The internet of things (IoT) comprises of the billions of connected devices embedded in our homes, offices and cities, which are constantly collecting, analyzing and transmitting data. Some IoT devices, such as fitness trackers, are present with us everywhere we go. Others we interact with remotely, such as a smart thermostat system. Many are also invisible, operating to modulate traffic flows, industrial control systems and much more.
The opportunities afforded by the IoT are abundantly clear and seemingly limitless, but a major deterrent is the uncertainty around device and network security. Security and the IoT are often not found in the same place. As a result, IoT devices are highly vulnerable to being hacked. In a survey conducted by Bain & Company in 2018, enterprise and industrial customers listed security as the top barrier to IoT adoption. To overcome this challenge, organizations must understand the different types of security vulnerabilities. More importantly, all parties involved in the manufacture of connected devices must build security into not just the products, but the components and the services that the product operates.
Manufacturers have not concerned themselves too much about the cybersecurity of their devices, especially in less expensive equipment. Even as devices have become increasingly connected, it has been more usual to offer security in separate packages, post-production. However, with the rapid proliferation of connected devices, and the prevalence of hacking, security breaches and cyber threats, to avoid major breaches or even public harm, manufacturers of such devices need to ensure cybersecurity is built in from the very beginning. From the outset through to delivery, it should be a fundamental component of every IoT device/system. It is of utmost importance that device security is prioritized as part of the very design of a product, now more than ever.
Somewhere along the line of production, security takes a back seat in order to get an innovative and affordable product out the door. Operating on a low-cost business model with little-to-no margins results in developers overlooking, or just plain ignoring, basic security principles. When they have addressed security at all, they have tended to use amateur technology that minimizes complexity and maximizes convenience for the end user.
Oftentimes, it is not only the end consumer who lacks expertise on the system they are using. The problem is heightened by the fact that many companies are diving into the IoT from other markets and don’t have the expertise to foresee and address even common security pitfalls. As a common example, a thermostat provider decides to add internet capability to its systems. This means that they are now in the IoT business. However, the problem is that they have not been in the networking business previously, and have not had to think about key factors such as building in security features and protecting networked devices from vulnerabilities.
In an ideal world, manufacturers would learn from past mistakes and start developing more secure IoT devices. However, the scramble to innovate and bring a product to market is evident in a fast-paced society. And even if the industry did suddenly strengthen its security game, there’s little it could do for the millions of IoT devices already being used in homes and businesses that are defenseless against increasingly sophisticated attacks.
With that in mind, it is necessary for organizations to have a vast knowledge of security vulnerabilities in order to counteract these attacks. The vast number of IoT connected devices equates to an enormous attack surface. In other words, with more devices come more points of entry; whereby, an unauthorized user can try to enter data, extract data or even gain entry to other devices connected on the same network. In particular, DDoS attacks can be the most harmful. These threats can take advantage of a vulnerable system as a means of targeting organizations, companies and even governments.
DDoS, or distributed denial of service, is a malicious network attack that involves hackers forcing numerous internet-connected devices to send network communication requests to one specific service or website with the intention of overwhelming it with false traffic. Hackers use this method to take control of multiple compromised devices to create a “traffic jam,” preventing necessary information from getting through to its destination. This has the effect of tying up all available resources to deal with these requests, and crashing the web server or distracting it enough that genuine users cannot create a connection between their systems and the server.
One of the biggest DDoS attack was directed at Dyn, a major DNS provider, in October 2016. This attack created disruption for many major sites, including AirBnB, Netflix, PayPal, Visa, Amazon, The New York Times and Reddit. This was done using a malware called Mirai, which creates a botnet out of compromised IoT devices. To create the attack traffic, these compromised devices were all programmed to send requests to a single victim, in this case, Dyn.
Another current threat to IoT devices is network hacks, which occur when devices are compromised via the network to which they are connected. This type of breach enables the hacker to gain control of the device and operate it as he likes. For example, in autonomous vehicles, the hacker might tap into a device in the car, and then it has the power to control its driving and cause an accident.
Solving security problems can often seem like an insurmountable hurdle to overcome, especially for those who lack technical expertise. Unfortunately, because of the lack of any regulation or industry standards and the nature of how IoT devices are developed, security is not always a priority for the developers within these businesses. The IoT is one of the core technologies behind smart homes, self-driving cars, smart utility meters and smart cities, presenting significant market opportunities across all industries. However, it is not safe to use until it’s secure. There is still a lot of work to be done in this area.