#2018InReview IoT Security


Looking back over the last 12 months, it’s been a fascinating year in cybersecurity. The increased use of connected devices, and the overall involvement of IoT in cybersecurity – or should I say lack thereof – has produced some interesting news in the industry.

IoT devices have been embraced rapidly by both the consumer market and enterprises over the last year or so. With that demand comes a heightened responsibility for manufacturers to ensure that security is built in during the development phase, with appropriate security controls in place for processing, storing and transmitting end-user data, whether remotely or locally.

Mechanisms need to be in place so updates can be easily deployed when available, while ensuring devices are fully protected with the mandatory changing of default passwords, for example.

While nothing in the last year has come close to the impact of the Mirai botnet of 2016 or the sheer size of the Gafgyt botnet in 2017 (knock on wood), there have been some key developments in IoT and cybersecurity in 2018.

For example, in February, we saw Meltdown and Spectre start to affect CPU hardware, forcing a redesign of the kernel software at the core of all key operating systems. It was also discovered that patching the hole was having an increasingly negative effect on a machine’s performance, leaving users without a solution.

Meltdown became the more serious exploit of the two, as it strongly affected Intel processors due to the aggressive way they handle speculative execution. Spectre’s impact focused more on handheld devices, such as tablets and mobiles. 

It also was revealed in May that more Spectre-esque flaws had been discovered within Intel processors. Intel reported that some Spectre bugs were not fixable in older architectures, prompting some consumers to cease use of their devices.

Another key development saw a strain of the Mirai botnet appear on devices earlier this year. The original source code for Mirai was still openly available; however, the new version appeared online titled Okiru Mirai. Questions about the security of any device were raised, and companies scrambled to reassure users that they were protected as they patched any holes that were found. Many claimed it had the potential to launch the biggest DDoS attack in history.

Growing concerns around IoT security have become more of a priority with governments this year, too. In the United States, California became the first state to pass an IoT bill forcing manufacturers to ensure reasonable security on their devices. Meanwhile, the British government announced new measures to protect the security of connected devices within the home.

This is a step in the right direction, as households are expected to have 15 connected devices each by 2020, and tougher security restrictions on these devices mean better online safety for customers.

The fallout from the 2017 CloudPets hack demonstrates actions that should be taken when vulnerabilities of connected devices within the home are exposed. Earlier this year, Amazon, Target and eBay removed the toys from their online stores due to the risk of hacking, once news emerged that millions of voice recordings from the toys were being stored online and could be easily accessed by attackers. Yet one quick search on Shodan shows thousands of insecure IoT devices still active.

IoT is still in its security infancy, and the array of new (debatably useful) connected devices available, such as the smart toaster that prints the weather on your bread, creates a larger attack surface to defend, which, when compromised, could grant an attacker access to sensitive and valuable data. Physical security of these devices is also often overlooked, whether it’s a smaller device that can be stolen or a device left unattended that can be targeted. Businesses from every industry need to take control of their own security, understanding the risks associated with connecting more and more devices to the network. Devices need to be maintained and monitored, moving away from the current ‘set it and forget it’ mentality. In addition, understanding how and what data a device collects, stores and communicates is crucial to securing sensitive data.

Ideally, over time, consumers can use their buying power more wisely, but this will require a lot more education, regulatory standards and approval marks on packaging and online sales sites, so buyers can be assured that devices have been properly designed and tested for security compliance.

It’s developments and discoveries such as these that have shaped our awareness of IoT devices, the potential threats they pose, and what we can be doing more of to protect ourselves, our homes and our businesses. Many people are ignorant of the threats facing these devices, and in today’s environment any device connected to a network can be hacked.

With websites like Shodan – the search engine exposing vulnerable online devices – targets are unlikely to go under the radar. The general public, purchasing these devices for added convenience or novelty, are also unlikely to be aware of what to look out for, such as the many instances of people not changing the default passwords on their devices. In other cases, people have been completely unaware the device is even connected to the internet.
 
We need to increase awareness around these issues, and realistically we need to combine specific security approaches with legislative restrictions if we want to ensure that these devices – and our information – are secure.
