The advent of mobile phones, as we all know, changed the game of communications—”made the world smaller” as it is said. Then came the internet, which brought in a whole new definition to making the world smaller, anything you need or want to know is simply a click away. Technology innovations took it one step further and decided to connect everything capable of providing some form of information and made them communicate with each other through the internet—this is the Internet of Things (IoT).
Internet of things (IoT), by definition, is a network of objects, which are enabled with sensors and unique identifiers and provide communicable data in real-time to provide insights for the desired outcome.
This world of IoT has surely boomed and shows no signs of slowing down. By 2020, Cisco estimates the number of connected devices on the Internet will exceed 50 billion. And Gartner estimates, internet-connected things will outnumber humans 4-to-1 by the same year.
This clearly shows IoT is the new cool kid in town, and everyone wants to be his friend.
IoT – from apprehension to the necessity
Now, what happens when so many network ports are facing the internet? It opens up many pathways for hackers to reach you. Yet, this fear has not slowed down the rapid progression of IoT adoption or the businesses that provide these solutions. The hype of IoT is so huge that everyone is playing catch up to offer flashy devices to grab the attention of the user. From temperature sensors in AC to fully automated smart homes, from smart meters to fully optimized power grids, IoT is slowly growing in every nook and corner. IoT, in combination with cognitive solutions like Artificial Intelligence, can not only gather data, and also make sense of it. This data can make enable people to be more proactive rather than reactive in several scenarios by predicting dire outcomes before they can happen.
Internet of Things is not only about providing convenience to the user or speeding up everyday activities—its use cases can even save lives.
“Whenever I hear people saying AI is going to hurt people in the future I think, yeah, technology can generally always be used for good and bad, and you need to be careful about how you build it … if you’re arguing against AI then you’re arguing against safer cars that aren’t going to have accidents, and you’re arguing against being able to better diagnose people when they’re sick.” — Mark Zuckerberg
This quote quite aptly summarizes the fear of technology that is part and parcel of innovations and yet how important it is to go beyond security hassles and reap the benefits of technology.
Now that we have established how that Internet of Things isn’t going anywhere, and all of us are on the same page that innovations are indeed a requirement in today’s time, let’s further understand how to secure IoT. Instead of fighting innovation, let’s know how to protect ourselves from the bad actors.
Loopholes preventing IoT security
What is IoT Security?
IoT security is the act of protecting the connected devices, their networks, and providing solutions to safeguard the data integrity from the bad actors.
The speed at which IoT grew, made it almost a compulsion for businesses to provide these solutions.
In an interview with the HuffPost, Maciej Kranz, the Vice President of Corporate Strategic Innovation Group at Cisco, spoke at length about the business impact of the Internet of Things. He talked about how, in the technology industry, companies have to reinvent themselves every 3-7 years to survive. With IoT, this pressure of reinvention is now present across all industry segments like the autonomous vehicle industry.
In this race to survive and stay ahead in business, a lot of those who provide IoT solutions, be it consumer-facing or business facing, have missed on a very crucial aspect of technology—security. The security measures, or lack thereof, leave not just one object vulnerable for hackers, but due to the interconnected nature of IoT, they leave the entire network open for attacks.
The famous attack on Dyn shocked the entire industry. Dyn is an internet performance management and web application security company. It controls much of the internet’s DNS infrastructure, and an attack on it made giants like Twitter, Netflix, and Reddit websites unavailable for hours. The attack was made by the Mirai Botnet, which is the largest botnet seen to date.
What could’ve helped it become the largest? What is present in abundance and prevalent among people? If you guessed devices, in this case, connected devices, then you’re right. The Mirai Botnet made use of consumer IoT devices, their cameras, routers, and DVR systems. The botnet launched a distributed denial of service (DDoS) attack on the server. DDoS is an attack where several compromised systems like computers are infected with malwares like botnets. These are orchestrated to bombard a server and overwhelm them with malicious traffic until they break out of strain.
The company estimated that the attack involved around “100,000” endpoints with an attack strength of 1.2 Tbps.
This story shook the industry and showed the repercussions of insufficient IoT security. All through a code which was, funnily enough, written initially to gain control over the game, Minecraft!
However, this was still a business repercussion. Since IoT has advanced to great lengths, its presence is there in automobiles, healthcare, and much more. Pacemakers are a prominent use case of IoT in health care. Now, if there is someone with an evil intention, the repercussions of a hacked pacemaker can be fatal. Likewise, in cars, the result of a hacked accelerator can completely take over an individual’s power over their vehicle. There are unthinkable crimes that can happen if IoT is not shaped into a much more secure technology than what it is today.
Here are some ways by which the Internet of Things is vulnerable:
- Everyone wants IoT. We discussed previously, the demand for IoT has driven many businesses to focus on innovation and be competitive over providing secure solutions. So organizations that give these solutions pay little attention to ensuring the security of the devices. Securing IoT devices has not been on their list of priorities.
- Hardcoded passwords is a common practice in these devices. Protocols to reset passwords once the device is in the hands of customers is often not a mandatory practice. This process may provide convenience to the end-user but also provides convenience to the hacker.
- Lack of security capability of the IoT resources is a major concern. Devices like humidity detectors may not be designed to handle security measures like encryption.
- There are no unified framework or standards which are supposed to be followed for IoT. Businesses provide their own set of regulations, which cause conflict for interoperability. The lack of standard protocols itself exemplifies how IoT security has not been a primary concern as opposed to providing cutting edge IoT solutions.
- IoT thrives on data. And yet sometimes, there aren’t enough measures in place to protect this data. Although making sense of consumer data is a significant use case of IoT for businesses, there is a line to be drawn as to what kind of data businesses can use. Data which can also be your Personally Identifiable Information (PII) must be monitored stringently. Otherwise, it can leave users exposed to a lot of risks. (Understand what is PII here)
- Updates may take forever to install. Whenever a vulnerability is found, a security patch must be released. But, oftentimes, the end-user takes time to install these security updates. Can you think of the number of times you have not updated an application on time? This delay in the installation of updates provides a considerable amount of time for the hacker to take advantage of the vulnerability even though the means to fix it is with you.
- Legacy assets have a downside that they are not equipped with the right security measures to combat modern threats. And more so, they are not IoT enabled. The investment to ensure these systems are IoT-ready with the appropriate security can be a lot. And thus, due to the downsides to upgrading these systems, it is often overlooked. This increases the surface area for a hacker.
- Code vulnerabilities in the IoT devices. In a toolkit, which is essentially a bundled code available for use, called gSOAP, a vulnerability called Devil’s Ivy was discovered. And this toolkit was popularly used by many companies to enable their device’s communication with the internet. It was found deep within the communication system of Axis smart cameras. To rectify this and develop a code devoid of this would require expertise in the domain specifically. This brings us to the last point of IoT insecurity.
- Lack of expertise against hackers. The manufacturers who design and develop the IoT devices, secure them to the best of their understanding. Yet, they aren’t in the field of cybersecurity, and so they will not have the expertise. Thus, the standard security measures which they might be inclined to follow will not be foolproof here.
Ramp Up Your IoT Security
We’ve discussed at length the ways and vectors to attack IoT networks. But we have also established that it is indeed a necessity and there is no escaping it, and why should we, considering how it can be an absolute boon. Let’s talk about the ways of securing it:
- Stringent patch management policy can ensure patches are released and installed on time. Test the patch thoroughly, to avoid further complications and ensure the time taken to apply it is not too long.
- Notch up your password policy. It is a no brainer that your password shouldn’t be something obvious. It cannot be something that can be figured out by a glance at your social media profile, be smart about it, and ensure it is not accessible by anyone. On a device level, manufacturers must ensure that if there is a default password, it has to be updated once the device is in the hands of the consumer.
- Encrypt the data. All the data that is stored or in transit must be encrypted, including passwords. When encryption is in the picture, it is necessary to enable effective key management policy in place too.
- Authentication of all the devices in the network. Usually, the term authentication implies passwords, OTP, and security questions. Authentication here refers to that of devices. They must be enabled with authenticated by digital certificates and Public key infrastructure (PKI). This provides the factor of trust for the exchange of data between the device identities.
- API security must be a priority. Given that the exchange of data happens via API, this interaction must be safeguarded. The access to the system, which is at the receiving end of this IoT data, must also be streamlined.
- Secure the networks too. When there are so many devices communicating over a network, it becomes increasingly important to ensure the safety of this network as well. Firewalls, antivirus are some measures that can protect them.
- Analytics in IoT and for IoT. Analytics applied over IoT can surely give you a great deal of data to scale your businesses. Use analytics to monitor this network, as well. Cognitive technologies can monitor anomalous behavior on a real-time basis and empower you with the right information to take quick action.
- Be wary of your device. As simple as this sounds, you must be careful while handling your devices in public. And manufacturers must also ensure the devices cannot be easily tampered with in case you lose them.
- Identity Management can be your IoT savior. In IoT, devices have unique identities. Thus, it is imperative there is a solution in place to manage the identities as well. You must streamline the access to these device identities, and monitor the authentication of the devices as well. At an organizational level, IoT can accelerate the productivity of your employees by connecting devices and providing insights for your business. But, with the BYOD culture, an increasing number of remote employees, along with the rising number of insider threats and phishing attempts, all the accesses must be streamlined. Using ‘Intelligent IAM’ solutions, the devices, and the behavior of the user with these devices can be tracked. And every time a user logs in, their current behavior can be compared against a standard set of behavior patterns. Thus, whenever the identity of the device and the employee is compromised, you will be alerted. The importance of the information ‘who has access to what,’’, governance of access, and timely removal of access cannot be undermined. If IoT is going to scale your digital experience, an IAM solution enables it to scale up.
B2B spending on IoT technologies, apps, and solutions will reach $267 Billion by 2020, according to Boston Consulting Group (BCG). As an organization, you are a part of this investment. Organizations can reap the benefits of this only once it is secure. Ensure your devices are safe and ensure your businesses have a reliable network of IoT devices, as well. Let the Internet of Things (IoT) transform your business while you keep the hackers at bay.