In just a few short years, the Internet-of-Things has gone from a buzzed-about trend to a major force driving business and technological development across dozens of industries. The numbers alone tell a story of remarkable growth: In 2015 there were around 15.4 billion devices installed, and that number is expected to nearly double by 2020, and then more than double again by 2025. However, those rosy predictions may be derailed by serious security vulnerabilities.
The FBI has warned that Internet-connected cars can be hacked. The former Director of National Intelligence has warned about the national security implications of IoT devices connected to critical infrastructure. A massive Distributed Denial of Service (DDoS) attack in October 2016 brought down dozens of major websites across the Eastern US was powered by a massive botnet made up of hijacked webcams, routers, and DVRs. And experts warn that it’s only going to get worse as we come to rely more and more on the IoT.
What are the major security challenges the IoT creates? And what can organizations do to secure their devices and data? The answers are some of the most pressing security challenges we’re facing.
A Victim of Its Own Success
The major factor that’s made the IoT a massive security challenge is its own explosive growth. As device manufacturers and developers come under great pressure to produce devices as quickly and cheaply as possible, security concerns are often pushed aside. This problem isn’t unique to the IoT, but it’s compounded by a number of factors, namely the massive number of devices involved. A decade ago, a large botnet attack might consist of several thousand or tens of thousands of hijacked PCs. Today, an IoT-powered botnet could easily consist of a million or more devices.
While large DDoS attacks are the splashiest examples of IoT security failures, there are lots of other potential vulnerabilities that can put organizations at risk and hamper adoption and growth of the IoT.
Change Your Passwords!
Possibly the most prevalent vulnerability of the IoT is one of the oldest and most vexing problems in all of information security–bad passwords. This applies to individual users–15% of whom don’t even change the default passwords on their IoT devices–and device manufacturers.
Several of the most devastating botnet attacks only worked because millions of IoT-connected devices are equipped with default passwords that aren’t necessarily easy for users to change. All a botnet has to do is scan a network for devices using a certain protocol, and then try a number of common username and password combinations until it gains access to any devices that haven’t been updated. These attacks have prompted manufacturers to release firmware updates that patch some of these vulnerabilities, but there are still many, many devices out there running old firmware.
More Devices, More Vulnerabilities
One of the major challenges in Internet security stems from the simple fact that a system is only as secure as its weakest link. You might have designed an app free of major security flaws, but if the payment API you rely on turns out to have a flaw in its encryption, then all of your users’ payment data becomes vulnerable as well. The same principle holds for the IoT.
In response to a number of high-profile examples of hacker-researchers hijacking the control and navigation systems of Internet-connected cars, car manufacturers released patches that made it much more difficult for hackers to access these cars’ systems remotely. However, another group of researchers proved that you could get around these updated systems by accessing a common USB plug-in used by insurance companies to monitor a vehicle’s speed and fuel efficiency. Security experts warn that until device manufacturers make security a priority, we’re likely to see more and more of these kinds of attacks in the future.
Integrity and Privacy
Security concerns with the IoT don’t only exist at the system level. As organizations turn to IoT as a data collection source, the integrity of that data becomes increasingly important. And yet, most organizations don’t pay nearly as much attention to the integrity of data as it’s collected as they do once it’s loaded into their system. A database itself may be secure, but the data it’s protecting may be worthless if it’s compromised before it reaches the data center.
Compromised data may not result in your system being hijacked, but it can still cause major problems for your organization. An IoT-connected electricity meter can be manipulated so that it sends lower readings to the power company. Sensors in a manufacturing facility can be directed to send fake error reports. This makes securing and encrypting data at the point of collection and in-transit all the more critical.
Besides manipulation, there’s also the problem of unauthorized snooping. Unsecured devices make it easier for individuals, organizations, and governments to potentially eavesdrop on individuals. A Wikileaks dump in March revealed alleged techniques used by the CIA to spy on targets by turning certain models of Internet-connected TVs and smartphones into remote listening devices. These sorts of vulnerabilities are one of the major obstacles to more widespread consumer adoption of IoT devices, especially in the home.
What Can You Do?
All of these security challenges can be overwhelming, but there are steps your organization can take to secure your IoT ecosystem. Some of these are obvious but often overlooked, others may require you to critically examine your organizational goals and how you’re using the IoT to accomplish them.
- Change your passwords! This can’t be overstated enough. Unsecure, duplicate, and default passwords are one of the biggest vulnerabilities faced by any organization. Look into creating and enforcing organization-wide policies to make sure passwords are difficult to crack and changed regularly. Never use the default password, and don’t use the same password for multiple devices.
- Configure your devices with security in mind. Default device settings are often used by attackers to gain access to a network. Figure out if every device actually needs internet access. Consider putting devices behind your router, turning off listening ports, and disabling remote management or administration features. Most importantly: Always keep your firmware up to date.
- Consider managing devices from the cloud. With the profusion of IoT devices, it’s only natural that IaaS solutions have emerged to handle them. Amazon Web Services, Microsoft Azure, and Google Cloud all offer their own IoT management options. Not only do these tools offer the ability to manage devices en masse, they also give you the ability to send secure, bidirectional messages to and from your devices and revoke access for specific devices if they appear compromised.
- Start thinking about blockchain. As we’ve discussed in our article “Blockchain Explained,” distributed ledger technology is not yet ready for primetime. That said, in the future distributed public ledgers could be a compelling way to ensure data integrity, since it’s nearly impossible to modify data after it’s been added to the chain.
- Be smart about the data you collect. This may cut against the ethos of big data, but it’s worth asking why you’re collecting the data you’re collecting. Is it all going to use? Are you collecting sensitive customer or business information that you’re not analyzing? When it comes to security, the more data you collect, the more you stand to lose in the case of a data breach.
Looking for Security Expert?
We’ve covered some of the general concerns around IoT security, but if you’re looking for specific advice for your organization, you’re probably going to want to talk to a security expert. For setting up a properly configured IoT pipeline you may also want to consult a data engineer with experience managing lots of devices. Lastly, you may want to call on an ethical hacking expert to conduct penetration testing to make sure that your devices aren’t leaving your system vulnerable.