AdaptiveMobile recently predicted that up to 80% of connected devices currently deployed do not have adequate security measures in place, with four in five devices on the market vulnerable to malicious or inadvertent attacks and data breaches. As the level of connectivity between devices continues to grow, a new model using a ‘big security’ approach of harnessing big data, telemetry and security algorithms is going to be needed to effectively protect the billions of devices connected through the Internet of Things (IoT).
Gartner’s research report, Predict 2016: Security Solution, discusses how the “security market will continue to evolve alongside new requirements from the Internet of Things, cloud computing and sophisticated targeted attacks…” Gartner estimates that a new architectural model will evolve, alongside such demands, in which security technology and services will be made available at the device and network layer, characterising the emergence of security solutions made within endpoints, gateways and IoT platform providers.”
AdaptiveMobile’s CTO, Ciaran Bradley, explained: “A new security architecture is required to deal with the increasing connectivity of devices belonging to the Internet of Things. There will be billions of devices connected through IoT – many unable to run traditional endpoint security – and there is no definitive ruling on who has responsibility to enforce this security and who is liable when a vulnerability is exploited. We need to be able to detect threats at scale – using a combination of lightweight telemetry and anomaly detection to give early indicators of compromise – and then enforce protection at scale. Not only are consumer devices at risk but automotive and industrial categories need to ensure security is a critical consideration – we do not believe this will be solved through current approaches to security, particularly when it comes to legacy systems.”
Given the increasing number of connected devices on the market, the frequency at which IoT vulnerabilities are being exploited and the pressure to keep costs of commercial devices low, manufacturers need to make security a priority.
To find out more about the risks we asked Luis Corrons, Technical Director of PandaLabs about the technology and the areas of concern for those offering security with IoT devices:
Why is the rapid growth of home networked systems a security concern?
Many IP enabled devices are advances to existing products, to increase convenience or functionality through connecting them to the Internet. These devices maybe perfectly safe on their own, need additional safeguards to be considered relating to their network connection and resulting capabilities, that were not taken into account in their original design.
What would be the worst case scenario for an unsecured IoT device?
Having any IP enabled device accessible by cybercriminals gives them a toe-hold into the network.
One scenario is if IP enabled CCTV cameras, which are designed to protect organisations’ physical assets, can be compromised allowing hackers to see and hear what is going on in order to plan criminal activities.
These IP devices can also create holes in the IT network allowing hackers to tunnel their way into enterprise servers in order to deliver viruses or steal valuable information.
Would you say that the use of professional IP CCTV cameras etc. poses less of a threat?
It is true that in general professional equipment is capable of greater security than its consumer equivalent; we cannot blindly trust it just because it is professional. Even within the IT world there are instances of professional equipment suffering from security flaws.
What advice would you give to installers when fitting IP systems to reduce the potential security risks?
We would recommend familiarity with equipment from a reputable supplier and ensure that any communication settings allowing access to the device from a web interface are secured with strong credentials and at least SSL encryption to protect it from attack.
- When installing any IP enabled devices change any default manufacturer credentials, as they are often standardised making them easy to guess.
- Always check to see if there is an updated version of the device software available, as often security bugs are discovered after the manufacture process.
- Any additional security options such as communications encryption or two factor authentication should be enabled.
We recommend these steps are also followed whenever servicing IP enabled devices.
We have seen stories in the media of systems being less secure than they should be. Has this surprised you given all we’ve known about network security for years?
The fact that IP enabled devices are not as secure as they could be does not come as a surprise.
There are a lot of companies who excel at device engineering, but do not consider security early enough in the development process. Often added on as almost an afterthought this is why we find the device security is not brilliant – the biggest risk is if the supplier does not even realise their devices are at risk.
When something is going to be connected to the network there are a number of additional scenarios that need to be taken into account. What measures are in place to block / detect unauthorized remote access to the device? What could happen if they succeed?
Any predictions for the future?
We have already seen examples of hackers taking remote control of a car’s software enabling them to control everything from the air-conditioning to the steering and brakes – all while the vehicle is moving.
While 2016 probably won’t be the year of the Internet of Things, as more and more devices connect to the Internet we will see many examples of innovative attacks carried out on these new devices.