[BreachExchange] Why Data Security Needs To Be A Priority For The Internet Of Things
Audrey McNeil
audrey at riskbasedsecurity.com
Thu Nov 17 19:09:24 EST 2016
http://www.digitalistmag.com/iot/2016/11/16/data-security-priority-for-internet-of-things-04670725
Estimates vary about how many “things” will be connected to the Internet by
2020, but the more conservative sources put that figure at around 26
billion, double the 13 billion figure connected in 2015, according to IoT
Daily.
From energy grids and haulage firms to warehouses and financial systems,
every industry is going to be getting in on the act, and CEOs of both large
and small operations are going to be rightly excited about the efficiency
savings and increased capacity this “smart revolution” will bring.
Regardless of the actual numbers involved, the IoT is coming, and there
will be a huge amount of extra data zipping about on the Internet. Now the
question needs to be asked: How secure is the Internet of Things actually
going to be?
What price is your data?
Whether it’s answering an online survey in return for free Wi-Fi access or
permitting your browsing history to be recorded so that relevant ads can be
served alongside your content, we all know that being connected comes at a
price – and that that price is often our personal data. However, when we
lose sight of the companies behind the things that are sending out bits and
bytes from our homes and businesses, it can become a security blind spot.
We all understand the importance of watertight security when it comes to
logging on to our online bank or accessing the hospital database, but even
an apparently harmless “smart” kettle can expose important network
information, which can then act as the thin end of a wedge, cracking into a
company’s data.
It’s not just the companies that we buy the smart gadgets from that we have
to beware of; it’s also the hacktivists and downright criminals who are
actively scanning for a leaky source of data and improving their techniques
all the time. It’s almost a cliché to say that data security is only as
strong as the weakest link, but, sticking with that analogy, the IoT is
about to add infinitely more links to that chain. As the Internet of Things
is gradually absorbed into our infrastructure – our health services, our
energy grids, our traffic networks, etc. – the risk of a data breach
increases. From intellectual property theft to ransom demands to terrorist
attacks, the risk to society of unsecured data is significant.
Internet protocol dissociation: An imperfect solution
Much has been made of the insufficiency of the current IPv4 identification
and routing standard and the transition that will have to be made to IPv6
or some other protocol in order to cope with the sheer number of online
objects expected to swell the network. Part of the discussion has focused
on maintaining robust IP dissociation practices to ensure an object’s
online identity is delinked from personal or company data. These are
obviously key factors in designing a secure IoT, but more needs to be done
to address security issues that do not require a link to personal data at
all.
A classic example is the vulnerability that allowed two hackers to take
control of a Jeep Cherokee – part of an exposé highlighting weaknesses in
the Uconnect system used by auto manufacturer FCA (Chrysler). Using just a
cellphone and a basic Mac computer, two hackers took control of the
vehicle’s air conditioning, visual display, radio, windshield washers, and
even the engine and brakes, and then released the in-car video footage.
During their research they also realized that they could have targeted any
one of a number of similar vehicles if they wanted to launch a genuine
zero-day attack. For them, any actual personal data connected to the
vehicles’ IP addresses was irrelevant as long as they had rewrite access to
their chips’ firmware. Aside from the real danger of fatalities on the
highways, auto manufacturers should already be having nightmares about
product recalls and class action lawsuits.
The role of the cybersecurity advocate
The Cherokee hack was – according to the hackers involved – designed as a
wake-up call to the auto industry, but it also pointed the way to a
possible solution to the security dilemma. Working with the hackers (under
the euphemism “cybersecurity advocates”), Chrysler sent out a patch and
that particular loophole was closed.
The example above demonstrates that to stay ahead of the game, companies
are going to need to get inside the hackers’ mindset and anticipate
problems before they happen – recruiting proactive expert help rather than
relying on the standard iterative process of IT development.
Standardization vs. fragmentation
As ever more companies race to implement the latest IT operation and
usability solutions, the insufficiency of the overarching IT ecosystem is
becoming apparent. There is often no Apple, Google, or Microsoft
architecture that can provide all of the components necessary. In this
absence of standardization, the IT savvy have created their own private
networks, devising bits of code to link up the various parts where needed.
This kind of fragmented IoT is just what the hackers want, as there will
always be vulnerabilities into which they can hook themselves and try to
siphon off data.
Standardization offers the best hope of shoring up the IoT as well as
ensuring company staff are trained to follow best practices in IT security,
such as creating robust passwords and ensuring the latest patches and
updates are downloaded.
Technological advance and competition go hand in hand with companies
falling over one another to implement improved tech solutions and make
their businesses more efficient and their end users happier. While this
healthy drive towards innovation should be encouraged, it should also be
tempered with a concerted effort by all stakeholders to build a robust and
secure IoT, one that is invulnerable to data leakage. Data theft and
compromised safety are real threats that can harm individuals, businesses,
and civilization itself. There is a real danger, if data security is not
treated as a priority, that those risks will undermine the significant
rewards that are on offer.