The connected world is coming sooner than you think. App developers and mobile service providers are already taking advantage of the new era of connected cars, wearable devices, and entire smart homes — all fitting into the notion of the Internet of Things (IoT).
This sudden expansion will boost the economic impact of the IoT as consumers, businesses, city authorities, hospitals, and many other entities find new ways in which to exploit the technology. Yet, they won’t be alone. Hackers will increasingly target this technology and exploit it in a very different way.
This raises the question: what about IoT makes it such a vulnerable target for cyberattacks? Here are three security problems that IoT will create:
IoT device manufacturers do not have the same luxury as their mobile counterparts, because IoT devices typically gather very sensitive information in the physical world and do some minimal amount of processing of that information on the device before sending it to a backend server.
At the same time, consumers demand highly responsive IoT devices. Hence, IoT manufacturers cannot completely shift the processing of sensitive information to a centralised server. Because of inherent design flaws, hackers will have a much more reliable opportunity to access and steal information from an IoT device than from a mobile device.
History has taught us that, when security patches are not downloaded automatically and are not easy for consumers to apply, consumers are less likely to apply them. Several key technical challenges (limited online availability; restrictions on computing power; limited graphical user interface) will discourage consumers from applying security patches to IoT devices. Hackers will be more likely to exploit known vulnerabilities in these IoT devices because consumers will not apply established security patches.
Beyond a shadow of a doubt, hackers will take advantage of these weaknesses in security, given the opportunity. That leaves a lot of cars, alarm systems, locks and so on open to compromise.
The best and only answer is insisting that designers behind IoT software build security into their systems as a core design requirement. Requirements should include adding new security capabilities that prevent a hacker from conducting static/dynamic analysis of IoT software. Furthermore, IoT software should have runtime modification detection capabilities.
It’s also crucial to involve and educate end users about security and build mechanisms into the device that will help them make the right decisions regarding privacy and security. That means including instructions for secure usage — in layman’s terms.
And this is where end users need to do their part as well. Hackers count on consumers to make their job easy for them by engaging in insecure online behaviour. Everyone always thinks: “Who would want to hack me?” But today, hacking is more business than personal. If an end user chooses to use an IoT device that collects information, they should quiz the vendor on security certifications and policies, pay close attention to firmware upgrades, and carefully inspect any email sent by the vendor that contains a link or asks them to download something.
Jonathan Carter is technical director at Arxan Technologies