Always on, connected devices are everywhere and a large component of our lives. Most commonly, people think of digital tools like Alexa, Google Assistant, Bixbi, and Siri. It has been proven that these examples are watching and listening to everything happening nearby and have been proven easy to compromise. Smart home systems offer a level of convenience that would not have been possible 20 years ago, yet just like email, it is an opening for cybercriminals and Advanced Persistent Threats.
Consumer devices are always a public concern, but there are currently five types of IoT applications:
✔️ Consumer IoT—such as light fixtures, home appliances, and voice assistance for the elderly.
✔️ Commercial IoT—IoT applications in the healthcare and transport industries, such as smart pacemakers, monitoring systems, and vehicle to vehicle communication (V2V).
✔️ The Industrial Internet of Things (IIoT)—includes digital control systems, statistical evaluation, smart agriculture, and big industrial data.
✔️ Infrastructure IoT—enables the connectivity of smart cities through infrastructure sensors, management systems, and user-friendly user apps.
✔️ Military Things (IoMT)—applying IoT technologies in the military field, such as robots for surveillance and human-wearable biometrics for combat.
Keep the list in mind, but let’s focus on consumer and commercial devices. We are automating our lives with IoT devices – lights, home climate control, locks on our homes and offices; the list is ever increasing. Even the (VR) systems that map our rooms with specialized cameras require a social media account to operate. Wearable devices track and sense critical health parameters, including how often we move, heartbeat, sleep patterns, and even sense blood oxygen level (Sp02). All of this data leaks out. Companies that use machine learning (ML) and artificial intelligence (AI) to analyze your likes and dislikes supply data that governments can use to correlate with other significant data sources from users and store information often targeted by cybercriminals for ransomware.
Over the last five years, several cyber researchers have demonstrated multiple times the ease of IoT compromise. Many examples of illicit use of personal data include the Russian voting hacks and data purchases by police departments to circumvent local legal requirements. The data owner knows more about our private lives than our closest friends and relatives. Facebook and Instagram may even understand our psychology and behaviors more than we do ourselves.
These technologies certainly have advantageous and beneficial capabilities. Still, society now realizes that giving away that much insight into our lives is not a way to maintain privacy in modern society. Routinely jokes are making comparisons to George Orwell’s book 1984 but are they really jokes or merely an underlying concern? We are also starting to understand that tech companies utilize data mapping algorithms to categorize individuals, analyze and quantify actions. Such an effort does have unintended consequences for all of society, regardless of country. Try thinking about how data from one type of IoT device collects data correlated with another. This is why users will finally revolt and make vendors take home and consumer Internet of Things (IoT) devices more seriously in 2021. Expect to see the consumer market start to push back against IoT devices that collect personal data heavily and pressure government representatives to regulate these devices’ capabilities to protect user privacy. Several news examples of this include Minneapolis, San Francisco, and Detroit banning the police use of facial recognition.
“If you think that the internet has changed your life, think again. The Internet of Things is about to change it all over again!”
From a corporate perspective, the method to handle exposure largely remains the same.
I feel like the rest of the security industry, and I am always saying this … “an endpoint is an endpoint.” IoT components complicate the security perimeter. The more IoT points you connect to the network, the more attack surface you add to the network, and depending on the device, and physical security can be compromised.
You can leverage Endpoint Detection and Response (EDR) cybersecurity to protect your network. EDR tools monitor endpoints, proactively look for threats, send alerts during security events, and respond when possible. However, this creates more work due to the elimination of false positives.
To prevent IoT devices from introducing vulnerabilities into the network, scan the device before enabling the connection. Performing vulnerability scans for devices and systems continuously can ensure the continued health of the network and its components.
Like any other device on your network, an IoT device needs to be subject to a patch management lifecycle. In many cases, this is going to be a firmware patch. While performing the selection process, make sure the vendor takes device security and management seriously. Make sure you add this to your compliance requirement list.
IoT will inevitably become embedded in every aspect of our corporate and personal lives. From home appliances to healthcare devices, transport technology, industrial networks, and military weapons. IoT technology enables digital transformation. As more industries undergo digitalization, more IoT devices will be installed and connected to networks.
Whether you’re responsible for the security of a network or the security of your device—you should take IoT security seriously.