The explosion in the amount of data created over the last decade or so has opened up endless possibilities for analysis, and given rise to a new economy entirely. The challenge quickly became less about how best to collect data, and more about how to make sense of the deluge.
Even so, we are set for a second major boom in the amount of available data for collection and analysis, stemming from a web of interconnected devices all producing their own data points - the Internet of Things (IoT).
The concept of making ‘dumb’ objects like fridges or eyeglasses ‘smart’ has lingered in the public consciousness for decades, the automated home being a feature of countless science fiction movies dating back as early as the 60s.
It is now close to becoming a reality, not only in the home but also in the workplace, the supply chain, in urban centres and elsewhere. Connected devices that transmit data are expected to profoundly change not only how we live our personal lives but how our environments are managed.
What all this data represents to some, though, is an opportunity for large-scale theft and disruption.
Anything that is connected to the internet can be hacked. The obvious problem that comes with an extensive connected web of devices is that there are a phenomenal number of potential security weaknesses.
The lengths people go to in order to protect their smartphones or their laptops from malware corruption are extensive, but doing so with every connected device on a projected IoT network would be difficult. This can lead to large-scale, costly DDoS attacks.
Attacks are Varied and Large-Scale
The largest attack of this kind happened in 2016, when the Mirai botnet took down large portions of the internet, including Twitter, the Guardian, Reddit, Netflix and CNN.
Computers infected with malware called Mirai would search the internet for vulnerable devices and, using known default usernames and passwords to log in, would infect them with malware.
The devices, which were things like digital cameras and DVR players, were then able to be used as a botnet army through which to launch a large-scale DDoS attack.
Another smaller-scale but perhaps more sinister form of attack involved children’s toy manufacturer VTech losing millions of chat logs, videos and pictures of children using its connected devices.
Security expert Troy Hunt alleged that it would be misleading to describe the attack as being “sophisticated”, which further highlights the need for those building connected ecosystems to commit to making their systems as watertight as possible before bringing them to market.
The weaknesses inherent in some IoT networks are such that the Japanese government hacked its own citizens to alert them to the dangers. The exercise began on February 20, when Japanese officials probed 200 million IP addresses tied to the country and highlighted those with little or no security in place.
According to the Ministry of Internal Affairs and Communications, two-thirds of cyber attacks that took place in Japan in 2016 targeted IoT devices. The exercise was carried out as part of the security preparations for the 2020 Tokyo Olympics, fearing that an IoT attack could significantly disrupt the games.
Backdoor After Backdoor
To get a better idea of the extent of the problem, BDJ spoke with Terry Dunlap, co-founder of IoT security company ReFirm Labs. Terry was working on firmware security before the term IoT had been coined, having previously worked as a global network vulnerability analyst for the NSA.
We asked just how vulnerable IoT networks are to hackers. “Very,” Terry says.
“We have research and customer data to demonstrate that the firmware running the vast majority of the world's IoT devices suffers from a number of attack vectors that (1) could easily be fixed and (2) for some reason make it through the QA process right into production.
“The most common attack vector that is stupid simple for manufacturers to fix is hardcoded user names and passwords. Far too often we see products ship with backdoor accounts used by engineers for remote testing purposes. In a basic QA process, these accounts should be removed before hitting the production line. But they're not for whatever reason.
“We have, on occasion, discovered malicious backdoor access purposely implanted by the manufacturer or the manufacturer's government. We've helped a couple Fortune 500 companies find these malicious backdoors before serious harm could occur, like intellectual property theft.”
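An added example, not from the article or the company it quotes: a minimal build-time check of the kind the QA step described above could run, listing accounts in an unpacked firmware root filesystem that can log in with a password that is empty or fixed in the image. The passwd and shadow contents are constructed sample data, and the function names are illustrative.

```python
# Added example: list accounts in an unpacked firmware root filesystem that
# can log in with a credential fixed at build time. Sample data is constructed.

NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:*:1:1:daemon:/:/bin/false
factory:x:0:0:test:/:/bin/sh
support::500:500:remote support:/tmp:/bin/ash
www:x:33:33:web:/var/www:/sbin/nologin
"""
SAMPLE_SHADOW = """\
root:!:17000:0:99999:7:::
factory:$1$CONSTRUC$notarealhashvalue000000:17000:0:99999:7:::
www:*:17000:0:99999:7:::
"""

def parse_colon_file(text):
    """Split passwd/shadow text into field lists, skipping blanks and comments."""
    return [line.split(":") for line in text.splitlines()
            if line.strip() and not line.startswith("#")]

def password_state(field):
    """Classify a password field: 'empty', 'locked' or 'set'."""
    if field == "":
        return "empty"   # login needs no password at all
    if field[0] in "!*":
        return "locked"  # no password can match
    return "set"         # a fixed hash ships in every unit

def audit_accounts(passwd_text, shadow_text):
    """Return (user, uid, state) for each account with a login shell and a
    password that is empty or fixed in the image."""
    shadow = {f[0]: f[1] for f in parse_colon_file(shadow_text) if len(f) > 1}
    findings = []
    for f in parse_colon_file(passwd_text):
        if len(f) < 7 or not f[2].isdigit() or f[6] in NOLOGIN_SHELLS:
            continue
        user, pw = f[0], f[1]
        # "x" means the real field is in shadow; a missing entry cannot log in
        state = password_state(shadow.get(user, "*") if pw == "x" else pw)
        if state != "locked":
            findings.append((user, int(f[2]), state))
    return findings

if __name__ == "__main__":
    for user, uid, state in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{user}: uid {uid}, password {state}")
```

Run against the real etc/passwd and etc/shadow of each release image, a non-empty result is a reason to fail the build until the account is removed or locked.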
Given the scale of the problem, it’s little surprise that the market for IoT security is projected to be worth $9.88 million by 2025, with a CAGR of 29.7%.
This figure comes from a September study by Grand View Research, which found that government efforts to implement stringent IoT regulations in industries like healthcare will stimulate the market’s growth.
The report found that growth could be greater if awareness of the benefits and availability of IoT security solutions was higher. It also found that high installation costs, lack of expertise, low budgets and fears of regulatory compliance are other major stumbling blocks in the market’s growth.
Edge Computing Adds Further Vulnerabilities
The smarter the connected devices in an IoT network become, the greater the potential for hacking becomes.
When the computing power is spread out among an IoT system and pushed to the extremes of the network, the access points become more remote and more easily isolated.
We asked Terry what impact he expects edge computing to have on the state of cybersecurity. “It depends on how many of the edge nodes are actually IoT devices,” he says. “In the cases of our Fortune 500 customers, insecure firmware of these edge IoT devices could have allowed infiltration by foreign powers into the companies' main networks.
“In other cases where the edge devices are monitoring activity like sensors, attackers could trick the sensors into sending bogus data which could cause a specific reaction that normally would not occur: opening/closing valves at an inopportune time, shutting down or speeding up systems, etc.”
Tighter Checks are Now Needed
The extent of the security risk posed by developing IoT is such that any business looking to interact with it (and most will) will be in need of a company like Terry’s to ensure their security.
Just as with online security for businesses as it exists today, the average company will outsource its defence to a third-party.
It is certainly up to those building IoT technology to ensure that their products are robust, but any company serious about its security will look to put its own checks in place before it employs a new piece of technology anywhere along its supply chain.
We asked Terry which area of IoT security is going to be the most important going forward: “Firmware analysis,” he says.
“While it's a relatively new field, manufacturers need to begin testing the firmware they develop in-house or outsource via their supply chain, to vet, validate, and then continuously monitor the security of the firmware on their devices. Gone are the days when you could simply do blackbox testing or penetration testing one time against these devices.
“You now need to consider a deep analysis of the firmware in addition to current testing methodologies. As former offensive cyber operators for the US National Security Agency, firmware was the attack vector of choice for nation-state actors. Now the traditional hacking community has picked up on it in recent years. So firmware analysis will be key for IoT device security now and into the future.”
The range of IoT hacks is not limited to nefarious actors trying to steal your personal data - pranks are also fairly common. One family in California were the targets of such an attack earlier this year, when hackers hijacked their Nest security camera. As a change from the ordinary notifications about delivery men approaching the front door, the hackers issued a fake emergency broadcast warning of an impending nuclear attack from North Korea.
The homeowner described what ensued as “five minutes of sheer terror and another 30 minutes trying to figure out what was going on.” This included checking news outlets both on the television and on their smartphones. When the company was contacted about the hack, it insisted it had not been breached and that the attack had instead been a targeted one, carried out by gaining access to the family’s password. This needless but amusing prank could cause havoc if demonstrated on a wider scale, though, given the power of misinformation in the current political climate. Not all hackers want your data; some just want to mess with you.
Illustrations by Kseniya Forbender
To contact the editor responsible for this story:
Margarita Khartanovich at [email protected]