A survey from UK-based firm Databarracks has found that only 27% of organisations polled feel able to protect themselves against IoT threats.
Based on the findings, its managing director Peter Groucutt has said that organisations must now factor IoT into their continuity planning.
“The IoT device market is still relatively immature and somewhat of a Wild West,” said Groucutt. “According to industry experts, by 2020 there will be over 50 billion connected devices. Understandably, manufacturers are racing to capitalise on the opportunity, but unfortunately, many are doing so at the expense of basic security measures.
“Organisations need to be aware of these risks, even if they do not use any IoT devices – the growing number of connected devices globally means there is an increased risk of DDoS attacks through IoT botnets – but our data suggests firms are ignoring these threats,” added Groucutt. “Research from our annual Data Health Check survey revealed that only 13% of businesses saw IoT threats as a major concern. Additionally, just over a quarter of organisations (27%) had set policies in place designed to protect against IoT threats.”
According to Groucutt, organisations incorporating IoT devices into their IT infrastructure should not rely on existing policies for evaluating the security of devices, but should instead develop new ones. Questions to consider include: what protocol the device uses; whether the IoT network can be isolated from our other systems; whether it connects directly back to the data centre or to a hub, either in the cloud (hosted externally) or on an Edge server that you manage; how we log in and authenticate; whether it can integrate with our existing authentication products; and finally, what OS is used and whether we have competency in it.
This week’s big news had to do with a heat map published back in November by a fitness tracking application called Strava. A 20-year-old in Australia noticed that the running data from U.S. military personnel indicated where clandestine bases were in Syria. His insights percolated through security analysts on Twitter, and then to the U.S. Department of Defense.
Now the DOD is re-evaluating its policies around wearables and mobile phones, and will likely look at the social media habits of its soldiers as well. What happened with Strava is nothing new, exactly. On a smaller scale, hackers and spies have used public social media profiles to get all kinds of information on targets.
But there are two things that are different about the Strava case—and worth noting. The first is the scale of it. The second is how two types of data were combined to create new insights. Strava helpfully showed data from more than a billion activities which, when combined with the map, created a clear picture for those who knew what they were looking for, and disclosed more than Strava intended.
Inadvertently disclosing new information will be the new challenge of our age as we connect ourselves and our things to the internet. Each of us will leave ever-larger digital footprints, which can be combined in various ways to provide new information, all of which will be searchable to anyone with an internet connection and an interest.
Short of hiding in a bunker, wrapping your phone in foil, and ditching social media, what is a person — or a concerned employer — to do? The short answer is we don’t know. Even fully grasping the problem is tough. There are several aspects to it.
Most importantly, there’s an increasing amount of data about individuals online that’s fairly easy to get. Then there’s an increasing amount of data about that data, so-called metadata, that’s also easy to find (or subpoena). For example, if your tweets are data, then the location data attached to them are metadata. And this data can now be combined in new ways. In this week’s podcast, privacy analyst Chiara Rustici called this a “toxic combination.”
Finally, once data is out there, it can be reused, repurposed, and reformulated to help draw new conclusions and meanings that were never intended. Imagine if that permanent record your teachers threatened you with back in school were real. In this new era it effectively is.
That’s just the data challenge. There’s also an economic challenge. Data is incredibly cheap. Which means getting data and metadata and creating these toxic combinations is also incredibly cheap. It’s also seen as incredibly valuable to corporations, which is why everything from your toothbrush maker to your coffeepot is trying to snag as much information as it can.
Data may be cheap to get and hold economic value, but it’s also expensive and difficult to secure, which means bad actors can get a hold of your social security number and credit cards with what feels like relative ease. And yet, when data breaches happen the individual is left to pay the inevitable costs as they try to restore their credit, deal with financial fallout, or recover embarrassing secrets.
There’s a link from Strava’s disclosure of military secrets to revenge porn, and it runs through the internet and its ability to make getting information easier than ever. And it relies on our increasing ability to digitize anything from our running routes to our photos.
We’re intellectually aware of all this, but whenever it comes time to do something about it, we throw up our collective hands and keep snapping our naked pics. There are few existing weapons to solve this problem, so let’s take a look at what they are and where they fall short.
Opt-ins and transparency: Many of our apps and devices come with a variety of privacy settings that can range from simple — share or do not share — to byzantine. Strava’s were apparently byzantine, which didn’t help folks that wanted to stay off the heat map. But good privacy settings can only go so far. They don’t stop hackers from accessing data and they also don’t stop toxic combinations of data.
Differential Privacy: Apple made this privacy concept famous. Essentially all data collected gets anonymized and injected with random noise to make it hard to recombine it and determine to whom the data refers. This is good for individuals, but it requires technical overhead and that the company do it correctly. Apple’s talked a good game, but researchers looking at its implementation say it left a lot to be desired. The other challenge is that you can still glean a lot of information from anonymized data. Note that none of the Strava folks were identified.
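To make the mechanism concrete, here is an added example, not Apple's implementation and not code from the article, of the simplest local differential privacy technique, randomized response: each device flips its own yes/no answer with a probability fixed by the privacy parameter epsilon before anything leaves the device, and the collector can only undo that noise in aggregate, never per person. The function names and the constructed population are assumptions; it also shows the cost the paragraph alludes to, namely that the estimate is noisy and only useful over many devices.

```python
"""Local differential privacy via randomized response (added illustration).

Each client perturbs its own one-bit answer before reporting it, so the
collector never sees the true value for any individual, yet can still
estimate the population total. epsilon is the privacy budget: smaller means
more noise and more deniability. The sample population below is constructed.
"""
import math
import random


def truth_probability(epsilon: float) -> float:
    """Probability of reporting the true bit: e^eps / (e^eps + 1)."""
    return math.exp(epsilon) / (math.exp(epsilon) + 1.0)


def randomize_bit(true_bit: int, epsilon: float, rng: random.Random) -> int:
    """Randomized response for one binary attribute on one device.

    A report of 1 is at most e^epsilon times more likely when the truth is 1
    than when it is 0, which is exactly the epsilon-local-DP guarantee.
    """
    if rng.random() < truth_probability(epsilon):
        return true_bit
    return 1 - true_bit


def estimate_count(reports, epsilon: float) -> float:
    """Unbiased estimate of how many clients truly had bit = 1.

    With p the truth probability, E[reported ones] =
    p * true_ones + (1 - p) * (n - true_ones); solve for true_ones.
    """
    n = len(reports)
    p = truth_probability(epsilon)
    observed_ones = sum(reports)
    return (observed_ones - (1.0 - p) * n) / (2.0 * p - 1.0)


def plausible_deniability_ratio(epsilon: float) -> float:
    """How much more likely a report of 1 is under truth=1 than truth=0."""
    return math.exp(epsilon)


def simulate(true_bits, epsilon: float, seed: int = 0):
    """Run the whole protocol: every device randomizes, collector estimates."""
    rng = random.Random(seed)
    reports = [randomize_bit(b, epsilon, rng) for b in true_bits]
    return reports, estimate_count(reports, epsilon)


if __name__ == "__main__":
    # constructed population: 3,000 of 10,000 devices have the attribute
    population = [1] * 3000 + [0] * 7000
    for eps in (0.5, 1.0, 4.0):
        _, estimate = simulate(population, eps, seed=1)
        print(f"epsilon={eps}: deniability x{plausible_deniability_ratio(eps):.1f}, "
              f"estimated count={estimate:.0f} (true 3000)")
```

Running it shows the trade-off: at epsilon 0.5 a reported bit is barely more informative than a coin flip, so the population estimate wanders by hundreds, while at epsilon 4 it is nearly exact but a single report is about 55 times more likely to be true than not. Anonymized aggregates like the Strava map still leak whatever the aggregate itself reveals; the noise only protects the individual contribution.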
Collect only what you need: This idea is simple. If you are making a device or app, don’t collect more data than you need. For example, the Skybell doorbell doesn’t keep a user’s Wi-Fi credentials after getting set up on the network because it’s not information the company needs. Most other connected devices don’t share that view, however, which led to LIFX bulbs leaking a bunch of Wi-Fi credentials a few years back. Whoops.
This is a tough issue because in many cases companies collect all this extra data in case they might need it someday. And thanks to improvements in machine learning, they may not be wrong. Applying machine learning to random data sets can yield new insights that could improve the service.
Regulations: All of the above are voluntary things that companies can do as a step toward protecting user privacy, or letting users have more say in how their data is used. But the strongest tools to protect privacy will come from regulatory pressure. This year, the world is about to get a massive amount of regulatory pressure in the form of the General Data Protection Regulation. This regulation was passed by the EU in 2016 and goes into effect in May. It acts as a safeguard for data. It enshrines some of the above items, such as needing a reason to collect a piece of data and providing transparency, but it also goes a lot further.
For example, it allows an individual to ask what a company knows about them, forces the company to correct wrong information, and requires the company to dump the user’s data upon request. It also prohibits profiling on the basis of data. These are only some of the regulation’s provisions, but in my conversation with Rustici, it became clear that the GDPR is so forward-looking that from a technical standpoint, we don’t have ways to actually implement some of these provisions yet.
For example, the ability to retract your permission to use data sounds good, but once that data is sold to a third party or combined to create new insights, how can that data be controlled? How can the new knowledge go away?
So while privacy is a huge challenge and one that we’re still wrapping our arms around, we also need to build tools to track each piece of data about us. Maybe even each piece of metadata. Then we need ways to claw that data back. All of this has to be scalable, which leads me to look to something like the blockchain as a way to track data.
We also need to develop a far more sophisticated understanding of what is known about us and how that knowledge can be applied. Which means that companies creating fun blog posts or heat maps based on a wide array of anonymized data should carefully consider how that information could be used.
We keep saying that data is the new oil, but oil is not a wholly harmless substance. We need to accept that data isn’t, either.
With so many consumers buying internet-connected devices these days, hackers are focusing more and more on gaining access to homes and networks via these products. In fact, in September the BlueBorne Bluetooth vulnerability allowed hackers to infiltrate around five billion gadgets simply by using a Bluetooth connection, and recent news shows that issues can still arise from this one vulnerability. Armis Security announced last month that an estimated 20 million Google Home and Amazon Echo devices were vulnerable to attack due to the BlueBorne issue.
While the two tech giants released patches to fix this problem very quickly on their respective devices, the news only goes to show that you need to buy devices with top security protocols in place, as well as know how to keep your gadgets secure once you get them home. Read on for some key ways you can go about protecting your home and information today.
Choose Trusted Brands and Change Security Settings
For starters, think about security when you first go to buy a smart-home system. It pays to buy trusted brands which have a reputation for taking security seriously and making their products less at risk of hacking attacks.
Next, once you bring home devices, as you set them up make sure you change the default settings on each. The information guides which come with products contain instructions on how to do this, but most people don’t read or follow the guidelines, and leave their devices vulnerable as a result. The issue is, hackers can easily look up online, or elsewhere, the details on which usernames and passwords manufacturers use when they create products, and then use this information to gain access to gadgets and networks.
It is a good idea to change the default ID name that is set up on internet-enabled items too. Again, hackers know that most manufacturers ship goods out with the same identification details for each device under their brand name. If cybercriminals run a scan in your area to look for a way to get into your network, they could see the name of your device popping up.
When this happens, they’ll realize straight away that you’re using that particular brand in your home, and will guess you probably haven’t changed any other settings either. This will make them think you’re lax on security, which may compel them to hack into your devices over someone else’s.
Secure Your Wi-Fi
Smart-home products always use the internet to complete their functions. As such, another key strategy you should take to protect your information is to secure your Wi-Fi so hackers can’t use an unsecured wireless network to gain access.
Rather than leaving your Wi-Fi open for anyone to use, protect it with a strong username and password that no one would be able to guess. Your password should be between eight and 12 characters in length and made up of a mixture of symbols, letters (both upper and lower case), and numbers. Avoid basing the username or the password on your own name or on any information about you that hackers could find online, such as the name of your business, pets, children, or partner, or your birthdate, address, and email.
Install Security Software
Next, keep in mind that hackers often try to gain access to smart-home devices via the apps you use to control these devices, which you would have downloaded to your computer, smartphone, and/or tablet. To stay safe then, always install professional security software on your devices.
Choose a product that provides protection from malware, spam, spyware, viruses, ransomware, and the like. In addition, it is helpful to have firewalls running on your devices too. These act as another line of defense against hackers, particularly when it comes to internet-based programs.
Run Regular Updates
Lastly, you will keep your smart-home products safer if you regularly update the different software you use. For example, whenever there is an update available for one of your smart-home products, run it straight away so that security holes discovered since the product was manufactured, or since you purchased it, get plugged.
As well, update the security software, firewalls, apps, browsers, plug-ins, and operating systems on your computers so you always have the latest editions running. Passwords need to be changed every two to three months too if you want to give yourself optimum protection. It is also wise to use different codes for different smart-home products and computers, so that if one does happen to be compromised, they won’t all be vulnerable to attack.
Although all the above-mentioned tips may seem obvious to many of us, we know for sure that very few people, even among the “experienced” users of tech devices, rigorously follow those security “best practices”. It is one thing to know and another thing to do! But considering the expanding number of cyberthreats, it is really time now for all of us to get serious about the security of our connected devices and take the time needed to properly lock the doors of our smart homes…
Five actions to protect your devices from becoming bots:
Create and use strong passwords for all your devices. Do not use the default. This is especially important for smart devices, routers, and other devices with which you may not interact directly.
Update your devices! Software is often patched to remove known vulnerabilities, greatly strengthening your defenses.
Monitor your devices. If a device is acting strangely, investigate it. One example is bounced email messages. If email messages are not reaching their destination, your device could be infected and sending spam as a part of a botnet.
Run anti-virus scans and use other security tools to find and remove malicious software.
Be careful to avoid infecting your devices. Avoid opening suspicious emails, attachments, or risky websites. Some anti-malware services include website security checks.
Want to do even more? Create a device white list for your router. With a white list, only the devices with approved MAC addresses are able to use your network. For other advanced tips on how to better protect your home network, and the devices on it, see the Tom’s Guide article How to Secure Your (Easily Hackable) Smart Home.
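The “monitor your devices” and “device white list” actions above are easier to act on with an inventory check. The following is an added example, not from the article, Tom’s Guide or any router vendor: it reads a dnsmasq-style DHCP lease file (the format many home routers use) and reports every device on the network that is not on your approved-MAC list, plus approved devices whose hostname has changed. The allow list and the lease lines are constructed. Because a MAC address can be spoofed, a white list only keeps out casual joiners; the value of this check is knowing what is on your network, not authenticating it.

```python
"""Audit DHCP leases against a home-network device allow list (added example).

Parses dnsmasq.leases lines of the form
    <expiry-epoch> <mac> <ip> <hostname> <client-id>
and flags (a) MACs not on the allow list and (b) approved MACs whose
hostname differs from what was recorded, a cheap signal that a device is
acting unlike itself. All data below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# constructed allow list: approved MAC -> hostname seen when it was approved
ALLOW_LIST: Dict[str, str] = {
    "aa:bb:cc:00:00:01": "living-room-speaker",
    "aa:bb:cc:00:00:02": "doorbell",
    "aa:bb:cc:00:00:03": "laptop",
}

# constructed dnsmasq.leases content; '*' means the field is unknown
SAMPLE_LEASES = """\
1517270400 aa:bb:cc:00:00:01 192.168.1.10 living-room-speaker 01:aa:bb:cc:00:00:01
1517270500 AA:BB:CC:00:00:02 192.168.1.11 doorbell 01:aa:bb:cc:00:00:02
1517270600 aa:bb:cc:00:00:03 192.168.1.12 laptop-new *
1517270700 de:ad:be:ef:00:99 192.168.1.50 * *
"""


@dataclass(frozen=True)
class Lease:
    expiry: int
    mac: str
    ip: str
    hostname: str


def parse_leases(text: str) -> List[Lease]:
    """Parse lease lines; MACs are normalised to lower case for comparison."""
    leases = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # blank or malformed line
        leases.append(Lease(int(parts[0]), parts[1].lower(), parts[2], parts[3]))
    return leases


def audit(leases: List[Lease], allow_list: Dict[str, str]) -> Tuple[List[Lease], List[Lease]]:
    """Return (unknown devices, approved devices with a changed hostname)."""
    unknown = [l for l in leases if l.mac not in allow_list]
    renamed = [l for l in leases
               if l.mac in allow_list and l.hostname != allow_list[l.mac]]
    return unknown, renamed


def report(text: str, allow_list: Dict[str, str]) -> List[str]:
    """Human-readable findings, one line each."""
    unknown, renamed = audit(parse_leases(text), allow_list)
    lines = [f"UNKNOWN  {l.mac} {l.ip} hostname={l.hostname}" for l in unknown]
    lines += [f"RENAMED  {l.mac} {l.ip} was={allow_list[l.mac]} now={l.hostname}"
              for l in renamed]
    return lines


if __name__ == "__main__":
    # on a real router: open("/var/lib/misc/dnsmasq.leases").read()
    for finding in report(SAMPLE_LEASES, ALLOW_LIST):
        print(finding)
```

Run it against the router's real lease file on a schedule and treat any UNKNOWN line as something to investigate, in the same spirit as the bounced-email example above: an unexpected device, like unexpected outbound mail, is a symptom worth checking rather than proof of compromise.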
A global study of agritech businesses by Inmarsat has revealed that fewer than one in four are confident in their ability to counter IoT-related security threats.
A study of 100 large agritech companies from satellite communications company Inmarsat has found that while they are taking steps to deal with IoT security threats, they remain far from confident in their ability to deal with these threats – with potentially grim implications for the farmers that they serve. The findings are outlined in Inmarsat’s The Future of IoT in Enterprise – 2017 report.
More than half (52 percent) of respondents say they have invested in new security technologies to take into account IoT. But 45 percent admit that their process to counter cyber attacks could be stronger. Almost one in four (23 percent), meanwhile, said that they would need to make heavy investments in their security capabilities if they were to be sure their customers could safely exploit IoT.
When the survey looked in more detail at the areas that were particularly in need of work, the Inmarsat study found that only 42 percent of agritech companies had given special consideration to network security in the development of their IoT solutions.
The study also found there is a significant need for skills within the sector as over half (55%) of those in the research reported that they needed additional security skills.
These are serious issues for modern farmers, since technologies like IoT can potentially help them in many ways, according to Chris Harry-Thomas, director of sector development agriculture at Inmarsat Enterprise.
“IoT technologies are being leveraged to automate irrigation and fertilisation systems on farms, to add new precision to operations and reduce waste, and to automate farming machinery, reducing the need for manual intervention,” he said. “However, a more technology-dependent and connected farm is a more vulnerable one, without the necessary security protocols.”
“These threats are not trivial. Whereas an industrial-scale cyber attack in any industry can do significant harm to a business’s bottom line, such an attack in the agricultural sector could see whole crops decimated and have severe consequences for the quality of life of entire populations. It’s therefore critical that agritech businesses can take the necessary measures to counter these risks, and it’s clear from our research that there is a significant amount of room for improvement in this area.”