A disgruntled job applicant hacks into Maroochydore’s sewerage system, releasing a lethal stink across the town. Political pranksters hack into a Sydney road traffic sign and tweak it to display a less than pleasant missive to the government.
It might sound like fun and games, but as more and more connected objects come onto the market, the rapidly growing ‘Internet of Things’ is bringing significant new security challenges to both consumers and businesses -- and the old anti-virus patch-up job just won’t cut it anymore.
According to Gartner, the IoT will grow to 26 billion installed devices globally by 2020, contributing more than $300 billion in revenue.
That’s an awful lot of connected devices -- meaning an exponential increase in the attack surface for potential threats.
As the internet starts to recover from bouts of Heartbleed-induced panic, one thing is clear: anything connected to an IP address is potentially vulnerable.
“Many of the early attacks that we’ve seen have just been a bit of hijinks and fun, but there’s also a more serious side to it,” says Dean Frye, technical director APAC at cybersecurity firm Sourcefire.
“We’ve got basically a lot of devices being designed very, very quickly for a whole lot of apps -- consumer, industrial and so on -- that are running systems that are not necessarily visible to us, and the attacks are become much, much greater than what we think of when we think about traditional computer security.”
The growing use of automation around critical infrastructure such as electricity and gas grids -- not to mention companies housed in smart buildings that regulate things like air conditioning -- means much more may be at stake than someone hacking into your smart fridge and spoiling your lunch.
IP enabled smart cars, for example, may harbour hidden risks for individuals’ safety, with Tesla recently coming under fire for password vulnerability.
McAfee Asia-Pacific chief technology officer Sean Duca warns that as consumers and enterprises become more dependent on automated devices, a simple denial of service attack could have significant implications.
“The more devices that become IP enabled, the more we depend on them, and any disruption can start to impact on our everyday lives, whether that means consumers or business,” Duca says.
The old security approach doesn’t work
While cybersecurity has always been -- and will remain -- a game of cat and mouse with no silver bullet, the reality is that slapping an anti-virus across a network is just not going to cut it anymore.
“We can’t go through that same process as we’ve been doing for the last 10 or 20 years,” Duca says.
“With anti-virus, we have the ability to go out and install it on a PC or a Mac. But in the concept of IoT these are going to be tiny devices that security can’t be retrofitted to. It’s going to be extremely difficult for us to apply security after the fact.”
The onus then is on device manufacturers to ensure their products are securely designed every step of the way. That may mean locking down a product so that it can only run code for its specific purpose, which would prevent unauthorised code from infiltrating the device -- and potentially other connected systems.
That’s a big expectation when there are currently no industry standards for manufacturers to meet -- and a big problem when consumer awareness is painfully low.
“Humans are the weakest link by a long shot,” says Sourcefire’s Frye. “Consumers still don’t do basic things like managing passwords properly or keeping things up to date. When a consumer goes to buy the latest phone handset or Google Glass or whatever it is, they’re concerned about battery life and screen size -- they’re not necessarily educated enough.”
When you add in consumers’ seemingly insatiable hunger for cheap electronic goods -- and the willingness of countries like China to meet that demand -- the challenge of dealing with the new onslaught of security threats appears almost hopeless.
What can businesses do?
Until standards and solutions are more developed, McAfee’s Duca says the best thing businesses can do to mitigate potential threats -- especially given the growing trend towards BYOD -- is to ensure that they are aware of every single device connected to their network, and know what each one is doing.
This could include monitoring the types of apps that devices are using and the type of data they are sending, and there are plenty of tools readily available to facilitate this.
“We need to go back to the core tenets of security and ultimately you want to have visibility,” says Duca. “Businesses need to be aware of what’s going on.”