Blog Post

The Risk from the Internet of Things

Jan 20, 2017

The Internet of Things has experienced a huge surge in growth and popularity thanks to its main stream exposure due to the likes of smart TV's, Internet fridges, smart grids, and smart homes.

With the inclusion of anything from urban transport to medical devices to household appliances, the Internet of Things has become a large part of our lives. These unusual "smart objects" or "smart devices", that have never been capable of inter-networking on a global scale before, have for the most part made our lives easier. However as with all new developments, it's also brought its own fair share of risks. Cyber criminals have more ways than ever before to make money off the unaware, underprepared or uneducated.

  1. Unsecured Devices
    More often than not, the security functionality embedded within the IoT device is largely insufficient, due to a lack of local resources or capacity. A good example of this are car manufacturer’s like Land Rover; having to recall vehicles for instance, because their on-board computers had security weaknesses that allowed criminals to easily steal them, or in extreme cases, even control them remotely. Ultimately however, security will need to be built into IoT products by the vendors. Cheap, ubiquitous, and insecure IoT devices are ultimately the cyber criminal’s best friend.
  2. Weak Entry Points
    IoT devices that are poorly secured on networks; with known or easily guessed passwords and passcodes are the ideal point of entry for cyber criminals. It’s even better if the device happens to be a router or network control device, as the criminals can modify the firewall and network services to their nefarious ends. Even so called “risk-free” endpoints, such as Internet fridges, have potential exploits because of susceptible functions such as sending emails. To help combat this, IoT devices need to be protected, by locking down admin rights and changing default passwords by adding in as much complexity as possible. It may also pay to segregate IoT devices to a firewalled and possibly non-routable network.
  3. Surveillance Hijacking
    Have you got a PC or laptop with a webcam? Cyber criminals can potentially use your computer’s camera to see into your home or office, and even listen in if they can get access to your device’s microphone. This breach isn’t just limited to visual and audio access however – a compromised IoT device on your network can passively and actively learn about the rest of your network. Due to their common operating system, hackers have a good chance of installing common malware to learn all they can about you or your company. This again reinforces the fact that all your IoT devices need to be locked down, and not just the central control point. Regular security sweeps should be done to check for unusual behavior, and be prepared to reset devices back to their factory settings. Where possible it would pay to isolate your IoT devices from your main network.
  4. Hijacked for Criminal Activity
    IoT in the health care sector presents an exciting opportunity, not just for passively collecting patient observations, but also controlling medical devices in real time, in response to collected observations. Imagine a heart monitor for instance, that constantly sends heart data to a system that analyses it, along with blood oxygen levels etc. It then decides to modify one of the control units – maybe to deliver a drug to the patient. In the wrong hands, this setup could result in death. Accessing other IoT devices can offer cyber criminals a lot of control over your life, especially keyless entry systems for your home, garage, gate, or car that can be cloned to give the criminal physical access. It’s essential for users to choose IoT products with proven security credentials. Greater security will likely cost more than the weaker IoT devices.
  5. Unknown Network Use
    Do you know how much of your home or business infrastructure is IoT connected? Recently an independent security organisation scanned the 900 MHz bandwidth used by IoT wireless devices and much to their client’s astonishment, found that their HVAC system was IoT-connected. The client didn’t know this and wasn’t responsible for its security. The HVAC devices were also identified to have default passwords and very little in the way of security. If a hacker had gained access to these devices, they could have caused a potentially devastating amount of damage to the business. This is a good lesson for all of us, businesses need to scan for IoT devices on their network constantly. Ultimately, company’s need to know what is normal before they can know isn’t normal, and take necessary actions to correct it.
  6. Convenience and Price over Security
    Security can fall by the wayside if IoT vendors are trying to provide an Apple-like experience of simplicity and convenience, or attempting to compete based on price. Plug-and-play without configuration should not be possible – some configuration by the consumer is needed so they can at least program the IoT device with a passcode or password that only they know. If you just plug a device into your network without any configuration, then you have more than likely created an opportunity for a cybercriminal. Consumers need to be more technology-savvy and vote with their wallets – only buying products that are offering sufficient levels of security. Industry standards don’t exist for IoT device security, and many products are not interoperable using differing technologies. Therefore, the best way for consumers to become IoT-security savvy is to educate themselves by talking to industry professionals like Computer Culture.
  7. You can’t secure insecure IoT Devices
    Some IoT devices, especially those that offer plug-and-play installation, can be difficult, sometimes impossible, to configure – especially devices that are embedded and need special diagnostic equipment to interface with them. In this instance, the user needs to check whether (and how) the IoT device is configurable and securable. If it’s not, they need to think twice about purchasing it due to the inherent risks of adding an insecure IoT device to their network. The fact that the device can be a household device, such as a fridge, is unimportant. Security research has shown that hackers can use Internet fridges to send spam and learn about the rest of the network its connected to, for a future criminal act.
  8. Forgotten IoT Devices
    People can sometimes forget about older or unused devices, and some of these will likely be IoT-enabled. These devices might not be monitored or maintained but are likely to remain on the network. These devices have the potential to become a risk over time as security exploits are left unpatched. Once an attacker finds such a device, they will find a way to hijack it. These devices need to be repurposed or disposed of in an appropriate and secure manner.

    If your concerned about your IoT devices and want to know what you can do to help mitigate these issues, come talk to one of our friendly team.


Share by: