IoT: Synonymous with poor security?

Why the IoT security concern?

With the world progressing toward connectedness, companies in the technology ecosystem also appear to be rushing electronic and electrical devices to the market, adding features that require connection to the internet. In this race, however, companies that likely have zero experience with networked devices are bound to overlook the complications involved around software and hardware security design and construction.

Why does this happen? It mostly involves getting the coolest, newest function out first — working at the lowest possible cost.

For example, inexpensive old chips with archaic designs are attractive building blocks for devices that require merely limited capacities or capabilities. Software testing is rendered down to the goal of simply confirming its functionality and ease of setup, mostly with default selections and passwords. What this implies is that cybersecurity, as important as it is with cyberthreats, is an afterthought at best.

It frightens the mind to think about it. Hardware chipsets used in most new products are old with multiple known vulnerabilities. Software integrated into said devices rarely receives any form of in-depth security testing. This equates to potentially tens of thousands, and perhaps hundreds of millions in the near future, of devices being installed into businesses and homes ripe for hijacking, worldwide.

Vulnerabilities, once discovered in a widely distributed service or product line, leave hundreds of thousands of businesses and homes open to view and attack.

But IoT is everywhere: Enterprise and consumer

IoT has encroached the consumer landscape significantly, with footprints:

• At households — In 2018, a smart home is almost commonplace with internet-connected thermostats, door locks, lights, televisions and even refrigerators. People are now able to control home functions and services without actually being physically present on site. For instance, smart refrigerators can now monitor the amount of milk you have and reorder based on usage from a preferred store, automatically.
• On person — Smart watches, fitness devices and wearables that offer biometric measurements such as perspiration levels and heart rate as well as complex measurements such as oxygen in the bloodstream are examples of on-person IoT-connected devices. In healthcare, implanted devices frequently communicate with doctors via reports on health statuses and, in some cases, take actions based on instructions from the medical staff. Unfortunately, this data is subject to return to a central database that is hackable.
• On the go — Consider present-day transportation systems and their utilization of sensors working in combination with GPS. Cars are getting smarter as well, with diagnostic systems and on-board navigation systems.

On the flipside, businesses are beginning to also see the importance of IoT-connected devices in terms of cost-effectiveness, efficiency improvements and newer functionalities. For example:

• RFID tags that enable retailers in monitoring inventory;
• Farms with connected sensors to manage crops and cattle, including the optimization of food, pesticide and fertilizer distribution;
• Driverless trucks that can operate at 24/7 capacity; and
• Infrastructure systems, such as delivery systems, power generation, transportation systems, water systems and more, with IoT-connectedness serving to improve accuracy of control and data.

By now, you realize that the technology activates the creation and sharing of loads of data, making individual devices susceptible to malicious attacks, breaches and misuse. This realization is a must to venture into avenues of IoT security — logic, code and vulnerability assessments to dynamic testing at the development phase itself.

Vulnerabilities in IoT

Gartner expects the number of internet-connected devices to rocket to about 25 billion by 2020. And while it is a step in the positive direction toward improving many lives, the number of security risks associated with the increase in number of devices is also something to look out for. There is cause for concern with regards to privacy as well, with most stakeholders being unaware of the situation.

In recent times, IoT devices have come under immense scrutiny over several vulnerabilities and poor security controls. Here are some of the common problems:

• In most cases, and for several reasons, IoT users tend to approve the collection and storage of data without adequate technical knowledge or information. Think about it — this data lost to or shared with third parties produce a detailed picture of our personal lives. It’s unlikely that this is something users would consider sharing rather casually with strangers on the street. At a digital level? Well, it happens quite naturally.
• There are people deeply plugged into the digital world, and they do prefer sharing data to improve personalization. On the flipside, despite this generosity, these people expect anonymity, at least to a certain level. And anonymity has been a constant issue in the world of IoT, with barely any importance allocated to the same.
• Things can get dangerous with the concept of layered security protocols to manage IoT-related risks ranking at a nascent stage, still. Take the example of smart health devices used to monitor patients today — they could be altered, and it’s all the more severe when you consider that the medicines or treatment involved is decided upon post analysis.
• Automobile devices that are now computer-controlled are at a risk of being hijacked by those with the capacity to gain access to the on-board network for personal gain, mischief or fun.
• Internet appliances such as refrigerators, kitchen appliances, television sets and cameras could be used to monitor people within the confines and apparent safety of their own homes. This is valuable personal data, which when shared with other databases or third-party organizations are prone to being abused.

IoT is not bad, and it is becoming an integral part of our daily lives. At the very least, it is crucial for these devices to undergo thorough testing and establish what could be considered a minimum baseline for IoT security.

All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.