Do you know Watch Dogs? In this popular video game, the main character, a gifted hacker, uses his smartphone to hack and exploit Chicago’s connected infrastructure, including traffic lights and surveillance cameras. The scary world of Watch Dogs presents the behind-the-scenes of smart cities.
These are cities in the making where all the urban systems equipped with software intelligence work together and without human intervention, making cities efficient, ecological, and pleasant to live in. These two faces, the promise of intelligence and automation and the fear of security, are found in all Internet of Things (IoT) applications. And the field is booming.
According to Gartner, 50 billion connected objects and other sensors will be used worldwide by 2025:
You only have to look around to see smart devices proliferate quickly—smartwatches, smart dolls, self-driving cars, thermostats, home automation equipment, and smart TVs. The phenomenon also encompasses companies using surveillance cameras, projectors, RFID readers, industrial systems, and medical equipment.
Though these are isolated cases, there have been unusual stories of hacking connected objects. One was of a billboard being hijacked to broadcast an X-rated movie to passers-by. Another was of a hacked intelligent Barbie doll that was listening to everything the children were saying. Such instances are also becoming more frequent.
The consequences can be severe and wide-ranging. Just think of those hackers who managed to neutralize the brakes of a car. In the business world, too, having vulnerabilities in connected physical devices can have disastrous repercussions. In particular, they can serve as an entry and exit point for the organization’s network or enable someone to take control of an alarm system.
There are many reasons why connected objects are particularly vulnerable. We know that a chain is only as solid as its weakest link. In the IoT network, there are many links: the device itself, the various interfaces with which it communicates or which allow it to be managed, multiple local and remote connections, and so on.
Often cited by specialists, the OWASP project (Open Web Application Security Project) identifies the following as the main vulnerabilities:
• The lack of security of web, cloud, and mobile interfaces and of all network services
• Data confidentiality
• Gaps in encryption and authentication/authorization
• Insecure firmware and insufficient security configuration options
To this complexity, add the lack of expertise of many manufacturers, who provide their products with connectivity without controlling the security of each component. Then there is the current lack of standards on which suppliers can rely.
All of this leads to devices with poor security, as evidenced by a study by HP. By analyzing the security of a dozen popular connected devices intended for individuals, the specialists found that seven of them used network services without encryption (some didn’t even encrypt the download of updates), and eight devices and their application components did not require sufficiently long or complex passwords.
Concern for IT managers
Despite these vulnerabilities, connected devices are also spreading in companies. They are either brought in by employees or deployed by the company to derive business and productivity benefits.
According to a survey carried out by Spice Works, the presence of wearables in organizations is doubling every year. In addition, 61% of companies have connected video equipment, 40% have sensors (badge readers, etc.), and 37% have physical security systems (lockers, barriers, etc.). This doesn’t even include things like temperature sensors and other motion detectors deployed in server rooms.
The security of all of these devices was a concern for the vast majority of IT professionals surveyed by Spice Works. They were particularly concerned about the fact that this equipment provides new access points to the network, but also the insufficient security measures implemented by manufacturers and the lack of standards. These concern all devices: wearables, physical security systems, and video equipment.
It even happens that companies sometimes create the problem. Specialists fear that companies with no set standards will “tinker” with things, making them unsafe. This can happen if they develop, for example, insecure solutions to ensure the interoperability of heterogeneous equipment using different communication protocols and data formats.
Manage a new type of risk
To curb the risks associated with the IoT, IT managers are taking various measures. 40% of them put connected objects “in quarantine” on a separate network. And most companies invest in security solutions, like intrusion detection (IDS) and advanced protection (ATP) systems.
Such steps will boost the security market dedicated to the IoT, which is expected to grow rapidly. However, many feel that efforts to secure the IoT will focus less on vulnerabilities and more on management, analysis, and provisioning of devices and their data.
According to a Deloitte report, it is also appropriate for companies to consider and remedy risks associated not with the objects themselves but with their deployment. The firm recalls that connected objects are often deployed in complex ecosystems in which many players participate, such as in logistics applications with suppliers, carriers, distributors, etc. This complexity has the effect of increasing the attack surface and diluting the responsibility of the various players.
The Deloitte report also recalls that connected objects unleash their full potential when they act and exchange data automatically without human intervention. Such a coupling can turn into a dangerous domino effect if we do not implement interruption and emergency mechanisms.
To illustrate this risk, Deloitte gives the unusual case of this German computer science professor who had fully automated their home. One afternoon, their smart home completely stopped responding. The fault of an isolated defective bulb began to bombard the hub with error messages generating a kind of denial of service attack.
As the Spice Works report concludes, connected objects will continue to spread in businesses, and they are here to stay. While waiting for appropriate security measures to be put in place, remember not to feed them after dark.