In a keynote address at the IoT Security Conference in September 2015, the chief information security officer of the FBI said that IoT breaches could affect end users even more than typical enterprise data breaches. TechTarget quoted FBI CISO Arlette Hart about why IoT technology is outpacing security: “[With technology], cool trumps safe. The capabilities themselves are almost always developed without security in mind. We need to change that [for IoT]." Noting that sensitive personal information is now interconnected with devices such as health monitors, door locks, cars, baby monitors, and household appliances, Hart said that breaches of individual devices could have serious effects on consumers.
The FBI is not the only agency concerned with the information security of personal devices. In January 2015, the Federal Trade Commission (FTC) issued a staff report on the security of consumer devices, noting that the prevalent lack of security can put end-user privacy and, in some cases, physical safety on the line. As more businesses take advantage of the business opportunities presented by these devices, and as more employees bring these devices into the workplace, consumers are not the only ones in jeopardy. In this second part of our series on IoT security, we’ll look at the business risks of personal devices and the steps that businesses can take now to protect themselves. Miss the first part of this series? Find it here.
Billions and billions of risks
Computer Science Zone predicts that the use of wearable personal devices such as fitness bands, smart watches, smart glasses, and smart cameras will grow from around 1 billion to over 5 billion devices by 2020, and that’s not necessarily counting other consumer devices such as baby monitors, smart locks, smart toys, and even smart clothing. While some of the hacking scenarios are far-fetched (unless you’re a paparazzi target, how likely is it that someone will hack a camera in your child’s smart toy?), other devices pose real security risks.
The FTC report Internet of Things: Privacy and Security in a Connected World outlines a number of very credible scenarios, including the possibility that the devices could be attacked directly, either to steal personal information or to interfere with the device itself. For example, while the information on one average individual might not be worth much financially, information such as the user’s location could be used by thieves to tell when someone is away from home. Direct attacks on devices could also be serious, for example, if hackers interfered with a critical device such as a heart pump or gained access to a home by hacking a smart lock. Computer Business Review recently covered a more light-hearted case in which hackers attacked IoT kitchen devices in the U.K., causing smart toasters to refuse anything but healthy bread and smart freezers to shut down when they detect ice cream.
The more likely, and potentially more damaging, scenario is that hackers will compromise personal devices as a way to grab credentials or introduce malware into enterprise networks. Companies that offer service via mobile devices will be vulnerable, as well as organizations where BYOD includes new IoT devices. In a recent Wall Street Journal blog, Matt Loeb, CEO of the Industrial Systems Audit and Control Association (ISACA), pointed out that “Workplaces are becoming more difficult to secure as connected devices like fitness bands and smart watches spread in popularity and make their way to the office on the wrists and in the pockets of employees. [As] these seemingly harmless devices connect to your company’s networks or servers and share and store information, they create more entry points where such information can be compromised. Cybercriminals realize this. Many of your employees probably don’t.”
In her keynote address at IoT Security Conference, FBI CISO Hart also noted that many businesses that offer services through IoT devices collect large amounts of user personal data that can be at risk from insider theft, warning that "Malicious insiders are an internal threat to your infrastructure. The inadvertent insider is one of the biggest causes of compromise. You trust your employees, really? You have 40,000 employees and not one of them is bad?"
Security in small packages
The FTC report makes a number of recommendations for the security of consumer IoT devices. First and foremost is that manufacturers start designing in security, not adding it as an afterthought. An HP study found that as many as 70 percent of IoT devices are vulnerable to attack, and once an insecure device is in consumers’ hands, chances are low that the security issue will be fixed. Writing in Developers, Nermin Hajdarbegovic points out that, “If a vulnerability is discovered on that type of [low-cost] device, it may be difficult to update the software or apply a patch — or even to get news of a fix to consumers. In the rush to bring new products and services to market, many companies are likely to overlook long-term support. It happens all the time, even in the big leagues [enterprise computing], so we always end up with millions of unpatched and insecure computers and mobile devices.”
Businesses that incorporate IoT devices can help motivate device manufacturers by making security a requirement in their selection process, reviewing not only the security mechanisms in the device but also the manufacturers’ plans to deploy security patches. Businesses also need to make consumers and employees aware of the security and privacy hazards posed by their personal devices. The latest ISACA Risk/Reward Barometer found that 84 percent of IT professionals surveyed believe device manufacturers don’t make users sufficiently aware of the type of information the devices collect, and 73 percent do not believe that current security standards in the IT industry sufficiently address the IoT. The report observes that, “While 65 percent of consumers do have a healthy fear that their IoT device(s) may be hacked, nearly the same amount (64 percent) are confident that they can control the security of these devices — a stark contrast to the paltry 20 percent of IT professionals who share their optimism.”
Whether personal devices are part of your business model or simply (and almost inevitably) among the devices your staff brings to work, include them in your risk assessments and response plans. Pay attention to the new types of devices that people may be bringing to work. IoT consumer goods are proliferating fast, and 49 percent of the respondents in the ISACA survey said their IT department is not even aware of all of its organization’s connected devices. (ISACA also requires that all employee-owned devices be wirelessly connected through its workplace guest network rather than the internal network, a practice worth emulating.)
In addition to these measures, the FTC recommends that organizations minimize the data they collect from consumer IoT devices, and make sure consumers are informed about the data being collected and how it will be used.
Privacy and security should trump cool
FBI CISO Hart is spot on in noting that cool technology sometimes trumps safety concerns, but we, as privacy and security professionals, need to make sure that cooler heads prevail. IoT technology needs to be selected carefully, and incorporated into the privacy and security plan before it is deployed in the business. Consumers and staff need to be educated about the risks and how to protect themselves. IoT is one more, very large front in the battle against cyber-crime. As Hart said in her keynote: "The threat vectors are increasing and they're pervasive, and they're going to keep on coming. And they're going to accelerate because this is such a rich field. IoT compounds the security challenges that we already have."