Internet of Things (IoT): Security, Privacy and Safety

The Internet of Things (IoT) presents numerous benefits to consumers, and has the potential to change the ways that consumers interact with technology in fundamental ways. In the future, the Internet of Things is likely to meld the virtual and physical worlds together in ways that are currently difficult to comprehend. From a security and privacy perspective, the predicted pervasive introduction of sensors and devices into currently intimate spaces – such as the home, the car, and with wearables and ingestibles, even the body – poses particular challenges. As physical objects in our everyday lives increasingly detect and share observations about us, consumers will likely continue to want privacy.

The Internet of Things (IoT) is emerging as the third wave in the development of the Internet. The 1990s’ Internet wave connected 1 billion users while the 2000s’ mobile wave connected another 2 billion. The IoT has the potential to connect 10X as many (28 billion) “things” to the Internet by 2020, ranging from bracelets to cars. Breakthroughs in the cost of sensors, processing power and bandwidth to connect devices are enabling ubiquitous connections right now. Smart products like smart watches and thermostats (Nest) are already gaining traction, as stated in Goldman Sachs Global Investment Research’s report. The rise of the Internet of Things (IoT) has already sparked concerns about privacy; now security pros are worried that badly configured gadgets might provide a backdoor for hackers looking to break into corporate networks.

IoT devices are poised to become more pervasive in our lives than mobile phones and will have access to the most sensitive personal data such as social security numbers and banking information. As the number of are also exponentially multiplied. A couple of security concerns on a single device such as a mobile phone can quickly turn to 50 or 60 concerns when considering multiple IoT devices in an interconnected home or business. In light of the importance of what IoT devices have access to, it’s important to understand their security risk.

The chair of the Federal Trade Commission warned recently that the small size and limited processing power of many connected devices could limit the use of encryption and other security measures; it may also be difficult to patch flaws in low-cost and essentially disposable IoT devices.

The growth in these connected devices will spike over the next several years, according to numbers accumulated by Cisco Systems. What Cisco officials call the Internet of everything will generate $19 trillion in new revenues for businesses worldwide by 2020, and IDC analysts expect the IoT technology and services market to hit $8.9 trillion by the end of the decade.

However, while it may prove a financial boom for businesses and meet consumers' insatiable desire for more devices, the IoT also will increase the potential attack surface for hackers and other cyber-criminals. More devices online means more devices that need protecting, and IoT systems are not usually designed for cyber-security, said Marc Blackmer, product marketing manager for industry solutions at Cisco. The sophistication of cyber-criminals is increasing, and the data breaches that are becoming increasingly familiar will only continue.

"This is not going to change," Blackmer said. "It's not going to go away. … As long as there's money to be made, it's going to happen."

Internet of Things security is no longer a foggy future issue, as more and more such devices enter the market—and our lives, from self-parking cars to home automation systems to wearable smart devices. Google CEO Eric Schmidt told world leaders at the World Economic Forum in Davos, Switzerland, in January, "There will be so many sensors, so many devices, that you won't even sense it, it will be all around you. It will be part of your presence all the time."

Issues around mobile security are already a challenge in this era of always connected devices. Think how much greater those challenges will be if a business has, for example, 10 IoT connected devices, and it’s not going to get any easier. As the IoT evolves, there will be billions of connected devices — and each one represents a potential doorway into your IT infrastructure and your company or personal data.

IoT’s Threats

We can list the threats of IoT under three categories: Privacy, Security and Safety. Experts say the security threats of the Internet of Things are broad and potentially even crippling to systems. Since the IoT will have critical infrastructure components, it presents a good target for national and industrial espionage, as well as denial of service and other attacks. Another major area of concern is privacy, with the personal information that will potentially reside on networks also a likely target for cyber criminals.

One thing to keep in mind when evaluating security needs is that the IoT is still very much a work in progress. Many things are connected to the Internet now, and we will see an increase in this and the advent of contextual data sharing and autonomous machine actions based on that information. The IoT is the allocation of a virtual presence to a physical object. As it develops, these virtual presences will begin to interact and exchange contextual information, [and] the devices will make decisions based on this contextual device. This will lead to very physical threats, around national infrastructure, possessions [for example, cars and homes], environment, power, water and food supply, etc.

As a variety of objects become part of an interconnected environment, we have to consider that these devices have lost physical security, as they are going to be located in inhospitable environments, instantly accessible by the individual who is most motivated to tamper with the controls. Attackers could potentially intercept, read or change data; they could tamper with control systems and change functionality, all adding to the risk scenarios.

Threats Are Real …

Among the recent examples, one involves researchers who hacked into two cars and wirelessly disabled the brakes, turned the lights off and switched the brakes full on—all beyond the control of the driver. In another case, a luxury yacht was lured off course by researchers hacking the GPS signal that it was using for navigation.

Home control hubs have been found to be vulnerable, allowing attackers to tamper with heating, lighting, power and door locks. Other cases involve industrial control systems being hacked via their wireless network and sensors.

"We are already seeing hacked TV sets and video cameras [and] child monitors that have raised privacy concerns, and even hacked power meters which to date have been used to steal electric power," adds Paul Henry, a principal at security consulting firm VNet Security LLC in Boynton Beach, Fla., and a senior instructor at the SANS Institute, a cooperative research and education organization in Bethesda, MD. "A recent article spoke of a 'hacked light bulb,'" Henry says. "I can imagine a worm that would compromise large numbers of these Internet-connected devices and amass them into a botnet of some kind. Remember it is not just the value or power of the device that the bad guy wants; it is the bandwidth it can access and use in a DDoS [distributed denial-of-service] attack."

The biggest concern, Henry says, is that the users of IoT devices will not regard the security of the devices they are connecting as being of great concern. "The issue is that the bandwidth of a compromised device can be used to attack a third party," he says. "Imagine a botnet of 100,000,000 IoT devices all making legitimate Web site requests on your corporate Web site at the same time."

Experts say the IoT will likely create unique and in some cases complex security challenges for organizations. As machines become autonomous they are able to interact with other machines and make decisions which impact upon the physical world. We have seen problems with automatic trading software, which can get trapped in a loop causing market drops. The systems may have failsafes built in, but these are coded by humans who are fallible, especially when they are writing code that works at the speed [and] frequency that computer programs can operate.

If a power system were hacked and the lights in an area of the city were turned off, it would perhaps be no big deal for many, but for the thousands of people in the subway stations hundreds of feet underground in pitch darkness, the difference is massive. IoT allows the virtual world to interact with the physical world and that brings big safety issues.

What Can We Do?

While threats will always exist with the IoT as they do with other technology endeavors, it is possible to bolster the security of IoT environments using security tools such as data encryption, strong user authentication, resilient coding and standardized and tested APIs that react in a predictable manner.

Some security tools will need to be applied directly to the connected devices. "The IoT and its cousin BYOD have the same security issues as traditional computers," says Randy Marchany, CISO at Virginia Tech University and the director of Virginia Tech's IT Security Laboratory. "However, IoT devices usually don't have the capability to defend themselves and might have to rely on separate devices such as firewalls [and] intrusion detection/prevention systems. Creating a separate network segment is one option." In fact, the lack of security tools on the devices themselves or a lack of timely security updates on the devices is what could make securing the IoT somewhat more difficult than other types of security initiatives, Marchany says. "Physical security is probably more of an issue, since these devices are usually out in the open or in remote locations and anyone can get physical access to it," Marchany says. "Once someone has physical access to the device, the security concerns rise dramatically."

It doesn't help that vendors providing IoT technologies most likely have not designed security into their devices, Marchany says. "In the long term, IT executives should start requiring the vendors to assert [that] their products aren't vulnerable to common attacks such as those listed in the OWASP [Open Web Application Security Project] Top 10 Web Vulnerabilities," he says. IT and security executives should "require vendors to list the vulnerabilities they know exist on their devices as part of the purchase process."

Security needs to be built in as the foundation of IoT systems, with rigorous validity checks, authentication and data verification, and all the data needs to be encrypted. At the application level, software development organizations need to be better at writing code that is stable, resilient and trustworthy, with better code development standards, training, threat analysis and testing. As systems interact with each other, it's essential to have an agreed interoperability standard, which is safe and valid. Without a solid bottom-top structure we will create more threats with every device added to the IoT. What we need is a secure and safe IoT with privacy protected: a tough trade-off, but not impossible.

Author:
Ahmed Banafa
https://www.linkedin.com/pulse/internet-things-iot-security-privacy-safety-ahmed-banafa