IoT Product Failures and Security Impacts
From our cars to our televisions to locks, cameras, and lights, we are immersed in the Internet of Things (IoT) world. Even our crock-pots now have the option of being connected to the Internet, automating dinner at the push of a button! In many ways, IoT devices have enabled convenience, comfort, automation, and monitoring; have improved physical security; and have decreased the amount of time spent on menial or repetitive tasks. The explosion of IoT devices was even more evident this past holiday shopping season in the sheer number of cameras, doorbells, and thermostats that were heavily discounted and flying off store shelves.
In fact, a recent study from the Interactive Advertising Bureau found that 62 percent of U.S. consumers own at least one IoT device. Gartner pegs the number of global IoT devices in 2016 at 6.4 billion, rising to nearly 21 billion by 2020. The explosion of IoT devices is in part due to their ability to connect easily to home networks: no more opening ports, assigning static IP addresses, or punching holes in the firewall. IoT devices just work the way “plug and play” was originally envisioned.
IoT is here to stay and its simplicity and convenience are what will truly make our homes “smart” and more efficient.
So what is there to talk about?
With the ease of connecting devices to a network (at home and, yes, in the work environment), consumers are empowered to tackle do-it-yourself projects and claim success when the blinking light turns green. Each of the products we connect to our networks puts connectivity and operations first, ahead of everything else, and ahead of cybersecurity in particular.
Tales of misconfigured devices have surfaced in the past on webpages streaming footage of sleeping infants and other cameras capturing private moments. So, what is different in the year 2017?
At the end of 2016, we witnessed multiple Distributed Denial of Service (DDoS) attacks that used IoT cameras against Krebs’s website and the DNS provider Dyn, flooding those networks with Mirai-laden botnet traffic peaking at 660 Gbps and 1 Tbps, respectively. An estimated 100,000 hijacked cameras and other IoT devices were behind this botnet army.
It is the ease and ability of an adversary to wield IoT devices in such high numbers that has changed the game for cybercriminals and their unsuspecting targets. It is unlikely we have yet seen the biggest risks from unsecured IoT devices.
IoT Risks in 2017
To date, weaknesses in IoT devices have been exploited to build botnets and to enable digital voyeurs. However, the business of cybercrime is likely to shift rapidly in 2017 to other attacks, including:
• Hijacking/Ransomware—taking over IoT devices and then demanding payment to regain access to the device. Although a hard factory reset may return the device to a known safe state, many consumers will struggle to perform one.
• Destruction—bricking IoT devices is a sure-fire way to harm the U.S. economy and the entrepreneurial spirit embodied by these companies and products.
• Extortion—devices with microphones and cameras are especially susceptible to leaking information of a private nature, which can then be used to blackmail the owner.
• DDoS extortion—the continuation and escalation of large-scale DDoS attacks using IoT devices.
How do we tackle this insecurity of IoT?
IoT devices have demonstrated the capacity to bring immense value to consumers’ lives. Just check out the websites of several leading camera providers and you will see videos of burglars who are now behind bars, and who would have gone on to victimize countless others but for the camera on the bookshelf or in the window. So, with all this good, how do we tackle insecurity without smothering creativity?
1. Balance operationalizing the product with cybersecurity at the Venture Capital Firm and Board levels.
Security can be a very important differentiator, especially when a product sits in the most private place in our lives: our home. Of great importance is selecting a VC firm and Board who know how to hire the right advisors to ensure security is on the roadmap in a way that does not cause friction and still allows a company to capture and retain market value. If a webcam line were attacked and every one of the $200 devices rendered useless, or the lights in a house forced to blink on and off every second, the goodwill of those companies would erode. Selecting business partners who know how to mitigate these risks can improve the overall product and customer experience.
2. Aligning the interests of the product engineers and creators with agile and open-minded privacy and cybersecurity experts.
Simply put, baking security and privacy into a product on the front end is less costly and disruptive than trying to bolt them on at the back end. All too often the interests of engineers and security teams are not aligned with the company’s most important interests, its products and services. This is a failure of leadership and something that can easily be avoided. No one wants their IoT devices letting the world know what they are doing, and we can and should coalesce around this goal of alignment.
3. Making cybersecurity part of everyone’s job—even the engineer’s job.
Most engineering programs do not include secure coding or cybersecurity among their mandatory requirements. While non-engineering talent can help educate coders and designers, it is best to have a baseline level of knowledge of how to code securely, test APIs, secure a web application, and avoid the weaknesses that consistently appear on the OWASP Top 10 and SANS Top 20 lists. Where it does not exist, it is up to leadership to sponsor and grow this talent.
4. Incentives for strong cybersecurity
Sponsoring cybersecurity in IoT devices through incentives, grants, or even subsidizing cybersecurity positions or access to cyber-talent benefits everyone. We can and should make this a priority.
IoT devices add immense value for the consumer, but we need to be careful to embed basic cybersecurity protections and controls in each product before pushing it to market.