Internet of Things and The Security
When IoT devices are everywhere, the security headaches just get worse
Billions more everyday items are set to be connected to the
internet in the next few years, especially as chips get cheaper and cheaper to
produce - and crucially, small enough to fit into even the smallest product.
Potentially, any standard household item could become
connected to the internet, even if there's no reason for the manufacturers to
do so.
Eventually that processors needed to power an IoT device will
become effectively free, making it possible to turn anything into an
internet-enabled device.
"The price of turning a dumb device into a smart device
will be 10 cents," says Mikko Hyppönen, chief research officer at
F-Secure.
However, it's unlikely that consumer will be the one who
gains the biggest benefits from every device their homes collecting data; it's
those who build them who will reap the greatest rewards - alongside government
surveillance services.
"It's going to be so cheap that vendors will put the
chip in any device, even if the benefits are only very small. But those
benefits won't be benefits to you, the consumer, they'll be benefits for the
manufacturers because they want to collect analytics," says Hyppönen,
speaking at Cloud Expo Europe.
For example, a kitchen appliance manufacturer might collect
data and use it for everything from seeing how often the product breaks to
working out where customers live and altering their advertising accordingly in
an effort to boost sales - and the user might not even know this is happening,
if devices have their own 5G connection and wouldn't even need access to a home
Wi-Fi network.
"The IoT devices of the future won't go online to
benefit you - you won't even know that it's an IoT device," says Hyppönen.
"And you won't be able to avoid this, you won't be able
to buy devices which aren't IoT devices, you won't be able to restrict access
to the internet because they won't be going online through your Wi-Fi. We can't
avoid it, it's going to happen."
Indeed, it's already started, with devices you wouldn't
expect to need an internet connection - including children's toys - being
discovered to have gaping cybersecurity vulnerabilities.
These scenarios, says Darren Thomson, CTO & vice
president of technology services at Symantec, are occurring because those in
the technology industry are thinking about whether they could connect things to
the internet, but aren't thinking about whether they should.
"Could I attach my dog to the internet? Could I automate
the process of ordering a taxi on my mobile phone? We're obsessed with ‘could
we’ problems. That's how we live our lives and careers, we invent things and we
solve problems. We're good at 'Could we'," he said, also speaking at Cloud
Expo Europe.
No matter the reason why things are being connected to the
internet, Thomson agrees with Hyppönen about what the end goal is: data
collection.
"The connectivity of those devices is impressive and
important. But what's more important is how that's coming to bare across
various markets. Every single sector on the planet is in a race to digitise, to
connect things. And very importantly, to collect data from those things,"
he says.
However, various incidents have demonstrated how the Internet
of Things is ripe with security vulnerabilities as vendors put profit and speed
to market before anything else, with cybersecurity very low down the list of
priorities.
Retrofitting updates via the use of patches might work for a
PC, a laptop or even a smartphone, but there are huge swathes of devices - and
even whole internet-connected industrial or urban facilities - for which being
shutdown in order to install and update is impossible.
"The security industry to date is predicated on the
benefit of the retrofit. IT has designed insecure systems then we've secured
them. That's kind of OK in a world where a device can have some downtime,"
says Thomson.
"But a car, a building, a city, a pipeline, a nuclear
power facility can't tolerate downtime. So if we don't build security and
privacy in to our designs from the very first whiteboard, we're going to leave
ourselves with a problem."
Not only that, but as IoT devices become more and more
common, people will start to ignore them
"The reality of the human mind is as we embed things, we
tend to forget about them, we get complacent about them. Many of you are
probably wearing a smart device on your wrist to monitor your behavior and
exercise routines. But no doubt two weeks after you started wearing it, you
forgot it was there," he says.
"The danger from a psychological perspective is that
people forget about that technology and forget about the risks associated with
it and our own personal mitigation of that risk."
Even now, consumers are too blasé about connected devices,
keen to jump on the latest technological trends failing to realize the
associated security risks. Then even if they do, they remain unclear on how to
secure the IoT devices -- that is, if there is the option of securing it in the
first place.
"Nobody reads the manual, especially to page 85 where it
says how to change the default credentials, or page 90 where it says how to set
up user accounts and restrict access to the admin interface, or page 100 where
it says how to segment your network," says Hyppönen.
He likens it to the "exact same problem we had in the
80s" when people wouldn't even bother to set a time on their video
recorder as it involved picking up the manual, so it'd end up always flashing
12:00.
It's therefore important for the Internet of Things
cybersecurity loopholes to be shut sooner rather than later so as to avoid
nightmare scenarios where hackers could exploit vulnerabilities to attack
anything from pacemakers and other medical devices, to connected cars to even
entire industrial facilities.
But are IoT device
manufacturers going to do this anytime soon? Probably not.
"The manufacturers of IoT devices are unlikely to fix this
by themselves. They're unlikely to start investing more money in their IoT
devices for security because money is the most important thing in home
appliances," says Hyppönen
"When you buy a washing machine, price is the most
important selling point. Nobody's asking, 'does it have a firewall or intrusion
prevention systems?' Cybersecurity isn't a selling point for a washing machine,
so why would manufacturers invest money in it?" he adds.
It might eventually be regulation which has to fix this
problem; as Hyppönen points out, device safety is already regulated. "When
you buy a washing machine, it must not short circuit and catch fire, we
regulate that. Maybe we should regulate security too," he says.
Post a Comment