IoT Security: The Internet of Threats?
With billions of connected devices, IoT will deliver a new data-rich environment. However, will this new space be safe and secure?
According to the latest estimate from Ericsson, by 2024 there will be 22 billion connected devices in the world. From sensors on public transport to intelligent devices in our homes, IoT looks set to change our world out of all recognition. With so many smart and connected devices, IoT security is vital.
IoT security will have to take many forms: Within Industry 4.0, cyber threats that could take many forms must be mitigated with a layered approach to security. In the built environment, IoT security is paramount. Autonomous vehicles must be protected from potential hacking. And in the home, the security of connected devices is critical to protect the personal data that is collected by these appliances.
John Stock, Network Security Product Manager at Outpost24, told Silicon: “IoT has become a little bit of a ‘one size fits all’ umbrella. If it’s a piece of hardware that has a phone app, and the Internet is involved somewhere, it automatically comes under the IoT banner. The problem is not all IoT devices and platforms are equal.
“A good example is the security systems. Some of the most well-known devices, from recognisable brands, offer a good level of security and good expectations of privacy. However, some of the cheaper offerings from online retailers can offer little in the way of security or privacy and, have even been known to have malware pre-installed.”
Security and privacy go hand-in-hand in the world of IoT. Instead of being separated, these two essential components of trust must be integrated across all IoT devices and the networks they create.
IoT Security
CTOs and CIOs developing IoT devices are being urged to place security at the bedrock of all they do. However, the rush to create and deploy IoT devices could mean high levels of security is present. However, the security in use may not be integral enough to allow IoT devices to update their security protocols, as the threat level evolves around them.
Says the GSMA: “Many IoT devices are designed to have low power consumption, to be low complexity and low cost. To have a long lifecycle duration and to operate outdoors. Low-cost IoT devices may have limited cryptographic capability, small memory and constrained operating systems. The result is that the device may be unable to perform ‘internet-grade’ cryptography or contain ‘secure hardware’ and, they could be subject to physical or localised attack which could compromise the security and privacy of data stored in them.”
Gartner supports this. To protect the expanded threat surface that IoT presents requires security to operate on several levels: “IoT security is cited as the top barrier to IoT success, as the explosion of varying types of IoT endpoints creates an attack surface that has never before seen. IoT-security-related technology disruptions have been broad in their scope. They can be broken down into the following security methods: Asset discovery, profiling and tracking Authentication, network-based protection, secure software development and visibility through monitoring, detection and response.”
IoT in the home requires a different approach to IoT in the built environment or within the manufacturing space. The Avast research found that two out of five (40.8%) digital homes worldwide contain at least one device that is vulnerable to cyberattacks. Out of these, 69.2% are vulnerable due to weak credentials, and 31.4% due to software vulnerabilities.
Avast also points out: “When it comes to smart household devices, the top of the overall most prevalent vulnerable devices worldwide are printers. Printers have been in homes for many years, perhaps causing users to forget that they pose a threat to the network, or perhaps used less than before and so are less likely to be maintained.”
Gerhard Zehethofer, Vice President for IoT at digital identity experts, ForgeRock also pointed out to Silicon: “You don’t have to sacrifice user experience in exchange for strong security; you can have both. The latest identity and authentication technologies are incredibly smart and introduce friction only where needed or desired. Friction in the form of requesting additional credentials or giving only limited or no access will be triggered through implausible user activities. Otherwise, as users work through their daily routine, they’ll have little to no friction when interacting on or accessing their devices – having both seamless user experience and strong security.”
And if your business is developing IoT devices at the moment, is your business sacrificing security for speed to market? Tony Cole, Chief Technology Officer at Attivo Networks, thinks not and explained to Silicon his thinking:
“This will be a growing area of focus for adversaries as more and more IoT devices become pervasive in enterprise and consumer environments. Adding to this issue will be the likely advent of inexpensive 5G modem chips being added to many IoT devices as the 5G services become ubiquitous in most major areas of the developed world which means many enterprises will have minimal perimeter controls. In 2014 I spent the better part of a year on an appointment by President Obama studying the impact of IoT devices on US National Security, and it was eye-opening for sure. Sadly, little has been done since then to take action ahead of the rapid adoption of IoT. IDC now says that over $1 Trillion US dollars will be spent on IoT by 2022.”
Security by design
For businesses, high levels of security across the IoT devices they develop will become a significant differentiator across their markets. This is one of the key findings from the recent report issued by Consumers International and the Internet Society.
“Given the level of concern amongst owners and non-owners, companies could use this as a way to stand out from the crowd and build trust with current and future customers and create a more secure consumer IoT environment,” the report confirms. “If we take into account how much focus manufacturers and retailers place on the price of a connected product as a way to influence consumers’ purchasing behaviour, it is clear from our research that good privacy and security standards in an IoT device could be an equally important selling point and competitive differentiator.”
Jake Moore, Cyber Security Specialist at ESET also told Silicon that IoT security shouldn’t become intrusive: “Security built into devices shouldn’t require anyone to have a degree in computer science to operate them and set them up. Learning on the device about multi-factor authentication without the need for an instruction manual is the best way to assure protection. Also, it will teach the user about the basics of cybersecurity. Ensuring that the device can’t be used without a one-time code that has been sent to a phone shouldn’t be seen as an inconvenience, but rather an essential security measure. Security is in no way incompatible with an easy experience for the user.”
One of the defining aspects of IoT is the masses of data these devices collect. Much of this data will be personalised to users. In this scenario, are users relinquishing some control and privacy to gain the benefits IoT delivers?
Says Bharat Mistry, Principal Security Strategist at Trend Micro: “Data is the lifeblood of any IoT strategy – it’s what enables these devices to be intelligent, after all. While different generations have different sentiments towards sharing their data – for example, Generation X will likely value their privacy more than Centennials and Generation Z, who are much more likely to exchange their data for an experience given the environment they’ve grown up in. However, as privacy increasingly becomes expected, the onus will be on all players in the IoT chain – from hardware manufacturers to software developers – to ensure that security and protection of customer data is a standard.”
Businesses developing applications or devices for the expanding IoT marketplace must place security at the centre of all they do. As Avast concluded: “The reality is that many smart devices can be compromised, including thermostats, streaming boxes, webcams and digital personal assistants – and consumers and small businesses are among the most vulnerable users. Our research shows how many devices are vulnerable to attack, either because they use weak access credentials, or due to outdated firmware, especially where (in some cases) patches aren’t even available.”
The IoT market is about to explode. As the influence IoT will have on a myriad of industries will be profound, paying close attention to security and privacy is paramount. As environments become intelligent, the data they collect will also become more personal, especially in the home. Whether IoT is in a factory, the street or a living room, trust in its security can’t be overstated.
Silicon in Focus
Camilla Winlo, Director of Consultancy at DQM GRC.
Camilla Winlo is Director of Consultancy Services at DQM GRC and has almost a decade of experience in commercialising regulatory change. This includes her part in a leadership team that both developed and launched three new to the market financial services businesses.
As IoT and 5G continue to evolve rapidly, is enough attention being paid to privacy and security?
One of the significant challenges with IoT and 5G devices is that manufacturing typically takes place outside of the EU and often happens in countries with different attitudes towards privacy and security. It is also a nascent field, where companies producing these devices are still developing their use cases and functionality. This combination of situations has led to several privacy scandals and regulatory action.
Amazon is currently being investigated for its use of human reviewers to assess Alexa’s voice assistant recordings and responses. Users were not informed that other people would be listening to their voice recordings, and Amazon did not offer an opt-out option until August this year. The organisation is also subject to a US lawsuit alleging that it has been recording children without consent.
Google included a microphone in its Nest home security devices without advising customers that it was there until it announced that those devices were now compatible with the Home Assistant voice control.
These are large organisations with enough resource to enable them to consider and manage security risks. However, many IoT devices are made by smaller companies. The researchers at the University of California managed to hack into a children’s toy called the CogniToys Dino. The hack could have enabled them to speak directly to a child and receive the child’s voice recordings, and with sensitive personal information. The same researchers also managed to gain access to and control IoT vibrators called Vibease and OhMiBod. In 2017, a casino was hacked via its IoT-enabled fish tank!
5G concerns have typically focused on the threat of nation-state actors using hardware to access or stop traffic over the 5G network. In particular, there have been well-publicised concerns about the use of Chinese hardware for this. Nation-state espionage has been going on for as long as there have been nation-states, but the potential for internet blackouts is new.
We have seen many recent instances of nations removing access to the internet in times of crisis, including Sudan, Iraq, Egypt, Algeria, Ethiopia, Myanmar, Zimbabwe and many more. These blackouts have huge effects, and the idea that a third country could impose one at a time of crisis is a potent threat.
The UK is a liberal country, but many are not. Individuals in progressive countries are free to express views and follow lifestyles that would get them imprisoned or executed in other countries. Privacy is therefore of critical importance to those individuals, especially at a time when the pendulum seems to be swinging towards more populist and conservative world leaders.
From a developer’s point of view, how are privacy and security being built into services and devices?
Privacy engineering is an emerging field, and companies are taking the technical requirements of privacy far more seriously. However, privacy engineers cannot be held solely responsible for ensuring that devices are secure. All teams involved in innovation and lifecycle management should be trained in the principles of Privacy by Design, as well as learning how each team contributes to the overall security of the product.
As the IoT ecosystem evolves and expands, will new levels of security and privacy provisions be needed?
Security and privacy requirements do not standstill. Organisations involved in IoT must have a continuous improvement programme in place to ensure that products continue to have appropriate security and privacy provisions throughout their lifecycle. It remains disappointingly common for launched products to be somewhat neglected in favour of new developments, and we would encourage any IoT company to consider Privacy and Security as Services that should be continually maintained. The newly launched ISO 27701 standard is a great place for companies to start when considering how to do this in practice.
These are the 5 top things IoT companies should be doing to protect their users’ privacy:
- Train your staff – together
All employees must understand how their roles can impact privacy and how their decisions and actions affect the choices and actions available to other teams. Running practical Privacy by Design workshops where a broad spectrum of roles is represented is the best way to achieve this. - Bake privacy right in from the start
Data Protection and Privacy Impact Assessments should be treated as critical success factors – not as tick-box exercises which are completed at the end of a project. When these are done well, they have a significant impact on project delivery and substantially decrease the amount of fire-fighting that needs to take place before the launch. - Include privacy in testing
Penetration testing should already be a standard part of any testing process, but privacy is a new consideration for many organisations. Tests should include Data Subject Rights Requests, process limitation (the ability to stop any data that’s been collected from subsequently being used in unlawful ways) and data erasure. - Talk to customers!
The privacy should be a part of market research. Organisations need to understand the consumer expectations of how the product will use their data, and then build this into processing choices and communications plans. Organisations should also consider publishing a consumer-friendly version of data protection and privacy assessments. - Continuously review and improve
Ensure that products, policies and procedures are regularly reviewed and updated, that risk assessment is frequently revised as a result of this, and that action is taken where appropriate.