2017 is likely to be the year the Internet of Things gets into full swing.
After all, in 2015, Gartner, Inc. forecast that 6.4 billion devices would be in use worldwide in 2016.
Yet many vendors continue to produce products that have next to no defence against cyber-attacks. In some cases, there is absolutely nothing to stop these devices being hijacked or hacked.
Internet of Things (IoT) devices still remain the weak point of a network. Hackers can use them as a gateway into the network as a whole. Fears have arisen that the devices can be hijacked and attached to a botnet.
The Internet of Things in the home
The home technology sector has already picked up on the IoT. Smart fridges, energy meters and home lighting systems make running a home more efficient.
And in theory, software improves the compatibility and communication between IoT devices. The ZigBee wireless standard allows users to set up home automation, with devices turning lights and heating on, or checking home security cameras.
But their vendors pay little attention to security risks. Why would they? The vendors need to keep costs down to appeal to the home user market. So less financial margin means less of an incentive to spend more on security.
So in some cases, third-parties can detect network keys between devices. An attacker can join and compromise the whole network. That’s a lot of personal information lying vulnerable. And as more devices join the IoT, more data is open to theft by hackers.
Securing the devices isn’t always easy. Devices only need a minimum number of security features to be certified for home use. And the vendors don’t always allow customers to install additional security software.
So unless a user changes the default settings, the home network becomes compromised the moment an IoT device joins it.
But why would a criminal want to hack into a smart fridge?
Well besides gaining access to your home network, a hacker might want to use your fridge for more than storing food items.
Hackers can infect IoT devices with malware. Those devices join a zombie network without you ever knowing about it.
Zombie networks can be mobilised to perform distributed denial of service (DDoS) attacks. The network directs useless data at a DNS server. The server can’t cope with the influx of junk requests, so it overloads, denying requests for information.
In October 2016, a massive DDoS attack took down the Dyn DNS server. Twitter, Spotify, Soundcloud and even Amazon were all affected.
In future, a whole army of zombie devices could be recruited from the Internet of Things. Symantec’s security researchers have already warned that modems, routers, CCTV systems and even industrial control systems are being recruited as we speak.
Will we ever catch up with security?
Despite the threats, home IoT users can protect themselves against IoT malware. Symantec advises users to replace passwords with stronger options to prevent attacks using default settings. And they can regularly check for firmware updates from the manufacturer.
But securing an IoT device is not always that easy. Vendors don’t make it simple to change settings. And without making configuration more accessible for the end user, most people won’t change the defaults.
As the prices fall, more people will buy these devices. That scales up the security problem. Unless changes are made, more IoT devices are likely to be recruited to botnets.
The Federal Trade Commission is so concerned about the potential security risks that they’ve even started the IoT Home Inspector Challenge. Anyone can submit ideas for tools to solve the problems around the IoT. There’s even a cash prize of $25,000 for the best technical solution.
Security for the IoT isn’t an easy problem to solve. IoT has 10-20 times more endpoints than IT devices. And they’re often spread across a range of sites, so they lie beyond the security of perimeter-based solutions.
They often don’t have the battery power or the memory to perform anything complicated. Traditional security tools can be too complex to be used for IoT devices.
And then there’s the corporate network to contend with.
ForeScout and Splunk teamed up to create a new IoT security solution. ForeScout already help companies to detect IoT devices. While Splunk use logging tools to provide security visibility. Together, they hope they can spot IoT issues before they become troublesome.
But why would IoT devices be connected to a corporate network? It could simply be issues surrounding BYOD. If so, those devices can either be disconnected, or their security settings reviewed.
After all, corporations won’t want anything from their network being used in a DDoS attack. And they’ll need stronger security for anything within their perimeter.
But even if we close the security door and hold back DDoS attacks, there’s a secondary problem we need to face.
In other words, are IoT devices being connected to corporate networks as a deliberate intrusion attempt? The ForeScout and Splunk solution will be invaluable if this is the case. But it hints at a much larger, and darker, problem.
Personal data, or corporate information, is more valuable than ever. The nature of cybercrime has escalated accordingly. DDoS attacks are on the rise, as is the spread of malware such as ransomware. It’s estimated that victims of the CryptoWall ransomware suffered around $325 million in damages. Neither corporations nor home users can afford that.
Is the internet as we know it dead?
It’s unlikely. But it will need to change.
Now there are many benefits to a more connected society. Splunk’s CTO, Snehal Antani, suggested that smarter cities, better crisis planning and higher mobile phone usage could only be a good thing.
And with large scale incidents on the rise, he can only be right.
But it comes at a cost. It might not just be cybercriminals that want to recruit your smart kettle to a botnet. Less ethical marketers might want access to your data to hone their ad campaigns.
Worse than that, you’ll be transmitting data about all of your movements. It’s no longer about Google saving your searches, or Facebook screening your online behaviour to serve more targeted ads. Everything you do will be available to the nearest attacker.
With no specific laws in place to guard privacy, and hazy regulations around the security implications IoT, we’re back on a technological frontier – only the outlaws currently have more bullets than the lawmen.