The Internet of Things (IoT) is playing a key role in our daily life without us even realizing it
So, what is IoT after all?
Let’s put it simply: IoT is the network of physical devices, vehicles, home appliances, and other items that can connect and exchange data. Cars, CCTV cameras, kitchen appliances, lighting, and even heart monitors can all be connected through IoT.
We can think of many devices in our homes designed to make our life much easier and more comfortable. What do you think of having your coffee machine prepare your favorite cappuccino in the morning when the alarm rings at 7:30 AM? Or turning on the heating in your home from your smartphone before you even open the front door? Life’s good!
Unfortunately, the extensive use of these data exchange processes poses an increased security risk, because every connected device is another entry point for potential attackers. In this article, we have collected common cybersecurity risks which we believe are important to consider in the realm of IoT.
Vulnerability: “A weakness in a system or its design that allows an intruder to execute commands, access unauthorized data, and/or conduct denial-of-service attacks” (Køien, 2015)
IoT is subject to the following key vulnerabilities:
- Weaknesses in system hardware/software
- Weaknesses in policies and procedures used in the systems
- Weaknesses stemming from the users themselves
Threats: “Action that takes advantage of security weaknesses in a system and has a negative impact on it.” (Køien, 2015)
Threats stem from two sources: natural and human. Our focus is on human-related threats, such as:
- Identification: association of name, address, nickname, or any kind of data that identifies a person
- Localization and Tracking: the threat of determining a person’s location without his/her permission, for example through GPS hacking or by analysing internet traffic
- Profiling: the collection of information about interests, hobbies, and demographics
- Privacy-violating interaction and presentation: Collection of private information through a public channel open for the market
- Lifecycle transitions: usage of private photos and videos on smart gadgets, such as old phones and laptops
Key security issues and their solutions
1. Insecure software
Insecure software is closely connected to the application and availability of regular security updates. There are three crucial factors to consider: the users, the flexibility of the software, and the updates themselves. Users must remember to update their software regularly so that it runs on the latest security technologies, and the software systems need to be agile enough to incorporate such updates. Additionally, the update itself must not introduce new security issues that did not exist before.
Heard about patches and their effect?
Patches are probably one of the most important cybersecurity defenses available to ordinary users, up there with solutions like anti-virus programs. Patches keep attackers from exploiting newly disclosed security flaws.
2. Poor Physical Security
Weaknesses of this kind can be encountered when an attacker connects to a device that gives easy access to external data storage and to any data collected on the device. To secure data firmly, it is important to limit administrative access and to limit physical access to the device.
A common vulnerability is legacy devices. Legacy devices are old or out-of-date devices whose hardware cannot be updated to match current security standards, and they are vulnerable to attacks. Most clients/customers don’t understand the risks that the absence of security can cause. A single infected device (termed a “zombie”) can compromise the security of the whole system.
3. Insecure Web Interface
Insecure web interfaces can result in a data leak or in an attack that leads to the theft of critical data. Weak default credentials are a primary reason for this threat. It can be prevented by following a few basic and easy actions:
- Change default credentials and configurations after the initial setup
- Ensure that password-recovery mechanisms do not give an attacker sensitive information valid for an active account
- Set up a firewall to isolate the device and authenticate outside connections
4. Insufficient authentication/authorization
Poor authentication mechanisms enable attackers to gain higher levels of access and make it easier for them to reach critical data. An example would be a lack of complexity in the password. Ensuring that the password is strong enough can defuse attacks and protect your information.
Another way to deal with the risk of insufficient authentication is layered authentication (also known as multi-factor authentication). Layered authentication can stop attackers at an additional level and can also serve as an indication of a security breach. With multi-factor authentication, attackers have to break through more than one layer of authentication before they can access the data.
5. Privacy vulnerabilities
What exactly is personal data?
“Personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.” (European Commission, 2012)
Personal data is usually collected when one subscribes to a service or sets up a device. The collected data is stored for an unspecified period of time. The security of this data is no longer in the hands of the person it belongs to but in the hands of the service provider or device manufacturer. This means the data can be easily accessed if these companies are attacked, with negative consequences for the consumer if the information gets into the wrong hands. To protect your information, ensure that only data critical to the operation of the device is collected and that the data is protected with encryption. Paying close attention to how your data is handled and how long it is stored will give you greater transparency on how the data is being used and handled.
Regulations should be created to protect private data of consumers. An example is the General Data Protection Regulation (GDPR), which was designed and ratified in order to protect the fundamental right to privacy for every EU resident and will be implemented in May 2018
6. Human Error
Human error led to the leakage of sensitive details of thousands of people worldwide through data exposed in AWS S3 buckets. Unprotected storage can cause great damage by leaking critical personal information, such as passport details and documents containing social security numbers, to the internet. The cause is usually a misconfiguration made by a human that leaves the data open to the public.
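As an added example that is not part of the original article, the following Python audit flags the kind of misconfiguration just described: an S3 bucket policy or ACL that grants access to everyone. The bucket policies and ACL grants are constructed samples in the shape the S3 API returns, not real buckets; a finding from either function means the bucket should be reviewed before it leaks data.

```python
import json

# Constructed samples, not real buckets: a policy that opens objects to everyone,
# one that grants only a specific IAM role, and an ACL grant to the AllUsers group.
PUBLIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-uploads/*"}]})
PRIVATE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-uploads/*"}]})
PUBLIC_ACL = [{"Grantee": {"Type": "Group",
                           "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
               "Permission": "READ"}]

# Predefined groups whose grants make data reachable by anyone; AuthenticatedUsers
# means any AWS account in the world, not just yours, so it counts as public here.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}

def _as_list(value):
    return value if isinstance(value, list) else [value]  # fields may be str or list

def _principal_is_anyone(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def public_policy_statements(policy_json):
    """(action, resource) pairs that an unconditional Allow grants to everyone.
    Statements with a Condition are skipped: they may be scoped (e.g. to one VPC
    endpoint), so a person should read the condition rather than trust a flag."""
    found = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if not _principal_is_anyone(stmt.get("Principal")):
            continue
        for action in _as_list(stmt.get("Action", [])):
            for resource in _as_list(stmt.get("Resource", [])):
                found.append((action, resource))
    return found

def public_acl_grants(grants):
    """(group name, permission) pairs for ACL grants made to a public group."""
    return [(PUBLIC_GROUP_URIS[g["Grantee"]["URI"]], g["Permission"]) for g in grants
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GROUP_URIS]
```

In practice the policy string and grant list would come from the bucket's policy and ACL as returned by the S3 API, and the two checks complement the account-level "block public access" setting rather than replace it.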
Phishing scams, which obtain information through emails, also succeed because of human error, and especially because of a lack of understanding of the risks involved in providing details to an unknown source or person. Though phishing has been around for a long time, in the context of IoT a single vulnerability created by information obtained through phishing can derail an entire IoT ecosystem. Therefore, raising awareness of the risks that such actions create is a priority.
Conclusion
IoT applications hold a game-changing potential to make our lives easier and more convenient. Unfortunately, if the security problems are not addressed, these applications could lead to plenty of problems that exceed the actual value of adopting IoT applications and devices.