In-depth

IoT privacy and security concerns

We take a look at what's needed to really secure internet-connected devices

Back in 2018, a US casino got hacked via a fish tank, a story that has become something of an urban legend in the tech industry. The tank had an internet-connected thermometer that was used as an entry point into the casino's entire system to extract data on its clientele. 

It's an extreme case, but it highlights the danger the Internet of Things (IoT) presents: connect any object to the internet, however innocuous, and an attacker can turn it into an open door into everything else on the same network.

The rise of IoT takes in all manner of gadgets, from smartphone-controlled coffee machines to office lights linked to Wi-Fi, and every one of them is another device that can be compromised. This has led to calls for security to be baked into the design of all IoT products ('secure by design') and for an end to universal default passwords.

Privacy is also an issue with IoT, especially with audio-based devices that can listen in on daily conversations. The Amazon Echo can do many impressive things, but it can also be 'woken' by mistake, and there are a number of stories of 'Alexa' beginning to record by accident; Echo recordings were once sought as evidence in a homicide case. There is also concern about how Alexa is improved, with Amazon employees listening to recordings to raise the quality of the service.

While the hacking stories keep surfacing, with some even becoming legend, there is no sign that the IoT industry is slowing down. More and more everyday things are getting internet access, and business adoption is rising too. So what can you do to keep your internet-connected ecosystem safe?

A clear and present threat

It would be foolish to think that internet-connected thermostats or other smart devices do not pose a security threat to organisations, particularly at a time when employees are predominantly working from home. The shift to mass remote working means the average "office" now contains more internet-connected devices than ever, from AI-powered smart speakers and video doorbells to phone-controlled light bulbs and robot vacuums.

With employees using their home Wi-Fi network to log on to work devices and carry out day-to-day tasks, having consumer IoT devices on that same network can put corporate networks at risk: a compromised gadget sits one hop away from the laptop that holds the VPN session.

That's largely because there has been a lack of security-first thinking in the development of IoT products. Take Mirai, for example: malware that infected internet-connected devices such as IP cameras and home routers by logging in over Telnet with a short list of factory-default usernames and passwords, then used them as a botnet to launch a DDoS attack against DNS provider Dyn. This caused large swathes of the internet, including Amazon, Slack and Visa, to become unavailable across Europe and North America in October 2016.

These IoT-based threats have increased since, and research from Dutch software firm Irdeto found that these attacks cost UK businesses £244,000 on average in 2018.

Daft defaults

Most IoT vendors don't put security front and centre in development. Worse, a lot of vendors, and the technology industry more broadly, pass the blame onto users for not making the effort to secure devices by changing passwords from their defaults. Sometimes manufacturers get the security fundamentals seriously wrong by hard-coding easy-to-guess passwords into devices, where no amount of user diligence can change them.


Admittedly, users often don't change default passwords to something harder to guess, but why shouldn't manufacturers ship each unit with a strong, unique default password instead? A default that is the same on every unit is effectively public; one derived per device at the factory is not.
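The following is an added example, not code from the article or from any vendor, showing the difference the previous two sections describe: a shared factory default such as admin/admin falls to the same kind of short credential list Mirai carried, while a per-unit default derived at the factory does not. It assumes a hypothetical product with a printed serial number, a per-product-line manufacturing secret held in the vendor's provisioning system (never on the device), and firmware that stores only a salted, slow hash of whatever password is set; the credential list is a constructed, illustrative sample.

```python
"""Shared factory default vs. per-unit derived default (added example).

Assumptions (not from the article): device serial printed on the label,
a manufacturing secret held by the vendor's provisioning system, and
firmware that stores a salted PBKDF2 hash rather than the password itself.
"""
import base64
import hashlib
import hmac
import secrets
from typing import List, Optional, Tuple

# Constructed, illustrative sample of well-known factory logins of the kind
# Mirai tried over Telnet. The real list was longer.
KNOWN_DEFAULTS: List[Tuple[str, str]] = [
    ("root", "xc3511"), ("root", "vizxv"), ("admin", "admin"),
    ("root", "root"), ("admin", "1234"), ("user", "user"),
]

PBKDF2_ROUNDS = 200_000


def derive_unique_default(manufacturing_secret: bytes, serial: str) -> str:
    """Per-unit default password printed on the label at the factory.

    HMAC over the serial with a product-line secret means every unit gets a
    different password, nothing secret has to live on the device, and knowing
    one unit's password tells an attacker nothing about any other unit.
    """
    mac = hmac.new(manufacturing_secret, serial.encode("utf-8"), hashlib.sha256).digest()
    # 15 bytes -> 24 base32 characters with no padding; grouped for the label.
    raw = base64.b32encode(mac[:15]).decode("ascii")
    return "-".join(raw[i:i + 6] for i in range(0, len(raw), 6))


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """What the firmware stores: a random salt and a slow hash. A plaintext or
    hard-coded password is exactly what a firmware dump exposes."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored)


def dictionary_attack(username: str, salt: bytes, stored: bytes) -> Optional[str]:
    """Mirai-style guessing: walk the default list and return the password
    that works, or None if the unit is not using a known default."""
    for user, pw in KNOWN_DEFAULTS:
        if user == username and verify_password(pw, salt, stored):
            return pw
    return None


def provision_device(serial: str, manufacturing_secret: bytes, unique_defaults: bool):
    """Return (username, label_password, salt, stored_hash) for a new unit.
    unique_defaults=False models the 'admin/admin on every unit' practice."""
    if unique_defaults:
        password = derive_unique_default(manufacturing_secret, serial)
    else:
        password = "admin"
    salt, stored = hash_password(password)
    return "admin", password, salt, stored


if __name__ == "__main__":
    # The secret lives in the vendor's provisioning system, not in firmware.
    secret = secrets.token_bytes(32)
    for unique in (False, True):
        user, label_pw, salt, stored = provision_device("SN-000123", secret, unique)
        cracked = dictionary_attack(user, salt, stored)
        print(f"unique_defaults={unique}: label password {label_pw!r}, "
              f"cracked by default list: {cracked!r}")
```

The derived default is still only a starting point: the device should force a change on first login and the vendor must guard the manufacturing secret, since anyone holding it can reproduce every unit's label password from its serial.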

Users can all too easily be blamed for not applying the latest patches, but for many IoT products updates are infrequent, are rarely applied automatically, and often arrive only after a flaw has already been exploited in the wild.

IoT devices are built to be easy to use, and in many cases their security is designed by engineers with no real security background rather than alongside security professionals who understand the consequences of getting it wrong.

Added to that, the IoT industry is in no way standardised or regulated, which leaves end users with a confusing mess. That may change with the UK government's bid to encourage device makers to take a privacy-by-design approach to building products, something it may seek to put into law if manufacturers don't heed the advice.

Enterprise attack surface evolution

It's clear something has gone wrong when your users have become the network perimeter, shouldering the job of stopping threats from getting any further into the network.

IoT devices spread that risk much wider still: each one is another endpoint that needs to be secured, and the effort to do so is drawn from the same pool of resource set aside for conventional, legacy threat protection.

The smart flip-flop

Given how little you can do to prevent every IoT device from being compromised, what's the flip-side? It's not quite as much of a 'how long is a piece of string' exercise as the almost infinite variety of devices might suggest. And the accusation made earlier, that security is bolted on by people without security knowledge, is already starting to fall away as vendors see the market opportunity in delivering a secure product.

Expect network segmentation and device-to-device authentication (if not yet meaningfully strong data encryption) to sit high on IoT device feature lists. Segmentation matters most on the buyer's side: a device that can only reach the internet, and never the corporate LAN, cannot become the fish tank in the story above.

An eye on the future

Whatever the future brings, you must not lose sight (or site, for that matter) of these devices. You need to know what devices you have, what they connect to and how they do it.

Visibility is key to securing the IoT as far as it touches your enterprise, and these touch-points are where attackers will be probing for weakness to bridge the gap between device and enterprise infrastructure.
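As an added example, not from the article, the script below does the two things the last two sections ask for: it builds an inventory from DHCP leases (what you have), tags each device by OUI and by which network segment it sits in, and then checks a flow log for devices in the IoT segment talking to the corporate segment (what they connect to), which is exactly the bridge an attacker would use. The lease lines, flow records, subnets, OUI table and approved-device list are all constructed for the example; a real deployment would read the router's lease file, the IEEE OUI list and NetFlow or conntrack exports instead.

```python
"""IoT inventory and segmentation check over constructed data (added example)."""
import ipaddress
from typing import Dict, List

# Assumed segments: an IoT VLAN and the corporate LAN. Anything else is 'internet'.
ZONES = {
    "iot": ipaddress.ip_network("192.168.20.0/24"),
    "corp": ipaddress.ip_network("10.10.0.0/16"),
}

# Constructed OUI (first three octets) -> vendor table; load the IEEE list in practice.
OUI = {
    "b8:27:eb": "Raspberry Pi Foundation",
    "a4:cf:12": "Espressif (Wi-Fi module)",
    "3c:22:fb": "laptop OEM (constructed)",
    "d8:f1:5b": "doorbell vendor (constructed)",
}

# Devices the organisation has approved, keyed by MAC, with the zone each belongs in.
APPROVED = {
    "b8:27:eb:12:34:56": ("pi-thermo", "iot"),
    "3c:22:fb:00:11:22": ("laptop-jsmith", "corp"),
    "d8:f1:5b:77:88:99": ("doorbell", "iot"),
}

# Constructed dnsmasq-style leases: <expiry> <mac> <ip> <hostname> <client-id>
LEASES = """\
1721822400 b8:27:eb:12:34:56 192.168.20.11 pi-thermo 01:b8:27:eb:12:34:56
1721822400 a4:cf:12:ab:cd:ef 192.168.20.12 * *
1721822400 3c:22:fb:00:11:22 10.10.5.23 laptop-jsmith 01:3c:22:fb:00:11:22
1721822400 d8:f1:5b:77:88:99 192.168.20.13 doorbell 01:d8:f1:5b:77:88:99
"""

# Constructed flow records: <timestamp> <src> <dst> <proto> <dport>
FLOWS = """\
2021-08-04T09:12:01Z 192.168.20.11 198.51.100.7 tcp 443
2021-08-04T09:12:07Z 192.168.20.12 10.10.5.23 tcp 445
2021-08-04T09:12:09Z 192.168.20.13 203.0.113.10 udp 123
2021-08-04T09:12:15Z 10.10.5.23 192.168.20.11 tcp 22
2021-08-04T09:12:20Z 192.168.20.12 10.10.0.5 tcp 389
"""


def zone_for(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def vendor_for(mac: str) -> str:
    return OUI.get(mac.lower()[:8], "unknown OUI")


def parse_leases(text: str) -> List[Dict[str, str]]:
    """One record per lease, enriched with vendor guess and network zone."""
    devices = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _expiry, mac, ip, hostname, _client_id = line.split()
        devices.append({"mac": mac.lower(), "ip": ip, "hostname": hostname,
                        "vendor": vendor_for(mac), "zone": zone_for(ip)})
    return devices


def inventory_findings(devices: List[Dict[str, str]]) -> List[str]:
    """Devices nobody approved, or approved devices that ended up in the wrong zone."""
    findings = []
    for d in devices:
        approved = APPROVED.get(d["mac"])
        if approved is None:
            findings.append(f"unknown device {d['mac']} ({d['vendor']}) at {d['ip']} in zone {d['zone']}")
        elif approved[1] != d["zone"]:
            findings.append(f"{approved[0]} expected in {approved[1]} but has an address in {d['zone']}")
    return findings


def flow_findings(flow_text: str, devices: List[Dict[str, str]]) -> List[str]:
    """IoT-to-corporate traffic is the bridge an attacker needs; flag it, and flag
    any traffic sourced from a device that is not on the approved list."""
    by_ip = {d["ip"]: d for d in devices}
    findings = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport = line.split()
        if zone_for(src) == "iot" and zone_for(dst) == "corp":
            who = by_ip.get(src, {}).get("hostname", src)
            findings.append(f"{ts} segmentation breach: iot device {who} ({src}) -> corp {dst} {proto}/{dport}")
        if src in by_ip and by_ip[src]["mac"] not in APPROVED:
            findings.append(f"{ts} traffic from unapproved device {src} -> {dst} {proto}/{dport}")
    return findings


if __name__ == "__main__":
    inventory = parse_leases(LEASES)
    for finding in inventory_findings(inventory) + flow_findings(FLOWS, inventory):
        print(finding)
```

In the constructed data the unlabelled Espressif module is both unapproved and talking SMB and LDAP into the corporate LAN, which is the kind of touch-point the paragraph above describes. The corporate laptop connecting to the Raspberry Pi over SSH is not flagged: the policy here is directional, allowing management from the corporate side while forbidding anything initiated from the IoT segment.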
