Internet of Things – Security: What, Why and How

By definition Internet of Things (IoT) is: A proposed development of the internet in which everyday objects have network connectivity, allowing them to send and receive data.

Telephones, automobiles, refrigerators and seemingly anything that can host a computer chip are quickly becoming part of the Internet of Things (IoT) – a concept that the US Federal Trade Commission (FTC) defined in a report as “the ability of everyday objects to connect to the internet and to send and receive data.”

The internet is everywhere and the IoT is a trend that will continue to grow exponentially for the next couple of years.

Everything once disconnected are now wired and interconnected.While these interconnected devices have made life easier, they’ve also created new space for hackers. IoT devices are increasingly gaining access to the most sensitive personal data like social security numbers and banking information, making it a hyper vulnerable space.

Research firm IDC predicts that there will be over 28 billion IoT devices installed by 2020, while fellow analyst Gartner forecasts that 4.9 billion connected things will be in use in 2015, up to 30 per cent more from 2014, and that it will reach 25 billion by 2020. But this expansion in connectivity brings new security threats.

As the number of connected IoT devices constantly increase, so does the security concern. A couple of security concerns on a single device such as a mobile phone can quickly turn to 50 or 60 concerns when compared to multiple IoT devices in an interconnected home or business ecosystem.

Knowing what IoT devices can/will have access to, it’s important to understand their security risks:

• On a personal level, IoT threatens security of devices which perform a critical function (e.g. locking a door, activating a smoke alarm, controlling a power outlet) and ones that impact privacy (e.g. video cameras).
• The security issue involving IoT is not with the device itself, but how and where the device is used.
• Lack of updates will be IoT’s achilles heel. An ineffective or non-existent plan for deploying security updates will be the single largest impediment to security for the Internet of Things.
• Owners of the IoT device will lose on the privacy front. Their private data will be monitored and sold without their knowledge.
• Vulnerable Internet-enabled applications/devices will be attacked and compromised. These compromised devices will then be used to compromise other connected devices.
• The rise of the IoT sparked concerns about the badly configured gadgets which might provide a backdoor for hackers looking to break into corporate networks.

The below are a summary of recommendations from various sources like “The Federal Trade Commission (FTC)” for companies developing IoT devices:

• Build security into devices at the outset, rather than as an afterthought in the design process.
• Train employees about the importance of security, and ensure that security is managed at an appropriate level in the organization.
• Ensure that when outside service providers are hired, that those providers are capable of maintaining reasonable security, and provide reasonable oversight of the providers.
• When a security risk is identified, consider a ‘defence-in-depth’ strategy whereby multiple layers of security may be used to defend against a particular risk.
• Consider measures to keep unauthorized users from accessing a consumer’s device, data, or personal information stored on the network.
• Monitor connected devices throughout their expected life cycle, and where feasible, provide security patches to cover known risks.
• Consider data minimization – that is, limiting the collection of consumer data, and retaining that information only for a set period of time, and not indefinitely.
• Data minimization addresses two key privacy risks:

• First, the risk that a company with a large store of consumer data will become a more enticing target for data thieves or hackers, and
• Second, that consumer data will be used in ways contrary to consumers’ expectations.

• Carry out a security review of all devices and components to detect vulnerabilities.
• Apply security standards that all devices need to live-up to before production.
• Make security a cornerstone of the production life-cycle.