Have you really thought about IoT security?
You’ll no doubt have seen, heard and read lots about the IoT in recent months. You’ve probably even used it in some form: possibly via your smart heating thermostat, lighting system, fridge or other internet-connected home appliance. Or maybe you’ve come across it at work, perhaps on a manufacturing line where connected sensors and intelligent data analytics enable the production process to self-optimise in real time.
The market is being flooded with ready-to-go IoT products, as well as chips, boards and other components designed to be embedded in the connected world. But the rush to get things on sale quickly, coupled with buyers’ enthusiasm for connecting up their homes and workplaces, means security is often being overlooked. And this is leaving devices, systems or even whole networks exposed to miscreants.
Let’s look at a few of the ways an IoT device or network can be vulnerable, and the possible impacts.
Is your data transmitted securely?
First off, by their very nature, most IoT devices are sending data over the internet. If this data isn’t encrypted, someone could intercept and read it.
Now a hacker knowing how warm your house is may not seem like the most serious problem you could have, but this information could reveal the times when your property is unoccupied, making it a target for break-ins. In a business context, what happens if the data you’re transmitting contains commercially sensitive or safety-critical information? If this falls into the wrong hands, the consequences could be extremely severe.
The challenge is that unless you set up your own network snooping tools to intercept and check the traffic, it’s very difficult to know whether the data your device is transmitting is secured.
Could your device get hijacked?
Covertly reading data is one thing, but potentially more serious is if someone can take control of your IoT device. This could be done by attackers exploiting weaknesses in the firmware, or by uploading their own, malicious firmware, perhaps by briefly physically connecting to the device when the owner isn’t looking. This latter process is easier than you might think, because despite the variety of IoT devices out there, many actually use the same components at their hearts. This means the individual elements – and how to flash them – are well-understood.
If a device is compromised in this way, the impact could be anything from someone turning your lights on and off, to hackers making a piece of industrial equipment do something that puts lives at risk.
Is there more to your device than you think?
Then there’s the question of what the device is actually doing. Are you sure that smart light switch is only a light switch, and that it doesn’t also contain sensors that are snooping on your life or work?
It was recently revealed, for example, that Google’s Nest Guard home security device contained a microphone that wasn’t listed in the tech spec, meaning most people who’d bought the kit won’t have been aware of its presence. While Because without physically tearing the kit apart and/or monitoring the data it’s sending back over the internet, it’s extremely hard to know for sure whether a device is only doing what it claims to be doing.
Creating a back door into a secure network
Perhaps the biggest security risk of all, particularly from an enterprise perspective, is when you connect a potentially insecure IoT device to your otherwise secure corporate network. This creates an opening that can let miscreants in. Suddenly, your computers, servers and storage on that network can become exposed to someone who’s taken control of the IoT device.
So how do you embrace the IoT without compromising security?
These examples show the breadth of possible attack routes and some of the complexities of dealing with them. So what can individuals and organisations do to harness the benefits of the IoT, without opening themselves and their businesses up to unacceptable risks?
The first question to ask is whether the device really needs to connect to the public internet. If you’re setting up a security camera system, for example, do the images really need to be viewable over the web, or could you keep the whole thing on an internal network?
If your kit does need to connect to the web, then set it up its own network that’s completely separated from your computers, servers, storage and anything else important to you or your organisation. Next, configure your firewall to restrict what individual IoT devices can access, and block insecure web requests. This may mean certain devices won’t work – but if that’s the case, they’re probably ones you don’t want on your network anyway.
Lastly, monitor traffic coming from your IoT devices. If you see something unusual – such as high volumes of data from a device that should nominally be sending very little, or a sudden spike, it could be you’ve got a rogue bit of kit, or one that’s been compromised.
Watch the film from the event here.