IoT Security Nightmares

At the same time that consumers and manufacturers are getting excited about the potential opportunities, capabilities, and revenue that Internet of Things (IoT) enhanced devices can offer, many are already starting to understand the frightening lack of essential security functionality and the potentially overwhelming opportunities for exploitation.

The IoT is only in its infancy, and yet there has already been an alarming diversity of exploits that have rocked our consciousness, including hacking into personal medical devices, automobiles and home security devices, and highly publicized access to industrial systems controlling basic infrastructure like power.

What makes a device part of the IoT is that it is a physical object, is connected to and interacts with a network of some type, and can transmit the data that it is collecting. These networks can be embedded systems for a business network, a personal area network (PAN) interacting through RFID, or even a more public network. The important issue is that IoT devices transmit data from themselves to a collecting agent or system, and that is where the sensitive information can be vulnerable to exploitation.

The worrisome part of the future of IoT is that manufacturers are being pushed to release products as soon as they can so they don’t fall behind competitors. Historically, that means that important security issues haven’t been properly planned for or tested, which means the products can be ripe for a whole new wave of viruses and other malware, denial-of-service attempts and, most critically, an attacker taking unauthorized control of the devices.

IoT device manufacturers are going to need to perform “red team” analysis to help determine how the devices can be abused in unforeseen ways and what the consequences could be. One of the worries about the future of the IoT is that many of the manufacturers that are now working to develop IoT devices haven’t had to think about network security for previous versions of their products (e.g., home appliances, personal medical devices).

To try to stay ahead of the potential exploits and inappropriate access to sensitive data, the manufacturers are going to have to deal with the same tried-and-true security areas that other devices like firewalls, routers, handhelds, tablets, laptops and other network-based systems have had to deal with:

  • Authentication
  • Authorization
  • Encryption of sensitive data at rest and in transit
  • Privacy and confidentiality with regard to security standards
  • Maintaining updates
  • Monitoring the physical security of IoT devices
  • Secure administration