The Internet of Things presents challenges for consumers and industry
August 2017 | EXPERT BRIEFING | RISK MANAGEMENT
The Internet of Things (IoT) is the term for the many smart devices that are increasingly populating our homes and businesses. Refrigerators, televisions, smartphones, thermostats and virtual assistants using artificial intelligence like Amazon Echo or Google Home make life easier, but they also offer dangerous opportunities for data or network breach.
The last six months have seen the IoT take centre stage both in consumer products, like virtual assistants, and in destructive cyber attacks.
In October 2016, as-yet unidentified hackers created an army out of unsecured devices attached to the internet. This ‘botnet’, composed of webcams, baby monitors, printers and other devices infected with a virus called Mirai, launched the largest distributed denial of service (DDoS) attack carried out to date. The DDoS attack was directed at Dyn, an internet infrastructure provider, and resulted in loss of connectivity to a large number of prominent websites along the east coast of the US and elsewhere, including CNN, Reddit, The Wall Street Journal, the New York Times, Amazon and others.
Many of the devices used in the botnet attack were older, without upgradeable security, or had passwords that owners could not change. In other cases, some consumers and businesses did not bother to change factory-assigned passwords, making it easier to infect the devices and remotely control them.
While the DDoS received considerable attention, and one manufacturer agreed to update the security strength of devices going forward, not much really changed. Although consumers and business IT are routinely counselled to update security and change passwords, it will take the next big DDoS attack to determine the effectiveness of these efforts.
WikiLeaks strikes again
In March, WikiLeaks, a website that gathers generally sensitive information and discloses it on the internet, released what is described as the largest leak of Central Intelligence Agency (CIA) documents in history.
In more than 7000 web pages and almost 1000 attachments, this collection of documents describes the computer tools and codes the CIA used for spying and intruding on WiFi networks, Skype conversations and smart televisions, even when the device appeared to be turned off.
By using a combination of freely available and proprietary tools developed by US spy agencies, the CIA, and others, hackers are now able to gain valuable information and use collected data to infiltrate the IoT more deeply.
Unlike the leak of documents by former NSA contractor Edward Snowden to the Guardian, it is not known who leaked the documents or even why. While WikiLeaks has claimed the documents had been circulating among former CIA contractors, media reports seem to suggest the finger is pointed toward nation-state hackers.
As Bob Ayers, a security analyst and retired US intelligence officer, notes in an AP story, “There is a long-term campaign by the Russians to damage the US and the intelligence community. It is too early to tell if this is another part of that – although it fits that pattern. I think the biggest concern is that we are in a new kind of fight with Russia and we are losing. The damage from lost tools can be repaired. The damage to reputation takes longer.”
The IoT: danger ahead
While some of the sensationalist claims made by WikiLeaks on release of the documents did not hold true, the incident adds to overall concern about the direction of the IoT. As voice control of devices in residential and corporate settings becomes more common, there is no way of knowing whether the microphones have become a two-way street that provides valuable information to those listening in. Although a device might be clean one day, it may have been infiltrated the next.
In addition to the loss of sensitive data, the IoT, as seen in the Dyn attack, can become a powerful weapon. By 2020, Deloitte suggests that 30 billion devices will be connected to the internet. The European Commission aims to take advantage of growth potential across the board by adopting a digital single market that includes connecting devices, reducing taxation burdens and speeding digital access to Europeans.
Encompassing the IoT and network security, the EU adopted the NIS Security Directive, which went into effect in August 2016. EU countries have 21 months to integrate the security directive into their overall protocols for national cyber security.
Used for convenience, to boost productivity and as a cyber weapon, the IoT offers a lot of opportunity to different types of interests. Without policy or IoT regulation in the US, it is only a matter of time until the next illegal use of the IoT comes to light.
Cheryl L Tyler is the president and CEO of CLT3 Consulting, LLC. She can be contacted on +1 (240) 481 7756 or by email: firstname.lastname@example.org.
© Financier Worldwide