Internet of Things: A Pandora's Box of Security Concerns

Imagine a world where an office thermostat could capture your CEO’s keystrokes, the staff fridge could sniff for company passwords, or even where the airbag of your sales rep’s car can be deployed remotely. Welcome to the brave and undeniably scary world of the Internet of Things (IoT) for enterprise.

The Internet of Things is the idea that any object could be connected to a network or the Internet. It’s a somewhat nebulous concept to try and grasp at first, but it will become commonplace in a few years. The applications of this are staggeringly wide-ranging: an example could be a network of light switches that communicate to - and be controlled by - a company network or sensors that measure soil quality on a farm. IoT can be implemented on an industrial scale for projects such as energy optimization at a chemical plant, or for monitoring the health of energy-generating wind turbines.

The potential for businesses to take advantage of this new technology is undeniably exciting. In this age of self-quantification and companies that are obsessed with big data, it’s not a stretch to think that firms will start adapting these devices to optimize and simplify their businesses.

Just how quickly are you going to see these devices?

Research firm Gartner predicted that by 2020, 26 billion connected devices will be installed. CISCO forecast even greater adoption and said there would be 50 billion connected objects or devices by 2020. Remember: an IoT device could be something as simple as a sensor that does one job.

Bruce Schneier, leading security expert and CTO of Resilient Systems, wrote an excellent essay detailing the vulnerabilities for IoT. In it, he compares the potential for vulnerabilities in connected devices to vulnerability of PC’s in the mid 90s. That was a time when companies were secretive about holes in their software, slow to release patches for them, and when they found difficulty in having users use the aforementioned patches.

Now he says the situation is much worse given the state of security of network routers:

“This time the problem is much worse, because the world is different: all of these devices are connected to the Internet. The computers in our routers and modems are much more powerful than the PCs of the mid-1990s, and the Internet of Things will put computers into all sorts of consumer devices. The industries producing these devices are even less capable of fixing the problem than the PC and software industries were.”

If that’s not scary enough, Security strategist Joshua Corman talked about this in a late 2013 TEDx talk called “Swimming with sharks - security in the internet of things.” In it, he lays out the grim reality that exploiting technology has never been easier and doesn’t require much technical knowledge. In one scary scenario, he describes the potential of an IoT-connected car having its airbags deployed via a remote connection while its on the road.

https://www.youtube.com/watch?v=rZ6xoAtdF3o

The problem with IoT is juggling the balance of a company’s security with convenience and costs. For example, the previously mentioned smart light switch network might save the company some money on its utility bills. Let’s say that the network can send a warning to your phone when it’s been left on, keep you informed on your power usage, and be remotely controlled from your phone. If this could save a company 10 percent on a utility bill, it might too good for a cost-conscious CEO to turn down.

In the coming months you’re going to be bombarded by (even more) advertisements and hype regarding the Internet of Things. At this point, it might be good to wait a moment and see how everything shakes out and develop a policy and strategy for how your company is going to connect to all these different devices.

It’s easy (especially when covering cybersecurity) to get caught up in the scaremongering when it comes to IoT, but in this case there’s some reason to take these concerns seriously. In this case, it will probably be up to the consumer or businesses to lobby manufacturers of these devices to properly protect and patch them.

Schneier wrote that: “We have to put pressure on embedded system vendors to design their systems better. We need open-source driver software-no more binary blobs!-so third-party vendors and ISPs can provide security tools and software updates for as long as the device is in use. We need automatic update mechanisms to ensure they get installed.”