What does the rise in IoT mean for cyber security?
Grayson Milbourne, Webroot
Internet connected devices are becoming embedded in our everyday lives, with almost every object either already connected or currently being modified in an attempt to be smart, writes Grayson Milbourne, the security intelligence director at Webroot.
In 1984 there were only 1000 devices connected to the internet, but over the past decade this number has soared, in part thanks to the advances in mobile phones. And this trend will only continue, with Gartner predicting that by 2020 there will be 25 billion devices connected to the internet. There are many benefits to this, you might even say 25 billion benefits, but this could all unravel if one element is overlooked – security.
In almost perfect correlation to the rise of connected devices, cybercrime has increased dramatically and we hear about a new data breach or attack on an enterprise on a near daily basis. In October 2015 the Office for National Statistics included cybercrime in its crime survey for England and Wales for the first time, reporting an estimated 2.5m cyber-related incidents in one year. Vulnerabilities such as ‘Heartbleed’, which was first detected over a year and a half ago, is still present on 200,000 connected devices. This of course has a huge impact on everyone involved, with the Centre for Economics and Business Research estimating it costs the British economy £34bn a year.
Part of the problem is that security is often seen as an afterthought. Mobile devices have advanced at an astonishing rate – taking us from the humble SMS, to applications that can control homes in just a handful of years. Although this innovation is incredible, security is rarely a priority as manufacturers often push out cheap, affordable tech but with limited aftercare in terms of software updates. This leaves devices and networks vulnerable to various types of attacks, from simple hacking to vulnerabilities such as Heartbleed.
The scale of the problem is highlighted by websites such as Shodan, a search engine to expose vulnerable devices online. This is alarming for organisations as every vulnerable internet connected device is a potential access point for an attacker into businesses or to individuals’ personal data.
Just recently, in January 2016, security researches at a University in the USA found that the Google-owned, Nest thermostat was leaking users’ postcodes over the internet. The data was unencrypted, meaning that anyone that anyone who intercepted the traffic had access to the sensitive information. On top of this, in July 2015 one of the biggest car manufacturers, Fiat Chrysler hit the headlines when hackers remotely took control of a Jeep Grand Cherokee through an internet-connected entertainment system. This resulted in 1.4m vehicles in the US being recalled. What made this hack most disturbing is that they were able to connect to the car via a remote mobile connection through listening ports in the media system – something which should never have been open. Large organisations such as these should be leading the way when it comes to security, instead even basic requirements are not met.
The sensitive data collected by IoT devices makes them attractive targets for attackers. In a way we have already had a warning with the vulnerabilities mentioned above, it is now down to manufacturers of IoT to take heed and not make the same mistakes twice – especially as the consequences could be far greater. The security of every connected device needs to be considered at its inception, whether that is physical, built-in or through third party anti-virus software.
Security is especially important as we move towards Industrial IoT. If a hacker gains access to one point, no matter how trivial it seems – such as an entertainment system on a car – it’s all linked to a greater network which can contain more sensitive or dangerous information. As the Jeep hackers proved, it can lead to control of an entire vehicle and organisations from all sectors could find themselves in a similar situation. Devices communicate with networks, whether cloud-based or legacy systems, so unless every point of the network is protected, entire organisations could be left open to a breach.
Threat intelligence is vital to breaking up this chain as it stops known threats before they progress through the network and allows security teams to actively seek anomalies in data. There is a common misconception that this intelligence is only possible on certain parts of the network because of the computing power taken to run anti-virus software. But next-generation, cloud-based, tools run almost silently in the background, taking up very little computing power which makes them ideal for low power end points and smaller IoT sensors.
As the IoT continues to grow, makes tasks in our lives more convenient and increases the efficiency of organisations, security improvement cannot be left behind. This is especially important as they become more imbedded in our everyday lives and have more access to sensitive data. We’ve seen a huge amount of attention towards large data breaches in recent months, and early IoT devices are receiving some of negative press, resulting in some scepticism. It is down to manufacturers to address the issues within the product and give users the tools and knowledge to protect devices from attackers and prove the cynics wrong.