October 19, 2018
The Internet of Things is coming to you. Are you prepared?
There are literally billions of devices connected to the internet through special sensors, uploading countless amounts of data to cloud servers for analysis and distribution back to users all over the world. Over 10,000 of these devices connect to a single weather app providing live weather updates all over the US. Thousands of other apps track our steps and travel, reporting them to servers belonging to health insurance companies and tax services counting mileage. IoT devices are everywhere, and they are increasing in number exponentially.
Some of the most significant growth, and the strongest predictions of continued growth, are in the business and industry sectors. The data they are able to measure is helping them to streamline manufacturing processes, improve labor efficiency, and reduce wasted energy and materials. One of the most productive uses of the Internet of Things for businesses has been managing marketing campaigns. By tracking sales, email ads, social media clicks, and dozens of other data points, business marketers can determine the most beneficial times, places, and means to reach potential customers and clients. There has never been a time when we have had access to more and better information to make business decisions.
Why is IoT security incomplete?
There is one downside to this: many of these IoT devices may be subject to cybersecurity breaches. How can this happen?
The problem is that the technology is growing faster than it is being regulated. Most of the time we cheer for new innovations in technology and the opportunities that they bring us, and we turn our noses up at the insistence of regulations that limit our use of that technology. Unfortunately, it is those regulations that often slow the growth of technology down enough for us to develop sufficient safeguards against security breaches. The benefits of this new technology are still outweighing the costs of lagging security measures.
Recent IoT Security Breaches
What is the cost of security breaches? $3.86 million for 2018. That is an increase of 6.4 percent over the previous year.
How could this much money be lost with computer hacks? In October 2016, the largest DDoS attack, made with a botnet called Mirai, was launched against the server Dyn. While these company names may not sound familiar to you, the following clients of that server probably will. Mirai shut down Twitter, Netflix, Reddit, the Guardian, and CNN. This attack started with computers but quickly moved to affect devices with insecure firmware like digital cameras and DVR players through the passwords gained from the initial computer access.
The main issues of vulnerability in this attack were devices that would not update firmware and unsafe password usage. If an Internet of Things device cannot update its firmware, it cannot be protected from any attack conceived after the device was first created. It doesn’t matter if the device is only one day old. Without firmware updates, it is vulnerable to attacks.
Passwords also need to be unique for each IoT device. Shared passwords open the doors to accessing multiple devices, multiplying the amount of information that can be stolen. Have you ever had your Netflix account hacked? It could have come from your computer, your tablet, your phone, or maybe even your smart TV. When you use the same password on all devices, hackers can get to everything at once.
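Both weaknesses named above, firmware that cannot be updated and passwords shared between devices, can be checked across a device inventory. The Python sketch below is an added example, not part of the original article; the inventory, its field names, and the device ids are constructed for illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample inventory (hypothetical devices and field names).
INVENTORY = [
    {"id": "cam-lobby", "password": "Summer2018!", "firmware_updatable": False},
    {"id": "dvr-01", "password": "Summer2018!", "firmware_updatable": True},
    {"id": "tv-conf", "password": "Summer2018!", "firmware_updatable": True},
    {"id": "pos-03", "password": "k7#Vq2!mZp9w", "firmware_updatable": True},
    {"id": "sensor-7", "password": "T4r$eLx8@bNd", "firmware_updatable": False},
]

def fingerprint(password: str, key: bytes) -> str:
    """Keyed digest: lets the audit compare passwords without retaining them."""
    return hmac.new(key, password.encode("utf-8"), hashlib.sha256).hexdigest()

def audit(inventory, key: bytes):
    """Return (groups sharing a password, devices that cannot update, devices with both)."""
    by_fp = defaultdict(list)
    frozen = set()
    for dev in inventory:
        by_fp[fingerprint(dev["password"], key)].append(dev["id"])
        if not dev["firmware_updatable"]:
            frozen.add(dev["id"])
    shared = sorted(sorted(ids) for ids in by_fp.values() if len(ids) > 1)
    reused = {dev_id for group in shared for dev_id in group}
    # A device that reuses a password AND cannot be patched is the first to fix.
    return shared, sorted(frozen), sorted(reused & frozen)

def blast_radius(inventory, key: bytes, device_id: str):
    """Devices exposed if device_id's password leaks (the device itself included)."""
    target = next(d for d in inventory if d["id"] == device_id)
    fp = fingerprint(target["password"], key)
    return sorted(d["id"] for d in inventory if fingerprint(d["password"], key) == fp)

if __name__ == "__main__":
    key = os.urandom(32)  # per-run key; fingerprints are useless outside this audit
    shared, frozen, urgent = audit(INVENTORY, key)
    print("shared-password groups:", shared)
    print("cannot update firmware:", frozen)
    print("fix first:", urgent)
    print("exposed if dvr-01 leaks:", blast_radius(INVENTORY, key, "dvr-01"))
```

One leaked password in the shared group exposes three devices, while the uniquely protected ones expose only themselves.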
Impact of Security to Companies and to Risk Management
Imagine what could happen if a hacker got into a major business's email system or, worse yet, its sales processing. Years ago, this would only be possible by getting into a large, protected server in a very secure building. Today, the Internet of Things potentially makes this access possible through any point-of-sale device or connected cash register. Contact info, sales amounts, and possibly banking information could be gathered once the perpetrator hacks into the system. The cost in lawsuits and reparations would be catastrophic, even with insurance. The biggest cost, though, would be a loss of trust and reputation with the customer base. Once that kind of information has been stolen, many customers will never do business there again.
Part of the problem with IoT devices arises when they are used to log onto unsecured WiFi networks. For our convenience, it is easier if we can walk into public buildings and log onto their free WiFi networks without looking up passwords or filling out web forms for permission. Here again, though, every measure of defense we remove for our own convenience is a defense removed against those who would maliciously attack our networks and all the IoT devices connected to them.
It is the mistake of ignorance to believe that if we do not know how to do something ourselves, it cannot be done. Most of these cyber attacks use their own programs and code. They just need the internet as a road system and some unlocked door along the way. Network security will be a constant issue to be battled and brought to the forefront of the Internet of Things, and in the rapid progress of this technology, it will continue to be our safeguard and our stumbling block simultaneously.
Authentication is part of that network security that helps devices identify themselves on a network and show they have proper clearance to join the network. This is one of those holdups for us again. Most of the time, we don’t have an issue authenticating our computers, because we have personal information on them that we do not want to be leaked.
When it comes to authenticating your computer, your tablet, your phone, your smartwatch, your car dashboard, and the dozen other IoT devices you may have with you, it becomes a bit of a headache. When businesses have to authenticate every device with an IoT sensor on it, it can cost them in opening time, which translates into money.
On top of that, many authenticating processes can be duplicated by bots, pretending to be people, so the entire authentication process is slowed down and involves typing letters seen in graphic form or selecting individual pictures out of a set based on instructions. Again, doing this once for a computer is not that big of an issue. Doing it multiple times for multiple devices, some of which may not even have visual outputs, gets tedious and tricky.
The Internet of Things may be vulnerable to cybersecurity threats, but it can use those same kinds of devices as sensors to detect, monitor, and analyze those threats as well. Security Analytics seeks to grow the security measures of the internet right along with the growing risks developing against it. This has been the Catch-22 because, without the IoT, many of these threats would not exist. However, because the IoT is available, security research and analysis can itself grow faster than ever before.
In 2017, the U.S. Senate introduced a bill that would create baseline security standards for all of the government’s purchases and use of Internet-connected devices, including routers, security cameras, and any computers. The legislation will also remedy some shortcomings that exist in cybercrime law. This bill was written in direct response to a group of massive cyber attacks that occurred in 2016 which were enabled mostly by poorly-secured Internet of Things devices.
How does this bill work? The IoT Cybersecurity Improvement Act of 2017 works to leverage our government’s market buying power to send a message about the basic level of security that IoT devices sold to Uncle Sam will need to have. In other words, the government wants to be a significant customer of these devices and thereby set a precedent and have a say in the security required by them. For example, this bill would require vendors of any IoT devices purchased by the federal government to make certain the devices are able to be patched when security updates are available. It requires that the devices do not use hard-coded (unchangeable) passwords. It also requires that vendors make sure the devices are free from known cybersecurity vulnerabilities when sold.
The bill was introduced by Senators Daines (R-MT), Gardner (R-CO), Warner (D-VA) and Wyden (D-OR). It directs the White House Office of Management and Budget (OMB) to create or find alternative network-level security requirements for all devices with data processing and software functionality. It also requires each executive government agency to make and keep an inventory of all Internet-connected devices in use by the agency.
The IoT Cybersecurity Improvement Act would seem to apply to pretty much any device with an Internet connection that can transmit data. Under this proposal, IoT devices have an inclusive definition. They are defined as “a physical object that is capable of connecting to and is in regular connection with the Internet;” and one with “computer processing capabilities that can collect, send or receive data.”
According to this bill’s primary sponsors, the bill already has the support of several significant legislative technology groups, including the CDT (Center for Democracy & Technology), Mozilla, and the Berklett Cybersecurity Project at Harvard University.
It will take more than government legislation to keep cybersecurity current with IoT technology trends, but these are steps in a promising direction. Ultimately, it will require consumer demand for Internet of Things security to meet their demand for IoT devices. Once that demand is met, IoT businesses will realize that the foundation for growth in the adoption of the Internet of Things will be equal to their commitment to the security of those devices. We are not there yet, but we have already experienced the flaws in the IoT system and have raised the bar of cyber security for our connected experiences in the days ahead.