One of the largest growing technology sectors is the Internet of Things sector. This includes devices we see on the market today that add technology and innovation to existing devices using the power of the internet. In this article, I want to articulate the massive scope the Internet of Things includes, the challenges these devices bring, why some of these devices are not a good idea and how you can improve the security of the ones you choose to use.
The Attack Surface is... ...
The volume of devices included in the Internet of Things market are exponentially growing from Google Home, Nest, Smart Refrigerators,. Smart Watches, Drones, Smart Pressure Cookers, Bike Handles, Lights, Bathroom Scales, Blenders, Toasters and even a smart plate. These devices can provide efficiency upgrades over their non smart counterparts and provide some analytics to help the every day person accomplish tasks more successfully. Others allow for some very cool interactions, be it the ability to tell your Google home to play music to having your fridge remind you that you need milk. With this technology and innovation, there is a massive Cyber Security component to these devices. I want to provide some context regarding this topic as the sheer scale here is hard to fathom.
The Internet of Things footprint is already massive. It is estimated that there are roughly 20 Billion IoT Devices on the market today. By 2025, that estimate is headed north of 75 Billion devices, accounting for over 8 devices for every man, woman and child on planet Earth. By 2025, 25% of the entire world's data footprint, zettabytes upon zettabytes of data will come from real time accumulation from IoT devices. For Reference, a 1 Zettabyte is 1 Billion Terabytes or 1 Trillion Gigs. This is an incomprehensible attack surface with a monster volume of data to protect.
This is the first major problem we have. Managing devices of this magnitude, ones that are primarily marketed towards home users and not businesses will be very, very difficult. Devices generally have vulnerabilities discovered every day. Attempting to keep the average end user updated for their smart blender or their Google Nest is likely going to fall on deaf ears.
The second major concern we have is that the volume of IoT devices in existence that have internet connectivity provide malicious actors who wish to create a botnet a huge potential candidate pool. If you can find a hotel or a nursing home full of smart TVs, cameras, etc, then you can make quite a massive botnet. We referenced what a botnet is before but for review, a botnet is a massive collection of computers that a malicious actor controls. These can be used for anything that the endpoints can achieve but the most common actions for botnets are malware distribution and Denial of Service attacks.
The third issue we have with IoT Devices are that many of them, particularly early ones, had very very little regard to cyber security. They use cheap, simple protocols, default passwords, sometimes with no ability to change them and poorly coded applications. This is a major concern as it makes the barrier for malicious actors to compromise those devices trivial.
And the final major concern we have with IoT devices, and perhaps the most critical, is the sheer volume of data they provide and the lack of encryption or other safeguards that IoT devices provide to that data. As we mentioned earlier, IoT devices are going to exponentially increase the world's data footprint in terms of real time data, be it video of your refrigerator to what searches you are performing on your Google home to the average temperature your smart thermostat is set to during the month of January. Data is a resource that is just beginning to be tapped into and the IoT era is going to be a huge player in the data collection of that era.
Securing these devices has become a larger concern for the manufacturers. Many are providing better security measures within their products for consumer protection, legal and even marketing reasons. But to secure a large group of devices as a whole is a larger challenge. Most come from different vendors, may have different coding standards, different security postures and so forth. The best guide we have so far actually comes from the Department of Homeland Security and their Science and Technology Directive. This includes detecting, authenticating and updating devices used. These guidelines articulate permissions for use within government sectors, place rules upon code changes and place hard guidelines for device vulnerabilities, use cases, non deprecated protocol usage and encryption standards. Another security measure we can take from an enterprise perspective is digital signatures for each device so there are no concerns with rogue or compromised devices being added to the network.
For the home user, it is about due diligence. I would recommend buying only devices that you truly feel you will gain some tangible advantage using and one that you feel safe sharing whatever data you input towards it. For example, I do not own any home assistance module in my house. No Google Home, Amazon Alexa or other device that provides voice commands to execute tasks. If these devices have the ability to listen to input when you choose to activate it, then it is not unlikely that the parent company can activate this as they choose and I don't feel comfortable using one. An article that provides some context for this can be read here:
Other folks may be perfectly fine with using these devices and never think twice about it. But, they may object to a webcam being live in your house which may include your doorbell or your fridge. You might be successful with a smart scale but someone else wants no part of their weight being public domain for a company to market diet plans to them. Keep an eye on the devices you buy in terms of passwords. Change the default passwords of any device you buy, be it an IoT device or your home wifi router, and keep your wireless network as secure as you can. The volume of IoT devices that you use is up to you. Remember, just because you can doesn't mean you should.
What IoT devices do you use? Are there ones you shun due to security concerns? What devices are you interested in seeing for future use? Let me know in the comments below!
Comments