Statista projects that there will be 75.4 billion Internet of Things (IoT) connected devices by 2025, a fivefold increase in the number of devices in a 10-year period. IoT devices are connected via the internet - while one can be forgiven for thinking that not every piece of technology can or should be connected in this way, the truth is that the future will see all kinds of devices made ‘smart’.
Griffin already produces a $100 connected toaster which can enable users to adjust temperature and even create presets for different types of bread directly from their mobile phone. The rapid proliferation of such devices raises questions about the safety and security risks that these connected smart gadgets pose.
A toaster may be relatively harmless on its own, but once it connects to the internet it can do more than just burn your toast. As an example, the toaster’s counterpart, a smart fridge, was compromised to send thousands of spam emails without the knowledge of its owners.
Security firm Proofpoint, which caught the errant spamming fridge, found a botnet attack which has the ability to take over devices remotely and send emails. The attack reached 100,000 devices spanning routers, multimedia centres, TVs and that one particular model of fridge.
So, what can we do to protect our IoT devices from this type of attack?
The First Step Is to Diagnose
The US Federal Bureau of Investigation released a public service announcement in 2018 which warned of the dangers of ‘cyber actors’ using IoT devices as proxies for anonymity and the pursuit of malicious cyber activities.
Some of the signs the FBI listed for judging whether an IoT device is compromised are spikes in internet usage (a larger than usual internet bill, for example, may be a symptom), devices that become slow or inoperable, unusual outgoing Domain Name Service (DNS) queries and outgoing traffic, or home or business internet connections slowing down.
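As an added illustration (not part of the original article or the FBI announcement), the sketch below applies two of those indicators, usage spikes and unusual outgoing DNS volume, to per-device daily totals. The CSV layout, the device names and the threshold of five times the device's own median are assumptions made for the example.

```python
import csv
import io
from statistics import median

# Constructed sample data: daily totals per device, as a home router might export them.
SAMPLE_CSV = """device,day,bytes_out,dns_queries
toaster,2024-05-01,120000,40
toaster,2024-05-02,110000,38
toaster,2024-05-03,125000,42
toaster,2024-05-04,118000,41
toaster,2024-05-05,9800000,3900
fridge,2024-05-01,300000,90
fridge,2024-05-02,310000,95
fridge,2024-05-03,295000,88
fridge,2024-05-04,305000,92
fridge,2024-05-05,320000,97
"""

METRICS = ("bytes_out", "dns_queries")

def load_rows(text):
    """Parse the CSV export and convert the metric columns to integers."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        for metric in METRICS:
            row[metric] = int(row[metric])
    return rows

def find_spikes(rows, factor=5.0, min_baseline_days=3):
    """Flag a device-day whose metric exceeds factor x the median of that device's earlier days."""
    history = {}  # device -> earlier, unflagged rows in day order
    alerts = []
    for row in sorted(rows, key=lambda r: (r["device"], r["day"])):
        past = history.setdefault(row["device"], [])
        flagged = False
        if len(past) >= min_baseline_days:  # need some history before judging a day
            for metric in METRICS:
                baseline = median(p[metric] for p in past)
                if baseline > 0 and row[metric] > factor * baseline:
                    alerts.append((row["device"], row["day"], metric, row[metric], baseline))
                    flagged = True
        if not flagged:  # keep anomalous days out of the baseline
            past.append(row)
    return alerts

if __name__ == "__main__":
    for device, day, metric, value, baseline in find_spikes(load_rows(SAMPLE_CSV)):
        print(f"{day} {device}: {metric}={value} (baseline median {baseline})")
```

Comparing each device against its own history matters here: a toaster and a media centre have very different normal traffic, so a single network-wide threshold would miss one or constantly flag the other.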
Binary District Journal spoke with Raj Samani, Chief Scientist at security solutions company McAfee. “The modernisation of critical infrastructure is an area that needs focus to ensure security controls are integrated to mitigate the risk of disruption,” he tells us.
“We have seen the impact when this is not the case, often resulting in the loss of essential services, such as power, to citizens.”
The Raging Concerns About IoT
With the IoT growing around us, the concern is real and not just a product of paranoia. We spoke with Tatsuya Mori, a professor at Waseda University in Tokyo, Japan. He confirmed one area of risk as the IoT develops.
“The most worrying threat to the current IoT is the existence of IoT devices with insufficient security measures,” he says. “For example, many IoT devices such as webcams or IoT toys have been shipped with the weak password configuration. An attacker can easily take over the device by logging into the device from a remote site.”
He also told us that there are as many as hundreds of devices worldwide that are infected with malware and controlled by adversaries. These devices can be used to conduct further attacks in the form of denial of service.
Tatsuya also expressed his concerns about the use of the cloud, as many AI devices rely on it for the core of their ‘intelligent services’. Once the cloud is compromised an attacker can steal sensitive data.
The Firmware Is the Soft Spot
Firmware - the permanent software that is embedded into IoT devices - is the Achilles heel of the IoT universe. While software that runs computers and mobile devices is regularly updated by the companies behind them, IoT devices do not always receive the same love from manufacturers. In fact, some of these devices may not even be updatable at all.
Professor Mori revealed that IoT devices which have been discontinued may not be able to receive updates at all. Since many users are not technologically proficient, the ideal situation would be one in which the device comes with an auto-update feature.
Mori also feels that it is vital that users are informed about the End of Life (EOL) of their products, a significant step in them becoming more knowledgeable about the potential risks to the device in the future.
In fact, it could be argued that it is crucial that the IoT industry establishes some sort of universal standards when it comes to updates. This would allow for the rollout of updates irrespective of the device’s manufacturer.
It would also free consumers from having to update their devices themselves, as the process could be widely automated. The update process would work almost as it does in the case of mobiles and laptops, wherein the device connects to an update server, downloads the relevant update, authenticates it and then proceeds to install it, largely by itself.
Security Concerns Have Become Obstacles in Development
Security concerns surrounding IoT devices are so strong that they have become an impediment to the development of IoT as a whole.
We asked Gareth Davies, Director of Public Relations at the GSM Association, his thoughts on the impact on development.
“Today we see that the majority of IoT services do not make it past the ‘proof of concept’ stage because of security concerns – with organisations not prepared to take the liability for services that may be insecure and could lead to brand damage and fines (through GDPR rules etc),” he tells us.
“There are also many examples of IoT services that have been commercialised that have major security issues – you only have to look at all the press stories which appear on almost a daily basis. So today security is a major barrier to the commercialization of IoT services.”
Another big issue is that of privacy. IoT devices pose a number of privacy-related issues such as user identification, user tracking, profiling and utility monitoring and controlling. Since a lot of IoT devices are designed in a particular way, for example, to be in ‘sleep mode’ while not being used, the efforts to secure them are more complicated.
With respect to privacy, Samani says, “I would suggest the most important element is establishing a level of understanding from consumers on the privacy implications of buying connected devices for the home. For example, digital assistants are an excellent technology, but it is imperative that consumers are aware of their ‘always on’ nature.”
Industry Leaders on IoT Security Risk Mitigation
While all risks related to IoT may not be eliminated, there are things that we can do to ensure that we do not end up becoming victims of our own technological innovations. This means developing a security mindset.
It is essential to recognise that connecting previously unconnected devices to a network has its own hazards, and that new kinds of devices may bring new vulnerabilities.
“The reason security is a barrier to market adoption of IoT services is down to a mix of lack of expertise, lack of scalable solutions and lack of cost-effective solutions that fit with the lean commercial models associated with many IoT services,” Davies says.
“To address these points the GSMA promotes a harmonised industry approach to address IoT security issues via the use of the common recommendations contained within our very comprehensive set of IoT security guidelines. We also promote the use of ‘self-assessment’ using our IoT security assessment. The success of the GSMA IoT security guidelines can be seen from the fact they are being referenced by most global standards organisations, including ETSI, ENISA and NIST.”
McAfee, too, has an ‘Advanced Threat Research Team’ which conducts a significant body of analysis of the security and privacy implications of devices like cars, medical equipment and even padlocks. They also have the McAfee Security Home Platform, which is focused on home networks and can automatically secure connected devices through a router.
IoT Security is Being Addressed
IoT devices are unique in the sense that they are ordinary daily objects and so their need for effective security measures might not be immediately obvious, but steps are being taken to minimise risk.
Professor Mori revealed that efforts are already underway in Japan to address the concerns regarding the security of IoT devices: the Japanese Ministry of Internal Affairs and Communications and the National Institute of Information and Communications Technology (NICT), in cooperation with internet service providers, have launched an initiative called NOTICE, or National Operation Towards IoT Clean Environment.
“This initiative aims to investigate IoT devices that could be used for cyber attacks and alert users of those devices,” he tells us. “On the basis of their survey, we may be able to take effective actions toward mitigating various threats.”
This is just as well, because as we make strides towards the connected era, we are also taking the first steps towards ensuring our toasters don’t end up spying on us.
Just as domestic utilities are becoming connected, so are the toys that children play with. Naturally, because the target audience is children, manufacturers have to be extra careful to ensure that their products cannot be hijacked by adversaries and potentially put young people at risk.
One example of poor practice came as far back as 2015. The Hello Barbie doll, which was internet-enabled through the use of unsecured Wi-Fi networks, would automatically connect to networks broadcasting the network name ‘Barbie’. Obviously, this is something an attacker could very easily replicate themselves and thus gain direct communication with the child using the product. The same applied to a host of other toys, which were uncovered by a British watchdog in 2017.
If they can gain access to the toy through insubstantial security measures, attackers can not only communicate with the user directly but can also use the toys to place orders through a nearby Amazon Echo, for example. Toys are a good example to highlight just how sweeping IoT security measures need to be before numerous devices in the home are given online access.
Illustrations by Kseniya Forbender