IoT Product Failures and Security Impacts
By Dr. Christopher Pierson, CSO and General Counsel, Viewpost
In fact, a recent study from the Interactive Advertising Bureau found that 62 percent of U.S. consumers own at least one IoT device. Gartner pegs the number of global IoT devices in 2016 at 6.4 billion, rising to nearly 21 billion IoT devices by 2020. The explosion of IoT devices is in part due to their ability to easily connect to home networks—no more opening ports, using static IP addresses, or punching holes in the firewall. IoT devices just work the way “plug and play” was originally envisioned.
IoT is here to stay and its simplicity and convenience are what will truly make our homes “smart” and more efficient.
So what is there to talk about?
With the ease of connecting devices to your network (home and yes, the work environment) consumers are empowered to tackle those do-it-yourself projects and claim success when the blinking light turns green. Each of the products we connect to our networks puts connectivity and operations first over all else— especially cybersecurity.
The tales of misconfigured devices have been captured in the past on webpages showing infants sleeping and other cameras showing private moments. So, what is different in the year 2017?
At the end of 2016, we witnessed multiple Distributed Denial of Service (DDoS) attacks using IoT cameras on Krebs’s website and the DNS provider Dyn that flooded these networks with attacks peaking at 660Gbps and 1Tbps worth of Mirai laden bot-net traffic respectively. It is estimated that 100,000 hijacked cameras and other IoT devices were behind this bot-net army.
It is the ease and ability of an adversary to wield IoT devices in such high numbers that has changed the game for cybercriminals and their unsuspecting targets. It is unlikely we have yet seen the biggest risks from unsecured IoT devices.
IoT Risks in 2017
To date, weaknesses in IoT devices have been used as a part of bot-networks and digital voyeurs.
It is the ease and ability of an adversary to wield IoT devices in such high numbers that has changed the game for cybercriminals and their unsuspecting targets
However, the business of cybercrime will rapidly shift in 2017 to other attacks, including:
• Hijacking/Ransomware—taking over IoT devices and then requesting payment to regain access to the device. Regardless of the fact that a hard factory reset may assist returning the device to a known safe state, many consumers will struggle with this.
• Destruction—bricking IoT devices is a sure-fire way to harm the U.S. economy and the entrepreneurial spirit embodied by these companies and products.
• Extortion—devices with microphones and cameras are especially susceptible to leaking information that is of a private nature.
• Extortion—the continuation and escalation of large-scale DDoS attacks using IoT devices.
How do we tackle this insecurity of IoT?
IoT devices have demonstrated the capac¬ity to bring immense value to the fore¬front of consumers’ lives. Just check out the websites of several leading camera providers and you will see the vid¬eos of many burglars who are now behind bars that previ¬ously would have victim¬ized countless others but for the camera on the bookshelf or in the window. So, with all this good, how do we tackle insecurity without smothering creativity?
1. Balance op¬erationalizing the product with cyber¬security at the Ven¬ture Capital Firm and Board levels.
Security can be a very important differentiator, especially when a product sits in the most private place in our lives—our home. Of great importance is selecting a VC firm and Board who know how to hire the right advisors to ensure security is on the roadmap in a way that does not cause friction and will still allow a company to capture and retain market value. If a webcam was attacked and every one of the $200 devices rendered useless or the lights in a house forced to blink on/ off every second, the goodwill of those companies will be eroded. Selecting business partners who know how to mitigate these risks can improve the overall product and customer experience.
2. Aligning the interests of the product engineers and creators with agile and open-minded privacy and cy¬bersecurity experts.
Simply put, baking secu¬rity and privacy into a product on the front end is less costly and disruptive than try¬ing to code it on the back end. All too often the interests of engineers and security teams are not aligned with the company’s most important in¬terests—the prod¬ucts/services. This is a failure of leadership and something that can be easily avoided. No one wants their IoT devices letting the world know what they are doing, and we can and should coalesce around this goal of alignment.
3. Making cybersecurity part of everyone’s job—even the engineer’s job
Most engineering programs do not have mandatory components of secure coding or cybersecurity as a part of the basic requirements. While non-engineering talent can help educate coders and designers, it is best to have a baseline level of knowledge on how to code securely, test APIs, secure a web application, and avoid those items that are consistently part of the OWASP Top 10 and SANs Top 20 lists. Where it does not exist, it is up to the leadership to sponsor and grow this talent.
4. Incentives for strong cybersecurity
Sponsoring cybersecurity in IoT devices through incentives, grants, or even subsidizing cybersecurity positions or access to cyber-talent benefits everyone. We can and should make this a priority.
IoT devices add immense value for the consumer, but we need to be careful that we imbed basic cybersecurity protections and controls in each product prior to pushing them into the market.
The Human Side of the Internet of Things
Sharon Gietl, VP IT and CIO, The Doe Run Company
IoT's Evolution to the Converged Platform of the Future
Aaron Gette, CIO, The Bay Club Company
How Internet of Things (IoT) will Rewire Supply Chains
Chad Lindbloom, CIO, C.H. Robinson
Industrial Scientific Blazes a Trail in IoT
David DiLeo, CIO, Industrial Scientific Corporation