
IoT Product Failures and Security Impacts


Dr. Christopher Pierson, CSO and General Counsel, Viewpost
From our cars to our televisions to locks, cameras, and lights, we are immersed in the Internet of Things (IoT) world. Even our crock-pots now have the option of being connected to the Internet, automating dinner at the push of a button! In many ways, IoT devices have enabled convenience, comfort, automation and monitoring, have improved physical security, and have decreased the amount of time spent on menial or repetitive tasks. The explosion of IoT devices this past holiday shopping season was made even more evident by the sheer number of cameras, doorbells, and thermostats that were heavily discounted and flying off store shelves.
In fact, a recent study from the Interactive Advertising Bureau found that 62 percent of U.S. consumers own at least one IoT device. Gartner pegs the number of global IoT devices in 2016 at 6.4 billion, rising to nearly 21 billion IoT devices by 2020. The explosion of IoT devices is in part due to their ability to easily connect to home networks—no more opening ports, using static IP addresses, or punching holes in the firewall. IoT devices just work the way “plug and play” was originally envisioned.
IoT is here to stay and its simplicity and convenience are what will truly make our homes “smart” and more efficient.
So what is there to talk about?
With the ease of connecting devices to your network (home and, yes, the work environment), consumers are empowered to tackle those do-it-yourself projects and claim success when the blinking light turns green. Each of the products we connect to our networks puts connectivity and operations ahead of all else, especially cybersecurity.
The tales of misconfigured devices have been captured in the past on webpages showing infants sleeping and other cameras showing private moments. So, what is different in the year 2017?
At the end of 2016, we witnessed multiple Distributed Denial of Service (DDoS) attacks using IoT cameras against Krebs’s website and the DNS provider Dyn, which flooded these networks with Mirai-laden botnet traffic peaking at 660 Gbps and 1 Tbps respectively. It is estimated that 100,000 hijacked cameras and other IoT devices were behind this botnet army.
It is the ease and ability of an adversary to wield IoT devices in such high numbers that has changed the game for cybercriminals and their unsuspecting targets. It is unlikely we have yet seen the biggest risks from unsecured IoT devices.
IoT Risks in 2017
To date, weaknesses in IoT devices have been exploited for botnets and by digital voyeurs. However, the business of cybercrime will rapidly shift in 2017 to other attacks, including:
• Hijacking/Ransomware—taking over IoT devices and then requesting payment to regain access to the device. Although a hard factory reset may help return the device to a known safe state, many consumers will struggle with this.
• Destruction—bricking IoT devices is a sure-fire way to harm the U.S. economy and the entrepreneurial spirit embodied by these companies and products.
• Extortion—devices with microphones and cameras are especially susceptible to leaking information that is of a private nature.
• Extortion—the continuation and escalation of large-scale DDoS attacks using IoT devices.
How do we tackle this insecurity of IoT?
IoT devices have demonstrated the capacity to bring immense value to the forefront of consumers’ lives. Just check out the websites of several leading camera providers and you will see the videos of many burglars who are now behind bars that previously would have victimized countless others but for the camera on the bookshelf or in the window. So, with all this good, how do we tackle insecurity without smothering creativity?
1. Balance operationalizing the product with cybersecurity at the Venture Capital Firm and Board levels.
Security can be a very important differentiator, especially when a product sits in the most private place in our lives—our home. Of great importance is selecting a VC firm and Board who know how to hire the right advisors to ensure security is on the roadmap in a way that does not cause friction and will still allow a company to capture and retain market value. If a webcam were attacked and every one of the $200 devices rendered useless, or the lights in a house forced to blink on/off every second, the goodwill of those companies would be eroded. Selecting business partners who know how to mitigate these risks can improve the overall product and customer experience.
2. Aligning the interests of the product engineers and creators with agile and open-minded privacy and cybersecurity experts.
Simply put, baking security and privacy into a product on the front end is less costly and disruptive than trying to code it on the back end. All too often the interests of engineers and security teams are not aligned with the company’s most important interests—the products/services. This is a failure of leadership and something that can be easily avoided. No one wants their IoT devices letting the world know what they are doing, and we can and should coalesce around this goal of alignment.
3. Making cybersecurity part of everyone’s job—even the engineer’s job
Most engineering programs do not have mandatory components of secure coding or cybersecurity as a part of the basic requirements. While non-engineering talent can help educate coders and designers, it is best to have a baseline level of knowledge on how to code securely, test APIs, secure a web application, and avoid those items that are consistently part of the OWASP Top 10 and SANS Top 20 lists. Where it does not exist, it is up to the leadership to sponsor and grow this talent.
4. Incentives for strong cybersecurity
Sponsoring cybersecurity in IoT devices through incentives, grants, or even subsidizing cybersecurity positions or access to cyber-talent benefits everyone. We can and should make this a priority.
IoT devices add immense value for the consumer, but we need to be careful that we embed basic cybersecurity protections and controls in each product prior to pushing them into the market.
