As hacks increase in scope and intensity, businesses and governments need to take them seriously or risk great peril.
Picture this: It’s December 24th, and you’re headed anti-clockwise out of London on the M25 at 6:00pm. Coming towards your exit, you think you’ve almost reached the home straight without hitting traffic – could it be a Christmas miracle? But as you approach Junction 12, the vehicles ahead of you grind to a halt. The street lights guiding the way blink off. Ahead of you is a scene of chaos. Resulting from the sudden shutdown of traffic lights, cars and lorries have collided. Traffic queues mount. Irritated drivers beep their horns. You turn on the radio only to realise that the incident isn’t isolated, but has happened at numerous motorway junctions across the UK.
What may have sounded far-fetched just a few years ago could potentially take place in the not-too-distant future. The expanding IoT is incorporating more public services and critical infrastructure, and without the introduction of adequate security measures these systems will be vulnerable to intrusion, easily manipulated and potentially disabled.
IoT and cyber security hacks have been big news in the last year: TalkTalk, Tesco Bank, Three Mobile and Dailymotion have been targeted in the past few months alone, and the trend looks set to continue into 2017. Each hack has exposed the inadequate approaches taken by these high-profile companies. According to the government, two thirds of large UK businesses were hit by a cyber breach or attack in the past year.
Those recent cyber security hacks have resulted in financial and reputational damage, as well as the loss of personal and corporate data. As we enter the era of IoT, however, it is no longer just data at risk, but the running of public services and infrastructure, and the health and safety of British citizens.
The future is not all doom and gloom. Despite the government’s worrying statement on cyber breaches, it also stated that the most common attacks could have been prevented by following the Cyber Essentials scheme. Securing the IoT will take a multi-pronged approach by all parties involved, and adequate security measures, digital trust and collaboration will all help avoid ‘M25’ scenarios in the future.
Back to basics
Before we get to the stage of advanced IoT security, there is something far more basic which should not be overlooked: passwords. According to research from Verizon, 63% of data breaches involved weak, default or stolen passwords, and stories of such breaches have been covered extensively by the media: LinkedIn, Dropbox, O2, and in recent times the National Lottery, are just some of the major names that have suffered password-related breaches. Despite widespread media coverage and awareness being raised of the nature of these attacks, the password remains the most common method of authentication today and is the lowest common denominator in all of these attacks.
Phishing emails which request fake password resets are one route of entry for hackers, in addition to weak passwords and the re-use of passwords for multiple accounts. Even tech aficionado Mark Zuckerberg was revealed to have lax security when his Twitter, Instagram, Pinterest and LinkedIn accounts were hacked in June. The reason? The same simple password, ‘dadada’, was used across multiple accounts.
As Zuckerberg has shown, even the most technologically savvy among us still find it difficult to remember login details for our vast array of online accounts. It is down to the platforms and organisations therefore, to reject password authentication and adopt secure alternatives. They are available, they are easy to implement, and offer much higher levels of security. For example, a service provider could ask an end-user to confirm they are in possession of their own smartphone by requesting they take a photo of a bar code and submit it before moving on to the next level of authentication. Adding the need for a biometric reading like a fingerprint scan would further increase the robustness of the security method.
A new era of hacking
Gartner has predicted that the number of connected devices will reach 20.8 billion by 2020, 13.8 billion of which will be in the consumer sector. In this saturated, competitive environment, many companies consider security as an afterthought rather than a priority, in their rush to launch devices to the market.
This year has seen a number of high profile distributed denial of service (DDoS) attacks, which have been caused by hackers gaining access to a network via unsecured connected devices like smart cameras and printers. The largest of these targeted internet performance management company Dyn, which resulted in disrupted connections to sites like Twitter and Netflix for users on the US East Coast. The company subsequently stated that the attack involved a record-breaking 1.2Tbps of traffic and targeted 100,000 malicious endpoints.
When devices reach the hands of consumers many users will fail to reset the device’s default password, leaving it vulnerable to hackers. Strict security should instead be introduced at the point of manufacture, by making use of a device’s Trusted Execution Environment (TEE). The TEE is an area embedded in many connected devices which establishes a secure ‘fort’, protecting application data within its ‘walls’ from outside intrusion and manipulation. The majority of connected devices have a chip of some shape or size which offers the ideal location to embed secure credentials. Chip manufacturers are perfectly placed to utilise the TEE to ensure devices are secure before they even leave the factory and enter the hands of consumers and businesses.
Building digital trust in a connected era
Chip manufacturers are just one part of the IoT ecosystem and are therefore just one of the many players whose effort is required to create a secure future. Smart devices connect a consumer to the internet, and share data and information between numerous organisations, platforms, and cloud services. Wearables are a prime example of this, as devices like fitness trackers send personal health data to online monitoring services, to personal email accounts and to other devices like the user’s smartphone. CCS Insight predicted that 411 million smart wearable devices worth $34 billion will be sold in 2020. Industry collaboration is therefore needed from all of those involved to gain and maintain trust from end-users, as well as ensuring trust between devices and services, to secure this thriving market.
As the IoT expands beyond personal gadgets to public infrastructure and services, the threats are even greater. As with the Kings Cross scenario, a hacked IoT ecosystem could pose a significant threat to public safety, and as the healthcare industry embraces IoT, personal health also. Just this month potential security flaws were identified in 10 models of pacemakers used in the UK, meaning hackers could disable the pacemakers directly, run down the battery, or apply electric shocks.
Fortunately, there have been no reports of such activity, and similarly, the M25 is yet to grind to a halt as a result of a hack. However, these examples should be viewed as cautionary tales, which underline the sobering thought that until governments and businesses start to take security seriously, the next hack could have very different consequences, putting citizens’ virtual and physical safety at risk.
Source: IT Pro Portal