The problem is growing in scope and scale. In the US, the Department of Homeland Security has reportedly been investigating cases of suspected security flaws in medical devices and hospital equipment.But this is not slowing the growth of IoT in the enterprise. Machine-to-machine (M2M) sensor technology is infiltrating the retail, manufacturing and logistics industries. ‘Smart' machines such as coffee makers are increasingly likely to plug into the corporate network - and this is on top of the connected devices brought to work by employees.
Meanwhile, IoT poses a very real threat to the consumer in the form of automated cars as well as smart meters in the home, which could be compromised by hackers to devastating effect.Experts predict the security problems associated with IoT will soon begin to surge. According to analyst Gartner, there will be nearly 26 billion IoT devices by 2020. The firm says this will lead to over 20 percent of enterprises having digital security services devoted to protecting business initiatives using IoT devices and services by the end of 2017.
Problems associated with IoT can be complex: the technology requires a new understanding of how devices must be secured. It is said that infrastructure is IoT's weak point, due to the wireless networks that enable communication between devices, which could be exploited by hackers as a point-of-entry to the corporate network.
"If you have a
– Jon Collins, GigaOm research analyst
The effort needed by would-be attackers is small. This was recently proven by consultancy Context Information Security, which was able to easily compromise five commercially available IP-connected products. By taking advantage of poor authentication running through smart lightbulbs, an IP camera, network attached storage and a wireless printer, the firm was able to gain access to wireless router passwords and encryption keys, taking control of the devices.“You don't actually have to be proactive about it,” says Jon Collins, GigaOm research analyst. “If you have a billion devices in the world and a tiny amount are insecure, you only have to infect that tiny proportion: you can throw your dodgy code out and see if it sticks.”
Business riskTo make matters worse, many organisations are unaware of the number of devices residing on their networks, says John Skipper, data privacy expert at PA Consulting Group. He warns: “Network audits in large organisations are revealing hundreds of connected devices which the IT department is completely unaware of, and these are effectively bypassing the organisation's formal security controls.”
IoT means more devices available on the network and therefore, more potential attacks, agrees Björn Johansson, consultant at Sentor. “It's gone from the unknown devices being printers, to conference systems, smart TVs, and coffee machines.”He says the risk centres around the information that these devices could contain. For example, says Johansson, conference systems might reveal information about visitors which could be exploited by attackers.
IoT devices also allow the perpetrator to remain anonymous, says Dave Larson, CTO at Corero. “If you are a bad guy and you can gain control over 1 million IoT devices, you can quickly instrument them and there is no way to track you as the attacker - you are anonymous.”