Moshe Elias, director of products, security solutions, Allot Communications

There's an apocryphal tale that has sprung up around the Internet of Things where a man shows off all his internet-connected devices to a friend. He even had a front door that could be controlled via the AI voice assistant on his smartphone. What the man didn't realise was that not only could he open the front door with just his voice, so could his friend. Or indeed anyone else! This is the law of unintended consequences.

In the race to build IoT devices, very little attention has been paid to the security aspects of such devices. In some ways, this is understandable; these devices have to be really cheap to be deployed in the thousands, and sometimes in the millions. That means these devices have very little space for an operating system and the minimal amount of application code to perform all their functions. Whether by design or ignorance, security has been an afterthought, if a thought at all, to IoT manufacturers.    

Botnet attacks are becoming more frequent as cyber-criminals see vulnerable IoT devices as the low-hanging fruit to be used and abused for their nefarious purposes. Such devices can also be a security backdoor. For example, a Wi-Fi connected doorbell is "not interesting" in itself, but if it stores the Wi-Fi password in cleartext, a hacker can use that to access all the household's connected devices, alarm systems, computers etc. The Mirai botnet is probably the most notorious malware of late to exploit vulnerabilities in IoT devices, such as webcams, routers, digital video recorders and other connected devices.

This has led Consumer Reports, an influential US non-profit group that conducts extensive reviews of cars, kitchen appliances and other goods, to announce that it is to start considering cyber-security and privacy safeguards when scoring IoT products.

While pressure put upon manufacturers to improve the security of their devices can only help matters, it may only go so far. Device ranking will not guarantee that devices become un-hackable. It is reasonable to assume that while investment in device security will increase, some devices will remain vulnerable and continue to offer a backdoor for hackers to control a device and turn it into part of a botnet that can take part in a massive DDoS attack or, increasingly, be used to infect mobile devices with malware. This not only affects consumers, it also affects communications service providers.

As well as this, research from Allot Communications found that a significant number of subscribers (26 percent) turn to their mobile operator when facing a malware incident on their mobile phone, even when the operator is not the one providing the security service. This finding indicates that mobile users perceive the service provider as the one that can provide the solution when they face security problems. In that same survey 61 percent of the respondents said they will likely buy security services from their service provider.

Protecting access and validating data on a device-by-device basis is not a sufficient solution or indeed a practical one. Most devices are closed systems and don't allow the installation of security client software or any other software after shipping from the factory. Even where some devices do allow that, the approach requires investment and scalability, and continuous maintenance is needed to ensure devices are controlled.

A more reasonable approach is a comprehensive network-based security solution delivered from the CSP's network, that unifies all security functions needed to control any device (whether an IoT device or mobile handset) and provides a simple, scalable way to protect the network with an ever-increasing number of connected devices.

Protecting users against rogue IoT devices needs a solution that is layered and centred around a network-based security system and delivered by a capable operator. Just as every smartphone and computer has vulnerabilities, so will IoT devices, and protecting these requires an additional layer of security in the network.

Mobile users' demand for security, together with the special limitations in protecting IoT devices, highlights a big opportunity for service providers to be pro-active and offer mobile protection from their network.

By offering such a service, they can become the one-stop-shop that delivers, drives and protects the digital experience and stops everyday devices from becoming a threat.

Contributed by Moshe Elias, director of products, security solutions, Allot Communications

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.