In-depth

IoT privacy and security concerns

We take a look at what's needed to really secure internet-connected devices


There is a famous hacking story that’s become something of an urban legend in the cyber security industry - about a casino that had its IT network infiltrated via an internet-connected fish tank. It’s said that the tank's IoT thermometer was used to access the casino’s entire system and extract data on its clientele.

It's a rather extreme example of what could happen, but serves to highlight an important point - if you connect a device to the internet, regardless of how innocuous it might seem, it can be turned into an open door for cyber criminals.

The rapid growth of the Internet of Things (IoT) takes in smartphone-controlled coffee machines, office lights linked to Wi-Fi and even connected fish tanks. But each new thing seems to come with a hackable flaw or a route into a user's wider network. This has led to calls for security to be built in from the start - 'secure by design' - and for unique, strong passwords rather than easy default ones.

Another issue is privacy, particularly with devices that have audio and recording capabilities. Your Amazon Echo can do many amazing things, but ‘Alexa’ can also be ‘woken’ by mistake. There have been a number of reports where the device has ‘listened’ to its users without their knowledge; in one US court, a recording from an Alexa-based device was used in a homicide case. There are also concerns around Amazon employees listening to Alexa recordings to improve the quality of the service.

While the hacking stories keep surfacing - with some even becoming legend - there is no sign that the IoT industry is slowing down. More and more everyday things are getting internet access, and business use of them is going up too. So what can you do to keep your internet ecosystem safe?

A clear and present threat

It would be foolish to think that internet-connected thermostats or other smart devices do not pose a security threat to organisations, particularly at a time when employees are predominantly working from home. The shift to mass remote working has meant that the average "office" is now full of more internet-connected devices than ever, from AI-powered smart speakers and video doorbells to phone-controlled light bulbs and robot vacuums.

With employees using their home Wi-Fi network to log on to work devices and do their jobs, having IoT devices on the same network could be putting corporate networks at risk.

That's largely because there has been a lack of security-first thinking when developing IoT products. Take Mirai, for example: malware that took over internet-connected devices, such as IP cameras and home routers, by logging in over telnet with a short list of factory-default usernames and passwords, and built them into a botnet that launched a DDoS attack against DNS provider Dyn. This caused large swathes of the internet, including Amazon, Slack and Visa, to become unavailable across Europe and North America in October 2016.

These IoT-based threats have increased since, and research from Dutch software firm Irdeto found that these attacks cost UK businesses £244,000 on average in 2018.

Daft defaults

Most IoT vendors don't put security front and centre during development. Unfortunately, a lot of vendors and the technology industry pass the blame onto users for not making enough effort to secure devices by changing passwords from their defaults. Sometimes the manufacturers get the security fundamentals seriously wrong by hard-coding easy-to-guess passwords into devices, so the same credential works on every unit shipped.


Admittedly, users often don't change default passwords to something harder to guess, but why shouldn't manufacturers ship each device with its own unique, hard-to-guess default password instead of one shared across the whole product line?
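The two halves of that argument, as an added example that is not code from the article or from any vendor: first, detecting Mirai-style credential spraying against a device from telnet login records, and second, the factory-side fix of giving each unit a random password and storing only a salted hash of it. The credential list is a short excerpt of pairs Mirai's scanner is known to try; the log format, host names, serial numbers and addresses are constructed for this example (honeypots do record the attempted password, as these lines do; a production device should not).

```python
"""Audit for Mirai-style default credentials and provision unique per-device ones.

Added example, not the article's code. The credential list is an excerpt of
pairs the Mirai scanner tried; log lines and device records are constructed.
"""
import hashlib
import hmac
import os
import re
import secrets

# Excerpt of the username/password pairs hard-coded into Mirai's scanner.
MIRAI_DEFAULTS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"),
    ("admin", "admin"), ("root", "root"), ("root", "12345"),
    ("root", "default"), ("support", "support"), ("user", "user"),
}

# Constructed honeypot-style telnetd log line; a real device logs differently.
LOGIN_RE = re.compile(
    r"^\S+ \d+ [\d:]+ (?P<host>\S+) telnetd\[\d+\]: login (?P<result>ok|failed) "
    r"user=(?P<user>\S+) pass=(?P<pw>\S+) from=(?P<src>[\d.]+)"
)

# Constructed sample: one source walks the default dictionary and gets in on cam01.
LOG = [
    "Oct 21 03:14:07 cam01 telnetd[412]: login failed user=root pass=xc3511 from=203.0.113.5",
    "Oct 21 03:14:08 cam01 telnetd[412]: login failed user=root pass=vizxv from=203.0.113.5",
    "Oct 21 03:14:09 cam01 telnetd[412]: login ok user=admin pass=admin from=203.0.113.5",
    "Oct 21 03:15:30 cam01 telnetd[419]: login failed user=root pass=root from=192.0.2.9",
    "Oct 21 03:16:02 cam02 telnetd[221]: login ok user=ops pass=W1nterIsC0ming from=192.0.2.9",
]


def is_default_credential(user, password):
    return (user, password) in MIRAI_DEFAULTS


def credential_spray_sources(log_lines, min_pairs=3):
    """Source IPs that tried at least `min_pairs` distinct default pairs.

    One admin mistyping a single default is noise; one source walking a
    dictionary of defaults is the scanner's signature.
    """
    tried = {}
    for line in log_lines:
        m = LOGIN_RE.match(line)
        if m and is_default_credential(m["user"], m["pw"]):
            tried.setdefault(m["src"], set()).add((m["user"], m["pw"]))
    return {src for src, pairs in tried.items() if len(pairs) >= min_pairs}


def successful_default_logins(log_lines):
    """(host, user, password, source) for every default pair that actually worked.

    Any device in this list must be treated as already compromised.
    """
    hits = []
    for line in log_lines:
        m = LOGIN_RE.match(line)
        if m and m["result"] == "ok" and is_default_credential(m["user"], m["pw"]):
            hits.append((m["host"], m["user"], m["pw"], m["src"]))
    return hits


# Factory-side fix: a random password per unit, printed on the label, with only a
# salted scrypt hash stored on the device so a firmware dump reveals nothing reusable.
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1)


def provision_unique_credential(serial):
    """Return (password_for_label, record_to_store_on_device) for one unit."""
    password = secrets.token_urlsafe(12)  # 96 bits of randomness, 16 chars
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return password, {"serial": serial, "salt": salt.hex(), "hash": digest.hex()}


def verify_credential(record, candidate):
    """Constant-time check of a login attempt against the stored record."""
    digest = hashlib.scrypt(candidate.encode(), salt=bytes.fromhex(record["salt"]), **SCRYPT_PARAMS)
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    print("spraying sources:", credential_spray_sources(LOG))
    print("owned via defaults:", successful_default_logins(LOG))
    label_pw, record = provision_unique_credential("SN-0001")
    print("label password for SN-0001:", label_pw, "verifies:", verify_credential(record, label_pw))
```

The detection side keys on the pattern (many distinct defaults from one source) rather than on any single failed login, which keeps a mistyped password from paging anyone; the provisioning side makes the unique password the default, so a user who never changes it still gets a credential that is not shared with every other unit on the internet.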

Users can all too easily be blamed for not installing the latest patches, but for many devices those updates are infrequent, and they often arrive only after a flaw has already been exploited in the wild.

IoT devices are made to be easy to use, and in a lot of cases their security is designed by people without any real security expertise, rather than being developed alongside security professionals who understand the consequences of getting it wrong.

Added to that, the IoT industry is in no way standardised or regulated, meaning it's all a bit of a confusing mess for end users. That might change with the government's bid to encourage IoT device makers to take a privacy-by-design approach to building products, something that government might seek to make law if device makers don't heed the advice.

Enterprise attack surface evolution

It's clear something has gone wrong in the tech world when your users have become the network perimeter, expected to stop threats from getting any further into the network.

IoT devices spread that risk much wider, adding yet more endpoints that need to be secured while diluting the resources set aside for the traditional definition of threat protection.

The smart flip-flop


Given what you cannot do to prevent IoT device compromise, what's the flip side? It's not quite as much of a 'how long is a piece of string' exercise as the almost infinite variety of devices might suggest. And the accusation made earlier, that security is an afterthought for vendors, is already starting to fall away as they see the market opportunity in delivering a secure product.

Expect network segmentation and device-to-device authentication (if not any meaningfully strong data encryption) to sit high in IoT device feature lists.

An eye on the future

Whatever the future brings you must not lose sight, or site for that matter, of these devices. You need to know what devices you have, what they connect with and how they do it.

Visibility is key to securing the IoT as far as it touches your enterprise, and these touch-points are where attackers will be probing for weakness to bridge the gap between device and enterprise infrastructure.
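The two controls the last two sections ask for, segmentation of the IoT network and visibility of what is on it, as one added example that is not code from the article. It assumes two VLANs (a corporate range and an IoT range), a small approved-device inventory, a dnsmasq-style DHCP lease file and NetFlow-like flow records; all of the addresses, MACs, host names and flows are constructed for the example, and anything outside the two zones is treated as the internet.

```python
"""Asset visibility and segmentation check for an IoT VLAN.

Added example, not the article's code. Zones, inventory, lease lines and flow
records are all constructed; in practice they come from your IPAM, DHCP
server and flow collector.
"""
import ipaddress

ZONES = {
    "corp": ipaddress.ip_network("10.10.0.0/16"),  # laptops, servers, printers
    "iot": ipaddress.ip_network("10.20.0.0/16"),   # cameras, thermostats, speakers
}
# Anything outside the zones above is treated as "external" (the internet).

# Segmentation policy for traffic that crosses a zone boundary.
# Value is the set of allowed destination ports, or None for any port.
ALLOWED_FLOWS = {
    ("iot", "external"): {443, 123},  # vendor cloud over TLS and NTP, nothing else
    ("corp", "iot"): {443},           # management UI reached from corp only
    ("corp", "external"): None,       # normal user traffic out to the internet
}

# Approved-device inventory: MAC -> (label, zone the device belongs in).
APPROVED_DEVICES = {
    "aa:bb:cc:00:00:01": ("printer-3f", "corp"),
    "aa:bb:cc:00:00:02": ("lobby-cam-1", "iot"),
    "aa:bb:cc:00:00:03": ("hvac-thermostat", "iot"),
}

# Constructed dnsmasq lease file: '<expiry> <mac> <ip> <hostname> <client-id>'.
LEASES = """\
1620000000 aa:bb:cc:00:00:01 10.10.4.21 printer-3f 01:aa:bb:cc:00:00:01
1620000000 aa:bb:cc:00:00:02 10.20.1.5 lobby-cam-1 01:aa:bb:cc:00:00:02
1620000000 aa:bb:cc:00:00:03 10.10.4.77 hvac-thermostat 01:aa:bb:cc:00:00:03
1620000000 de:ad:be:ef:00:01 10.20.1.9 fish-tank-sensor *
"""

# Constructed flow records: '<src> <dst> <proto> <dport>'.
FLOWS = [
    "10.20.1.5 203.0.113.10 tcp 443",   # camera to its cloud service
    "10.20.1.5 203.0.113.20 udp 123",   # camera to NTP
    "10.20.1.9 10.10.4.21 tcp 445",     # unknown sensor probing a corp host over SMB
    "10.20.1.9 203.0.113.30 tcp 23",    # unknown sensor talking telnet to the internet
    "10.10.4.21 10.20.1.5 tcp 443",     # corp host reaching camera management UI
    "10.10.4.21 203.0.113.40 tcp 80",   # corp host browsing
    "10.10.4.21 10.20.1.5 tcp 22",      # corp host to camera over SSH, not permitted
]


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def flow_allowed(src, dst, dport):
    """Intra-zone traffic is out of scope here; cross-zone traffic needs a policy entry."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone == dst_zone:
        return True
    ports = ALLOWED_FLOWS.get((src_zone, dst_zone), set())
    return ports is None or dport in ports


def flow_violations(flow_lines):
    """(src_zone, src, dst_zone, dst, dport) for every flow the policy does not permit."""
    bad = []
    for line in flow_lines:
        src, dst, _proto, dport = line.split()
        if not flow_allowed(src, dst, int(dport)):
            bad.append((zone_of(src), src, zone_of(dst), dst, int(dport)))
    return bad


def parse_dhcp_leases(text):
    """Return (mac, ip, hostname) per lease line, ignoring malformed lines."""
    leases = []
    for line in text.strip().splitlines():
        fields = line.split()
        if len(fields) >= 4:
            leases.append((fields[1].lower(), fields[2], fields[3]))
    return leases


def inventory_findings(leases):
    """Devices that are not in the inventory, or inventoried devices on the wrong VLAN."""
    findings = []
    for mac, ip, hostname in leases:
        zone = zone_of(ip)
        if mac not in APPROVED_DEVICES:
            findings.append(("unknown-device", hostname, mac, ip, zone))
        elif APPROVED_DEVICES[mac][1] != zone:
            findings.append(("wrong-zone", APPROVED_DEVICES[mac][0], mac, ip, zone))
    return findings


if __name__ == "__main__":
    for f in inventory_findings(parse_dhcp_leases(LEASES)):
        print("inventory:", f)
    for v in flow_violations(FLOWS):
        print("segmentation:", v)
```

Run on the constructed data, the inventory check surfaces the thermostat that has ended up on the corporate VLAN and the fish-tank sensor nobody registered, and the flow check shows that sensor reaching into the corporate range over SMB and out to the internet over telnet, plus an SSH session into the camera that the policy never allowed. The point is that a segmentation policy on paper only counts once flows are actually compared against it; the same functions work on real lease files and flow exports with only the zones and inventory changed.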
