Robert Miller, head of operational technology at MWR InfoSecurity, unpacks the topic of security in the Internet of Things (IoT) environment.
In a world of interconnected devices, it can be all too easy for consumers and businesses alike to focus purely on the productivity, accessibility and ease of use that connected devices can provide. From vehicles, health devices, cameras, or even your fridge, there is no shortage of devices designed, apparently, to make our lives easier.
However, as a result of this connected device revolution, the potential for the Internet of Things (IoT) being used by unscrupulous hackers to target individuals and, potentially, invade their privacy has become a very real possibility. In the wake of incidents such as last year’s Mirai botnet, which was used to conduct Distributed Denial of Service (DDoS) attacks, it has sharply bought into focus just how insecure connected devices can be.
In this highly competitive market no vendor wants to be left behind its counterparts. Each is determined to be the first to market the most innovative product at a competitive price. Therefore, it’s easy to see why security comes second to more affordable components and shorter development cycles.
Unfortunately, with a significant portion of IoT devices being accessible over the Internet, they have become a perfect target for attackers, who simply connect using default or hard coded credentials. The attackers then update the device’s firmware to run malicious code that adds the device to their botnet.
Less haste, more safe
For manufacturers, it is important to understand the impact such attacks can have on a brand and the value that security can bring. For IoT manufacturers that fail to take note, they may well find themselves playing catch-up or becoming marked out as “untrustworthy” and failing in this competitive market.
For those manufacturers that have realised the need to build security into their products’ development, the challenge is to demonstrate the value of this to IoT consumers, so they are willing to pay extra for a more securely designed product. Sadly at the moment, many consumers simply don’t prioritise IoT security.
A recent survey by Ubuntu found that only 31% of consumers that own connected devices perform updates as soon as they become available. A further 40% of consumers have never consciously performed updates on their devices. As such, consumers are unintentionally leaving themselves exposed to attack, from DDoS attacks to invasions of personal privacy or theft of personal data.
It can also be hard for those consumers who do care to know which products might allow attackers into their home. There are no golden badges to look for, so instead many are choosing to buy from manufacturers that can demonstrate their interest in security in other ways. This might be in a warranty that includes security updates, or activity in the security community such as having a bug bounty programme.
How real is the threat?
The potential for invasion of privacy is currently limited. Using the Mirai attack as an example once more, the owners of the IoT devices themselves were left relatively unaffected.
However, recently industrial control systems were shown to allow an attacker to read and write memory remotely, in essence creating a remote file share. If a similar attack could be designed for IoT, then a user’s home could end up sharing files and data on behalf of an attacker.
With the data from Ubuntu suggesting that consumers are not currently paying close enough scrutiny to the security of the device they buy, the onus remains on device manufacturers to build security into the development of their products without pricing themselves out of the market. Those that manage to achieve this feat will have established a trusting customer base and a strengthened brand.