It goes without saying that cybersecurity is a serious concern, especially as internet and online services become more ingrained in our lives. Since the advent of the Internet of Things (IoT), the number of connected devices in our homes, offices and on our person has been growing at a fast pace. Connected devices already outnumber human beings, and continue to propagate at a chaotic pace across many fields, including healthcare, home appliances, industrial control systems (ICS) and vehicles.
The rise of IoT brings huge advantages to businesses, consumers, government agencies and researchers in different sectors. Energy savings, better customer service, enhanced health data, improved vehicle performance and accurate crash analysis are just some of the benefits of IoT technology.
But the benefits it brings to malicious hackers and cybercriminals are enormous as well, and the IoT security nightmare has already become a cause of serious concern. In this post, I will explain how IoT security is different from the traditional cybersecurity we’ve all come to know and love (or loathe, if you like), and why it should be taken more seriously.
IoT devices generate a lot of data. Some of this data, such as health-related information, is quite confidential and intimate, and is subject to laws and regulations such as HIPAA. Others, such as data generated by your connected toaster or light bulb, might not be very sensitive per se, but when combined with data from your smart lock, smart fridge, motion sensors… it can give away much about your life patterns and habits.
Moreover, the storage and distribution of the generated data is the subject of much debate. For most devices, the data is stored on cloud servers, and is later used by service providers to make assumptions about user interaction with devices and make decisions that will improve user experience (or at least that’s what they say).
However, regulations that are in place pertaining to the boundaries of ownership of data are not nearly enough to address the issues we’re facing with the explosion of data generation and consumption. What kind of data can vendors collect exactly (does anyone remember the connected TVs that spy on users or Hello Barbie dolls that record children’s interactions)? How much authority do vendors have over the data they collect from their consumers? Whom can they share it with? How long can they store it? What are the encryption and storage protection laws that apply to IoT data? These are just some of the questions tech experts and legislators will have to deal with very soon.
And the inconsistencies in data privacy rules across different countries only add dimensions to the IoT privacy Rubik’s Cube.
Network security issues
A considerable percentage of IoT devices lack proper means to protect themselves against network breaches. In some cases, this can be critical, such as a smart lock that is remotely compromised and unlocked by a malicious actor, or vulnerable baby monitors that allow hackers to pick up a live feed of your children. In other cases, such as smart sensors or connected kettles, it might not be a big deal, you might argue.
Or is it?
Cyber criminals usually grab at every opportunity to exploit a vulnerability. And as far as they’re concerned, IoT security issues aren’t a “let me hack your light bulb and turn it on and off at my own will” situation (though I do admit that such an occurrence would be annoying) but rather an “I’ll compromise your light bulb and gain access to your network” opportunity. See where it’s leading?
The problem is that each new connected device can become a path into the network, which we call an “attack vector” in cybersecurity jargon. Compromised devices can become beachheads for more serious attacks, allowing hackers to move laterally across the network and gain access to more critical information and devices. Smart kettles that give away Wi-Fi passwords and smart fridges that give away Gmail credentials are testament to the case.
Of special concern are smart homes, which are lacking the IT security infrastructure that organizations and tech firms are equipped with, house some of the most vulnerable devices, and can become attractive targets for malicious actors.
IoT security issues go beyond simple data theft, network manipulation hacks, and financial losses. In many cases, they have to do with the health and safety of real human beings or the functionality of critical infrastructure that affects the lives of thousands and millions of people. Smart rifles that can be hacked to designate new targets remotely, drug infusion pumps that can be compromised to harm – or kill – the patient through dosage change, cars that can be shut down remotely while driving at 70 mph, and entire power grids that can be brought offline are just some of the cases that have surfaced in the past year.
The IoT is now responsible for many critical functionalities in the home, office and across the entire metropolitan life. And with the forecasts made by Gartner, it will only grow larger and more prominent in the coming years. It can easily run out of control and pave the way for a new wave of totally different acts of terrorism and felony. Just think about the spooky opportunities that’ll arise when driverless cars become mainstream. Remote abductions and car crashes are two things that come to mind. I don’t know about you, but it gives me the shivers.
As we approach singularity, more and more of our identities are being digitized and sent into the cloud, thanks in large part to IoT. IoT is the future, and it is one of the biggest things that has happened in the history of the internet. We have to prepare ourselves for the worst if we want to take advantage of the best. Taking IoT security seriously will be an important factor in this regard.