With more than $19 trillion in profits and savings expected from IoT sensor technology over the next decade, according to Cisco Systems, the race is on to bring innovation into every industry and all aspects of our daily lives. Industry estimates, such as the one from Gartner, put the number of connected devices at around 5 billion, and Forrester's report “Security: The Vital Element of the Internet of Things” expects the number of IoT devices to grow to over 20 billion in 2020.
This includes smart home appliances and devices, industrial control systems, connected vehicles, unmanned aerial vehicles, connected retail, city infrastructure, hospitals and emergency services, and more. Some security experts fear that all of this innovation is happening way too quickly and in a very haphazard manner, potentially leading to a worldwide cyber-security crisis with deadly consequences.
Hidden Dangers of the Connected Future
As Chris Witeck, principal technology strategist at Citrix Labs, points out, hackers and malicious attackers are rarely fascinated by the technology itself; all they look for is the most accessible point of entry which they can exploit in order to achieve their goals.
Internet of Things devices equipped with a wide range of sensors fit the bill perfectly. Thousands of startup companies are furiously competing with one another for their share of the lucrative market, often putting security on the back burner. Not only are sites like Kickstarter filled with a seemingly endless number of upcoming IoT products, but the existing products generate huge quantities of data, which have to be transmitted, processed, and stored. Doing all of these things in a secure manner is often too much for a company with limited budget, experience, and, above all, manpower.
Edith Ramirez, U.S. Federal Trade Commission chairwoman, outlined key security challenges when she addressed the audience at the Consumer Electronics Show in Las Vegas in 2015. In her talk, she mentioned ubiquitous data collection, potential for unexpected uses of consumer data, and heightened security risks as the main security problems that undermine consumer trust.
Her worries are, indeed, justified. An HPE Internet of Things Research Study found that 60 percent of tested IoT devices have problems with user interface security and are exploitable by common attacks, including cross-site scripting (XSS). Furthermore, 80 percent of IoT devices have weak password policies, and 70 percent of IoT devices fail to encrypt their local and internet communication.
The problem is worsened by the fact that, in the enterprise sphere, IT departments don’t have the necessary resources to rebuild their information technology infrastructure to accommodate IoT systems. But many of these new IoT devices can serve as a bridge leading to more traditional IT systems containing highly sensitive information and mission-critical applications.
John P. Carlin, the U.S. Assistant Attorney General for National Security, told the Intelligence and National Security Alliance at their annual summit that his division has started a group devoted to nothing but the Internet of Things. “Look at the terrorist attack in Nice,” he continued. “If our trucks are running in an automated fashion—great efficiencies, great safety—on the one hand, if we don’t think about how terrorists could exploit that on the front end, and not after they take a truck and run it through a crowd of civilians, we’ll regret it.”
Real-World IoT Sensor Security Incidents
The Internet of Things is still in its infancy, but there have already been a number of security incidents involving IoT devices and sensors. In 2014, a security consultant, Jesus Molina, made international headlines when he found a way to switch lights on and off, change TV channels, raise blinds, and adjust the temperature in a five-star hotel in China, wreaking havoc in 200 suites, as reported by Sky News. Molina said that he was simply bored, so he took out his personal iPad to see just how deep into the hotel’s control systems he could get.
But you don’t have to visit a foreign country to come in direct contact with security vulnerabilities in IoT systems. Researchers from Rapid7, an Internet security company, focused on baby monitors and discovered a range of vulnerabilities that could allow malicious attackers to access live audio and video feeds, change settings, and, potentially, talk to the monitored baby.
While many of the vulnerable baby monitors came from smaller manufacturers without extensive experience in IT security, the Nest Learning Thermostat definitely did not. It was first introduced in 2011 and later acquired by Google for $3.2 billion, yet security research students from the University of Central Florida demonstrated at the Black Hat security conference how it can be exploited in just 15 seconds.
If a technological giant such as Google can release a product that’s so vulnerable, who else can? It turns out that just about everyone can. Texas-based firearms manufacturer TrackingPoint released a $13,000 self-aiming rifle, which was successfully hacked by security researchers Runa Sandvik and Michael Auger, allowing them to change its target. A potentially even more lethal security issue was discovered in Hospira’s Symbiq drug pumps. “The security holes can be exploited to remotely hack the devices and possibly change the dosage they deliver to patients,” reported Security Week.
With incidents like these, it’s easy to imagine a future where an attacker could hold a person hostage by taking control over her car or smart house door lock, keeping her inside until she agrees to pay a hefty sum of money. The ransomware of today pales in comparison to its possible future version. “Imagine what would happen to a city if its traffic signal control system was hijacked for ransom?” asks Guy Barnhart-Magen, CTO at Nation-E.
The Path Toward IoT Security
Unfortunately for the IoT industry, there’s no easy solution for the security storm that’s just beginning to form on the horizon. Internet of Things sensor technology spans countless different industries, each dealing with very specific circumstances and risks.
Steve Grobman, the chief technology officer for Intel Security, emphasizes that companies and IoT device manufacturers “should add only enough connectivity and access required to achieve the goals that they’re working towards around automation and enhanced control.”
Chris Witeck from Citrix stresses the importance of encryption and encourages organizations, companies, and individuals to “carefully look at IoT device manufacturers to see if they are adhering to any of the competing IoT standards and understand how they wrap security into their devices.”