There’s no shortage of reasons why people are bullish on the IoT (Internet of Things), which refers to the ability of everyday objects to connect to the Internet and to send and receive data. For starters, the sheer volume of connected devices is astonishing. The number of connected “things” has already surpassed the number of people on the planet. And projections anticipate that figure growing to 21 billion devices by 2020, potentially even ballooning to 100 billion in the years that follow. But what’s really exciting about the IoT is the wide-ranging benefits it affords to industries as broad as healthcare, manufacturing, transportation and government, which is deploying IoT solutions that impact critical national infrastructure, consumers and citizens.
But the important IoT benefits provided by widely available cloud-connected devices capable of intelligent behavior are tempered by dangers. Each of these devices is a potential entry point for a network attack by insiders, hackers or criminals. And those threats aren’t idle either. According to a study from HP Security Research, 70 percent of the most commonly used IoT devices have significant security vulnerabilities.
Last January, the Federal Trade Commission (FTC) released a detailed report on the security and privacy risks the IoT posed to American consumers. In the report, the FTC singled out weaknesses that, if exploited, could cause serious harm to consumers, from enabling unauthorized access and misuse of personal information to facilitating attacks on other systems.
Traditional Devices Open the Door to Your Data
A lack of security in IoT devices, like in desktop computers and traditional mobile devices, opens the door for intruders to access and potentially misuse personal information that’s collected and transmitted. As a result, connecting more of these devices in additional – and more remote – locations creates new, and heightens existing, security risks, because every single one of those devices – and sensors – could represent a vulnerability. Strong encryption, in general, is difficult on small, low-powered devices, which exacerbates the intrinsic problem of wide availability and distribution of the IoT, i.e., that any network of devices could be the weak link, rendering the whole network susceptible to hackers.
The Rush to Produce New Products
Part of the exposure arises from the fact that too often, in the rush to bring new products to market, privacy and security features are only tacked on after the fact, rather than baked into the device at the outset. Upgrades to security protocols also need to be disseminated to all devices within a feasible timeframe. With the proliferation of devices, manufacturers need to establish and manage trusted relationships between devices over their entire lifecycle. And this needs to be done explicitly, so as to reduce the possibility of attacks against vulnerable systems.
The sheer breadth of IoT devices also highlights the need for consensus over standards: standards for applications and standards for security systems. Right now, security in the IoT is a jumble.
Security Issues and Employees
Moreover, security risks are also arising in the enterprise, as employees bring IoT devices, like Fitbits, smartwatches and other wearables, within the company firewall. It’s similar to the challenge posed by Bring Your Own Device (BYOD), which is already flummoxing organizations. For context: 47 percent of the industrial organizations that use, or plan to use, the IoT had previously experienced security breaches in their industrial applications.
Smart Devices Making Smart Decisions
Although machines have been talking to and interacting with other machines in a business context for decades, the rise of smart adaptive devices, which, as the name suggests, make their own smart decisions, as well as pass data to other devices, is rather new. And the proliferation of those devices poses serious security challenges for organizations. If poorly considered and executed, IoT deployments can lead to hackers waging cyberwar on businesses and launching Distributed Denial of Service (DDoS) attacks on enterprise infrastructure. Businesses can guard against these kinds of attacks by properly maintaining and patching their servers, as well as educating their user base and enforcing policies on connecting devices to corporate networks, given the likelihood of increased traffic on corporate systems coming from connected sensors in the IoT.
What About the Data Created by the IoT?
The possibility of attacks goes well beyond network vulnerabilities. Ultimately, the IoT is leading to a drastic influx of collected and actionable data, whether companies are actively investing in new IoT solutions or passively hosting wearables within the firewall. The data from these devices, if not secured properly both internally and externally, can be exploited to interrupt business continuity or be used in social engineering. So when planning to deploy IoT software at a business, security officials should anticipate the possible consequences. Also, how does the logging and collecting of this data as it traverses your network impact local data privacy laws?
Educating Your Team – Protecting Your Company
On the whole, IT departments seem unprepared to handle the varied challenges posed by the IoT. In a Cisco-sponsored study, 78% of surveyed IT security professionals admitted to either being unsure of their capabilities or believing they lacked the visibility and management required to secure new kinds of network-connected devices.
Moreover, exposed application programming interfaces (APIs) present a serious threat to businesses using IoT devices. Hackers can take advantage of companies whose API features are undocumented, uncontrolled or being rolled out. And IoT software can also give itself too many permissions, leaving software vulnerable to attackers, who can leverage or automate it.
Investing heavily in the IoT can also introduce potential privacy repercussions, as data that’s created needs to be stored in compliance with national privacy laws and regulations. Businesses should be aware of who they’re gathering data from, where those individuals are located and where that data is being stored.
In short: Despite its clear benefits to businesses, consumers and governments alike, the IoT is built on nascent technology and presents various susceptibilities of which users should be mindful. For the IoT to reach its full potential, it must be built on a foundation of trust and data integrity – which means securing the multiple points of vulnerability.
Keith Waldorf is vice president of engineering for iPass. iPass is a global provider of mobile connectivity, offering always-on Wi-Fi access on any mobile device. iPass has 50 million hotspots in more than 100 countries, at airports, hotels, train stations, convention centers, outdoor venues, inflight, and more.