IoT Vulnerabilities Open Up New Possibilties to Hackers
Internet of Things is a revolution that has suddenly captured our imagination. As a technology, IoT is unique since it has a role to play in consumer, enterprise and industrial worlds. At the consumer level, the adoption of IoT for areas including home monitoring & control, wearable tech, and connected cars has already started. At the enterprise level building management, fleet management, hospital management, retail, telecom, and energy sectors are already adopting it for various benefits.
According to Markets and Markets, the IoT market size is estimated to grow from $157.05 Billion in 2016 to $661.74 Billion by 2021, at a CAGR of 33.3% from 2016 to 2021. All industry verticals are undergoing a huge transformation in a bid to move toward affordable, accessible, and quality services to their customers. New applications and use cases, a result of cutting edge technology innovations, are being developed to address the changing industry needs. IoT, in combination with cloud computing and big data, is creating lucrative opportunities for organizations.
“However, the ubiquitous use of a technology in wide ranging areas brings forth risks that range from significant to catastrophic. Nuclear facilities can be damaged overnight by compromising the IoT infrastructure. We have already seen an early avatar of this in the form of Stuxnet,” explained Vinod Vasudevan, Co-founder and CTO at Paladion. “Similarly, nation state attacks are expected to target IoT used in power grids and other utilities. Smart cities can get paralysed in minutes if the IoT infrastructure that automates the processes here gets compromised. IoT risks are complex since IoT technology stack has many new components including IoT sensors, protocols, gateways, and management platforms.”
Thus, IoT security includes many new risk areas that cybersecurity industry is still learning to resolve including cloud & mobility. As an example, there are many IOT protocols in the market today including Zigbee, CoAP, Advanced Message Queuing Protocol (AMQP), Digital Data service (DDS), and Message Queue Telemetry Transport (MQTT). These protocols are either new or derived for IOT from an earlier version used for generic purposes. As a result, they are vulnerable unless special effort is taken to secure them.
“In addition, IOT management platforms have web interfaces and related protocols enabled. Therefore, they are exposed to common web application attacks. The impact of such web based attacks on IoT management platform is high since it can be used to subvert millions of sensors for a malicious purpose. Imagine impact of power grid sensors taken off the grid with a successful web based attack on the IoT management platform,” added Vasudevan.
There are three key challenges for the future of IoT. This includes ubiquitous data collection, potential for unexpected uses of consumer data, and heightened security risks. Hence, companies need to enhance privacy and build secure IoT devices by adopting a security-focused approach, reducing the amount of data collected by IoT devices, and increasing transparency and providing consumers with a choice to opt-out of data collection.
“Developers of IoT devices have not spent time thinking about how to secure their devices and services from cyberattacks. The small size and limited processing power of many connected devices could inhibit encryption and other robust security measures,” said Vasudevan. “Moreover, some connected devices are low-cost and essentially disposable. If vulnerability is discovered on that type of device, it may be difficult to update the software or apply a patch – or even to get news of a fix to consumers.”
Thus, securing IOT infrastructure requires collaboration between industry, and academia, government for “secure by design” roll out of IOT protocols. Such initiatives are still at nascent stages but have started. “There should be certification of the safety of IoT products and components from central authorities backed by government. This can be treated very similar to car safety and certification that we are all used to. IoT security movement has started but there is still a long way to go. Good news is that we can still do things to enhance the barrier to attacks while we wait for industry to accelerate the act,” concluded Vasudevan.