IoT devices not secured by design

Internet of Things devices are not originally built to be robust against attacks, resulting in vulnerabilities that can lead to severe repercussions if left unchecked, particularly where data is being collected and acted upon, as in Singapore's smart nation plan.
Written by Eileen Yu, Senior Contributing Editor

Because they're not originally manufactured with security in mind, Internet of Things (IoT) devices are especially vulnerable to potential attacks. If left unaddressed, the projected mass adoption of IoT can result in repercussions for the common folk.

IDC expects more than 28 billion IoT devices to be installed by 2020, while Gartner puts this figure at 4.9 billion in 2015, with 25 billion connected devices by 2020.

With the projected increase in connectivity, however, comes the anticipated growth in malicious attacks and breaches--and in the IoT realm, the vulnerabilities are gaping.

According to an HP study, 70 percent of IoT devices are vulnerable to security attacks, with 80 percent of such devices lacking passwords of sufficient complexity. The research tested up to 25 areas of vulnerability, such as weak passwords and cross-site scripting, across various IoT devices including televisions, webcams, and home security alarms.

Matthew Shriner, director of solutions consulting for HP Asia-Pacific Japan and EMEA, said organizations looking to embed IoT technologies in their products are starting to realize security needs to be added to the mix.

He pointed to reports about how hackers were able to penetrate automobiles and remotely control the vehicle, and noted that manufacturers of such systems may be experts in their fields but not in IT security. These companies now recognize they need such expertise, Shriner said.

Most IoT devices have systems that were not originally designed to be connected and are not robust against attacks, concurred Bryce Boland, Asia-Pacific vice president and CTO of FireEye. The convenience of IoT devices comes with a lot of security threats, he said, the most significant of which is the lack of security on such devices.

"Since many devices were originally designed without connectivity in mind, they do not have the right security controls in place to counter threats. By default, these devices come from a lower point of security and are entering a world filled with very sophisticated adversaries," Boland explained. "It is very risky to connect things to the internet [where] even systems that were designed for that generally have a lot of vulnerabilities."

Shriner added that as more devices are connected, hackers have more avenues to breach homes and collect information to monitor behavioral patterns. For instance, they can gain access to the air-conditioning system and find out when it is turned off to determine when the owner is away from home.

Vulnerabilities in cars also present serious physical problems to drivers, so there is increased need to ensure hackers are unable to breach such vehicles, he said.

And while automation is often touted as a benefit in the deployment of IoT, it also presents challenges with regard to authentication and the associated risks.

Boland said: "That is the sort of risk you are taking when you do not have a person involved to validate the information you are receiving from your data sensors is correct. When the data being used to make decisions could be tampered with maliciously, you run the risk of attackers causing physical damage with the click of a mouse."

Heightened security needed in Singapore's smart nation plan

With Singapore deploying thousands of sensors in its smart nation push, it is critical that the data is collected and transmitted securely, and adequately protected, to ensure the information isn't tampered with.

Boland stressed the need for this as higher risks are involved when actions are taken based on the information that's being gathered. "For example, if you have enabled not just a sensor to tell you what the water pressure level is, but an actuator to change the water pressure level according to the information you have received, you've got a feedback route.

"If someone hacks into that feedback route and alters it, either to influence what you believe the water pressure level is or to disengage a safety protocol on that device, you could have a big problem on your hands," he warned.

Shriner added that connections in smart grids and related devices, such as smart meters, should be secured and monitored for suspicious activity.
