The Security of Everything
The Internet of Things (IoT), with all its hype and buzz, is much more than a few connected objects. It’s much more than a smart refrigerator sending an email when you’re out of milk or a smart watch telling your phone when you’ve been for a run. The clue is that all these things which are said to be ‘smart’ are in fact connected to the big daddy “internet”. And as for the internet... well, let’s not get started on the security of that. Let’s just say that we all use VPNs and SSL for a reason, right?
Heart of the Swarm
It’s amazing to see how all these static devices, normally so humble, can do much more than they’re supposed to when interconnected. All you would need to do is set up these devices to connect to your home Wi-Fi and they are connected to you wherever you go. Imagine a world where your fridge can email Tesco when your groceries are about to go off and at the same time talk to your smart bins to arrange recycling space that will be occupied by the groceries that are going to expire shortly. Or a smart TV that will order you a pizza by voice command and automatically record your favourite programmes. Actually, TiVo already does that last one. Already you can see how these scenarios are getting ever closer, and in time will change how we interact with the physical world, opening up a magical window to a (hopefully) astonishing world of connected devices.
In a mirror, darkly
Magical, isn’t it? But wait: looking through the same magical window, there is a dark side to this world that we must all consider if we want to stay safe. Just like the internet today, people have malicious intentions and the skill to really spoil all the amazing benefits this new digital world has to offer. In our near future of interconnected devices, our IoT smart systems are able to gather and share huge quantities of sensitive data. This is of course what makes them so useful, but it’s also what makes them such a valuable target to cybercriminals. And most of the time, IoT devices are designed without any security features in mind [1].
“What could go wrong?”
If not managed properly, all this has the potential to be a massive security concern. The software IoT devices run could be easily hacked and the data extracted or compromised, causing unexpected alteration of the systems’ behaviour. Just as a PC, laptop or mobile device could represent a potential attack channel for an adversary, so too could any of these so-called smart devices. In other words, a misconfigured or vulnerable smart fridge or an intelligent TV could just as easily represent a pathway into your personal computer, your personal data or even to your company’s servers and their mission-critical data.
Now, visualise someone sitting in some corner of the globe who can hack into these devices and access them remotely. Your fridge would give up almost all the data about your diet, including when it was last operated and all the groceries stored in it. This might not sound like much, but reading this data in the right way could tell an attacker that every Tuesday you and your partner go out for dinner. Sounds like the perfect time for a burglary. Or perhaps more sinisterly, that clever TV that listens to your voice commands could be hacked and configured to record almost every conversation you have with your loved ones. Hackers can misuse sensitive information recorded or stored by these devices and can easily make you vulnerable to physical crimes, not to mention the social engineering possibilities.
If all the above hasn’t made you go get a glass of water and have a little sit down, then this next one surely will. It was reported in an FBI investigation in May 2015 that a leading security expert was successfully able to hack into an airborne airplane and gain control of certain systems, including (albeit briefly) the engines. Whilst this isn’t a cause for widespread panic or for everyone to stop flying, the report is a simple example of how vulnerable human life can be when the next age of digital communication is insecure.
Get the balance right
The chance to jump into the fast lane of innovation and get involved with the IoT is an opportunity that is often too good to miss – and this applies to businesses and consumers alike. But as the market for IoT devices grows, it provides a larger playground for hackers to steal sensitive information and an expanded surface area to carry out computer-assisted crimes. Owning an IoT product without proper security may soon be like owning a house that has no locks and open windows. It’s in the best interest of, well, everyone, that the enterprises making and selling IoT products educate consumers and their own support staff about security best practices. This should start with reinforcing the basics, like changing passwords regularly and keeping the software patched and up to date. Going further, IoT product companies need to have privacy policies in place that clearly detail the type and volume of data the companies would be collecting on their devices, how it will be stored and who will have access to it.
The silver lining is that the security of IoT products has now become an issue of high concern. In the US it’s even hitting Federal-government level. There is a lot of research being conducted to enhance IoT security through device and smartphone linking. Companies are also working on setting up platforms for consumers to register their smart devices for monitoring security breaches and unauthorised access. We stand at the beginning of (possibly) a very rough journey to secure the much-hyped Internet of Things. What makes it a bigger challenge is the sheer volume of IoT products that are being made available in the market today – a market that already spans consumers, enterprise and industry. So it’s imperative that we place an emphasis on security at every stage of the product development lifecycle. This applies not just to the product development companies but also to the enterprises that provide the infrastructure for these devices to connect and to the consumers, who should together contribute to a secure digital future.
[1] It's almost as if the tech industry is refusing to learn from its mistakes.