Internet of Things noun
1. network of everyday devices, appliances, and other objects equipped with computer chips and sensors that can collect and transmit data through the Internet.
This has given rise to items such as smart home devices, wearables, connected car/autonomous transportation, connected health (digital health/telehealth/telemedicine) and smart children’s toys, among others.
With all these new shiny gadgets, the future must look rosy, right?
A quick internet search for “IoT” and “security” shows just how wrong things can go. Within the cybersecurity community there has long been a view that security around the Internet of Things has not been given the importance it requires. Unfortunately, any system that transmits information (especially wirelessly) from one point to another on a network is vulnerable to hacking. Your “smart” IoT devices can give a hacker an easy point of entry to a network (e.g. your home network), and from there to the data transferred across it.
If some of these horror stories weren’t so serious, they would be farcical. A doorbell that reveals the network key of your home Wi-Fi. Soft toys that store information gathered about your children in an unsecured database that can be interrogated—including voice messages. Hackable wireless printers allowing cybercriminals to break into home networks and sabotage files. Connected cars being compromised. Security cameras that may be hacked and controlled remotely—the list is seemingly endless. The most bizarre hack I have come across so far is an old botnet exploit where refrigerators were hacked to send out spam… [insert your own pun here]
Clearly though, this is no laughing matter. It appears that in the rush to capitalise on the lucrative nature of the industry, manufacturers have simply ignored good security practice.
Now we’re aware of the nature of the problem, what should be done?
For producers of IoT devices, the security measures should be on a par with the technology being used and the sensitivity of the data being transmitted. Building security into the device at the design stage, rather than trying to bolt it on afterwards, is already standard practice in IT design and should be equally evident here. An article by Mike Turner (Capgemini’s Head of CyberSecurity) gave important guidelines on the processes to be followed when securing the Internet of Things. These were:
- Integrate security best practice with the IoT product development process
- Set up an integrated team of business executives and security specialists
- Educate consumers as well as front-line staff in security best practice
- Address privacy concerns with transparent privacy policies.
For those involved with the security architecture around IoT, there are a number of methods of intelligently applying security to IoT:
- Network security: Protecting and securing the network connecting IoT devices to back-end systems on the internet.
- Authentication: Providing the ability for users to authenticate an IoT device, ranging from a simple password to more robust mechanisms such as two-factor authentication and biometrics (and possibly blockchain?)
- Encryption: Encrypting data at rest and in transit between IoT edge devices and back-end systems using standard cryptographic algorithms, thereby preventing data sniffing by hackers.
- PKI: Providing complete X.509 digital certificate and cryptographic key life-cycle capabilities, including public/private key generation, distribution, management, and revocation.
- Security analytics: Collecting, aggregating, monitoring, and normalizing data from IoT devices and providing actionable reporting and alerting on specific activities or when activities fall outside established policies.
- API security: Providing the ability to authenticate and authorize data movement between IoT devices, back-end systems, and applications using documented REST-based APIs.
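As an added example (not code from the article or from Capgemini), here is a small Python policy check in the spirit of the security-analytics item above: it walks flow-log lines from home IoT devices, compares each connection against a per-device allow-list of the back-end hosts the device is expected to talk to, and raises an alert when a device steps outside that policy, including the refrigerator-sending-spam case mentioned earlier. The log format, device names, hostnames and policies are all constructed for illustration.

```python
"""Policy-based anomaly alerting over IoT device flow logs (added example)."""
from collections import defaultdict

# Constructed per-device policy: the (host, port) pairs each device is
# expected to contact. Anything else is "outside established policy".
POLICY = {
    "fridge-01": {"allowed": {("cloud.fridge-vendor.example", 443)}},
    "doorbell-02": {"allowed": {("api.doorbell-vendor.example", 443),
                                ("api.doorbell-vendor.example", 8883)}},
}

# Constructed sample flow log: timestamp device dst_host dst_port bytes
SAMPLE_LOG = """\
2024-01-10T08:00:01Z fridge-01 cloud.fridge-vendor.example 443 812
2024-01-10T08:00:05Z doorbell-02 api.doorbell-vendor.example 8883 120
2024-01-10T08:01:00Z fridge-01 mx1.mail.example 25 4096
2024-01-10T08:01:02Z fridge-01 mx2.mail.example 25 4096
2024-01-10T08:01:03Z fridge-01 mx3.mail.example 25 4096
2024-01-10T08:02:00Z camera-07 203.0.113.10 4444 2048
"""


def parse_line(line):
    """Split one whitespace-separated flow record into a dict."""
    ts, device, host, port, nbytes = line.split()
    return {"ts": ts, "device": device, "host": host,
            "port": int(port), "bytes": int(nbytes)}


def find_policy_violations(log_text, policy=POLICY):
    """Return a list of (device, reason) alerts for flows outside policy."""
    alerts = []
    smtp_counts = defaultdict(int)  # outbound port-25 connections per device
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        dev = rec["device"]
        if dev not in policy:
            # A device nobody registered a policy for is itself worth a look.
            alerts.append((dev, f"unknown device contacted {rec['host']}:{rec['port']}"))
            continue
        if (rec["host"], rec["port"]) not in policy[dev]["allowed"]:
            alerts.append((dev, f"unexpected destination {rec['host']}:{rec['port']}"))
        if rec["port"] == 25:
            smtp_counts[dev] += 1
    # A fridge has no business talking to several mail servers in a row.
    for dev, n in smtp_counts.items():
        if n >= 3:
            alerts.append((dev, f"{n} outbound SMTP connections: possible spam bot"))
    return alerts
```

Feeding the constructed log through `find_policy_violations` flags the fridge's three mail-server connections and the unregistered camera, while the doorbell's expected MQTT-over-TLS traffic passes silently.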
For consumers, it appears that in the United States, Congress is making an attempt to mandate a minimum set of security standards for IoT devices, which is positive news. However, until such regulation becomes an accepted standard, some simple rules of thumb are:
- Change the default passwords on all connected devices. If the default password cannot be changed, understand that this presents a risk to any network the device is connected to.
- Understand what data is being collected from your connected device. This will allow you to make an informed decision as to how much security is required for that device, or whether to buy that device at all.
- Keep your software and firmware up to date by applying the latest security updates from the manufacturer. Ensure your vendor is still providing security updates.
- Understand (as much as possible) what your device does and how it should be protected. The manufacturer should be able to help. If they can’t explain it to you in a way you can understand, consider choosing a new vendor—or a different product.
Also ask yourself—do I really need a refrigerator that is connected to the internet?
In conclusion, as the number of IoT devices and their applications proliferates, it is crucially important that security proportionate to the importance of the data to the consumer be included in the design of the product. In an increasingly interconnected world, our lives will rely on the authenticity of the connections between those objects that depend on the internet for their functionality.