Like any market surrounded by relentless attention and hype, the Internet of Things (IoT) has quickly evolved from an exciting idea to an all-out race to the shelf. This flurry of production has been met with enthusiasm by consumers and businesses eager to automate and connect everything from their HVACs to their vehicles. But at the same time, in the rush to market, manufacturers are often neglecting to secure these devices against cyberattacks.
Because buyers perceive many IoT devices to be “purpose built,” they often believe that the devices are secure. The reality is that IoT devices are generally the same computers and operating systems we use every day, simply repackaged to fit a new delivery form factor. They have the same benefits and drawbacks and are susceptible to traditional vulnerabilities and attacks.
Jeep and Tesla both became IoT security guinea pigs last year, as researchers found ways to hack into the Cherokee’s and Model S’s computers and take control of the vehicles. The team researching the Jeep demonstrated they could remotely control the vehicle in several ways, from changing the music and A/C settings to cutting the car’s transmission mid-drive. The Tesla’s hackers used physical access to the car’s networking cables to achieve root privileges on the car’s infotainment system, allowing them to start and drive the vehicle or shut it off.
Luckily, these researchers shared their findings with the manufacturers so they could release patches. But our recent Dell Security Annual Threat Report predicts manufacturers and users of smart vehicles that don’t feature the proper IoT security measures won’t always be so lucky. With the increase in ransomware activity targeting Android devices in 2015, our report predicts the possibility of ransomware attacks on vehicles, where the driver is unable to exit the vehicle until he or she pays a small ransom. And this is just one of many bizarre ways cybercriminals could profit from the takeover of individual or corporate vehicles.
With connected devices expected to reach 20.8 billion by 2020, according to Gartner, future IoT attacks will continue to model the Jeep and Tesla breaches — they’ll focus on taking control of the device in order to use it in some unintended way. But other hacks will use IoT devices as access points for valuable data, which can be even more profitable.
In 2015, Dell Security partner iPower Technologies discovered the Conficker worm malware hiding on the newly purchased body cameras of a law-enforcement client. In a blog post, the CEO of iPower tells the story:
“iPower engineers connected the USB camera to one of our computers. When he did that, multiple security systems on our test environment were alerted to a new threat. It turned out to be a variant of the pervasive Conficker worm and we immediately quarantined it.”
In this instance, the hacker’s goal was likely to use the body cameras merely as an attack vector for accessing law enforcement data. Whether the attacker would have used this data for a political or financial agenda is unclear. Users mistakenly assume that IoT devices are unlikely to be initial vectors of attack and that they can trust the IoT device. The iPower discovery demonstrated two things. First, IoT devices are often just repackaged computers and operating systems that are as vulnerable as a home computer. Second, manufacturers are not always fully aware of what’s getting onto their systems at the time of production or distribution. It proved the need for diligence both in defending against the IoT devices we are deploying and in defending the devices themselves.
These kinds of vulnerabilities could soon lead to widespread data breaches, as BI Intelligence predicts government will be the second largest adopter of IoT technologies in the coming years.
The top adopter? Businesses, who BI Intelligence says can leverage IoT to lower operating costs, increase productivity and expand their products and target markets. But as our report points out, companies are already the target for an ever-growing number of cyber attacks, with 2.17 trillion IPS attacks and 8.19 billion malware attacks in 2015 alone. So if companies are going to enjoy the benefits of today’s potentially insecure IoT devices, they’ll have to put end-to-end security programs in place.
There are a few ways organizations can do this:
1. Approach security holistically: Ensure data is secured and encrypted from the data center or cloud to the endpoint and everything in between. Look at endpoint security, network security, identity and access management, and more.
2. Research your devices: Understand what your IoT devices do, what data they collect and send and from where, who owns that data, and what vulnerability assessments or certifications the devices have.
3. Audit the network: Level set before installing a device so you can better understand its impact on network traffic. Do an audit to understand what is currently accessing the system and when, what it does when it sees data, and what it communicates to and where. Then reassess your network performance after installing the IoT device and identify any changes on an ongoing basis.
4. Compartmentalize traffic: Employ a no-trust policy for IoT devices, putting them on a separate network segment or virtual LAN (VLAN) so they can’t access or interfere with critical corporate data.
5. Educate your team: As IoT evolves, it will be critical to ensure that your company’s IT, security, and network teams are educated about the latest devices, standards, and issues.
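As an added illustration of steps 3 and 4 (not code from the article or from Dell Security), the sketch below diffs a pre-install traffic baseline against post-install flows and applies a no-trust rule to the IoT segment. The subnets, the allow-list, and the flow records are all constructed assumptions.

```python
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst dport")

# Assumed addressing plan, constructed for this example.
IOT_SEGMENT = ipaddress.ip_network("10.20.0.0/24")    # dedicated IoT VLAN
CORPORATE = ipaddress.ip_network("10.10.0.0/16")      # critical corporate hosts
ALLOWED_FROM_IOT = {("10.20.0.1", 53), ("10.20.0.1", 123)}  # DNS/NTP on the VLAN gateway

# Constructed flow records ("src dst dport"), e.g. exported from a firewall or flow collector.
BASELINE = """
10.10.5.20 10.10.1.10 445
10.10.5.20 203.0.113.7 443
"""
AFTER_INSTALL = BASELINE + """
10.20.0.50 10.20.0.1 53        # camera resolving names via the gateway
10.20.0.50 198.51.100.9 443    # camera talking to an external host
10.20.0.50 10.10.1.10 445      # camera reaching a corporate file server
"""

def parse(text):
    """Return a set of Flow records, ignoring blank lines and '#' comments."""
    flows = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        src, dst, dport = fields
        ipaddress.ip_address(src), ipaddress.ip_address(dst)  # raises on bad input
        flows.add(Flow(src, dst, int(dport)))
    return flows

def audit(baseline, current):
    """Diff current traffic against the baseline and apply the no-trust IoT policy."""
    from_iot = [f for f in current if ipaddress.ip_address(f.src) in IOT_SEGMENT]
    violations = sorted(f for f in from_iot if ipaddress.ip_address(f.dst) in CORPORATE)
    unreviewed = sorted(f for f in from_iot
                        if f not in violations and (f.dst, f.dport) not in ALLOWED_FROM_IOT)
    return {"new_flows": sorted(current - baseline),
            "segment_violations": violations,
            "iot_unreviewed": unreviewed}

if __name__ == "__main__":
    report = audit(parse(BASELINE), parse(AFTER_INSTALL))
    for section, flows in report.items():
        print(section)
        for f in flows:
            print(f"  {f.src} -> {f.dst}:{f.dport}")
```

Re-running the audit on a schedule against the same baseline covers the "ongoing basis" part of step 3; anything under `segment_violations` means the VLAN isolation from step 4 is not actually being enforced.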
Eventually, we’ll begin to see manufacturers incorporate more security settings directly into their IoT devices, but right now, the onus is on both the user and the company to protect against cyber attacks. That shouldn’t deter interested organizations from using IoT devices but rather guide their strategies and policies going into product selection, implementation, and maintenance.
IoT is one of the largest business opportunities in recent years, and organizations are right to make moves toward a connected, efficient infrastructure. Just don’t let the latest connected device’s rapid introduction to market rush your organization into a costly security mistake.
Patrick Sweeney is VP of Product Management and Marketing of Dell Security.