Back in the 1990s, there was a very popular trend in sci-fi movies: everyday objects taking control and trying to eliminate humans. In those days, one could see such a pattern in almost every blockbuster, with killer toasters, killer cars, or some other dangerous devices trying to do harm to innocent people. Back then this was a kind of entertainment that most people never conceived of as an actual threat.
But, apparently, it is now a threat more real than ever. As more and more devices are connected online, or at least have the option to access the internet, experts are raising a red flag: everyone should be concerned about a potential safety threat that is at the doorstep.
Security Is Key In IoT
From smart thermostats to connected cameras, medical implants or industrial controllers, a huge number of devices have been shown to be hackable – with the potential to cause serious damage to people’s lives in economic, domestic, or even physical terms. Most market experts can agree on one common way of dealing with this issue: there should be some rules and laws to follow in order to ensure users a degree of safety and comfort in enjoying the advantages of technology.
The technology craze and the rush to better and faster devices have caused some serious flaws in security. A number of these issues can be eliminated at the early stages of production, and more and more companies understand that cyber-security is a matter which should be embedded into the design stage. Now is the perfect time to develop proper technical risk assessment: to ensure that devices, code, data, and infrastructure are all sufficiently protected. Companies and customers need to fully understand the risks, neither over-dramatising them nor dismissing security in the Internet of Things (IoT) industry as too difficult to tackle. The key is understanding the risks and putting in place appropriate mitigation.
In order to do so, companies need to develop their security departments and invest in training to educate employees, as well as ensure that proper security experts are involved in the design process from the very beginning. A great example of corporate responsibility in terms of IoT security is Microsoft, which has put together a checklist of IoT best practices, or IoT security essentials. According to Microsoft, IoT hardware manufacturers and integrators must:
- Specify hardware to minimum requirements, such that a device is not capable of doing more than it needs to;
- Ensure that all hardware is tamper-proof, with no internal or external USB ports, for instance;
- Build equipment around secure hardware such as the Trusted Platform Module (TPM);
- Ensure that there is a secure path for firmware upgrades.
IoT solution developers, meanwhile, must:
- Follow secure software development methodology;
- Ensure that any open-source software used has an active community addressing any security issues that arise;
- Integrate with care: check all interfaces of components for security flaws, paying particular attention to superfluous functionalities that may be available via an API layer.
IoT solution deployers must:
- Ensure all deployed hardware is tamper-proof – particularly when left unsupervised or in public spaces;
- Keep authentication keys safe after the deployment. Any compromised keys can be used by a malicious device to masquerade as existing devices.
Finally, IoT solution operators must:
- Keep the system up to date with the latest operating systems and drivers;
- Protect against malicious activity by securing device operating systems with the latest anti-malware capabilities;
- Audit the IoT infrastructure often for security-related issues;
- Physically protect the infrastructure from malicious access;
- Protect cloud authentication credentials by changing passwords frequently, and not logging on from public machines.
Bodies such as the International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) are doing a lot of work in the area, but there is still no universal, certifiable standard for IoT security.
Recent IoT Hacks
There is still some way to go, however, before IoT is fully secured, as can be seen by a few examples from its recent history:
- 2010: Stuxnet vibrated centrifuges in an Iranian nuclear plant
- 2011: A hacker took wireless control of insulin pumps
- 2014: Hackers commandeered hundreds of webcams and baby monitors
- 2015: Researchers remotely took over and crashed a Jeep Cherokee
- 2015: Flight controls on a plane were hacked via its in-flight entertainment system
- 2016: Smart thermostats were hacked in order to host ransomware