IoT privacy and security concerns

There is a famous hacking story that’s become something of an urban legend in the cyber security industry – about a casino that had its IT network infiltrated via an internet-connected fish tank. It’s said that the tank’s IoT thermometer was used to access the casino’s entire system and extract data on its clientele.

It’s a rather extreme example of what could happen, but serves to highlight an important point – if you connect a device to the internet, regardless of how innocuous it might seem, it can be turned into an open door for cyber criminals.

The rapid increase of the Internet of Things (IoT) includes smartphone-controlled coffee machine, office lights linked to Wi-Fi and even connected fish tanks. But each new thing seems to come with a hackable flaw or a route into a user’s wider network. This has led to calls for security to be made part of the design – ‘secure by design’ – and for stronger passwords rather than easy default options.

Another issue is privacy, particularly with devices that have audio and recording capabilities. Your Amazon Echo can do many amazing things, but ‘Alexa’ can also be ‘woken’ by mistake. There have been a number of reports where the device has ‘listened’ to its users without their knowledge; in one US court, a recording from an Alexa-based device was used in a homicide case. There are also concerns around Amazon employees listening to Alexa recordings to improve the quality of the service.

While the hacking stories keep surfacing – with some even becoming legend – there is no sign that the IoT industry is slowing down. More and more everyday things are getting internet access and its business use is also going up. So what can you do to keep your internet ecosystem safe?

A clear and present threat

It would be foolish to think that internet-connected thermostats or other smart devices do not pose a security threat for organisations, particularly at a time where employees are predominantly working from home. The shift to mass remote working has meant that the average “office” is now full of more internet-connected devices than ever, from AI-powered smart speakers and video doorbells to phone-controlled light bulbs and robot vacuums.

With employees using their home Wi-Fi network to log onto work devices and carry out vulnerable devices, having IoT devices on the same network could be putting corporate networks at risk.

That’s largely because there has been a lack of security-first thinking when developing IoT products. Take Mirai for example, a malware that used vulnerable internet-connected devices, such as IP cameras and home routers, to create a botnet that launched a DDoS attack against DNS provider Dyn. This caused large swathes of the internet, including Amazon, Slack and Visa, become unavailable across Europe and North America in October 2016.

These IoT-based threats have increased since, and research from Dutch software firm Irdeto found that these attacks cost UK businesses £244,000 on average in 2018.

Daft defaults

Most IoT vendors don’t put security at the front and centre of development. Unfortunately, a lot of vendors and the technology industry pass the blame onto users for not making enough efforts to secure devices by changing passwords from their defaults. Sometimes the manufacturers get the security fundamentals seriously wrong by hard-coding easy-to-guess passwords into devices.

Admittedly, users don’t change default passwords to something more difficult to guess, but why shouldn’t manufacturers offer difficult-to-hack, unique default password instead?

Users can all too easily be blamed for not updating systems with the latest patches, but these updates aren’t that frequent and only arrive after a device has already been hacked.

IoT devices are made to be easy to use and in a lot of cases, security is developed by those who don’t possess any reasonable degree of security knowledge instead of these devices being developed alongside security professionals that understand the consequences of bad security.

Added to that, the IoT industry is in no way standardised or regulated, meaning it’s all a bit of a confusing mess for end users. That might change with the government’s bid to encourage IoT device makers to take a privacy-by-design approach to building products, something that government might seek to make law if device makers don’t heed the advice.

Enterprise attack surface evolution

It’s clear something has gone wrong in the tech world when your users become the network perimeter, given the role of blocking threats from infiltrating any further into the network.

IoT devices open up the network to a much wider spread of risk, serving as even more endpoints that need to be secured, while also diluting the resource put aside for the regular, legacy definition of threat protection.

The smart flip-flop

Given what you cannot do to prevent IoT device compromise, what’s the flip-side? It’s not quite as much of a ‘length of string’ exercise as the almost infinite variety of devices we are talking about might suggest. And talking of which, that ‘built by bean counter’ accusation we made earlier will, in fact, is already starting to fall away as vendors see the market opportunity in delivering a secure product.

Expect network segmentation and device-to-device authentication (if not any meaningfully strong data encryption) to sit high in IoT device feature lists.

An eye on the future

Whatever the future brings you must not lose sight, or site for that matter, of these devices. You need to know what devices you have, what they connect with and how they do it.

Visibility is key to securing the IoT as far as it touches your enterprise, and these touch-points are where attackers will be probing for weakness to bridge the gap between device and enterprise infrastructure.