The Internet of Things (IoT) is a blanket term applied to physical objects that have wireless connective capabilities. And its use is growing. While businesses and consumers have been eager to reap the benefits of IoT devices, the security of these devices have been less than an afterthought. Gartner predicts that by 2020, over half of “major new business processes and systems will incorporate some element of the Internet of Things” and 20 percent of annual security budgets will be attributed to IoT security compromises, up from under 1% in 2015.
More and more often, we’re seeing security breaches related to IoT. Wired called 2015 the year the Internet of Things got hacked. We’ve provided an overview of the consumer, industrial and manufacturing, and healthcare industry with its specific IoT vulnerabilities.
From fitness wearables tracking heart rate, steps, and sleep, to smart fridges and smart toothbrushes, to even wifi-enabled Barbies, just about any consumer product can be equipped with wireless capabilities. Unfortunately, news of hacked devices are coming in week after week. It was reported in October of last year that hackers could hack into FitBit devices through Bluetooth, risking potential malware injections once the devices synced back to computers and mobile devices. A Samsung SmartFridge failed to validate SSL credentials, potentially exposing sensitive information such as Gmail login credentials to would-be hackers and further systemic vulnerabilities were discovered by researchers from the University of Michigan.
Many consumer-based IoT devices have capabilities that allow them to communicate over a wide range network protocols such as HTTP, Telnet, SMB, and FTP. Because their functionality is intended to be specific and minimal, the same can be said about their security. Hackers can intercept communication attempts and connect with the IoT devices directly, giving them access to the connected network and allowing them to obtain sensitive information.
Industrial & Manufacturing
The Industrial Internet of Things (IIoT) aims to improve operational efficiency, automate processes, provide real-time monitoring, and enable remote access capabilities. Whereas consumer IoT is a feature-first technology, IIoT is focused on empowering the industry through connective capabilities, industrial control systems, and device-to-network access. Accenture’s conservative estimates place spending on IIoT to reach $500 billion by 2020.
While cybersecurity attacks are much less frequent, the consequences can be devastating and often involve national security. Attacks targeting industrial control systems (ICS), which control industrial plants, buildings, and infrastructures, can bring down entire cities. The ICS-CERT, part of the DHS, reported that US ICSs were attacked at least 245 times between October 2013 and 2014 and hackers were able to identify network switches as the weak link in thousands of ICSs. Just recently, viruses were found in a German Nuclear Plant, leading to 1k computers being checked and cleaned up.
Risks in this industry are especially dangerous as many of the systems and devices are provided by third-party vendors. This makes continuously monitoring and assessing the security postures of these systems and companies a difficult endeavor. Worse still, because these industries involve massive infrastructures that affect entire districts, updating cybersecurity is a slow-moving process and approached reluctantly.
The Internet of Things has brought immense benefits to the healthcare industry, providing data capturing, monitoring, and analyzing capabilities, increasing efficiency, saving lives, and vastly improved patient care. As we noted with a previous blog post, the healthcare industry has hefty cybersecurity concerns and IoT security concerns are also expecting to grow, as the market that is expected to grow to $110 billion by 2020.
Smart medical devices can be hacked to force malfunction, be used improperly, or to provide private patient information. Hackers with access to these devices can cause serious havoc and potentially put victim’s lives at risk. The ICS-CERT has already issued advisories on existing medical devices such as the Hospira LifeCare PCA Infusion System, noting vulnerabilities that can be exploited remotely. Device manufacturers need to keep security in mind but the onus cannot be solely on the manufacturers. Healthcare facilities must also ensure that any device with wireless capabilities is secure and not providing unwarranted access to their networks outside of their intended functions.
Maintaining IoT Security
The Internet of Things has brought unprecedented innovation to a number of industries for both business and consumers. To keep up with increasing demand, IoT-enabled devices are created and produced quickly without security in mind. And because adopting IoT means adopting a large number of network-connected devices, the risk of one IoT device failing to be secured is ever higher.
Security professionals should be taking IoT security incidents as an inevitability rather than a possibility and be diligent. In the same way mobile devices and computers are tracked, it’s important to always be aware of your IoT device inventory, understand how they’re connecting to your network, and ensure they only have access to necessary information. This way, if a malicious actor does exploit an IoT-enabled device, their access is limited and they won’t have the capability of wreaking havoc within your network.