By: Matthias Schorer, Lead Business Development Manager- IoT, EMEA at VMware
For those who are interested in the Internet of Things (IoT) and IT security, I recommend an insightful article from Fortune magazine, titled “Who to Blame for the Attack on the Internet.” The author, Jeff John Roberts, describes a worrying trend of DDoS attacks initiated from compromised IoT devices—Internet-connected cameras, printers, and so on—to launch an attack on a critical part of the Internet, the domain name server (DNS) infrastructure.
Cyber criminals have set their sights on networked devices such as televisions, refrigerators, and baby cameras. We hear every day about the increasing number of hacker attacks, but this is an entirely new problem. It’s been created by the incredibly high number of inadequately protected IoT systems flooding the market.
In December 2016, Juniper Research estimated the number of connected IoT devices would exceed 46 billion in 2021, a 200% increase from 2016. Juniper said growth would be driven in large part by a reduction in the unit cost of hardware, and forecast sensor prices dropping to an average of $1.
Low cost and low security go hand in hand, and these vulnerable devices can easily be found by anyone bent on mischief thanks to Shodan, the search engine for the Internet of Things. In 2013, it was described as the scariest search engine on the Internet because it enabled almost any device connected to the Internet to be interrogated and its vulnerabilities exposed.
At the RSA conference in February, researchers Numaan Huq and Stephen Hilt from Trend Micro revealed how they had used Shodan to discover more than 178 mn IoT devices vulnerable to hackers in the ten largest U.S. cities. These included devices used to control business operations, traffic management, power generation, and manufacturing. Exploitation of such a vulnerability to launch an attack on a nuclear power plant’s cooling system does not bear thinking about!
Severe Security Vulnerabilities
Certainly, many of the first manufacturers responded (and had to respond) to these severe vulnerabilities in their systems. And a good thing they did, as the issues needed to be addressed urgently. The report in Fortune shows quite clearly that the issue of IoT security needs to be taken to an entirely new level and professionalized. This means that all devices connected to the Internet must provide their users with the same level of security. The Internet of Things comprises a complex mix of technological components (data center, cloud, network, software, and hardware)—every one of which must be highly secure.
Taking Up the Arms
In a digital network where millions of IoT devices communicate over the Internet, security has to be built throughout the system, with the things, edge, network and applications. Essential IoT security practices include:
1. Encrypting devices: The smallest unit, the microchip, has to be intelligently encrypted—using a separate key for each device. This is the only reasonable way to repel hacker attacks aimed at stealing access credentials.
2. Providing security updates: Utilize a platform that provides the ability to install software updates on IoT devices, including security patches. This has not been a common practice for consumer products, and we are now paying dearly. If you consider that firewalls and antivirus programs on your home notebook run full time to prevent attacks, the lack of similar protection in the IoT world is an absurd and highly dangerous situation.
3. Integrating intelligent gateways: User data should be transmitted from the end device to an intelligent gateway—encrypted, of course. IoT urgently requires monitoring of enormous data streams and more intelligent defense mechanisms such as deep packet inspection.
4. Strengthening cloud security: Last but not least, an essential component of IoT security is security in the cloud. Customers need to know the personal data their home IoT devices send to the cloud is under the best of care.
Providers of highly networked everyday technology must be sensitive to the issues of IT security, data protection, and data sovereignty. “Safety first” is therefore a must in the age of IoT—so that the Internet of Things, and the great ideas behind it, doesn’t degenerate into the Internet of Thieves.