The Internet of Things is exciting, but watch out for security vulnerabilities
UBIQUITOUS broadband connections, highly efficient power sources, and the need to gather data on just about anything – these have given rise to the Internet of Things (IoT), in which everyday objects communicate with each other to provide a smarter user experience. These can involve any object or device, big or small, that tracks the movement of items and sends data from a wide array of sensors.
Analysts expect the IoT ecosystem to grow rapidly, especially in enterprise. Gartner estimates 6.4 billion connected devices this year, up 30 percent from the previous year. By 2020, an expected 50 billion devices will be connected with each other, exchanging data, information and messages between them and with the decision-makers who rely on the data.
IoT primarily improves business operations by providing constant and real-time access to data, which can help improve logistics and the decision-making process. Beyond business, IoT can also drastically improve the way people interact with objects in our environment. In Asia Pacific, for example, Accenture is using IoT to manage forestry and agriculture systems with the use of drones.
IoT does not come without its drawbacks, however. With more and more devices connected, there is an increased risk of malicious entities using unprotected or under-protected devices as attack vectors. For example, in late 2015, security company Incapsula shared how one client was experiencing an HTTP flooding attack – a type of Denial of Service (DoS) attack – that ran from hacked CCTVs.
“Further investigation of the offending IPs showed that they belonged to CCTV cameras, all accessible via their default login credentials,” wrote Igal Zeifman, senior manager at Incapsula.
The culprit: about 900 CCTV cameras situated around the globe. These devices were still using the original login credentials, as the owners did not change passwords. All the compromised systems were running embedded Linux with BusyBox – which combines smaller versions of common Unix utilities, also commonly installed in rooted Android devices.
According to IHS Markit, there were at least 245 million CCTV cameras as of 2014 – around 68 percent are located in Asia. This does not include systems installed by unqualified individuals, which means there are probably more cameras that don’t have proper security precautions. Risks involving CCTV devices also represent but a drop in the sea, as billions of devices are expected to flood the market in the coming years.
Increased vigilance is necessary
With these growing risks, enterprises should be more vigilant against such unseen attacks. Networks of ‘zombie’ computers are already a common and successful way of taking down systems of scale through distributed attacks. An even larger network of nodes might be more difficult to trace and block.
The Open Web Application Security Project (OWASP) shares 16 key principles of IoT security, most of which involve assuming that connected devices are inherently vulnerable to attacks, and edge components are likely to fall into hostile hands. According to OWASP, the key in ensuring security is to:
- strip down access and feature sets
- incorporate multi-factor authentication
- design systems for scale
In addition, enterprises should expect attacks from autonomous and automated sources. Systems should be protected against external attacks (such as CCTV devices) as well as internal ones.
— Fortinet (@Fortinet) August 18, 2016
Enterprises that utilize connected devices should learn from Incapsula’s client – change the default access details to your devices.
“Anti-virus and security software are important considerations and often neglected,” Bobby Jimenez, Cloud and Enterprise solutions expert and CTO of a global clean energy company, tells Tech Wire Asia. “A lot of CCTV systems are controlled by PCs just like you and I use. If you’re conscious about security software on your personal machine then you should do the same for your CCTV system.”
In addition, installers need to check their router configuration, as most modern router models now have some form of anti-DDoS protection built-in and ready at just a tick of a setting, Jimenez shares.
IoT is expected to be a growth driver across the electronics and semiconductor industries, and enterprises can certainly bank on the benefits of enhanced productivity from the real-time data that connected devices can provide.
However, security risks are potentially a dark cloud that can loom over such gains, and the possibility of a hostile takeover by malicious entities or wayward code should be something everyone is ready to address.