You’ve probably heard a great deal about the Internet of Things in recent years. Commonly abbreviated to IoT, this panoply of connected devices has been described as a revolution in the making. Some people predict it will be as transformative as the internet itself, liberating us from mundane tasks through automation and machine-to-machine communication.
Yet despite our appreciation of desktop and website security, IoT security issues have remained a perplexingly peripheral topic of discussion. Fortunately, that’s about to change. The rapid rollout of web-enabled devices throughout our homes and workplaces means IoT security solutions are becoming big business. From public key infrastructure to semiconductor technology, an entire industry is developing around counteracting security risks or threats.
This article considers why IoT security issues are becoming such a headache. We look at the latest solutions and at how these are likely to evolve in future. Finally, we offer practical advice on how to ensure today’s services are ready for tomorrow’s challenges, with a series of steps any IT manager can easily implement.
The IoT Security Problem
An estimated five million web-enabled devices are introduced to the Internet of Things every day, and this already startling number is predicted to increase fivefold by 2020. The majority of devices are aimed at consumers rather than corporate audiences, and every single one is responsible for uploading information about us – from smart TVs to security systems. Much of this data is potentially harmful in the wrong hands; GPS usage data can pin us to specific locations in potentially unwelcome ways, while personal information might be misused by black hat marketing firms in their pursuit of new ways to target specific demographics.
As our awareness of internet threats expands, consumers are increasingly conducting online communications through encrypted peer-to-peer communication platforms like WhatsApp rather than publicly visible forums like Facebook. Yet IoT data is often transmitted insecurely across open Wi-Fi networks. A stranger sitting in a van outside your home or place of work could easily intercept data during transmission, potentially accessing information they have no right to view. Sensitive data about health or personal activities could then be used for identity theft, blackmail or countless other nefarious uses.
Such activities would be easy to prevent if all IoT-enabled devices had a global security standard, but they don’t. Every manufacturer attributes different values to data protection, with proprietary software and varied connection methods. A modern smart office contains dozens of incompatible trust standards and device visibility levels, with reams of largely unrelated data being uploaded and processed in real time. Unsurprisingly, this has attracted the attention of criminals: Gartner recently predicted more than a quarter of enterprise attacks by 2020 will involve the IoT.
There hasn’t been any industry-wide attempt to impose security standards or global protocols across the Internet of Things, in stark contrast to the collaborative and co-operative approach to developing HTML5 security. Since IoT devices are usually fairly simple and intended to require minimal resources, Original Equipment Manufacturers (OEMs) are reluctant to include advanced features that could complicate setup or usage. Expensive protection is frequently unjustifiable on products or services with low price points, in industries where every cent counts. Bolstering security can also shorten battery life on devices that aren’t mains-powered, which in turn harms reliability and usability.
Some manufacturers have claimed their IoT devices don’t need robust data protection. It’s been suggested that when smart bathroom scales report to My Fitness Pal, nobody will be interested apart from the owner and their doctor. However, it’s easy to see how a teenager might be embarrassed or even bullied if their weekly weight data was hacked by a classmate and written up on the chalkboard in class. And that scenario pales into insignificance compared to someone’s weight being sent to potential employers during recruitment and selection, or exfiltrated by advertisers to target overweight individuals with junk food ads.
The IoT Security Solution
Individual IoT devices are often modest, carrying limited volumes of data. It’s often when they’re added into a smart office or connected home that the volume of potentially compromising information being transmitted becomes an issue. And while developers have historically been reluctant to incorporate adequate security measures, the tide is turning.
From securing existing networks to embedding security into IoT-enabled devices, below are some of the ways IoT security solutions are being developed:
- Security credentials. This phrase has been turned into action by Verizon Enterprise Solutions, who have developed a way of overlaying existing security with additional protection. Credentials may involve digital certificates or 2FA tokens, producing an over-the-top layer of protection that can be applied to devices irrespective of their existing features. Since a great deal of IoT communication is between machines with no human input, traditional authentication methods like biometrics are invalid. Instead, devices are secured by repelling network threats detected via vulnerability assessments and URL blacklists. This enables connected devices to transmit information without impediment.
- Embedded systems. Rather than retrospectively adding a security layer over IoT devices, it’s obviously preferable and advisable to have security integrated during the manufacturing process. While that increases costs, it ensures everything from ICS to POS devices transmit data securely. At the same time, in-built analytics can detect threats from malware or hackers. Semiconductor technologies are being used to spearhead the authentication of user credentials, guarding against malevolent activities.
- Protected networks. Before data is distributed across the internet, it can be agglomerated in a local network. Bitdefender has pioneered a security solution that effectively provides a firewall against network flaws such as weak passwords or unsecured communications. Outbound connections are checked for unsafe or insecure sites, while granular control of individual devices can remotely install OS updates or resolve system issues.
- PKIs. Public Key Infrastructures eliminate the need for 2FA tokens or password policies, with SSL encryption ensuring that data is secure during transfer between a device and the cloud. It’s easy to confirm software and settings haven’t been tampered with, while message signatures ensure data can’t be manipulated or copied in transit. Digital certificates can be used on cloud-hosted and on-premise devices alike, though simpler ones might lack the system resources to implement PKIs.
Increasingly, IoT protection involves a larger focus than merely protecting individual devices against hacking or spying.
These are among the industry-wide approaches being undertaken or invested in, to bolster safety among connected devices:
- Machine learning. Today’s critical mass of IoT devices is driving the development of an entirely new security analytics sub-sector, with companies aggregating and normalizing data to identify unusual activities. While big data solutions to IoT issues remain in the developmental stage, firms from Cisco to Kaspersky Lab are developing AI and machine learning models to identify IoT-specific attacks, such as botnets. These may not be identified by traditional network protection tools, which are aimed chiefly at browser-based attacks.
- Pre-emptive troubleshooting. Firms like Trustwave enable IoT developers and providers to assess vulnerabilities in an existing IoT ecosystem, from devices and applications to connections. Through penetration testing and threat analysis, OEMs and software developers can resolve weaknesses in apps, APIs, products and protocols. A more dependable service for consumers ensues.
- Security toolkits. Alternatively, why not get one company to handle every aspect of IoT security issues, from initial design to final beta testing? The open source libsecurity platform is IBM’s one-stop shop for application developers, covering everything from APIs and libraries to encryption and secure storage via password/account management. These IoT security solutions are designed for the restricted runtime environments of today’s applications, removing the burden of coding from developers.
Data hosts also have a role to play in improving this industry’s historically poor security record, by ensuring that the volumes of aggregated data being delivered to their servers can’t be hacked or stolen. This can be achieved by finding and appointing a trusted hosting partner like 100TB. Our data centers are specifically designed to repel DDoS attacks and malware, with the option of a managed firewall. Offline security is taken care of with digital video surveillance and biometric access allied to proximity keycard control, plus round-the-clock security details and restricted access to server cabinets. From San Jose to Singapore, your data will be safe in our centers.
The Future of IoT Security
With an estimated 20 billion IoT-enabled devices expected by 2020, what does the future of IoT security look like? Many believe it will involve significantly more reporting and two-way communications. At present, devices passively upload data into the cloud. In future, analysts expect a degree of machine learning from either the devices or their host servers, identifying unusual data patterns and proactively responding to perceived threats. This will take place behind the scenes, since many IoT devices are designed to operate autonomously without any human input during their operational lifetime. Trusted Platform Modules are among the technologies being tipped to authenticate hardware and software without draining battery life, which remains a valid concern at present.
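The kind of pattern analysis described here and in the machine learning item above can be illustrated with a simple per-device baseline. This is an added example, not code from the article or from any vendor it names; the flow records, device names and the fan-out threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample flow records: (minute, device, destination IP, destination port).
BASELINE = [
    (0, "thermostat", "203.0.113.10", 8883),
    (1, "camera", "203.0.113.20", 443),
    (2, "thermostat", "203.0.113.10", 8883),
    (3, "camera", "203.0.113.20", 443),
]
OBSERVED = [(10, "thermostat", "203.0.113.10", 8883)] + [
    (11, "camera", f"198.51.100.{i}", 23 if i % 2 else 2323) for i in range(1, 31)
] + [(12, "camera", "203.0.113.20", 443)]

TELNET_PORTS = {23, 2323}  # telnet ports that Mirai-infected devices scan
FANOUT_LIMIT = 20          # assumed threshold: distinct unseen peers per window


def learn_baseline(flows):
    """Record the (destination, port) pairs each device normally talks to."""
    peers = defaultdict(set)
    for _, device, dst, port in flows:
        peers[device].add((dst, port))
    return peers


def detect(flows, baseline):
    """Return {device: [reasons]} for devices that deviate from their baseline."""
    new_peers = defaultdict(set)
    for _, device, dst, port in flows:
        if (dst, port) not in baseline.get(device, set()):
            new_peers[device].add((dst, port))
    alerts = {}
    for device, peers in new_peers.items():
        reasons = []
        if len(peers) > FANOUT_LIMIT:
            reasons.append(f"fan-out to {len(peers)} unseen peers")
        telnet = sum(1 for _, port in peers if port in TELNET_PORTS)
        if telnet:
            reasons.append(f"{telnet} unseen telnet destinations")
        if device not in baseline:
            reasons.append("device has no baseline")
        if reasons:
            alerts[device] = reasons
    return alerts


if __name__ == "__main__":
    for device, reasons in detect(OBSERVED, learn_baseline(BASELINE)).items():
        print(device, "->", "; ".join(reasons))
```

A camera that normally talks to one cloud endpoint and suddenly opens telnet connections to dozens of new hosts stands out against its own history, even though each individual connection looks unremarkable to a browser-focused filter.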
Another difference will involve standardization. The plethora of processors and operating systems currently being marketed will dwindle to a smaller number of industry-leading protocols, helping to simplify the process of identifying and resolving weaknesses. Regulatory standards for data protection will be agreed upon, possibly at Governmental level, with Certificate Authorities ensuring standards are being met. Consumers will also become better educated about the practicalities of IoT security solutions, though it might take a Wikileaks or Ashley Madison-style data breach to focus the public’s attention on database vulnerabilities.
Finally, developer and manufacturer arguments about cost cutting or simplicity will be rendered moot as economies of scale dovetail with greater industry regulation. Securing the Internet of Things won’t be devolved to aftermarket routers any more – it’ll become a central part of the design, manufacture and installation process. An industry standard for tackling common IoT security issues is almost inevitable, allowing devices to be sold with a seal or notice confirming their adherence to regulatory protocols. In short, IoT encryption will become as ubiquitous as HTTPS, and possibly even more valuable in our daily lives.
What Are the Next Steps?
If you want to ensure your connected home or office isn’t vulnerable to attack, these are some of the key steps to take:
- Secure your router. Routers are the primary gateway for all local IoT content before it reaches cyberspace, yet many people persist in using unsecured connections or default passwords. Ramping up router protection should be your number one priority.
- Keep devices local if possible. Devices often default to an internet connection, but it may be sufficient to keep them within a LAN. Hiding them behind a secure router reduces public exposure, so investigate whether you can prevent port forwarding.
- Ensure devices that authenticate against other systems do so securely, with unique identification details or SSH encryption keys. This might not apply to simpler IoT devices, but it should cover CCTV systems and any satellite-based services.
- Manually check for updates. Because there are no industry standards to adhere to, manufacturers and software developers don’t always promote updates. It’s presently incumbent on end users to check for software updates, security patches and so forth.
- Employ TLS where possible. On-chip memories can be used to encrypt information, preventing so-called ‘man in the middle’ attacks on data in transit. TLS is a logical extension of the end-to-end encryption already used by platforms like WhatsApp.
- Scan for vulnerabilities. Imperva Incapsula’s Mirai scanner investigates every device sharing a TCP/IP address, probing their resistance to the Mirai DDoS botnet. A quick Google search will reveal similar free or open source scanning tools.
- Change default passwords. This is perhaps the simplest and most obvious recommendation of all, yet it’s commonly ignored. Breaching one IoT device may open up your entire network, so why leave passwords set as ‘1234’ or ‘password’?