Internet-Connected Devices + Lack of Oversight = Hacking Made Easy
Home and business products that have not traditionally been “smart” have been getting a brain transplant over the last several years. It’s mostly thanks to cheap Wi-Fi technology and pop-up businesses that put consumers in control, putting information about these devices at their fingertips. However, securing these machines is often overlooked during product development as businesses rush to get their item to market.
The idea of everyday devices becoming connected to the internet is called the “Internet of Things” (IoT).
This market is exploding with new products, and it has wide application. On a basic level, it can give a family the thrill of seeing a boarded pet on an iPad while on vacation. While a breach at this level may be an inconvenience, on a larger scale, significant hacking incidents can disable an automobile's braking system, shut down airport monitors, and cause physical harm and global disruption.
Here’s how the exploitation works
The camera that sends the video of Fido to the family? It may also introduce weaknesses or security vulnerabilities into your network environment. Some video cameras even publish their management interface to the internet, exposing a live feed from that camera to anyone who enters the right search terms into Google.
Compromised IoT devices can be controlled to build an army of “bots” to perform large-scale distributed denial of service (DDoS) attacks on their targets. In a DDoS attack, the attacker commands the network of “bots” to send large amounts of data to the victim’s web server (website), rendering it inaccessible due to traffic overflow. As the number of IoT-connected devices surges (Gartner predicts 20 billion such devices by 2020), the popularity of botnet attacks on IoT devices will increase as well.
Government oversight gaining steam
A bipartisan group of U.S. Senators recently introduced legislation to combat IoT insecurity through a bill titled the Internet of Things (IoT) Cybersecurity Improvement Act of 2017. This legislation would define standards for internet-connected devices sold to government agencies. In its current form, the bill would require vendors to contractually state that the devices being sold to the government are patchable, do not contain any known vulnerabilities, utilize standard protocols, and do not contain any hard-coded passwords.
The stipulated requirements are relatively basic information security principles, which helps to illustrate the current security expectation surrounding IoT devices. The legislation does not cover standards for products sold to businesses and consumers outside of the federal government space.
How organizations should respond
Even if legislation passes, there is still no widespread effort to ensure the devices are being implemented securely when they are installed in a business setting. Organizations will continually face competitive pressure to integrate these devices into their workflow. How to manage integration largely depends on having a robust cybersecurity posture.
Organizations with a mature security posture may already have regular procedures in place that identify weaknesses in new devices and harden the devices before they are put into production. As more devices are introduced to their network, organizations without a robust IT security practice may struggle to handle the associated security implications.
If you haven’t already, start building up your security framework in anticipation of this wave of technology. At a basic level, you should take measures to assess new devices for insecure configurations such as default passwords, outdated service versions, and known vulnerabilities, so that these devices do not introduce security vulnerabilities into your environment. Then, once you have a device up and running, be sure to avoid the “set it and forget it” mindset.
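One way to script the basic intake check described above, as an added example that is not from the original article: each device record is tested for an unchanged default password, outdated service versions, unresolved known vulnerabilities, and an internet-exposed management interface. The inventory field names, minimum versions, and advisory IDs are constructed placeholders, and versions are assumed to be purely numeric and dot-separated.

```python
"""Pre-deployment intake check for IoT devices (added example, constructed data)."""

# Hypothetical policy: minimum acceptable service versions (constructed values).
MIN_VERSIONS = {"openssh": "7.4", "lighttpd": "1.4.45"}


def parse_version(text):
    """Turn '1.4.45' into (1, 4, 45) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def assess_device(device, min_versions=MIN_VERSIONS):
    """Return a list of findings for one device record; an empty list means it passed."""
    findings = []
    # Treat "unknown" the same as "not changed": the check must be positively confirmed.
    if device.get("default_password_changed") is not True:
        findings.append("default password still in place or not verified")
    for service, version in device.get("services", {}).items():
        minimum = min_versions.get(service)
        if minimum is None:
            findings.append(f"{service}: no minimum version defined, review manually")
        elif parse_version(version) < parse_version(minimum):
            findings.append(f"{service} {version} is older than required {minimum}")
    for advisory in device.get("open_advisories", []):
        findings.append(f"unresolved known vulnerability: {advisory}")
    if device.get("mgmt_interface_internet_exposed"):
        findings.append("management interface reachable from the internet")
    return findings


# Constructed sample inventory; names, versions and advisory IDs are placeholders.
INVENTORY = [
    {"name": "lobby-camera", "default_password_changed": False,
     "services": {"lighttpd": "1.4.9", "telnetd": "0.17"},
     "open_advisories": ["ADVISORY-PLACEHOLDER-1"],
     "mgmt_interface_internet_exposed": True},
    {"name": "badge-reader", "default_password_changed": True,
     "services": {"openssh": "7.9"}, "open_advisories": [],
     "mgmt_interface_internet_exposed": False},
]


def audit(inventory):
    """Map each device name to its findings so failures can block deployment."""
    return {d["name"]: assess_device(d) for d in inventory}


if __name__ == "__main__":
    for name, findings in audit(INVENTORY).items():
        print(name, "PASS" if not findings else "FAIL")
        for finding in findings:
            print("  -", finding)
```

Re-running the same audit on a schedule, with the inventory refreshed from current device data, is one way to avoid the “set it and forget it” mindset.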
How we can help
It is clear from recent events across the globe that organizations must take security into their own hands when incorporating third-party internet-connected devices into their network. Before you hook up a device, or to understand your readiness for the IoT wave, engage a professional to conduct a cybersecurity assessment and gain a thorough understanding of your network’s security.