The Mirai botnet that took down the domain name system provider Dyn in a massive distributed denial of service attack last fall awakened the world to the vulnerability of Internet of Things devices.
Increasingly, businesses that adopt IoT devices must contend with a wide variety of new and emerging security threats, beyond devices with weak passwords that get hacked and turned into botnets.
The size and scope of the threat will only grow as the number of connected devices in use skyrockets. Gartner forecasts that 8.4 billion connected things will be in use worldwide in 2017, up 31 percent from 2016, and will reach 20.4 billion by 2020.
New potential threats include manipulating connected vehicles in fleets or delivery services, locking and encrypting IoT devices via ransomware, using connected devices to carry out attacks and more.
Security technologist Bruce Schneier recently told Linux.com that IoT “is fundamentally changing how computers get incorporated into our lives.”
“Through the sensors, we’re giving the Internet eyes and ears. Through the actuators, we’re giving the Internet hands and feet. Through the processing — mostly in the cloud — we’re giving the Internet a brain. Together, we’re creating an Internet that senses, thinks, and acts. This is the classic definition of a robot, and I contend that we're building a world-sized robot without even realizing it.”
The IT world has a great deal of experience with traditional digital security and privacy threats. “The new ones revolve around an Internet that can affect the world in a direct physical manner, and can do so autonomously,” Schneier notes in his Linux.com interview. “This is not something we've experienced before.”
CIO ran through some of the next-generation IoT threats likely to pop up in the next few years. Some are applicable to the consumer world, and some will definitely impact the business market.
If businesses use connected vehicles with sensors that link to cellular or Wi-Fi networks to monitor and control engine functions and entertainment systems, those vehicles may be vulnerable to attacks that take control of the vehicle or cause it to crash. Autonomous vehicles are likely to be at greater risk for this.
Also, businesses that use IoT sensors to lock doors and windows or secure access to sensitive materials need to make sure their physical security remains as tight as it was before a digital component is added.
Connected devices inside businesses may also be “bricked” and locked, as thieves encrypt data and hold it for ransom. Such devices, if they have weak passwords (or default passwords that have not been reset) can also be easily hacked and used — as the Mirai attack showed — to form botnets that direct massive amounts of traffic against unsuspecting targets and cause their services to shut down.
Given these threats, what can be done to protect your business? And what is the state of IoT security today?
According to a recent AT&T Cybersecurity Insights Report, which surveyed more than 5,000 enterprises around the world, 85 percent of respondents are considering, exploring or implementing an IoT strategy. However, just 10 percent say they are fully confident that their connected devices are secure, and only 12 percent are highly confident about the security of their business partners’ connected devices.
Sanjay Khatri, director of product marketing for IoT Services at Cisco Jasper, says that “delivering IoT services takes a village,” and that a whole constellation of players should be responsible for securing the IoT ecosystem. Writing in Tech Target, he notes that device makers themselves have a huge role to play in that “security at the device layer is mission critical as it impacts so many other parts of the overall solution.”
Application developers, network providers, cloud service providers and security firms also have a role to play, Khatri says, as do the companies using IoT devices. “The organization deploying connected devices needs security protocols to protect not only the data transmitted to and from devices, but also to safeguard their IT infrastructure interacting with and managing the devices,” he says.
Dwight Davis, an independent writer, researcher and consultant who has analyzed computer and communications industry trends for more than 35 years, says that businesses should start by “identifying the devices deployed, their locations, the types of data they generate, the equipment they may control and the networks over which they communicate.”
In a CSO blog post sponsored by AT&T, Davis notes that companies must then “contemplate worst-case scenarios for data or device compromises, so you can develop security protections commensurate with the potential risks.”
In what is becoming a common assessment, Davis writes that “far too many IoT devices ship and are installed with easy-to-identify default passwords” and that “in addition to creating unique and strong passwords for each device, IoT devices should have software/firmware updating capabilities, a system reset option to return to original factory settings and no backdoor entry points.”
“They also should restrict their activities and communications to those functions that directly relate to their core role,” he adds.
IoT security needs to be created and understood at all levels of a business, Davis notes. “As with all cybersecurity initiatives, IoT protections should be developed by cross-functional teams that include IT and security professionals, business unit managers and C-suite executives,” he says. “Beyond device and network protections, IoT security plans must include incident response blueprints and other relevant information, such as legal and regulatory requirements that may apply.”
The threat from IoT devices is not going away. But businesses can do a lot to shore up their defenses ahead of an attack.