How safe is the IoT?

A drawing of a cloud holding numerous apps with an open padlock hanging from it
(Image credit: Shutterstock)

The Internet of Things, spearheaded by advancing connected technologies and solutions, is quickly taking over the world. According to Gartner, there are already around 6.4 billion objects connected to the internet, up by 30% on 2015.

However, this number could grow to 20.8 billion by 2020, so clearly the IoT industry is just getting started beginning. Many tech pundits believe that it'll become a major technological revolution, transforming our lives in innumerable ways. Connected tech has begun to make waves in areas such as the home, the workplace and the car.

But while IoT offers a beacon of hope for the future, some people are more sceptical of its influence. For starters, how secure is the technology? It collects vast quantities of user data, so you can only imagine would what happen if got into the wrong hands.

And with IoT and automation growing in tandem such as in the form of driverless cars could cyber criminals take control of devices? Just last year, researchers were able to compromise a Jeep Cherokee while it was driving at 70mph on an American highway. If that were a real-life scenario, lives could be put at risk easily. These are just a few issues surrounding the Internet of Things and connected technology.

The rise of the botnet

The creation of botnets, internet-connected devices that communicate with each other and coordinate actions, has become a way for criminals to create sophisticated cyber attacks.

While the devices comprising a botnet have traditionally been PCs and laptops, unsecured IoT devices are becoming increasingly popular as an alternative.

Take, for example, Mirai a powerful malware that specialises in turning IoT devices into a massive botnet. In September this year, a Mirai botnet was used to launch a DDoS attack on the website of independent security researcher Brian Krebs, ultimately reaching 620 Gbps. A similar incident occurred when French web hosting company OVH was compromised.

Winston Bond, EMEA technical director at Arxan Technologies, says cyber criminals are looking to use IoT as a way to launch attacks on critical infrastructure. He explains that they're coordinating attacks using the dark web, meaning their efforts are often hidden from the authorities.

"The recent Mirai botnet that brought down a significant segment of the US online infrastructure is just a glimpse into the horrifying attacks we can expect to see taking advantage of the Internet of Things. Hackers are already selling access to these devices across the dark web," he tells IT Pro.

Targeting IoT infrastructure

Organisations of all shapes and forms are quickly adopting IoT infrastructure, not only to make use of rich data, but also to streamline internal processes. Because of this, hackers are quickly turning their attention to connected technology. They've identified a new lucrative opportunity and are constantly looking to compromise devices.

Bond believes that hackers pose an imminent threat to companies and urges them to take it seriously. "Companies should be more worried about direct attacks on IoT applications and devices, which could have devastating consequences around loss of data and privacy, or even a direct threat to safety," he says.

"To protect their own IoT deployments, organisations must look at the full IoT infrastructure from end-to-end and secure all vulnerable points. A typical IoT framework consists of edge devices like sensors, adapters and beacons, as well as a gateway to communicate with these devices and a back-end server in the cloud or on-premises.

"Companies need to take each section separately and start addressing security issues for each from protecting the endpoints to hardening the binary code on the apps.Many connected hacks have gone unnoticed as attackers are waiting until the right moment to strike. IoT is a ticking time bomb waiting to explode, and manufacturers and developers cannot underestimate the threat."

IoT security is poor

Of course, it's not just companies that are risk. Consumers, who are flocking to purchase connected devices in the millions, are also a common target for cyber criminals. Often, their devices possess valuable personal information, such as health data stored on wearables.

Scott Lester, senior researcher at Context Information Security, says there's a serious lack of security when it comes to the IoT. Devices like connected cars, light bulbs and alarms can be exposed to hacks and other threats, he claims, saying manufacturers need to do more to protect them.

"In general, the standard of security for consumer electronics, which includes lots of IoT devices, is poor. Typically, this seems to be for one of two reasons; either the product has been rushed to market without any proper thought or testing of its security, or the manufacturer just hasn't bothered," he says.

This isn't good, and repercussions are felt throughout the industry. "This is bad for everyone. In the first instance it's bad for the owner ... who as a consumer has a right to trust that the device they've bought is fit for purpose and won't compromise or weaken the security of their home or office," continues Lester.

"On a wider scale, as the recent news has shown, if devices with poor security can be captured into a botnet, they can become part of an attack that's powerful enough to break large sections of the internet."

Data and identification challenges

Robin Duke Woolley, CEO of Beecham Research, says the main security challenges the IoT faces are authentication and data protection. "When it comes to sensors and devices, the challenge is largely around identification, authentication and authorisation, to ensure a level of trust and avoid risks such as application hijacking," he tells IT Pro.

"The main threat at the network level comes at the interface between different types of network. With a mix of fixed, satellite, cellular and low power wireless networks, as well as personal and body area networks, the challenge is to secure the transfer of multiple streams of data between selected networks without exposure of key secrets or equipment control.

"The benefits of IoT by definition rely on lots of data with high levels of searchability and analysis, but this also means that the data must exist in plain text, which presents multiple threats not least from insider attacks from sysadmins and authorised users."

Protecting data is far from easy and connected devices generate so much of it, sometimes companies don't have the infrastructure or expertise to be able to manage it. As a result, customer and organisational information can end up in the wrong hands. Firms needn't fear, though, Woolley says, as there are some solutions.

"Data must be protected within the system, in transit or at rest and significant evolution is required in the identification, authentication and authorisation of devices and people. We must also recognise that some devices in the field will certainly be compromised or simply fail; so there needs to be an efficient method of secure remote remediation yet another challenge if the IoT is to live up to expectations," he says.

Although the Internet of Things is an exciting, high-growth industry with a plethora of opportunities, manufacturers, technologists and users need to pay attention to the security challenges. They're often quite complex, but there are answers.

Nicholas Fearn is a freelance technology journalist and copywriter from the Welsh valleys. His work has appeared in publications such as the FT, the Independent, the Daily Telegraph, the Next Web, T3, Android Central, Computer Weekly, and many others. He also happens to be a diehard Mariah Carey fan. You can follow Nicholas on Twitter.