The Internet of Things (IoT) is a network of physical devices like a refrigerator, vehicles, buildings, medical devices or other items which are capable of collecting and exchanging data. These small data collectors help to improve our everyday life and will change the way of businesses, governments, and consumers’ interaction with the physical world.
Application of IoT can be done in a thermostat, a pacemaker, a vehicle which has sensors to alert the driver or people. Here the relationship occurs between people & people, things & things, people & things.
IoT is increasing at an exponential rate and is creating a new world where any equipment can be connected and can be communicated each other and can also collect and share simple data to produce usable intelligence.
However, this also means that more personal information and business data are being shared on the networks and more devices can act as potential weak points and loopholes in the network ecosystem. This also offers potential targets for exploitation by cyber criminals. Currently, there are more devices connected to the internet than people and offers a wider attack surface for hackers.
The problem of the hour is that security was often ignored in the early phases of IoT development. This previously ignored entity has now become an issue of high concern. Many of those devices have memory and processor limitations to reduce the power usage and to suit the tasks they perform. The endless variety of IoT applications poses an equally wide variety of security challenges.
New Possibilities for Hackers
Security vulnerabilities in IoT devices were recently exposed and the findings are frightening. It is found that a wide range of baby monitors can expose the private moments over the network. Poor authentication systems, lack of encryptions, etc are some of the issues and many of such devices were vulnerable to simple brute force attacks. Some of the findings were more dangerous than privacy concerns as it can potentially endanger the lives.
It is demonstrated that hackers can use the on board IoT to hack a jeep remotely while it is in the middle of a highway. This could look trivial. If we read in the context of a recent surge in ransomware, we can imagine a scary future with a ransom screen on the dashboard to avoid an accident. An even more dangerous situation will be with insecure biomedical devices which can range from monitoring devices to pacemakers.
An imaginary situation would be a connected pacemaker with a security vulnerability. An attacker can potentially craft a malware which can put the life of the person in direct danger. Similar to the demonstration of a thermostat ransomware rightly done, by Andrew Tierney and Ken Munro – two UK-based researchers for IT security firm Pen Test Partners – at the DefCon security conference in Las Vegas in 2016.
Here the duo chose a thermostat with large LCD display, which runs on modified version of Linux and it has an option of inputting sd card into it. They easily loaded a malware on to that and locked the screen because the thermostat did not really check the files running and executing on that.
You may be interested in reading: How to use Internet of Things (IoT) Securely? An Insight from Global Cybersecurity Thought Leader!
Lessons to learn from thermostat ransomware
A survey by IOActive, Inc., the leader in research-driven security services showed that more than 80% of the IoT devices in the market are lacking adequate security in their designs. These findings are concerning and indicate the importance of focussing on IoT security.
Building security in from the bottom up
Security thinking must be properly integrated right into the innovation process. Many IoT developers often work in an agile manner and miss the critical and remote consequences. Security is often implemented or considered at a later step. This paradigm needs a change and securing the device should be the first pillar.
Most of the companies choose an escape route by putting a disclaimer and handing over the responsibilities to the end user and this tendency should change. Manufacturers have the responsibility to ensure the basic security.Last but not least, we need to keep driving the IoT security innovation to find new solutions to protect against new opportunities for exploitation.
Security must be addressed throughout the device lifecycle, from the initial design to the operational environment. It should start from switching on the device to its operation. Secure booting to ensure that the firmware is authentic and should be verified with cryptographic digital signatures. False modification and updates should be prevented.
Another important aspect to cover is the access control. Role-based access control should be applied to ensure that no unnecessary privilege is available to different components of the system. The principle of least privilege applies here.Other important aspects are device authentication, firewalling and IPS, hot patches and firmware/software updates.