In-depth

IoT privacy and security concerns

We take a look at what's needed to really secure internet-connected devices

In 2018, a US casino was hacked through its fish tank, a story that has become particularly notorious in the tech industry. There was an internet-connected thermometer inside the tank which was used as an entry point to infiltrate the casino’s entire system to extract its clientele’s data.

This may be an extreme case, but it highlights the dangers that the Internet of Things (IoT) presents. If you decide to connect an object to the internet, no matter how innocuous it may be, hackers will try and turn it into an open door.

The rise of IoT includes lots of different kinds of gadgets, like office lights linked to Wi-Fi or smartphone-controlled coffee machines. Due to this, there have been numerous calls for security to be included in the design of any and all IoT products, ‘secure by design’, and for no default passwords to be used.

With IoT, privacy is also an issue, especially with audio-based devices that can subtly listen to our daily conversations. Amazon’s Echo can do many clever things, but it can also be ‘woken’ by accident and there have been numerous stories where ‘Alexa’ has begun recording by mistake (it has even been used as evidence in a homicide case). There are also concerns around how the device itself is improved, as Amazon employees listen to recordings from Alexa to make improvements to the quality of service.

There is no sign the IoT industry is slowing down, even with the hacking stories that keep cropping up. More devices are accessing the internet every day and IoT’s business use is also increasing. So what can you do to keep your internet ecosystem safe?

A clear and present threat

It would be foolish to think that internet-connected thermostats or other smart devices do not pose a security threat for organisations, particularly at a time when employees are predominantly working from home. The shift to mass remote working has meant that the average “office” is now full of more internet-connected devices than ever, from AI-powered smart speakers and video doorbells to phone-controlled light bulbs and robot vacuums.

With employees using their home Wi-Fi network to log onto work devices and carry out their work, having IoT devices on the same network could be putting corporate networks at risk.

That's largely because there has been a lack of security-first thinking when developing IoT products. Take Mirai for example, malware that used vulnerable internet-connected devices, such as IP cameras and home routers, to create a botnet that launched a DDoS attack against DNS provider Dyn. This caused large swathes of the internet, including Amazon, Slack and Visa, to become unavailable across Europe and North America in October 2016.

These IoT-based threats have increased since, and research from Dutch software firm Irdeto found that these attacks cost UK businesses £244,000 on average in 2018.

Daft defaults

Most IoT vendors don't put security at the front and centre of development. Unfortunately, a lot of vendors and the technology industry pass the blame onto users for not making enough efforts to secure devices by changing passwords from their defaults. Sometimes the manufacturers get the security fundamentals seriously wrong by hard-coding easy-to-guess passwords into devices.

Admittedly, users don't change default passwords to something more difficult to guess, but why shouldn't manufacturers offer a difficult-to-hack, unique default password instead?

Users can all too easily be blamed for not updating systems with the latest patches, but these updates aren't that frequent and only arrive after a device has already been hacked.

IoT devices are made to be easy to use, and in a lot of cases their security is developed by people who don't possess any reasonable degree of security knowledge, rather than alongside security professionals who understand the consequences of bad security.

Added to that, the IoT industry is in no way standardised or regulated, meaning it's all a bit of a confusing mess for end users. That might change with the government's bid to encourage IoT device makers to take a privacy-by-design approach to building products, something the government might seek to make law if device makers don't heed the advice.

Enterprise attack surface evolution

It's clear something has gone wrong in the tech world when your users become the network perimeter and are given the role of blocking threats from infiltrating any further into the network.

IoT devices open up the network to a much wider spread of risk, serving as even more endpoints that need to be secured, while also diluting the resource put aside for the regular, legacy definition of threat protection.

The smart flip-flop

Given what you cannot do to prevent IoT device compromise, what's the flip-side? It's not quite as much of a 'length of string' exercise as the almost infinite variety of devices we are talking about might suggest. And talking of which, that 'built by bean counter' accusation we made earlier is, in fact, already starting to fall away as vendors see the market opportunity in delivering a secure product.

Expect network segmentation and device-to-device authentication (if not any meaningfully strong data encryption) to sit high in IoT device feature lists.

An eye on the future

Whatever the future brings, you must not lose sight, or site for that matter, of these devices. You need to know what devices you have, what they connect with and how they do it.

Visibility is key to securing the IoT as far as it touches your enterprise, and these touch-points are where attackers will be probing for weakness to bridge the gap between device and enterprise infrastructure.
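
One way to get that visibility, shown as an added example rather than anything from the original article: build a per-device inventory from network flow records and list every connection an IoT device initiates into the enterprise segment. The subnets, addresses and flow records are constructed assumptions, as are the function names.

```python
import ipaddress
from collections import defaultdict

# Assumed segment plan (hypothetical addresses): IoT devices sit in their own
# subnet, enterprise systems in another.
SEGMENTS = {
    "iot": ipaddress.ip_network("10.20.0.0/24"),
    "enterprise": ipaddress.ip_network("10.10.0.0/16"),
}

# Constructed sample flow records: (source IP, destination IP, protocol, dest port)
SAMPLE_FLOWS = [
    ("10.20.0.15", "203.0.113.10", "tcp", 443),  # thermometer -> vendor cloud
    ("10.20.0.15", "10.10.4.20", "tcp", 445),    # thermometer -> file server
    ("10.20.0.31", "10.20.0.1", "udp", 53),      # camera -> local resolver
    ("10.10.7.8", "10.20.0.31", "tcp", 554),     # workstation -> camera stream
    ("10.20.0.31", "10.10.4.20", "tcp", 22),     # camera -> file server
]

def segment_of(ip):
    """Return the name of the segment an address belongs to, or 'external'."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "external"

def build_inventory(flows):
    """Map each IoT device to the (peer segment, peer, proto, port) it initiates."""
    inventory = defaultdict(set)
    for src, dst, proto, port in flows:
        if segment_of(src) == "iot":
            inventory[src].add((segment_of(dst), dst, proto, port))
    return dict(inventory)

def touch_points(flows):
    """List flows that an IoT device initiates towards the enterprise segment."""
    return sorted(
        (src, dst, proto, port)
        for src, peers in build_inventory(flows).items()
        for seg, dst, proto, port in peers
        if seg == "enterprise"
    )

if __name__ == "__main__":
    for device, peers in sorted(build_inventory(SAMPLE_FLOWS).items()):
        print(device, sorted(peers))
    print("IoT -> enterprise:", touch_points(SAMPLE_FLOWS))
```

With segmentation in place, the second list should be empty or limited to connections you have explicitly allowed; anything else is a touch-point to investigate.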
