Raymond Kent, Principal, DLR Group, Innovative Technology Design Group
At the time of writing, the average person in the US owns eight networked Internet of Things (IoT) devices. This is expected to climb to just under 14 by 2022. Chances are you were way off on the actual number if you had to guess. The main reason is that no one knows how many devices are currently connected to the Internet of Things, and that number is even harder to predict moving forward as more manufacturers quietly put internet-capable computer chips into more things for a variety of reasons and networks continue to get faster. The current estimate is that more than 50 billion IoT devices will be connected by 2020, and the promise of actual 5G networks is around the corner with 10G in the works. Now you might personally think it is fantastic that your refrigerator uploads a shopping list to your smartphone based on it “knowing” what you have and what you are almost out of through a bevy of sensors and connectivity. But guess who else thinks that is awesome: cybercriminals. To them, it is akin to leaving the front door of your house open with a sign saying the expensive stuff is in a shoebox under the bed.
Because this market has hit a fever pitch, not all manufacturers and end-users apply the rigor to security that one would hope for. Most of these players are well-meaning while scrambling not to be left behind. There are, however, the occasional bad actors who intentionally leave holes in their products to be exploited later (for either good or nefarious reasons), and other holes are down to plain laziness or lack of knowledge. IoT presents a multi-pronged threat that can open the end-user to a breach that is annoying at least and catastrophic at worst. It also opens manufacturers up to liabilities and bad publicity that can derail a fledgling company or give a good black eye to a larger one.
Quite often, these security holes leave the users' networks vulnerable, and a VPN is not necessarily the best way to combat this. These vulnerabilities can be exploited by a bad actor close to the WiFi network using straightforward gear and programs to find a way in, take control of your IoT gadgets such as your thermostat, smart lighting, or other devices, lock you out, and then demand a ransom to let you back in. These holes can also be exploited to get behind firewalls and into your important networks, taking over computers, locking them down for ransom, or even using them for a Distributed Denial of Service (DDoS) attack on other websites or providers. We saw how this could wreak havoc in 2016, when the Domain Name System operated by Dyn was hit like this, effectively shutting down Amazon, Twitter, and others.
Part of the challenge lies in the way the data is or isn’t encrypted, which allows those who would do harm to sniff out these openings and gain access. For example, once an opening is discovered in a device that can send emails or text messages to a real human, the data stream that generates that message can be laced with a virus or password capture that then opens the front door to the would-be hackers. This “Man-in-the-middle” approach does not require a person to be in proximity to the WiFi network once the password is obtained.
Why thinking about security is even more critical now and in the future comes down to where this industry may be headed. Just as the Amazon Echo, Google Home, and other Voice Command and Control (VCC) devices have invaded our everyday lives, we will see an explosion of these VCC containers leveraging multiple microservices working across a distributed network, built into non-obvious devices that are always listening and don’t necessarily have to be a dedicated thing on your counter. As the VCC platforms continue to get smarter, reaching SkyNet proportions, cloud-based architecture and services can unknowingly and catastrophically propagate vicious attacks on a global scale.
Think of shutting down entire cities via IoT devices.
Additionally, we are now seeing the first products built on the smart contract blockchain technology currently being implemented in financial and other markets to allow autonomous distributed transactions. Security concerns could shut these markets down. This will be coupled with the need for new wireless distribution technologies to carry this and other IoT devices’ data, whether as small-burst packets, over dense sets of connections, or over a long distance. Already we are looking at LoRaWAN, 3GPP NB and AT&T’s LTE-M to carry the load along with other mesh-network technologies. If you remember the days of the Heartbleed or Crypt viruses that exposed and used the open-source vulnerabilities of networks, then you have some sense of this.
Current markets and those with the largest predicted growth include transportation, security and surveillance, asset management, retail, inventory control, and sustainability products. Hackers will continue to exploit IoT technology to gain mass notoriety and cause the greatest amount of damage, not just to turn your refrigerator off and spoil your pot roast.
The biggest concern is the newest categories of IoT devices that work at a micro-scale and have to reach out to the greater network. These new devices and categories will come faster, in my opinion, than upgrades or replacements to existing products that benefit from second and third-generation security enhancements.
IoT, in theory, makes life easier and more convenient, but to do that, we willingly give up privacy. The 2018 Facebook debacle put this front and center as Cambridge Analytica showed how easy it is to get information on you and your habits through the devices that you eagerly set up to allow them to do so. Cybercriminals leaving ransomware on computers or spreading viruses through emails have made most people more security conscious, for good reason. As a result, we have seen a dramatic rise in the use of VPNs, password managers, and other encryption technology on both corporate and personal computers, but the gaping hole is still your IoT devices. They are not infallible and often are not capable of the types of protections afforded on your PC (or Mac). For example, that smart fridge of yours may get hacked. At best, its internal temperature gets raised and your milk spoils; at worst, it becomes a back door into your network that can install a key logger or other maleficence without you even realizing it.
The march towards Smart Homes and Businesses is ongoing and ever-growing, and we pay for it with our loss of privacy. Additionally, this does not stop at the front door. Mobile IoT devices such as fitness trackers, medical devices and implants, smartwatches, and even your vehicle all track data and can then sync to your network when within range, bringing outside threats right into your environment. Some of these devices do have privacy settings but are not immune to hacking. Recently a particular self-driving vehicle was hacked while in operation; fortunately, the attack only disabled the vehicle, bringing it to a stop at a relatively slow speed.
For some perspective, there are three main privacy concerns involving IoT:
1. The amount of potential data points is staggering. The recent Federal Trade Commission report, Privacy & Security in a Connected World, outlined that fewer than 10,000 households can create 150 million data points in a single day, and each of these data points is a potential entry for cybercriminals.
2. Private (corporate or personal) information becoming your unwanted public profile. This information can be bought and sold (Cambridge Analytica) and used without your knowledge or apparent consent to sway your opinion or others’ opinions of you or your company, to affect decisions by companies you do business with such as insurance brokers or suppliers, or even to affect stock value or credit ratings.
3. Privacy is not what you think it means anymore. The devices can always be listening for human speech (Amazon Alexa) or even electronic information such as occupancy (security systems).
This can be especially true of smart energy management devices such as water and gas meters, lighting controls, audiovisual systems, and HVAC controls that are always on the network, ready to go. All is not hopeless, though: there are strategies to combat unwanted intrusion, but they do require active participation. Many smart devices have opt-out waivers that must be actively selected when setting up the device; these can prevent unwanted advertising and marketing material from being sent directly by the manufacturer, and can stop the manufacturer from selling your information to third parties. This can be useful for the more benign things, but for the rest, a stronger approach is required and needs to be followed through on, for example:
1. Keep IoT devices on separate, dedicated networks, apart from your core home or business network where personal or business-related sensitive material is located. Make sure this is an encrypted network for both wired and wireless. Use hardware and software to do this.
2. Use a secure password generator for each device so that no two devices have the same password. Use a combination of letters (upper and lower case), numbers, and symbols if allowed. Make it the maximum length allowable.
3. Change your network password every 30 days and leverage robust firewalls, virus detection, and ad-blocking/tracking software.
4. Use a dumber version of a device (non-IoT) if you are still concerned.
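One way to carry out recommendation 2, shown as an added example that is not part of the original article: a generator that gives every device its own password, fills the device's maximum length, and includes symbols only where the device accepts them. The device names, length limits and symbol set are constructed assumptions.

```python
import secrets
import string

# Constructed inventory: names, length limits and symbol support are
# assumptions for illustration, not values from the article.
DEVICES = [
    {"name": "thermostat", "max_len": 16, "symbols_allowed": False},
    {"name": "smart-fridge", "max_len": 32, "symbols_allowed": True},
    {"name": "lighting-hub", "max_len": 24, "symbols_allowed": True},
]

SYMBOLS = "!@#$%^&*-_=+"  # assumed symbol set; trim to what each device accepts


def generate_password(max_len, symbols_allowed):
    """Return a random password of exactly max_len characters containing
    at least one character from every permitted class."""
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits]
    if symbols_allowed:
        classes.append(SYMBOLS)
    if max_len < len(classes):
        raise ValueError("max_len too short to cover every character class")
    alphabet = "".join(classes)
    # One guaranteed character per class, the rest from the full alphabet.
    chars = [secrets.choice(c) for c in classes]
    chars += [secrets.choice(alphabet) for _ in range(max_len - len(classes))]
    # CSPRNG shuffle so the guaranteed characters are not at fixed positions.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def assign_passwords(devices):
    """Map each device name to its own password, regenerating on the
    (unlikely) collision so no two devices share one."""
    assigned, used = {}, set()
    for dev in devices:
        pw = generate_password(dev["max_len"], dev["symbols_allowed"])
        while pw in used:
            pw = generate_password(dev["max_len"], dev["symbols_allowed"])
        used.add(pw)
        assigned[dev["name"]] = pw
    return assigned


if __name__ == "__main__":
    # Report lengths only; the passwords themselves belong in a password manager.
    for name, pw in assign_passwords(DEVICES).items():
        print(f"{name}: {len(pw)} characters generated")
```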
Blockchain technology may be the saving grace and is showing quite a bit of promise here. And, since IoT is a $300 billion a year business and growing ($520B by 2021), the government, manufacturers, and consumers are immersed and involved. The Facebook/Cambridge Analytica incident, among several other high-profile ones, just brought the security side of it front and center.