The connected world is coming sooner than you think. App developers and mobile service providers are already taking advantage of the new era of connected cars, wearable devices, and entire smart homes — all fitting into the notion of the Internet of Things (IoT).
According to Gartner, there are currently 4.9 billion connected devices in use, with that number projected to soar to 25 billion by 2020.
This sudden expansion will boost the economic impact of the IoT as consumers, businesses, city authorities, hospitals, and many other entities find new ways in which to exploit the technology. Yet, they won’t be alone. Hackers will increasingly target this technology and exploit it in a very different way.
This raises the question: what is it about IoT that makes it such a vulnerable target for cyberattacks? Here are three security problems that IoT will create:
1. Increasingly Poor Security Design.
From a security perspective, IoT devices share some common features with their mobile brethren. Both store, transmit, and process highly sensitive consumer information within potentially hostile environments that manufacturers have no control over. However, mobile software makers can reduce their exposure by moving the processing of sensitive information into an environment they do control, such as a centralised server that the app can reliably reach.
IoT device manufacturers do not have the same luxury. An IoT device typically gathers very sensitive information from the physical world and does some minimal processing of it on the device before sending it to a backend server. At the same time, consumers demand highly responsive IoT devices, so manufacturers cannot completely shift the processing of sensitive information to a centralised server. The result is that sensitive data, and the code that handles it, must live on hardware an attacker can physically pick up and probe. Hackers will therefore have a far more reliable opportunity to access and steal information from an IoT device than from a mobile device, and that weakness follows from the design constraints themselves rather than from any single bug.
2. Increasingly Unaware Environments.
IoT devices have substantially less computing power than other devices like PCs and phones. Hence, IoT devices cannot afford to spend precious computing power on additional functionality beyond their core service. Serious malware detection capability within an affordable IoT device is not currently feasible. Hackers will have more opportunity to infect IoT devices and go undetected by the victim than they do with infections on mobile or PC devices. There have already been instances where routers, multimedia centres, televisions and at least one refrigerator participated in a spam botnet blast that sent 750,000 emails to unsuspecting victims.
3. Increasingly Outdated Environments.
Many hospitals and doctors' offices are still running Windows XP, even though that OS is long out of date and subject to serious security flaws. Many industrial controllers are also still running XP, making them potential targets. XP has a notorious history of security patches that are difficult to apply, and since Microsoft ended support for it in April 2014, new patches are no longer routinely issued at all.
History has taught us that, when security patches are not downloaded automatically and made easy to apply, consumers are less likely to install them. Several technical challenges (intermittent connectivity, limited computing power, and little or no graphical user interface) will further discourage consumers from applying security patches to IoT devices. Hackers will be more likely to exploit known vulnerabilities in these devices because the established patches will never be applied.
Beyond a shadow of a doubt, hackers will take advantage of these weaknesses in security, given the opportunity. That leaves a lot of cars, alarm systems, locks and so on open to compromise.
The best answer is to insist that the designers behind IoT software build security into their systems as a core design requirement. Those requirements should include capabilities that resist static and dynamic analysis of the IoT software, along with runtime detection of any modification to the device's code.
It’s also crucial to involve and educate end users about security and build mechanisms into the device that will help them make the right decisions regarding privacy and security. That means including instructions for secure usage — in layman's terms.
And this is where end users need to do their part as well. Hackers count on consumers to make their job easy by engaging in insecure online behaviour. Everyone thinks: "Who would want to hack me?" But today, hacking is more business than personal. Anyone who chooses to use an IoT device that collects information should quiz the vendor on its security certifications and policies, watch for firmware upgrades and apply them promptly, and carefully inspect any email from the vendor that contains a link or asks them to download something.
About the author
Jonathan Carter is Technical Director at Arxan Technologies and an application security professional with more than 15 years of security expertise. As a software engineer, Carter produced software for online gaming systems, payment gateways, SMS messaging gateways, and other solutions requiring a high degree of application security. Previous roles include Enterprise Security Architect, Web Application Penetration Tester, Fortify Security Researcher, and Security Governance lead.