IoT: The Security Risks

The Internet of Things (IoT) is a generic term for the entire network of devices that, besides their main function or goal, include networking capabilities that allow them to be controlled, sensed and configured remotely across an underlying infrastructure like the Internet.

These devices range from extremely low cost and simple sensors that are networked to cover a large physical area, to sophisticated systems that allow vehicles to traverse adverse terrain autonomously.

The demand for connected devices in the Australian market is soaring, with a 55% increase from last year. Device manufacturers are looking to capitalise on this demand, rushing products out to market to gain a competitive advantage, with security often an afterthought.

It’s not just our households at risk either. Due to the increased efficiencies and convenience IoT provides, it is permeating many industries, ranging from healthcare to retail. It could be an employee bringing in an unsecure IoT device and connecting it to the network. It could be a connected air-conditioning unit in the office. Or, worse, it could be a connected healthcare device that enables doctors to monitor a patient’s condition remotely.

We have seen pacemakers, baby monitors, share bikes and a casino aquarium hacked. Literally, any device connected to a network becomes a gateway for hackers and the lax security approach is leaving us vulnerable.

What we find to be the most common vulnerabilities are software defects, bugs and logic flaws. This clearly shows we are rushing devices to market with little thought to how we protect the users.

To address the security flaws, it is important we start bringing a cyber security mindset into the planning and design phase, particularly as more products continue to be connected to the internet.

Companies shouldn’t take the security of products for granted and must continuously test and review the security of new products, through application security reviews and penetration tests. This helps pinpoint specific vulnerabilities and identifies underlying problems before the product comes to market.

Even then, the pervasiveness of IoT can mean devices IT wouldn’t usually look at become threats. There have already been reports of connected vending machines or air conditioning units being used as back doors into the business network. For this, Red Teaming, the process of conducting a real-life cyber attack from an attacker’s perspective, can help unveil secret entry points you may have missed.

Today, IoT devices are a hacker’s dream. They’re everywhere, they’re largely unsecure and they’re providing easy access points to conduct malicious activity and access sensitive information, such as medical records, addresses and credit card details. We must take a proactive approach to securing IoT or risk becoming an easy target.