation of IoT security policies and education.
- Run regular security routines. Scan office and other building facilities for IoT devices, preferably with constant monitoring. Build up a known map of what is “normal” with accountable people for each IoT device network.
- Have set practices for responding to breaches.
- Monitor staff-owned IoT. What is staff allowed to connect to, within corporate networks? The stance will be dependent on your business’ IoT risk management policies and practices.
- Run a collaborative IoT project with external experts. Don’t assume that internal knowledge is enough – if you are planning an IoT project, get the best brains in to help.
Sarah Lahav, CEO of SysAid Technologies