Editor’s note: John Jefferies leads security marketing for the Samsung ARTIK platform. He has been championing hardware, software and mobile security products for over twenty years. He previously posted on the top three IoT security trends to watch in 2018.
Whether you leverage the Internet of Things (IoT) to improve your business processes or your business is creating IoT solutions, you need to be aware of security risks you’ll face in 2018. In general, your best defense is preparation—which means identifying security needs at the beginning of any new IoT-based initiative rather than treating security as something that can be added on later. Let’s look at some of the known security pitfalls that could trip up your IoT business. Better still, let’s talk about how to avoid them.
IoT vulnerabilities: connectivity, storage, and trust
Increased connectivity between multiple devices and clouds is both the key functional benefit and the biggest security risk of IoT. But your digital footprint can reveal more than you might imagine. For instance, the Washington Post reported in January 2018 that location data uploaded by fitness trackers such as Fitbit to Strava's publicly accessible GPS heat map revealed the movements of U.S. troops at overseas bases. In another example, in IoT systems with poor security, side-channel attacks can analyze a home security system's power consumption or response timing to recover its encryption keys, leaving the home vulnerable. Simple things like changing default passwords can go a long way towards keeping your communications private. Secure, authenticated communications (TLS with proper certificate validation, for example) prevent hackers from intercepting and modifying data traffic or sending unauthorized commands to connected devices and clouds.
Secure storage lets you keep sensitive data such as access tokens, keys and user data on individual devices without exposing it to anyone who reads the flash. IoT hardware must also have built-in capabilities to run local applications securely and protect data at rest. In addition, devices require adequate storage to receive and install over-the-air updates for operating systems, applications and firmware. These are more than just IoT best practices: devices that handle personal data without secure storage and encryption will struggle to meet the "appropriate technical measures" that the European Union's General Data Protection Regulation (GDPR) demands when it comes into effect in May 2018, and GDPR provides for stiff penalties against non-compliant IoT service and hardware providers.
Together, gaps in connectivity and storage security enable the biggest IoT security risk: the opportunity for hackers to install and run their own software on the targeted platform. IoT devices and services therefore need a way to trust that the software they run has come from the legitimate and intended provider. This requires providers to sign their code and firmware, and IoT hardware and services to verify those signatures, ideally against a public key anchored in hardware, before anything is installed or executed.
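The verification step described above, as an added example that is not code from the original article or from the ARTIK platform: the vendor signs an over-the-air image with an Ed25519 private key, and the device, which holds only the matching public key and the version it currently runs, refuses to install anything whose signature does not verify. The image layout (a 4-byte magic, a 4-byte version, then the payload) and the anti-rollback check are assumptions made for this example, not a format the article specifies.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed OTA image layout for this example (not a real vendor format):
//   magic(4) | version(4, big-endian) | payload(...)
// The vendor signs header+payload as one message; the signature travels
// alongside the image. The device never trusts a header field before the
// signature over it has been checked.
var magic = []byte("OTA1")

var (
	ErrBadFormat = errors.New("image too short or wrong magic")
	ErrBadSig    = errors.New("signature does not verify against vendor key")
	ErrRollback  = errors.New("image version is not newer than installed version")
)

// SignImage runs on the vendor's build system. It assembles the image and
// returns it together with a detached Ed25519 signature.
func SignImage(priv ed25519.PrivateKey, version uint32, payload []byte) (image, sig []byte) {
	var ver [4]byte
	binary.BigEndian.PutUint32(ver[:], version)
	image = make([]byte, 0, len(magic)+4+len(payload))
	image = append(image, magic...)
	image = append(image, ver[:]...)
	image = append(image, payload...)
	return image, ed25519.Sign(priv, image)
}

// VerifyImage runs on the device before flashing. It returns the version and
// payload only if the image is well formed, carries a valid signature from
// the vendor key, and is newer than what is already installed.
func VerifyImage(pub ed25519.PublicKey, installed uint32, image, sig []byte) (uint32, []byte, error) {
	if len(image) < len(magic)+4 || !bytes.Equal(image[:4], magic) {
		return 0, nil, ErrBadFormat
	}
	// Authenticate the whole image first; a forged version field must not
	// be able to influence any later decision.
	if !ed25519.Verify(pub, image, sig) {
		return 0, nil, ErrBadSig
	}
	v := binary.BigEndian.Uint32(image[4:8])
	if v <= installed {
		// A validly signed but older image is still rejected, so an attacker
		// cannot reinstall a release with a known flaw.
		return 0, nil, ErrRollback
	}
	return v, image[8:], nil
}

func main() {
	// In production the private key stays on the build server and only the
	// public key is burned into the device; both are generated here for demo.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	img, sig := SignImage(priv, 2, []byte("firmware v2 image bytes"))

	v, _, err := VerifyImage(pub, 1, img, sig)
	fmt.Println("genuine update:", v, err)

	tampered := append([]byte{}, img...)
	tampered[len(tampered)-1] ^= 0xff // flip one payload bit
	_, _, err = VerifyImage(pub, 1, tampered, sig)
	fmt.Println("tampered image:", err)

	_, _, err = VerifyImage(pub, 2, img, sig)
	fmt.Println("replayed old image:", err)

	otherPub, _, _ := ed25519.GenerateKey(rand.Reader)
	_, _, err = VerifyImage(otherPub, 1, img, sig)
	fmt.Println("signed by someone else:", err)
}
```

The device-side logic is small on purpose: one public key, one comparison of a version counter, and a rejection path for every way the image can be wrong. What makes it effective in practice is where the public key and the installed-version counter live; if either can be rewritten by the same attacker who supplies the image, the check is decorative, which is why the article ties trust to secure storage and hardware capabilities.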
Spooky concerns about privacy
Who would have imagined before the dawn of IoT that a cuddly teddy bear could actually spy on a child? But that’s precisely what happened when a connected teddy bear exposed information about more than 800,000 users, including email addresses and easily guessed passwords. Nearly 2.2 million voice recordings collected by the bears were also stored online and unsecured. Wired magazine discussed this in an article entitled “Don’t Get Your Kid an Internet-Connected Toy” published shortly before Christmas 2017. A similar article on Entrepreneur.com echoed the concerns: “Unfortunately, as manufacturers continue to develop and release connected toys, security is not always top of mind when installing components like remote audio and/or video capabilities. Combined with the fact that children can easily be preyed-upon, shoppers should take great caution when selecting any internet-embedded technology device for a child.” Just prior to Christmas 2017, German regulators went so far as to ban an internet-connected doll called “My Friend Cayla” that can chat with children, warning that it was a de facto “spying device”.
And then there are the digital devices specifically designed to capture and respond to your personal data. Your smartphone holds your face recognition data, fingerprint, and current geolocation. What if that information were sent, intentionally or unintentionally, to third parties? Your digital assistants sit and listen to everything taking place in your home, waiting for your next command. Police in Arkansas treated an Amazon Echo as a potential witness to a murder in a home, and Amazon turned over the recording data after the defendant consented.
While IoT may lead to more efficiency in our daily lives, people have growing and legitimate concerns about privacy. Everything from coffee makers to cars to TV sets is now suspect. In addition to GDPR and other compliance regulations, we are likely to see a growing array of government and industry groups, like the National Institute of Standards and Technology (NIST), ratcheting up privacy guidance in 2018. This makes it imperative that you ensure your IoT devices have the right security built into their hardware and software ecosystem.
More dangerous cyberattacks threaten IoT
IoT cyberattacks have caused significant damage to everything from infrastructure to corporate brand reputation. In the fall of 2016, the Mirai botnet malware took over hundreds of thousands of unprotected IoT devices and used them in a distributed denial-of-service (DDoS) attack on the DNS provider Dyn. This attack took down Netflix, SoundCloud, Spotify, Twitter, and a number of other major internet platforms and services across Europe and North America. The Mirai code was not terribly sophisticated: it simply logged in over Telnet to embedded Linux devices that still used factory-default usernames and passwords.
Another DDoS attack, in late 2016, targeted internet-connected building heating controllers, shutting off heat in two buildings in Finland during a vicious cold snap.
Hackers are upping the ante with their DDoS attacks. The Mirai botnet source code is now publicly available. It is just a matter of time before hackers more capable than the original creators of Mirai infiltrate insecure routers, IP cameras, digital video recorders and other easily hackable devices and use them to flood the internet with botnet traffic. While Mirai only took over devices with known default credentials, a newer botnet called Reaper, also known as IoTroop or IoT_Reaper, exploits numerous vulnerabilities in different IoT devices. Rather than guessing the passwords of the devices it infects, it exploits known security flaws in the code running on them, which means changing the default password no longer saves an unpatched device. It could allow hackers to raise huge armies of zombie routers, IP security cameras, network video recorders, DVRs and other internet-connected devices.
The Corero Security Operations Centre recently warned of an extremely powerful new zero-day DDoS attack vector with the potential to multiply threats like Mirai and enable terabit-scale attacks. According to Corero, an individual DDoS attack typically costs a large enterprise US $444,000 in lost business and IT spending; imagine the economic impact of a botnet shutting down an entire region of the world's internet.
Physical infrastructure is also under attack via the Industrial Internet of Things (IIoT). For example, in 2017 a large botnet-driven DDoS attack disrupted rail transport systems in Sweden.
People’s physical security is another major concern for IoT security. The FBI has warned that without adequate security, hackers could take control of automotive controls, factory robots or home security systems to cause mayhem. For example, the FDA recently confirmed that St. Jude Medical implantable cardiac devices were vulnerable to cyberattacks, showing that even lives are at direct risk from lax IoT security. (Abbott Laboratories has since released updates for the affected devices.)
Brand damage and legal liability from IoT cyberattacks
Finally, innocuous but poorly designed and poorly protected IoT devices, a smart, connected thermostat for example, can give cybercriminals a foothold on networks and backend IT systems; the Target breach, which began with network credentials stolen from the retailer's HVAC contractor, shows how a building-systems connection becomes a path to payment systems. Experian, Sony, and Yahoo are just a few examples of companies that have recently suffered major data breaches, putting customer data and corporate reputations at risk. Considering the potential for lost customers, stiff penalties and legal mitigation requirements associated with HIPAA, GDPR, SB186 and other privacy laws, few companies can easily afford to become the victim of a major data breach.
An ounce of prevention
One thing is clear—with predictions of IoT-connected devices reaching more than 25 billion within two years, cybercriminals and even state-sponsored attackers are not likely to lose interest in such a huge attack surface. You need to ensure your IoT solutions have connectivity, storage and trust security built-in. Otherwise, don’t be surprised if your business is attacked or your IoT solution is used as the launch pad for a broader network attack.
The best way to prevent your business from falling victim to a cyberattack in 2018 is to ensure your IoT solutions and business initiatives have adequate security built in. Don’t expect to be able to bolt on security after the fact. The Samsung™ ARTIK platform provides comprehensive edge-to-cloud security for IoT ecosystems. Its modular approach also makes it fast and cost-effective for companies to develop and manage secure, interoperable, and intelligent IoT products and services ranging from smart homes to connected consumer electronics to high-tech factories.