While research firm Gartner estimates there will be nearly 26 billion devices connected to the Internet by the year 2020, the Internet of Things (IoT) revolution has already impacted our world in ways many of us never expected. Most of us see examples in our day-to-day lives where we are impacted by the IoT, subtly yet profoundly—home-monitoring systems, personal activity trackers, driving apps that redirect you to avoid a traffic jam, and so forth. However, advantages aside, there are also downsides to living in a world enabled and powered by the IoT—namely the security concerns associated with the deployment and consumption of these technologies.
IoT risks are not commonly understood
Most of us have grown up in the era of the personal computer, where we know that security risks are present unless appropriately managed. However, the risks from Internet-enabled appliances, televisions, refrigerators and the like are not nearly so well understood. In particular, what’s often not thought of is the way that these devices communicate with the outside world and the digital "footprint" they can leave behind—either of us as individuals or of the organisations we work for. In some circumstances, information can be inadvertently exposed through this footprint and used maliciously. When this information consists of exposed personal, technical or organisational data and is highly confidential, sensitive or proprietary, this ‘digital shadow’ can leave individuals and organisations vulnerable to corporate espionage and competitive intelligence.
IoT dangers are present today
IoT risks are a clear and present danger now. We are already seeing ample examples of IoT devices that demonstrate some sort of system-level failure, which allows them to promote their content online. One example is network-attached storage (NAS) devices and/or consumer routers. We’ve seen documents detailing the security requirements for a UK bank’s ATM network. Additionally, we’ve witnessed technical specification information, strategy documents, and board meeting details from a health insurer. Equally seriously, we’ve seen documents detailing the activity of every financial services company in the U.S. Due to the intrinsic insecurity demonstrated by NAS devices and consumer routers, it is extremely difficult to say who may have access to the data in question and where it ultimately may end up.
Why is it happening? The reasons are numerous, which adds to the complexity of the problem. All of the following have been factors:
- The administrators/owners/users of the devices simply misconfigured the devices, leaving them in a vulnerable state where their content was made observable by anyone looking for it.
- The devices have been misconfigured and/or insecurely configured by default from the manufacturer (an egregious error on the part of the vendor).
- The devices are inherently insecure and, as a result, there is no clear workaround for hardening them.
- The data that these devices promote online can include anything that can be stored on the device itself. Documents, spreadsheets, presentations, databases, PDFs, photographs, music, etc. can all be seen and retrieved from these insecure platforms.
IoT risks will continue to grow
In looking at NAS drives and routers we have taken just a small subset of one type of device to illustrate the problem, but the IoT is growing at a rate that is almost unimaginable. As a result of this growth, the rapid and successive adoption of newly introduced technologies in the consumer and commercial realms will continue. Furthermore, people will seek to harvest data from these devices and platforms for a variety of reasons, most of which are benign and seek to enhance the overall experience with the technology in question. However, as these new technologies come online, the propensity for data to be ‘leaked’ due to misconfiguration, default insecurity, and/or inherently insecure designs will increase. These security weaknesses can also place those who use and subscribe to the services offered by these devices and platforms at risk.
Mitigating the risks
We believe that in order to curtail these conditions several things must take place. First, manufacturers and designers must take ownership of the secure design and manufacturing of their technology. Second, users should take the time to know and understand the technology they are purchasing, and demand that security be provided by default. Through doing so, they should gain a thorough understanding of what a safe configuration is and how to achieve it, and hold the manufacturers accountable. Finally, consumers, whether they are individuals or businesses, should be cautious of new technology that promises amazing ends as a result of being integrated into the IoT. They should research accordingly and adopt thoughtfully.
The IoT revolution has the potential to change our society every bit as positively as the original web. However, for it to truly take off as the analysts expect, confidence in security will be key.
About the author
Alastair Paterson is the CEO of Digital Shadows, a provider of Cyber Situational Awareness