With a vast and growing number of business, industry, consumer and civic IoT devices and systems now being used, we look at their advantages, the threats to the IoT and how we move forward in a way that maximises the benefits and security.
The Internet of Things (IoT)
IoT devices are those devices that are now present in most offices and homes that have a connection to the Internet and are, therefore, ‘smart’ and inter-connected. These devices, each of which has an IP address, could be anything from white goods and smart thermostats to CCTV cameras, medical implants, industrial controllers and building entry systems.
IoT devices transmit and collect data which can be processed in data-centres or the cloud. IoT devices use several different communications standards and protocols to communicate with other devices. These include Wi-Fi, Bluetooth, ZigBee (for low-power, short-distance communication) or message queuing telemetry transport (MQTT).
The IoT can be categorised as the consumer IoT, industrial IoT, smart homes and offices and even smart cities.
Cloud providers also provide IoT platforms that allow IoT devices and gateways to connect with the applications used to deal with the IoT data, coordinate IoT systems and help with their functionality.
Estimates on the growing number of IoT devices vary but there is thought to be anywhere between 30 and 50 billion IoT devices worldwide which could generate more than 4 zettabytes of data this year.
The Advantages of the IoT
Devices and systems that are ‘smart’ i.e. have an internet connection have several key advantages including:
– Data can be gathered from IoT devices that can be used to improve design, operation, security and more. This can help to create new opportunities and launch new, improved products.
– They can be updated and even patched remotely and quickly without requiring physical parts to be replaced.
– Customer interaction and engagement with the product and the brand can be increased by having a smart function.
– Companies can use IoT technologies to reduce their operational costs e.g. by helping to track and monitor equipment and reduce downtime, predict errors, and reduce power consumption.
IoT Security Risks
The risks are that the Internet connection in IoT devices can, if adequate security measures are not in place, provide a way in for hackers to steal personal data, spy on users in their own homes, or remotely take control of devices in order to misuse them.
The main security issue of many of these devices is that they have pre-set, default unchangeable passwords, and once these passwords have been discovered by cyber-criminals, the IoT devices are wide open to being tampered with and misused.
Also, the fact that IoT devices are so prevalent and are often overlooked in security planning (and are therefore likely left unguarded) means that they are vulnerable to hacks and attacks.
Another big risk is that IoT devices are deployed in many systems that link to (and are supplied by) major utilities e.g. smart meters in homes. This means that a large-scale attack on these IoT systems could affect the economy.
“Shadow IoT” devices i.e. connected to corporate networks without the knowledge of IT teams, also now pose a threat to organisations by allowing attackers a way to get into a corporate network. These devices can include fitness trackers, smartwatches, and medical devices.
A poll by Extreme Networks of 540 IT professionals in the U.S, Europe and the Asia Pacific regions found that 70 per cent of companies who said they employed IoT devices were aware of successful or attempted hacks.
Hacks of IoT devices do not just happen to businesses. With so many IoT devices being present in the modern home we are all now at risk. Some real-life examples of IoT hacking include:
– Hackers talking to a young girl in her bedroom via a ‘Ring’ home security camera (Mississippi, December 2019). In the same month, a Florida family were subjected to vocal, racial abuse in their own home and subjected to a loud alarm blast after a hacker took over their ‘Ring’ security system without permission.
– In May 2018, A US woman reported that a private home conversation had been recorded by her Amazon’s voice assistant, and then sent it to a random phone contact who happened to be her husband’s employee.
– Back in 2017, researchers discovered that a sex toy with an in-built camera could also be hacked.
– In October 2016, the ‘Mirai’ attack used thousands of household IoT devices as a botnet to launch an online distributed denial of service (DDoS) attack (on the DNS service ‘Dyn’) with global consequences.
Examples of how some bigger IoT systems and devices have been attacked this year include:
– In February, there were reports that a vulnerability in over 2,300 smart building access systems was being exploited by attackers to launch DDoS attacks.
– In May, supercomputing systems in the UK, Germany, and Switzerland were targeted and infected with cryptocurrency mining malware.
– Also in May, a new form of malware called Kaiji was found to have been used to target IoT devices and Linux servers to make them part of a botnet that could be used for several different types of DDoS attacks.
IoT Security Legislation on the Way
In January this year, the UK government’s Department for Digital, Culture, Media and Sport (DCMS), announced that it is preparing new legislation to enforce new standards that will protect users of IoT devices from known hacking and spying risks.
IoT Household Gadgets
This commitment to legislate leads on from last year’s proposal by then Digital Minister Margot James and follows a seven-month consultation with GCHQ’s National Cyber Security Centre, and with stakeholders including manufacturers, retailers, and academics.
The proposed new legislation will improve digital protection for users of a growing number of smart household devices (devices with an Internet connection) that are broadly grouped together as the ‘Internet of Things’ (IoT). These gadgets include kitchen appliances and gadgets, connected TVs, smart speakers, home security cameras, baby monitors and more.
In business settings, IoT devices can include elevators, doors, or whole heating and fire safety systems in office buildings.
The proposed new legislation will be intended to put pressure on manufacturers to ensure that:
– All internet-enabled devices have a unique password and not a default one.
– There is a public point of contact for the reporting of any vulnerabilities in IoT products.
– The minimum length of time that a device will receive security updates is clearly stated.
Even though legislation could make manufacturers try harder to make IoT devices more secure, technical experts and commentators have pointed out that there are many challenges to making internet-enabled/smart devices secure because:
- Adding security to household internet-enabled ‘commodity’ items costs money. This would have to be passed on to the customer in higher prices, but this would mean that the price would not be competitive. Therefore, it may be that security is being sacrificed to keep costs down – sell now and worry about security later.
- Even if there is a security problem in a device, the firmware (the device’s software) is not always easy to update. There are also costs involved in doing so which manufacturers of lower-end devices may not be willing to incur.
- With devices which are typically infrequent and long-lasting purchases e.g. white goods, we tend to keep them until they stop working, and we are unlikely to replace them because they have a security vulnerability that is not fully understood. As such, these devices are likely to remain available to be used by cyber-criminals for a long time.
The IoT brings many advantages to businesses in terms of cost savings, the gathering of valuable data, monitoring and management. For consumers, smart devices deliver new levels of value-adding functionality and looking ahead, towns and cities will begin to rely even more on the benefits of IoT devices and systems.
The vast number of IoT devices, many which go unnoticed or fall outside of realistic risk assessments and/or still contain known weaknesses and vulnerabilities mean that there are big concerns about IoT security and privacy going forward.
New legislation could mean that manufacturers in some parts of the world are more motivated to pay greater attention to the security and labelling of IoT devices although there is still some way to go. That said, smart systems combined with other technologies such as AI and cloud technologies look like providing more opportunities for businesses in the future.