The Internet of Things, or IoT, is appealing for a number of reasons—most notably because it will lead to a significant increase in visibility and control of devices and equipment. Many of the devices, however, contain security vulnerabilities.
The IoT is the network of physical objects that contain embedded technology enabling them to communicate and “sense” or interact with their internal states or the external environment. These physical items—such as machinery—can be connected to the Internet, and they then can communicate information ranging from what the device is and where it’s located, to environmental conditions and operational health. As the number of intelligent devices continues to grow rapidly, it will create a network with information that allows supply chains to assemble and communicate in new ways.
Unfortunately, manufacturers and consumers haven’t taken the same security precautions with these devices that they would normally take with a PC. These vulnerabilities could enable hackers to seize control of devices and—potentially—use the devices as a means to spread malicious spam or launch a cyber-attack capable of disrupting services or shutting down entire networks.
The problem is widespread too. According to new research from HP, 70 percent of the most commonly used IoT devices contain vulnerabilities, including weaknesses in password security and encryption and a general lack of granular user access permissions. HP used HP Fortify on Demand to scan 10 of the most popular IoT devices, and uncovered an average of 25 vulnerabilities per device. The IoT devices tested—along with their cloud and mobile application components—were from manufacturers of TVs, webcams, home thermostats, remote power outlets, sprinkler controllers, hubs for controlling multiple devices, door locks, home alarms, scales and garage door openers.
The report, “The Internet of Things Security: State of the Union,” notes that the most common and easily addressable security issues include privacy concerns, lack of transport encryption, insecure web interface, and inadequate software protection. I suppose it’s to be expected, but insufficient authorization was another critical lapse. As many as 80 percent of IoT devices tested, including their cloud and mobile components, failed to require passwords of sufficient complexity and length. Indeed, most devices allow passwords such as “1234.”
“While the Internet of Things will connect and unify countless objects and systems, it also presents a significant challenge in fending off the adversary given the expanded attack surface,” says Mike Armistead, vice president and general manager, Fortify, Enterprise Security Products, HP. “With the continued adoption of connected devices, it’s more important than ever to build security into these products from the beginning to disrupt the adversary and avoid exposing consumers to serious threats.”
I was interested to see the takeaways the report’s authors noted, which were:
- Internet of Things security is not one-dimensional.
- IoT Security is not just a consumer problem. Corporations need to be looking at how their ICS and SCADA systems fare when looked at under a similar light.
- The current state of IoT security seems to take all the vulnerabilities from existing spaces, e.g. network security, application security, mobile security, and Internet-connected devices, and combine them into a new (even more insecure) space, which is troubling.
It’s one thing to learn that, as was reported in the LA Times this spring, cybersecurity solution provider Proofpoint tracked a global attack that sent 750,000 malicious emails from more than 100,000 devices—including home Wi-Fi routers, TVs, DVRs and even a refrigerator. But when you begin to think about how SCADA systems, or even public utilities such as water and electric systems, may become vulnerable, the situation takes on a different level of importance.
What are your thoughts on the IoT? Does your company have a plan to address potential vulnerabilities?