The most effective place to address IoT security is the device operating system, where the same codebase and practices used for standard enterprise security measures can be applied, a new study by Canonical claims.
In September 2016 the world saw its largest IoT botnet attack to date, Mirai: malware that co-opted hundreds of thousands of vulnerable devices (mostly IP cameras, DVRs and home routers) and used their combined bandwidth for denial-of-service floods that knocked hosting providers, a major DNS provider and the online services depending on them offline, affecting businesses and consumers alike.
The root cause was traced to devices exposing Telnet with factory-set default usernames and passwords: Mirai's scanner simply tried a short, hard-coded list of roughly 60 credential pairs against any device listening on TCP port 23 or 2323.
According to a study conducted by Canonical, it doesn’t take a great deal of imagination to see the potential outcomes of such attacks.
More recently, the WannaCry ransomware worm spread through outdated, unpatched Windows systems using an SMBv1 vulnerability for which a fix (MS17-010) had been available for two months, encrypting files and demanding ransom at a number of high-profile organisations, including several NHS trusts.
So how long before IoT devices are exploited in similar ways?
- In 2016, more than 23,000 news stories were published concerning the threat of IoT security
- One in five (21%) of IoT professionals surveyed by Canonical believe IoT security issues have been overly ‘hyped up’ by the media
- The remaining 79% disagree, believing either that the media has portrayed an ‘accurate’ picture of IoT security issues, or that those issues have been underplayed and are ‘much worse than they think’
The “genie is out of the bottle” as far as IoT security is concerned. As attackers grow ever more interested in poorly protected IoT devices, it seems likely we’ll see more such attacks, with swarms of compromised IoT devices turned against commercial targets.
Tackling IoT security effectively, and thereby minimising risks, is therefore critical in establishing a clear business case for IoT among enterprises.
What are the risks?
The potential risks to businesses from poor IoT security are considerable. A comprehensive list is impossible, and exactly which risks apply depends on whether the business in question is an IoT device manufacturer or a company using IoT in its own operations to drive savings or offer additional services.
On the whole, IoT device manufacturers face the prospect of heavy fines, legal action, and brand damage if their devices don’t meet acceptable security standards.
In early 2017, for example, the US Federal Trade Commission sued Taiwanese network infrastructure firm D-Link for failing to take reasonable steps to secure its routers and IP cameras, leaving them open to exactly the kind of takeover Mirai exploited.
Although the penalty discussed reached as high as $16,000 per device, more than a quarter (26%) of the IoT professionals surveyed said they would have liked to see an even higher fine.
However, it is businesses using third-party IoT devices and services that arguably stand to be the real ‘victims’ of IoT security failures. Like manufacturers, they face fines, legal action and brand damage, but also data loss or theft and industrial espionage, denial of service leading to lost revenue, unauthorised access to their private audio-visual feeds, violation of staff privacy, and more.
An IoT device is often the weakest foothold on a corporate network; an intrusion that pivots from it into critical business systems has the potential to be catastrophic for the adopter.
Mitigating IoT security issues
What can be done to mitigate the risks to businesses from IoT devices?
- Maintain an accurate inventory of all IoT devices, recorded as they are installed: a device nobody knows about cannot be patched, segmented or decommissioned
- Vendors and users must ensure basic best practice is in place, starting with unique, non-default credentials on every device and no unauthenticated management services (such as Telnet) exposed to the network
- Enterprise IT departments should give on-premises IoT devices only the access they need: segment them onto their own network, restrict which systems they can reach, and disable unnecessary services and management interfaces
- Device updates should be regular, seamless and, wherever possible, automatic, with each update authenticated so that the update channel does not itself become an attack vector
- Plan for the vendor failing or abandoning the product: know how devices will be patched or retired if updates stop
- Ensure IoT devices run an IoT OS that is built from the ground up for security
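The Telnet default-credential pattern behind Mirai described earlier, and the inventory and non-default-credential points in the list above, can both be checked from device or honeypot authentication logs. The following is an added example, not code from the article or from Canonical. It assumes a constructed syslog-style line format (`telnetd: src=... dst=... user=... pass=... result=ok|fail`), the sample log lines are constructed, and the credential list is a small subset of the pairs hard-coded in the leaked Mirai source. It reports two things: sources that walk the default list the way Mirai's scanner did, and devices that still accept a factory-default login.

```python
"""Flag Mirai-style default-credential abuse in Telnet authentication logs.

Added example for this article; not code from the article or from Canonical.
Assumed (constructed) log format, one login attempt per line:

  <timestamp> telnetd: src=<ip> dst=<ip> user=<name> pass=<password> result=<ok|fail>

Findings:
  * scanners       - sources that try many distinct factory-default pairs, as
                     Mirai's loader did (it walked a fixed list of roughly 60
                     pairs against TCP 23 and 2323). An internal source that
                     shows up here is itself a compromised device.
  * default_logins - successful logins with a factory-default pair: the target
                     device is still running its factory credentials.
"""
import re
from collections import defaultdict

# Subset of the username/password pairs hard-coded in the leaked Mirai source.
DEFAULT_PAIRS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"), ("admin", "admin"),
    ("root", "888888"), ("root", "xmhdipc"), ("root", "default"), ("root", "juantech"),
    ("root", "123456"), ("root", "54321"), ("support", "support"), ("root", ""),
    ("admin", "password"), ("root", "root"), ("root", "12345"), ("user", "user"),
    ("admin", "admin1234"), ("root", "pass"), ("ubnt", "ubnt"), ("admin", "1234"),
}

# Assumed line layout; passwords containing whitespace are not expected here.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) telnetd: src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"user=(?P<user>\S*) pass=(?P<pw>\S*) result=(?P<result>ok|fail)$"
)


def parse_line(line):
    """Return the fields of a well-formed line as a dict, or None otherwise."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def analyse(lines, scanner_threshold=5):
    """Return (scanners, default_logins) for an iterable of log lines.

    scanners       : {src_ip: distinct default pairs tried} for every source
                     that tried at least scanner_threshold distinct pairs.
    default_logins : [(dst_ip, user, password)] for successful logins that
                     used a factory-default pair, in log order.
    """
    tried = defaultdict(set)
    default_logins = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed lines are skipped, never treated as benign
        pair = (rec["user"], rec["pw"])
        if pair not in DEFAULT_PAIRS:
            continue  # non-default credentials are out of scope for this check
        tried[rec["src"]].add(pair)
        if rec["result"] == "ok":
            default_logins.append((rec["dst"], rec["user"], rec["pw"]))
    scanners = {src: len(pairs) for src, pairs in tried.items()
                if len(pairs) >= scanner_threshold}
    return scanners, default_logins


# Constructed sample log: one external scanner walking the default list, one
# device (10.0.40.12) that still accepts root/xc3511, one legitimate operator
# login with non-default credentials, and one malformed line.
SAMPLE_LOG = """\
2016-09-20T03:14:07Z telnetd: src=203.0.113.5 dst=10.0.40.11 user=root pass=xc3511 result=fail
2016-09-20T03:14:07Z telnetd: src=203.0.113.5 dst=10.0.40.11 user=root pass=vizxv result=fail
2016-09-20T03:14:08Z telnetd: src=203.0.113.5 dst=10.0.40.11 user=root pass=admin result=fail
2016-09-20T03:14:08Z telnetd: src=203.0.113.5 dst=10.0.40.11 user=admin pass=admin result=fail
2016-09-20T03:14:09Z telnetd: src=203.0.113.5 dst=10.0.40.11 user=root pass=888888 result=fail
2016-09-20T03:14:09Z telnetd: src=203.0.113.5 dst=10.0.40.12 user=root pass=xc3511 result=ok
2016-09-20T03:20:41Z telnetd: src=10.0.10.7 dst=10.0.40.11 user=ops pass=Correct-Horse-9 result=ok
2016-09-20T03:21:02Z telnetd: src=10.0.10.7 dst=10.0.40.11 user=ops pass=Correct-Horse-8 result=fail
garbage line that should be ignored
"""


if __name__ == "__main__":
    scanners, default_logins = analyse(SAMPLE_LOG.splitlines())
    for src, n in scanners.items():
        print(f"scanner: {src} tried {n} distinct factory-default credential pairs")
    for dst, user, pw in default_logins:
        print(f"factory credentials still accepted on {dst}: {user}/{pw}")
```

The threshold is deliberately low: a legitimate user mistyping a password does not cycle through five different vendors' factory defaults, so even a handful of distinct pairs from one source is a strong signal. The `default_logins` list is the one to act on first, since each entry is a device on your own network that any Mirai-style scanner can take over in seconds.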