When I last blogged about the Internet of Things (IoT) just over a year ago, I pointed out that it’s not just wearable tech and fitness gadgets that present a security risk. Lighting, heating and cooling systems, smart displays, electronic gateways and vending machines – unobtrusive, almost invisible smart devices that are increasingly being deployed in homes, offices and factories – are becoming a much bigger security issue.
Take this recent story. Smart thermostats have been found to have vulnerabilities which could be used to gain remote control of the thermostat, run rogue code and also gain access to the local network. Similarly, a backdoor vulnerability discovered in millions of smart TVs could allow an attacker to inject malicious code into a digital broadcast and use it to gain access the users’ network (Incidentally, this attack vector was used in the plot of a recent CSI: Cyber episode.)
Three characteristics make these IoT systems a soft target for malicious hackers. First, they are, for the most part, technically simple. An internet-enabled vending machine has nowhere near the same technical complexity as a smartphone or laptop – and therefore is less able to support sophisticated security solutions. In many cases, so-called security measures in these devices can be a simple 4-digit PIN code, or a default password.
Second, their manufacturers are, again for the most part, not building on 30 or more years of security-focused research and development. Thermostats and TVs simply aren’t expected to have the same sophisticated security capabilities as servers, desktop and laptop computers. A wide variety of defense mechanisms are already baked into a smartphone – and it is industry standard for manufacturers and designers to do so. While this security will never be perfect, it can still be effective. But the people designing and building many smart devices have neither the experience nor the expertise – nor, often, the inclination – to work to similarly high standards of security.
Third, once those devices are purchased by a business, their installation and management is often not the responsibility of the IT or network security teams – it usually falls to buildings and facilities management teams. And the skill sets and cultures within facilities management teams simply don’t marry well with robust information security practices.
So what, theoretically, could happen once malicious hackers identify such vulnerabilities? Two directions of attack are possible through IoT devices. First, attackers could move from the physical side to the IT side – so, for example, somebody sitting in the parking lot could compromise vending machines through a wireless attack, and then jump to the payment system and steal money. Second, attackers could move from the IT side to the physical side – for example, setting the temperature controls in a building’s server room to ‘high’, which could cause equipment to overheat. Both are viable IoT attack directions, which achieve different goals.
So, until smart device manufacturers catch up with other elements of the IoT industry, what can businesses do to protect themselves? Here are some key best practices:
When it comes to security the IoT, things really can only get better. And they need to get better quickly.
Receive notifications of new posts by email.