IoT poses complex security questions for business

Businesses must consider the Internet of Things (IoT) and other connected devices more seriously as a security threat vector, according to cybersecurity experts.

In his opening keynote at RSA Conference 2017 in San Francisco, Zulfikar Ramzan, CTO of RSA, pointed to the many ways that connected devices have been turned to the dark side, both in lab conditions and real life.

"Two researchers remotely disabled an SUV while it was in motion. What happens when there are millions of autonomous vehicles on the road that can be disabled at once, or accelerated at once toward a common target?" asked Ramzan.

Turning to the Mirai botnet, although without mentioning it by name, he added: "Are the people working on new technologies considering how their designs could be exploited? Did the makers of Wi-Fi baby cams imagine that one day they'd be accessories to the world's largest distributed denial of service attack?"

Ramzan wasn't the only one to speak up on the subject of IoT vulnerabilities during the morning talks. Also addressing the audience from the main stage, Chris Young, SVP and GM of Intel Security, said that despite potential vulnerabilities, we know that self-driving cars will be hitting our streets in the near future. But there is another element involved: potential tampering with traffic systems.

"What about the data models themselves ... that we will be increasingly reliant on to ensure the safe transport of millions of people and items every day? So we're no longer worried about going after the car but actually going after the traffic systems themselves through the insertion of false data," said Young.

"I don't see Big Data as a problem. Big Data's certainly going to usher in many possibilities for society. But when the Big Data itself gets manipulated by the insertion of bad data, is when that small insertion can become a huge story for all of us."

Young also pointed to the increase in consumer IoT as being a potential risk factor for businesses. "Over the past year, we've had pointers to a new attack surface ... one that we've got to pay more attention to as we look forward," he said, "and that attack target is the home."

According to Young, there are several reasons the business security industry needs to care more about information security in the home.

"First, it's increasingly where all of our employees do their work. So if you want to worry about where your next vulnerability or governmental vulnerability might lie, it's likely to be in the home of the people who work for you."

"The other reason is that those homes now have more powerful, more connected devices that are increasingly being used to launch larger and more sophisticated attacks against us," Young said. "The question I'd ask all of us in cyber security here at RSA [Conference] is how many of us actually take the home into account when we design our cybersecurity architectures, when we provision our cybersecurity tools."

Young pointed to the Mirai botnet, which last year caused chaos when it was used to launch a DDoS attack against DNS provider Dyn. Mirai is powered largely by unsecured IoT devices, like home routers and security cameras.

"We could certainly in this business ... dismiss it as yet another large-scale denial of service attack. There's many of them ... it's nothing new for any of us. But I'd argue that this is just a test," Young said.

"The attackers are just trying to see what they can do next, what's possible, what are the limits of their capability using this new set of attack tools. And we can't think of the Mirai botnet in [the] past tense, it's alive and well today and recruiting new players. And it's no coincidence that 'mirai' actually means 'future' in Japanese, because it points us to where we're headed with new types of attacks."

Features editor Jane McCallion is on the ground at RSA Conference 2017 in San Francisco all week.

Jane McCallion
Deputy Editor

Jane McCallion is ITPro's deputy editor, specializing in cloud computing, cyber security, data centers and enterprise IT infrastructure. Before becoming Deputy Editor, she held the role of Features Editor, managing a pool of freelance and internal writers, while continuing to specialise in enterprise IT infrastructure, and business strategy.

Prior to joining ITPro, Jane was a freelance business journalist writing as both Jane McCallion and Jane Bordenave for titles such as European CEO, World Finance, and Business Excellence Magazine.