What security & privacy risks does the Internet of Things present?

Published on October 27, 2015 in Information Security

With the advent of the world wide web, everything changed.

We may not have sensed it at the time, especially as the internet as we know it took several years to take off, not to mention a whole load of additional development, but we certainly know it now.

From education to entertainment, communication to work, the net has made everyone’s lives easier, richer and, dare I say it, faster.

But what next?

With the majority of people in the developed world being connected to the web through their PCs, and an increasing number of people also connected via smartphones and tablets, what else can be added to the web to increase its functionality and bring convenience to the lives of everyone who uses it?

The answer, it seems, is the connection of ever more devices. And that doesn’t mean more computers, more phones or more tablets. No, the goal now is to connect other devices in this age dubbed the Internet of Things (IoT).

The Internet of Things

So what is the Internet of Things?

Interestingly, it isn’t anything new. Or at least it isn’t as new as you may think it is.

I’m not sure anyone knows when the concept was first mooted – I can imagine there are probably some old black and white movies depicting interconnected devices – but it certainly attracted serious consideration as far back as 1989 when John Romkey and Simon Hackett connected a Sunbeam Deluxe Automatic Radiant Control Toaster to the Internet during that year’s Interop internet networking conference.

Since that first slice of bread was toasted via a remotely-given command to switch the power on, the core aim of the IoT has remained the same: to connect a multitude of devices to the internet, have them communicate with each other, talk to applications and then relay pertinent information back to us.

A classic example of this, albeit one that seems fairly pointless, would be the smart fridge that could monitor everything stored in it and match that data up with our consumption habits, thereby allowing it to send us a text when we run out of fresh orange. The even smarter fridge could of course scan the use-by dates on the bottles and cartons within it, alerting us when a perishable product was about to cross the point of safe human consumption.

Naturally, an expensive fridge, however smart, would be of limited use, especially given the ease with which a sane human could do the job themselves, but one area that has caught the attention of the public, especially in energy-expensive, cooler climes such as the UK, is in the control of household heating systems.

For many people, the switch to externally controllable heating systems will be inexpensive as the UK government is pushing energy companies to install smart meters in every home. Depending on the functionality of the installed meter, the home owner may be able to use an app on their smartphone to switch the heating on a short while before arriving home, rather than leaving it switched on all day, or have a combination of thermostat control that’s also linked to a sensor that can sense how sunny it is outside. Better yet, some may say, the smartest of meters can also determine when no-one is home, via motion sensing cameras (the title of this article does mention privacy concerns!) or the absence of the owner’s smartphone in the immediate vicinity, making it an ideal solution for anyone who has ever gone on holiday for a fortnight and forgotten to turn the gas off.

Of course there are many other IoT devices in the marketplace already, of which the following are just a few of the more obvious examples –

  1. Automated devices that can remotely or automatically adjust lighting or air conditioning systems
  2. A vast array of security systems including alarms, WiFi cameras and baby monitors
  3. Wireless medical devices, such as heart monitors, pacemakers and insulin dispensers
  4. Heating controls such as thermostats
  5. Wearable devices including watches and fitness bands
  6. Smart appliances such as refrigerators and TV sets
  7. Office equipment including printers
  8. Entertainment devices to control music or television from a mobile device

– but that’s not to say that they are all confined to the home.

Not only do we now have smart cars (well, I say smart, but that may not be entirely true…), we also have smart cities, whose traffic lights aid those cars on their way by running their own traffic management routines based on real-time data assessments, and smart industries whose connected assembly lines can monitor, control and adjust manufacturing processes from start to finish.

What’s the universal appeal of all these devices and scenarios?

Convenience plays a big part but efficiency is the ultimate aim.

By minimising food wastage from your refrigerator, by turning your heating off when you are not there, by monitoring crop growth and adjusting lighting, water levels or feeding remotely, the IoT should bring massive time, energy and financial savings to the human race.

But, as Peter Parker may have said, with great efficiency comes great responsibility.

Only where IoT is concerned, there doesn’t appear to be too much evidence of anyone stepping up to that responsibility challenge.

Security and privacy concerns

And that is a problem.

For all its benefits, the Internet of Things comes with a whole heap of issues, from security to privacy.

As I’m sure you’ve already guessed, connecting anything to the internet introduces an element of risk, and that’s the same whether we’re talking about a computer or a fitness tracker.

So what are the concerns?

There are many of course but some specific examples would be:

  • Fitness trackers sharing information with insecure servers or third parties, either explicitly or via obscure permissions granted via generally unread terms and conditions. Imagine what an insurance company could do with that data
  • Devices dedicated to improving health or sustaining life being hacked remotely. Such a risk is real and a concept originally put forward by the late Barnaby Jack was taken so seriously that the wireless component of Dick Cheney’s pacemaker was disabled over concerns it could be remotely hacked
  • Hijacking of IoT devices to deliver malware, spam and DDoS attacks. Think this is far-fetched? Think again
  • Hacking of CCTV and webcams to secretly spy on victims, either to gain intelligence (prior to a robbery, perhaps?) or for far more nefarious purposes, i.e. taking control of a baby monitor
  • Taking control of garage doors and similar to gain access to property, even with something as innocent-looking as a kid’s toy
  • Monitoring a resident’s gas and lighting usage to assess the owner’s habits or even determine when they are away from home

As you can see, the risks are many, and the above are just a tiny number of all the possibilities, but all is not lost.

Not completely anyway.

While the burgeoning IoT industry as a whole appears to value innovation over security at this time, some companies have recognised the need for change.

Take, for instance, the International Standards Organization (ISO). It has set up a working group to assess how the existing ISO 27000 family of security standards may be adapted to service the security needs created by the Internet of Things.

There are also several vendor alliances forming to address the topic of IoT security. While each has its own specific purpose and area of interest, it is encouraging to see groups including the Thread Group, the Open Interconnect Consortium, the AllSeen Alliance and the Industrial Internet Consortium apply their expertise to initiatives such as data encryption.

Mitigation strategies

So how can you reduce the risks posed by IoT devices within your own home or workplace?

Here are a few tips:

  • Stop and think: does that device you are looking at even need to be connected to the internet in the first place?
  • Research the manufacturer before you buy – does it have a good track record when it comes to security?
  • If you can, place all of your IoT devices on a separate, protected network
  • Disable Universal Plug and Play (UPnP) on all of your IoT devices (actually, make that all of your devices) to prevent them from automatically connecting to other devices across the internet
  • As with any device, install all new security patches as soon as they become available
  • Change the default names and passwords (make them complicated and hard to guess) for all your IoT devices and only connect them to a fully secured router that has also benefited from a change in default login details
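
To act on the UPnP tip you first need to know which devices on your own network still answer UPnP discovery. The Python sketch below is an added example, not code from the original article: it sends a standard SSDP M-SEARCH and groups the replies per device, flagging any that advertise an Internet Gateway Device service (the one that lets devices open router ports). The sample replies, product names and addresses are constructed.

```python
import socket

SSDP_ADDR = ("239.255.255.250", 1900)  # standard SSDP multicast group and port
M_SEARCH = ("M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
            'MAN: "ssdp:discover"\r\nMX: 2\r\nST: ssdp:all\r\n\r\n').encode("ascii")

# Constructed sample replies, shaped like socket.recvfrom() results: (data, (ip, port)).
SAMPLE_REPLIES = [
    (b"HTTP/1.1 200 OK\r\nSERVER: ExampleOS/1.0 UPnP/1.0 ExampleRouter/1.0\r\n"
     b"LOCATION: http://192.0.2.1:5000/rootDesc.xml\r\n"
     b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n\r\n", ("192.0.2.1", 1900)),
    (b"HTTP/1.1 200 OK\r\nServer: ExampleCam/2.1 UPnP/1.0\r\n"
     b"Location: http://192.0.2.23:8080/desc.xml\r\nST: upnp:rootdevice\r\n\r\n", ("192.0.2.23", 1900)),
]

def parse_response(raw):
    """Return the reply's headers (upper-cased names), or None if not an HTTP 200."""
    head, *rest = raw.decode("utf-8", errors="replace").split("\r\n")
    parts = head.split()
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or parts[1] != "200":
        return None
    pairs = (line.partition(":") for line in rest)
    return {name.strip().upper(): value.strip() for name, sep, value in pairs if sep}

def summarize(replies):
    """Group replies per device IP; flag devices offering gateway port mapping."""
    devices = {}
    for raw, (ip, _port) in replies:
        hdrs = parse_response(raw)
        if hdrs is None:
            continue
        dev = devices.setdefault(ip, {"server": "", "locations": set(), "gateway": False})
        dev["server"] = hdrs.get("SERVER", dev["server"])
        if "LOCATION" in hdrs:
            dev["locations"].add(hdrs["LOCATION"])
        dev["gateway"] |= "InternetGatewayDevice" in hdrs.get("ST", "")
    return devices

def discover(timeout=3.0):
    """Send one M-SEARCH on the local network; stop once replies cease for `timeout` s."""
    replies = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(M_SEARCH, SSDP_ADDR)
        try:
            while True:
                replies.append(s.recvfrom(4096))
        except socket.timeout:
            pass
    return replies
```

Running `summarize(discover())` on your own network lists every device that still answers; once UPnP is disabled on a device, it should drop out of the result.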

Which leads me on to one important question: how do you view the Internet of Things? Does it excite or scare you? Leave a comment below and let me know.
