“Anything that can connect to the internet, will connect to the internet”
That, in essence, is the spirit behind the exponential growth rate of Internet of Things (IoT) worldwide. Going by a recent BI Intelligence report, there will be close to 35 billion ‘connected devices’ in active use by the end of this decade – with business being the biggest sector to use this technology. However, in the rush to come up with new and innovative IoT tools, platforms and gateways – the importance of ensuring proper security standards is often relegated to the background. In 2016, the number of ransomware attacks increased by an alarming 36% (YoY) – with as many as 17 million samples of new malware being detected in the third quarter of the year alone. The time has obviously come to give more attention to the security aspect of IoT – since the consequences of the ‘wrong person having access to the wrong internet resources’ scenario can be serious indeed.
The importance of internet security in general, and the safety protocols of IoT in particular, is not lost on the present-generation business professionals. On average, 3 out of every 4 senior managers/decision makers feel that there will be further spikes in cybersecurity attacks in the next 18-24 months, while nearly 50% business owners list security as among the biggest potential problems in new applications. A large number of IT security experts also opine that the existing standards, policies and protocols are not adequate to cope with the ever-increasing cyber security threats. In here, we will offer some basic tips and pointers for ensuring the security of IoT applications:
- Maintaining an inventory of connected devices - By August 2016, an average North American household had 8-10 connected devices. That number will push towards 50 by 2020. The number of smart IoT business applications is also increasing at a rapid clip. In this scenario, it is vital to keep track of all the tools and gadgets with web-connectivity that are being used (apart from, of course, computers and smartphones). The list of IoT devices being used by any person/group/business should be regularly updated, and all types of media players and microphone/camera mounted gadgets should be included. In addition, the volume and type of data each IoT tool has access to should also be noted. Maintaining a systematic inventory report of IoT applications and their components makes it easier to identify probable sources of vulnerabilities.
- Using updated firmware - The IoT routers/gateways as well as all the connected devices in a network should have the latest security patches and updates. The onus is on the users to regularly check for these updates (from the makers’ websites, for instance) and install the same whenever they become available. If and when possible, this checking procedure can be automated too. New types of malware and hacks are being created practically every day – and unless you are using the latest firmware versions, your IoT network is at a risk.
- The importance of passwords - Passwords are probably the biggest security tool in the hands of the users. Plenty of people make the mistake of selecting the same password for all of their IoT devices – making the task that much easier for professional hackers (if the password of any one system is hacked, the other systems connected to it also become accessible). Hence, it is of immense importance to select separate passwords for each IoT tool. Also, the individual passwords need to be strong enough and not easily guessable. There are several advanced password manager apps currently available, where all the passwords can be stored. Users should never forget to change the factory-set passwords (‘12345’, ‘password’, etc.).
Note: Over 1 billion Yahoo! User accounts were hacked in 2013. The next year, a further 500 million accounts were breached.
4. Staying wary of DDoS attacks - A 2016 NexusGuard report found that, between the first and second quarters of the year – the number of distributed denial-of-service (or, DDoS) shot up by a whopping 83%. In 2016 Q4, reports of DDoS attacks came in from as many as 80 different countries (China had the lead with most attacks, with USA and South Korea taking up the second and third spots respectively). Any business that has a proper website (websites can also be a significant source of revenue) needs to be aware of a potential DDoS attack. The trick here lies in selecting an internet service provider (ISP) that offers robust security against such attacks. If funds are not a point of concern, a internet hosting firm with specialized DDoS mitigation plans can be opted for (their services are often relatively pricey). An attacker might target an entire ISP or any particular user – and your IoT environment should be powerful enough to repel such threats.
5. Encryption is key to security - The volume of confidential, personalized data – right from names and contact information, to bank account/card information and transaction details – being stored on the cloud is increasing with time. During data transmission, nearly 82% of all cloud service providers offer secure data encryption services. While that seems pretty good – a closer look reveals a much more worrisome stat: less than 10% of the stored information is encrypted during rest (i.e., when it is not being transmitted). Not surprisingly, this is the state which attackers tend to target – seriously compromising cloud security as a whole. Before uploading/storing any information on a IoT network, users need to ensure that it would be encrypted properly. It is not easy (at least, it ain’t a quick job!) to decrypt well-encrypted information – and that enhances the security assurances manifold.
6. Consider whether continuous internet-connectivity is required - It would be surprising to note how many IoT devices and gadgets can be disconnected from the network at different times – but users (from business and consumer sectors) do not take the trouble of doing so. Something like a smart thermostat, or a personal smartphone, might need to be connected at all times – but the scene is different (at least it should be) for automated coffee-makers, or smart lighting systems, or audio/video streaming devices (smart TVs, for instance). The longer an IoT device remains connected to the network – the greater is the time a hacker gets to plot an attack on it. Whenever a smart gadget is not being used, it is advisable to disconnect it from the network.
Note: Not all IoT devices need to be connected to the cloud. In any case, over-reliance on the cloud network can increase security risks.
7. Deactivating Universal Plug and Play - Universal Plug and Play (UPnP) is, in theory, a very useful feature. It helps smart devices without any specific configuration settings to ‘discover’ other, similar tools in the network. However, this ‘universal discoverability’ comes with a serious corollary too – since it becomes easier for hackers to find and target IoT devices. Even if a user has no intention of making his/her device(s) visible to everyone, it can be done by certain customized search engines (which locate everything connected to the web). Given these vulnerabilities in the UPnP protocol, it is a good idea to turn the feature off – on the router as well as all connected smart devices.
8. Multiple networks and a ‘Guest Network’ - Instead of using a single router and hoping for the best, IoT security experts generally recommend having multiple routers – particularly when there are several IoT gadget/appliances to be connected. Having several routers automatically ensures segmentation of the network – and that, in turn, diversifies the potential security threats. Even if a network segment (and the devices within it) is compromised, the other parts remain secure. It is also important to create a separate ‘guest network’ with the help of wifi routers. There is no way to predicting which users will want to get on an IoT platform at any time – and to keep the main network safe, unknown visitors should be routed through this ‘guest network’.
Note: Different smart home devices, like printers and surveillance cameras, were used in last October’s Dyn cyber attack – the biggest internet attack of its type. Github, Spotify and Reddit were among the websites affected.
9. Being aware of the risks of BYOD - By the end of this year, 1 out of every 2 companies in North America will support BYOD (Bring Your Own Device) policies. Markets&Markets has estimated that that value of the global BYOD market will go beyond $180 billion this year. While bringing personal devices to office for work-related purposes definitely has its benefits (from lowering the stress on workplace devices to helping employees enjoying a more ‘involved feeling) – doing so is fraught with security risks. A personal smart device is not likely to have the requisite security features and encryption standards – and as such, it can put valuable business information at risk. An individual device with suspect security can be easily targeted to get unauthorized access to company databases. A scary thought, indeed!
Note: As the number of smart devices used for work (company-owned plus personal) increase, keeping track of them on a real-time basis becomes difficult. That is yet another reason to limit the BYOD practices within a business as much as possible.
10. Staying away from unknown wifi connections - Unsecure wifi networks (public wifi networks that are not password protected, for instance) are perfect tools for hackers to spread malware. While the attractions of logging on to such an ‘open network’ can be considerable (saving on mobile data…so, yay!) – such networks can be dangerous from the security perspective. Users should, as a rule of thumb, view all wifi networks without passwords as ‘vulnerable’, and refrain from using them on their handheld devices or any other smart gadgets. Use your own routers and networks – and have strong passwords for them.
11. The time factor - Implementing security parameters on IoT devices is not a ‘one-and-done’ job. Over time, the effectiveness of IoT security depreciates – and users have to continually keep track of the latest technologies and protocols and how they can be used to make the network ‘safer’. Tackling new threats with urgent software updates and patches is all very fine – but the focus should firmly be on following the latest manufacturing models for any smart device or IoT gateway. In other words, the IoT security considerations should follow a ‘bottom-up’ path, with manufacturers being responsible for incorporating updated security features in new tools and gadgets. In the fast moving domain of the World Wide Web, device-makers can no longer afford to just create a smart device and then provide security patches on an ‘as required’ basis.
Note: When a manufacturer exits the market, all the devices created by it stop receiving the necessary software updates. In such cases, it is prudent to replace the concerned devices (which are now unsecure).
12. Minimal personal data and code obfuscation - As the world is getting more and more connected, the amount of personal information out in the wild (often without the owner(s) being aware of it) is increasing. For instance, the GPS system of a smart car can give away its precise parking location details – and when that information falls in the hands of a hacker, car thefts become a very real possibility. The same goes for home automation systems and IoT business tools as well. Users should minimize ‘disclosing’ such information that can be traced back to them. Maintaining a certain level of obscurity on the internet platform is important.
Less than 38% of all organizations worldwide have a proper IoT strategy management policy in place (according to a PwC report). This clearly highlights the fact that there is plenty of catching-up to do for businesses – to minimize the security-threats and hack attacks. The task has to start from training individual users about the types of malware and threats they might face – and how they can work around them. Using VPNs (virtual private networks) to enhance the security of IoT devices is also a good idea. Websites and mobile apps that involve monetary transactions (for example, shopping portals) should have proper Secure Sockets Layer (SSL) support.
IoT will continue to evolve – and unfortunately, cybersecurity threats will grow with it too. It is up to the product manufacturers and end-users to work together and keep such threats at an arm’s length, at all times.