3 key security challenges for the Internet of Things

By Raj Samani on Oct 29, 2014

What challenges pose the biggest threat to the Internet of Things?

The Internet of Things (IoT) is already starting to give rise to real-world applications, from connected homes and cars to health monitoring and smart utility meters.

Analyst Gartner predicts there will be 26 billion IoT devices – excluding PCs, tablets and smart phones – by 2020. That’s a 30-fold increase from 900 million in 2009.

I was at an event in Munich just last month where a presenter spoke about how it took the decade up to 2005 for the deployment of the first billion internet-connected sensors. The latest billion sensors were implemented during 2013 alone and we are well on our way to the first trillion. The pace of this growth is relentless.

But there has been one thing missing from many of the IoT discussions to date – trust. The IoT represents an entirely different level of scale and complexity when it comes to the application of the foundations for this trust, namely security and privacy.

Already we are seeing hacks – proof-of-concept and in the wild – on IoT applications, from smart TVs and cash machines to malware-infected high-risk pregnancy monitors at a Boston hospital in the US. And in its latest internet threat assessment report, the European crime agency Europol warns that the IoT creates new types of risks and threats not only in consumer applications but also in critical infrastructure control systems.

It goes on to say: “We can expect to see (more) targeted attacks on existing and emerging infrastructures, including new forms of blackmailing and extortion schemes (e.g. ransomware for smart cars or smart homes), data theft, physical injury and possible death, and new types of botnets.”

Here are three key IoT security challenges I foresee:

1. A trillion points of vulnerability

Every single device and sensor in the IoT represents a potential risk. How confident can an organisation be that each of these devices has the controls in place to preserve the confidentiality of the data collected and the integrity of the data sent?

Researchers at the French technology institute Eurecom downloaded some 32,000 firmware images from potential IoT device manufacturers and discovered 38 vulnerabilities across 123 products, including poor encryption and backdoors that could allow unauthorised access. And one weak link could open up access to hundreds of thousands of devices on a network, with potentially serious consequences.

2. Trust and data integrity

Corporate systems will be bombarded by data from all manner of connected sensors in the IoT. But how sure can an organisation be that the data has not been compromised or interfered with?

Take the example of utility companies automatically collecting readings from customer smart meters. Researchers have already demonstrated that smart meters widely used in Spain, for example, can be hacked to under-report energy use. They were able to spoof messages being sent from the meter to the utility company and send false data. In recent years we have been able to go to a high street store and buy anti-virus protection on a disc or download it straight to our PC. But in the IoT that security capability doesn’t exist in many of the devices that will suddenly become connected.

Security must be built into the design of these devices and systems to create trust in both the hardware and integrity of the data.
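One way to build that integrity check into the reading path, shown as an added example that is not from the original post: the meter tags each reading with HMAC-SHA256 under a per-device key plus a monotonic counter, and the utility's collector rejects altered, forged or replayed messages. The key store, field names and message layout are assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Constructed per-device key; in practice provisioned at manufacture and
# held in protected storage on the meter (assumption).
DEVICE_KEYS = {"meter-001": bytes.fromhex("00112233445566778899aabbccddeeff" * 2)}


def sign_reading(device_id, counter, kwh, key):
    """Meter side: serialise the reading and attach an HMAC-SHA256 tag."""
    body = json.dumps(
        {"id": device_id, "ctr": counter, "kwh": kwh},
        sort_keys=True, separators=(",", ":"),
    ).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body.decode(), "tag": tag}


class Collector:
    """Utility side: accept a reading only if it is authentic and fresh."""

    def __init__(self, keys):
        self.keys = keys
        self.last_counter = {}  # device id -> highest counter accepted

    def accept(self, msg):
        try:
            body = msg["body"].encode()
            fields = json.loads(body)
            key = self.keys[fields["id"]]
            counter = int(fields["ctr"])
        except (KeyError, ValueError, TypeError, AttributeError):
            return False, "malformed or unknown device"
        expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
        supplied = str(msg.get("tag", "")).encode()
        # Constant-time comparison avoids leaking tag bytes through timing.
        if not hmac.compare_digest(expected, supplied):
            return False, "bad tag"
        # A counter that does not advance means a replayed or stale message.
        if counter <= self.last_counter.get(fields["id"], -1):
            return False, "replayed or stale counter"
        self.last_counter[fields["id"]] = counter
        return True, "ok"
```

Giving each meter its own key limits the damage if one device's key is extracted: only that meter's readings can then be forged.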

3. Data collection, protection and privacy

The vision for the IoT is to make our everyday lives easier and boost the efficiency and productivity of businesses and employees. The data collected will help us make smarter decisions. But this will also have an impact on privacy expectations. If data collected by connected devices is compromised it will undermine trust in the IoT. We are already seeing consumers place higher expectations on businesses and governments to safeguard their personal information.

And beyond that, what about the security that protects the critical national infrastructure (CNI), such as oil fields and air traffic control? With everything connected, the IoT smashes the separation between the CNI and the consumer world. Everyday household items could potentially be exploited by cybercriminals to gain access to the CNI.

Businesses need to start now to identify the risk level of their current exposure to the IoT and where it is going in the future, and also think about the privacy and security implications associated with the volume and type of data the IoT will generate.

It truly is a brave new world that promises many exciting opportunities. Trust is the foundation of the IoT and that needs to be underpinned by security and privacy. And it’s a conversation we all need to start having now if we are to reap the benefits of the connected world.

About the Author

Raj Samani

Raj Samani is Chief Scientist and Fellow for the Enterprise business. He has assisted multiple law enforcement agencies in cybercrime cases and is a special advisor to the European Cybercrime Centre in The Hague. Samani has been recognized for his contribution to the computer security industry through numerous awards, including the Infosecurity Europe hall of ...
