Locking down the Internet of Things

Much has been made of the economic benefits of the Internet of Things, but at what cost to our security and privacy?

Keeping securely connected

The security problems IoT could cause are another area that needs to be more openly discussed, states Curran, because they could pave the way for remote attacks against individuals and businesses.

The problem stems from the fact that not all connected devices were built with security in mind from the get-go, according to the European Commission.

"Information security, privacy and data protection should systematically be addressed at the design stage. Unfortunately, in many cases, they are added on later once the intended functionality is in place," the document states.

"This not only limits the effectiveness of the added-on information security and privacy measures, but is also less efficient in terms of the cost to implement them."

It is an area manufacturers are becoming more mindful of, claims Curran, but the devices they are trying to lock down sometimes lack the compute power needed to do this effectively.

"There is an international ISO/IEC 29192 standard which was devised to implement lightweight cryptography on constrained devices," he offered.

"There was a need for this as many IoT devices have a limited memory size, limited battery life along with restricted processor...and traditional heavy cryptography is difficult to deploy on a typical sensor hence the deployment of many insecure IoT devices."

Back door bad guys

Connected devices are often fitted with 'back doors' so manufacturers can easily monitor their activity and stop them carrying out particular functions. But these could easily be taken advantage of by hackers.

"Every server, router, switch, laptop, tablet and mobile has a back door in it," says former BT CTO Peter Cochrane, who now runs his own IT consultancy business.

"That is the reality of the threat. China has declared that all of the power meters they are manufacturing have got back doors in...so they can [remotely] monitor them and check they are working okay."

In some instances it might be in the manufacturer's best interests to maintain this access point into the product, depending on who it is being sold to.

"If you were a military manufacturer making missiles, for example, you always put a back door in so it can be remotely disabled just in case the friend or ally you sold it to becomes your enemy tomorrow," he explains.

Remote attacks

Security experts often cite medical devices as examples of connected devices with back doors that could be remotely exploited with devastating consequences.

"There is a pacemaker on the market today, with a wireless interface, that is being fitted to people and somebody has hacked that wireless interface and it has a back door. If I had the knowledge, I could sit in Starbucks killing people as they walk past. It's that severe," says Ciseco's Hodkinson.

"The risk to life of having proprietary security systems is that people don't have the resource to test them in the real world against three billion people."

The 12.1 million smart utility meter deployment project, which will see 53 million connected devices installed in homes and businesses across the UK between 2015 and 2020, could also put households at greater risk of attack in several ways.

Firstly, there is the fact that the meters will be monitoring people's electricity consumption, which, as in Hodkinson's fridge example from earlier, is information that could be of interest to burglars.

"On a larger scale, however, there is a threat whereby smart meters that are connected to smart grids could be attacked leading to complete failure of the system," explains Curran.

"It is an ideal attack vector for rogue nations or terrorist organisations as once the electricity is cut-off, then pretty much every aspect of life in that region is affected."

While it might sound almost fanciful, smart meter attacks are a very real and credible threat, stresses Curran.

"We do know the Chinese authorities have done extensive reconnaissance of Western energy networks, so it is very possible that a nation state might launch such an attack during a time of international tension," he claims.

"If an attacker were to compromise such a critical infrastructure and send commands to multiple meters to stop or modify charging, then the public backlash would be significant. Because when people are left without power, people die."
