The rise and rise of IoT cyber security issues
25th January 2019
Gartner is predicting that there will be 20 billion global Internet of Things (IoT) devices deployed by 2020. The cyber security of IoT technology remains a major issue for businesses and consumers alike.
The IoT market size in Europe is estimated to reach €242,222 million by the end of this year. The rise in popularity of IoT-connected devices is fuelling security concerns across the globe with smart devices like baby monitors, smart speakers, smart watches and thermostats potentially providing a gateway into home and workplace networks.
What is the Internet of Things (IoT)?
The Internet of Things (IoT) is a network of commercial and consumer devices that contain embedded technology (chip + software) which allows them to communicate and interact over the internet. These devices are usually monitored and controlled remotely. The IoT extends internet connectivity beyond standard computing devices, such as desktops, laptops, smartphones and tablets, to a wide range of traditionally "dumb" everyday physical objects.
Consumers and firms are worried
The Gemalto State of IoT Security survey confirms that 90% of consumers lack confidence in the security of their IoT devices. 54% of consumers own an average of 4 devices, but only 14% believed they had enough knowledge of the relevant cyber security risks. Nearly half of all businesses surveyed admitted that they did not use any measures to reduce the risk of cyber attack on the IoT devices used in their organisation.
Poorly tested for cyber security
Until recently, the manufacturers of IoT devices have released new products quickly and with little regard for the security of their customers. This is compounded by the use of many different kinds of hardware, OS, application software and communication technologies. Most companies offer firmware updates for only a short period, stopping the moment they start working on the next headline-grabbing gadget. Even worse, many manufacturers have chosen to use unsupported legacy Linux operating systems.
The UK Government introduced the Internet of Things (IoT) Security Code of Practice (CoP) for manufacturers and developers in 2018. Although the guidelines have been well received, implementing them will take some time. Of those firms that have committed to implementation, HP and Centrica Hive have said it may be 2021 before they can fully implement the CoP.
Weak default passwords can be brute-forced
Hackers brute-force weak default passwords to set up botnets using the Mirai malware, which targets domestic IoT devices to deliver massive and disruptive DDoS attacks. These include the Dyn attack in 2016, which created devastating disruption for Airbnb, Netflix, PayPal, Visa, Amazon, The New York Times and Reddit.
IoT malware and ransomware
As the number of IoT-connected devices continues to rise, so will the volume of malware and ransomware used to exploit them. Traditional ransomware relies on encryption to completely lock users out of different devices and platforms. New ransomware hybrids target IoT devices and focus on limiting or disabling device functionality while stealing the user's data at the same time.
Attacking multiple IoT vulnerabilities
More sophisticated botnet attacks are making use of multiple vulnerabilities in different IoT systems. In 2018, the Reaper botnet infected internet-connected webcams, security cameras, and digital video recorders (DVRs). Researchers identified nine known vulnerabilities in related D-Link, Netgear, and AVTech products. In comparison, a Mirai botnet attack would aggressively infect each device by running a list of known usernames and passwords against the device.
Data privacy and security
Data privacy and security continue to be the single most significant issue in today’s interconnected world. Data is continually being harnessed, transmitted, stored and processed by large companies using a wide array of IoT devices, such as smart TVs, speakers and lighting systems, connected printers, HVAC systems, and smart thermostats. IoT technology not only generates a vast amount of personal data but also provides the cyber criminal with a point of weakness that facilitates theft and fraud associated with the data.
OWASP Top 10 IoT security issues
The OWASP Internet of Things Project is designed to help manufacturers, developers, and consumers better understand the security issues associated with the IoT. It also enables them to make better security decisions when building, deploying, or assessing IoT technologies. Although a technical document, the OWASP Top Ten list provides an excellent guide to vulnerabilities associated with IoT technologies. The top three issues are weak passwords, insecure network services and insecure ecosystem interfaces.