On 21st October 2016 more than 56 types of IoT devices, such as wireless routers, DVRs, IP Phones, webcams, and even heat pumps were conscripted into a malicious army of 20,000 botnets. With DDoS (Distributed Denial of Service) attacks at 1Tbps from these botnets, cybercriminals caused a massive security breach against the Internet Infrastructure provider Dyn that took down Netflix, Reddit, PayPal, Pinterest, CNN, and PlayStation network, while disrupting Internet service across Europe and North America.
With the number of connected IoT devices predicted to supersede Earth’s human population by 2017, such incidents are gradually shifting the outlook towards an IoT ecosystem from being the foundational enabler into the Achilles heel of smart living.
IoT Devices – The potential vs. realities
About 80 percent of IoT devices lack password complexity, 70 percent don’t encrypt communications, while 60 percent have insecure user interfaces, an HP IoT study revealed. In spite of such revelations there is a prevalent - and unrealistic - expectation that somehow IoT technology would leverage the 25 years of its preceding security evolution into a secure ecosystem.
The majority of these devices lack upgradability with security patches sent over the Internet. Adding to this, most of the users don't bother to - or are unable to - change the default passwords of IoT devices. Obscure or non-existent privacy policies of IoT devices leaves sensitive user data at the discretion of IoT companies, while a lack of industry standards means a proliferation of device-specific networks for interoperability.
Major areas of concern
Smart city initiatives are extending the limits of urban infrastructure management, but with insufficient security testing. Over 200,000 traffic control sensors already installed at major world cities were found to be vulnerable by Cybersecurity expert Cesar Cerrudo. Moreover, Vasilis Hiuorios’ police surveillance system hack was repeated this year with 123 out of 187 cameras of Washington MPD being compromised by two malware.
In February 2017 researchers at Georgia Institute of Technology had successfully hacked Ransomware into a simulated water plant. Even in 2015, a German steel mill had suffered physical asset losses due to Stuxnet, a malware designed to attack industrial Programmable Logic Controllers (PLC) that create the core Industrial IoT. Forrester predicts a mass-scale IoT attack impending in 2017, especially in segments like fleet management in transportation, security and surveillance applications in government, inventory and warehouse management apps in retail, and industrial asset management in primary manufacturing.
In a 2014 study, researchers had identified life-threatening security lapses waiting to occur in connected medical devices like insulin pumps, implantable defibrillators, and many more. Furthermore, the security shortcomings in wearables were revealed with a Kaspersky expert hacking into a fitness band and an HP IoT study proved that 90 percent of smartwatch communications are interceptable.
In 2014 itself hackers had used 100,000+ connected consumer devices such as a smart TV or refrigerator to send more than 750,000 malicious emails to businesses and individuals around the world. However, when in 2016 researchers at the University of Michigan hacked into Samsung's SmartThings IoT platform, they not only proved the inadequate security of consumer IoT infrastructure, but also the mass vulnerability of data thefts through devices like baby monitors or teddy bears.
In an automotive hacking experiment in 2015, two hackers had remotely gained control of Chrysler's Jeep Cherokee on the highway and acquired wireless control over the car’s entertainment system, dashboard functions, steering, brakes and transmission. As more of such vulnerabilities are reported for BMW, Skoda Fabia III, Jaguar XFR and Tesla C the popular adoption of driverless cars and fleets gets delayed.
Security by design
In the IoT era, enterprise security is as strong as its weakest link, as it’s no longer safe to simply protect the network or back-end servers. To leverage the benefits of IoT, without risking the consequences of its security threats, business enterprises investing (or even planning) in IoT should address IoT security by design and not as infrastructure adaptation.
IoT security is not just symbiotically related to user safety, it’s sacrosanct. To sustain the consumer and investor attention generated, IoT security calls for a multipronged approach and collaboration amongst device manufacturers, enterprises, and end-users to create industry wide standards, protocols and best practices.