Analysing the five major aspects of poor Internet of Things security

The security market for the Internet of Things (IoT) will reach $37 billion by 2021, according to the analysts at MarketsandMarkets.com. Because there is growing demand for cyber security, there is a lot of money spent to ensure it.

At the start of 2017, experts predicted that gaping holes in IoT would lead to the destruction of critical infrastructure, the growth of competitive intelligence, and the theft of intellectual property. It was also predicted that an increase in DDoS attacks would paralyze the Dyn DNS system and, with it, many important web domains.

With that in mind, it’s worth looking at five major aspects of the lamentable state of IoT security, stemming from explosive growth, scale, vulnerability, capacity, and availability of devices.

The first aspect

Gartner says 8.4 billion connected ‘things’ will be in use in 2017. Today, at least six million new IoT devices appear on the network every day, which means the constant appearance of new vulnerabilities. For example, last year at DefCon, researchers found 47 new vulnerabilities in 23 IoT devices by 21 manufacturers.

Given that one device usually has several holes, the situation is deplorable. The vulnerability of IoT devices is caused by several factors: the lack of sufficient experience by manufacturers to ensure reliable protection of their products, modest computing and disk capacities that limit the range of available security mechanisms, complicated software update procedures, and the lack of user attention to threats caused by IoT devices.

The second aspect

IoT devices are a very attractive, powerful, and ubiquitous environment for intruders. The growing number of easily compromised consumer devices increases the probability, frequency, and severity of attacks including attacks on corporate data, businesses, equipment, employees, and consumers. For an attacker, it’s easy to get control over entire networks, starting with the compromise of one of the many vulnerable consumer IoT devices.

A vivid example is the popular NEST thermostat. In 2015, TrapX Security engineers connected to the mini-USB port of the thermostat and conducted a man-in-the-middle (MITM) attack, during which a special application scrambled the ARP address of the network gateway. Hackers use MITM attacks to gain control over systems on one or both ends of the communications channel, including corporate networks.

This hole is just one of many examples of how seemingly innocent IoT devices can cause the compromise of entire networks and organisations, thefts, and possibly even disruptions of current processes. By gaining control over the IoT network at home or in the organisation, hackers can not only steal data but endanger life, health, and property.

The third aspect

IoT is the gateway to huge amounts of personal user information that helps hackers in the selection of targets and vectors of attacks. It becomes easier for them to choose passwords used in key companies, government, military, political, and public organisations.

User data is collected on the Internet of Things to help companies conduct targeted marketing by creating a digital representation of all user preferences and features. Attackers steal and combine data from different sources to reveal the interests and habits of people so that they can pick up passwords and answers to secret questions. In some cases, people use the same passwords for corporate networks.

The fourth aspect

Increasing the availability of SCADA and the management of industrial systems through IoT makes possible widespread devastating attacks. When industrial control systems based on IoT are connected to the Internet, it becomes challenging to protect against attacks on the national infrastructure – utilities, power systems, and so on.

As an example of such a scenario, one can recall the recent attack on European energy facilities, which resulted in tens of thousands of people without electricity. In this case, the object of the attack was the control system of this critical infrastructure, which led to its failure.

The fifth aspect

The widespread and – for the most part – open IoT allows hackers to conduct simultaneous attacks on any agency, service or enterprise, as shown in the movie Die Hard 4. Hackers can create and use large botnets that simultaneously jam various infrastructures with DDoS attacks. Imagine what would happen if 10%-15% of the devices in a country are used for a DDoS attack against one of the world’s financial centres?

According to the previously mentioned Gartner forecast, by 2020 there will be 20.8 billion IoT devices. To protect this equipment, companies must first assess the risks, implement the security procedures developed for each device, and train staff. IDS/IPS security technologies should also guard against potentially malicious behaviour by IoT devices. When a company uses consumer devices such as the NEST thermostat mentioned above, it must also introduce second generation firewalls that allow the device to connect only to certain IP addresses. The emergence of vulnerable devices in homes is an important reason for educating employees about these risks.
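The per-device restriction described above can also be checked after the fact against flow logs. The following is an added example, not code from the original article: the device names, the allowlist and the flow records are constructed, and all addresses come from the reserved documentation ranges.

```python
import ipaddress
from collections import defaultdict

# Hypothetical per-device egress allowlist (constructed; documentation ranges).
ALLOWLIST = {
    "thermostat-01": ["198.51.100.0/28", "2001:db8:10::/64"],
    "camera-02": ["203.0.113.25/32"],
}

# Constructed flow records: (device, destination IP, destination port).
SAMPLE_FLOWS = [
    ("thermostat-01", "198.51.100.5", 443),
    ("thermostat-01", "2001:db8:10::7", 443),
    ("thermostat-01", "192.0.2.77", 23),
    ("camera-02", "203.0.113.25", 443),
    ("camera-02", "203.0.113.26", 443),
    ("printer-03", "198.51.100.5", 443),
    ("camera-02", "not-an-ip", 80),
]

def compile_allowlist(raw):
    """Parse CIDR strings once so each flow check is a cheap membership test."""
    return {dev: [ipaddress.ip_network(n) for n in nets] for dev, nets in raw.items()}

def check_flow(policy, device, dst):
    """Return 'allow' or a deny reason; unknown devices and bad input are denied."""
    nets = policy.get(device)
    if nets is None:
        return "deny:unknown-device"
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        return "deny:malformed-destination"
    # An IPv4 address is never "in" an IPv6 network (and vice versa), so both can coexist.
    if any(addr in net for net in nets):
        return "allow"
    return "deny:destination-not-allowlisted"

def violations(policy, flows):
    """Group denied flows per device for an IDS-style alert summary."""
    out = defaultdict(list)
    for device, dst, port in flows:
        verdict = check_flow(policy, device, dst)
        if verdict != "allow":
            out[device].append((dst, port, verdict))
    return dict(out)

# Alert summary for the constructed sample flows.
ALERTS = violations(compile_allowlist(ALLOWLIST), SAMPLE_FLOWS)
```

The check is default-deny: a device with no policy entry is reported rather than silently allowed, which is how newly connected devices show up in the alert summary.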

You can protect yourself with additional authentication – for example, two-factor authentication. Companies themselves must adapt to changing password requirements. This requires professionals who are aware of the risks of the new technology, and the constant updating of the software and hardware infrastructure (without introducing new risks).

It is difficult to secure SCADA and industrial legacy control systems because such systems tend to be closed to the basic mechanisms for ensuring cyber security. At a minimum, companies must isolate them in their networks and tightly monitor and regulate access to them. Industrial control systems have high availability requirements. This means that non-critical updates are not allowed. In an ideal world, such systems must be isolated from the Internet.

Conclusion

IoT protection from DDoS attacks includes ensuring the security of devices. This approach is consistent with the standard security model of zero trust and least privilege. Organisations can be protected from hackers using IoT botnets by hardening security in networks containing IoT devices. But for this, it is necessary to carefully test the available tools and see how effectively they protect. With the help of new technologies, it can be possible to detect intruders.

What to do from here? Maintaining security of the Internet of Things is not without difficulties, but it is not hopeless either. However, it is worth taking the following steps:

  • Regulators should fine companies that sell equipment with security problems until they recall and make corrections to their products
  • Legislators must introduce laws requiring periodic restoration of IoT software to its original state. This will periodically get rid of the malware used to penetrate the network
  • Finally, new hardware should use a limited range of IPv6 addresses, so for those who are under attack by botnets, it is easier to force their provider to reject all packets originating from IoT devices.

iottechnews.com: Latest from the homepage

The road as a ‘social space’: Analysing the challenges of autonomous vehicle integration


The future of mobility has become a major topic of discussion in the automotive world. Introductions including the Internet of Things, autonomous vehicles, ride sharing and new synergies between car manufacturers and technology players are all changing the transportation ecosystem as we know it.  

One thing in particular I think we can all agree on is that autonomous vehicles (AVs) are coming.

Every day new pilot schemes bring AVs closer to the road and into the public mind-set, and research has estimated that by 2035, 85 million autonomous-capable vehicles will be sold annually around the world.

However, the speed at which AVs arrive and the impact with which they arrive will be an unknown factor for drivers and pedestrians alike. Ultimately it is these groups’ acceptance that will be critical to their success.

At Goodyear, we recently conducted research across Europe that underscores the importance of understanding the public’s attitudes towards this new technology. Conducted in partnership with the London School of Economics, the study investigated how drivers in 11 European countries felt about the prospect of sharing the road with driverless cars.

Whilst 39% of the drivers surveyed were found to be hesitant about the introduction of autonomous vehicles – something which is common amongst new innovation breakthroughs – there were a significant number who embraced it. Nearly a third (29%) of respondents, including 28% of those from the UK, said that they would be comfortable driving alongside AVs.

Possibly even more interesting is the importance that perception seems to play in people’s attitudes towards driverless cars. In the focus groups conducted as part of the study, some participants saw AVs as no longer being a traditional car, but more as a mobility service, and as such they were then more easily able to see the potential lifestyle benefits that AVs could bring with them.

One particularly intriguing possibility suggested was that of sending an AV down to the bakery on Saturday morning to collect warm bread rolls. And with human drivers no longer in the equation, they were also able to consider the potential of AVs to weed out the bad behaviour of other road-users, as they generally expected AVs to be ‘well-behaved’ and abide by the rules of the road.

Indeed, our research showed that safety remains an important consideration in the public views on the development of AVs. 41% of survey respondents agreed that “most accidents are caused by human error, so autonomous vehicles would be safer”. A further 44% felt that AVs might even be better than human drivers, as “machines don’t have emotions”.

Yet, there are still concerns at the prospect of AVs. For many of our survey respondents these related to the willingness to give up control, to the reliability of AV technology and to AVs’ ability to integrate in the “social space” that is the road. However, when considering that 60 percent of respondents don’t feel they know enough about how AVs work, it is to be hoped that greater familiarity will address some of these concerns.

AVs are not simply another new technology. They are a technology that is gradually emerging into an intensely social space. The key to success will be a two-way exchange based on an understanding of the complex attitudes that define the public’s view of AVs and how they should fit in on the road.

After all, we shouldn’t forget that some driverless elements are already seen in our day to day lives – from driverless trams to cruise control and parking assist, these innovations have been embraced due to a widespread understanding of the technology behind them and the backing of early adopters.

As the role of the driver will steadily evolve, the partially and fully autonomous vehicles of the future will need to learn to cope with the millions of possible unknowns we face in every day driving scenarios to safely navigate their surroundings.

And as the only link to the road, tyres can further enhance the safety and maneuverability of self-driving cars. Our next-generation technologies fully embrace the demands of autonomous driving, and our Eagle-360 concept tyre, unveiled at last year’s Geneva Motor Show, is just one example. Its spherical shape allows it to move in all directions, greatly improving a vehicle’s ability to avoid sudden obstacles and reducing sliding whilst also making parking much more efficient. Combining this technology with integrated sensors which monitor driving and weather conditions in real time, the tyre can provide crucial information to the car to enhance braking, handling and efficiency.

Amongst the public testing and innovation launches, the coming years will be an interesting period, not only for those in the automotive industry itself, but for the everyday driver. However, one thing is clear – the introduction of AVs will very much depend on understanding the public’s feelings of how they should fit into the social space that is the road.

We can’t wait to see what happens next. 
