How Secure is IoT?

IoT integration

Amidst all the hype surrounding the Internet of Things (IoT), it’s easy to forget that it is already present in countless business and consumer devices we use daily. You’ll find it in multifunction printers (MFPs), video-conferencing systems, phone systems, smart TVs, cars, even lifts. Do you own wearables? Smart watches and fitness monitors use it too. So do various ‘smart home’ technologies, from voice assistants to home heating that can be monitored remotely.

These devices can send and receive data from the internet, directly or via an intermediate controller. Right away, this raises important security implications. While it’s amazingly convenient to have a fridge that can automatically reorder milk and eggs before you run out, it’s easy to imagine an intelligent hacker using it to access your home security system and disable it.

When a large number of IoT devices are targeted in a concerted effort, the damage can be far more extensive. This was shown in 2016 when a piece of malware installed itself on thousands of internet-connected devices – including printers, baby monitors and IP cameras – and used them to perform a distributed denial-of-service (DDoS) attack on Dyn, a company that provides Domain Name System (DNS) lookup services. Because these devices were using default login credentials, the malware was easily able to break into and reconfigure them. As a result of the attack, access to many popular online services and websites was disrupted for several hours.

Oracle Dyn: IoT Threats - The Growing Unnatural Disaster, 2018

Oracle Dyn: Summary of DDoS Attack, 2016

A potential time bomb for businesses?

Adoption of IoT worldwide is accelerating as organisations realise the added value it can provide. In the Middle East and Africa, IDC predicts the regional market will grow to $12.62 billion by 2021 – including $900 million in the UAE – as businesses seek to automate operations and ramp up productivity. Manufacturing, transportation, utilities, and healthcare have already seen big investments.

With IoT being adopted with such gusto, could it be that its risks are being overblown? Perhaps not. Many consumers use connected heating apps such as Nest. What if a hacker installed ransomware onto the control device and demanded payment to unlock access to the heating? The risk has also spread to the world of Bitcoin and other cryptocurrencies. Research by Trend Micro found examples of malware being sold on the dark web which can infect IoT devices and use them to secretly mine crypto.

IoT security has been described by at least one IT expert as a ‘ticking time bomb’. What makes it different from other areas of IT security? And how can businesses stay protected?

IoT market in MEA to grow 15% to reach $6.99b, 2018

IoT security: Is cryptocurrency-mining malware your next big headache?, 2018

A new approach to security

The crucial difference between IoT and ‘standard’ IT security is human intervention. Computers crunch the data, but people make the important decisions. With IoT, however, there’s no person at the centre – just the other devices and systems the IoT device ‘talks’ to.

This means the basic approach to security in IoT must become both more proactive and more risk-aware. Ways that businesses and individuals can meet the challenges of IoT security include

●    A new security mindset: Even with the right training, human employees can’t be expected to secure the coming flood of IoT endpoints. Look at pursuing new security processes that don’t require human intervention, such as automation and machine learning (ML)-assisted threat mitigation.
●    Configure every device: As the Dyn cyberattack showed, default credentials present a very large target to hackers. Before a device functions, users should update them with a strong password, multi factor authentication, or biometrics where possible.
●    Continuous patches/updates: Updating IoT devices regularly through the network or via automation is critical, as it ensures they always have the latest security fixes.
●    Segment devices: Place non-essential devices in a guest network to isolate them from your main business network.
●    Train your staff: Add IoT security to employees’ awareness training, and include advice on how they can protect their smart hardware at home.

Securing the future

Understanding around security risks of IoT is still growing, among consumers and businesses alike. It’s important to keep in mind that every new technology comes with risks which aren’t fully understood until they’re experienced. With any IoT deployment, it is critical to weigh the business benefits against the risks and cost of security before you take the plunge.