HE INTERNET OF VULNERABLE THINGS
By Zach Capers, CFE
Research Specialist, ACFE
While most people understand the importance of security when using personal computers and smartphones, far fewer recognize the perils posed by seemingly innocuous WiFi-enabled coffee makers, networked thermostats, and other smart products from the rapidly expanding Internet of Things (IoT).
The Internet of Things is the emerging environment of everyday objects that use embedded sensors to collect and transmit data through the Internet. IoT technology can be used to solve problems, optimize existing technology, and allow more seamless and personalized user experiences. Examples of useful IoT applications include wearable fitness devices (e.g., Fitbit), home-automation products (e.g., Nest) and smart parking systems. Unfortunately, the development of IoT technology tends to focus on innovative design rather than privacy or security. IoT devices commonly connect to networks using inadequate security and can be impractical to update when vulnerabilities are found.
This is a concern because as the number of potentially vulnerable smart products increases so do the opportunities for fraudsters seeking alternate ways into otherwise secure networks. Furthermore, IoT devices often record huge volumes of sensitive data and personal information that must be protected from misuse and cyber criminals.
Internet of Everything
At this month’s Consumer Electronics Show (CES) in Las Vegas, many of the world’s leading technology companies debuted their latest IoT gadgets, ranging from a $5,000 smart refrigerator to a Bluetooth-enabled pregnancy test. According to a forecast by Gartner, the IoT will include more than 25 billion devices by the year 2020 — potentially five times more than the estimated 5 billion currently in use. Correspondingly, the CEO of electronics giant Samsung has claimed that every single one of their products will connect to the Internet by 2020, " whether it is an air purifier or an oven." The outlook is for a world where almost anything has the potential to be connected.
The IoT even has its own search engine, Shodan, which allows users to search for Internet-connected devices. The service can be used as a marketing research tool to determine how and where IoT products are being used, and to identify any associated network vulnerabilities. However, many have accused Shodan of being a tool for hackers by simplifying the process of locating susceptible entry points to networks that host such things as security cameras, routers and traffic lights.
Lack of IoT Standards
The explosive growth in the volume and variety of IoT devices has thus far exceeded the industry’s development of cohesive security standards, or a government’s ability to effectively regulate the application of IoT technology that is increasingly used in critical infrastructure such as airports, hospitals and power plants.
Consequently, hackers around the globe view the IoT as a challenge. In one case, hackers proved that they could remotely exploit a vehicle’s flawed connectivity software to gain control of the vehicle and bring it to a stop. In another alarming example, researchers were able to hack into networked baby monitors with ease.
Of further concern is the lack of data privacy policies related to IoT technology. A significant aspect of the IoT is the collection and analysis of user data. However, many IoT devices are launched without transparency regarding exactly what data is being collected, how it is being used and with whom it is being shared. A recent Symantec report found that 52 percent of the IoT devices studied did not include a privacy policy.
While regulations are falling far behind innovation, some industry groups and government bodies are beginning to take action. Last December, the U.S. Federal Aviation Administration began requiring theregistration of all unmanned aircraft systems (i.e., drones), which are key players in the IoT for purposes such as surveillance, delivery services and weather monitoring. In California, the Department of Motor Vehicles recently drafted rules for self-driving smart vehicles including privacy, cybersecurity and safety requirements — some of which proved disappointing to Silicon Valley tech firms.
The European Union Agency for Network and Information Security (ENISA) has also joined the effort to improve IoT security standards by launching a 2016 policy development program that will focus on smart cars, smart airports, smart hospitals, mobile healthcare and IoT security.
Securing the IoT
Because IoT technologies increase the number of potential attack vectors on their associated networks, consumers and businesses must be careful when installing new smart devices. The following suggestions can help to mitigate IoT security and privacy concerns:
- Ensure that IoT devices include a detailed data privacy policy.
- Carefully review software application permissions.
- Install updates for IoT devices and related apps when available.
- Disable cameras and microphones when not in use.
- Disable location sharing when not needed.
- Change generic factory user names (e.g., Admin, User1).
- Always use strong passwords (mix numbers, upper- and lower-case letters, and special characters).
- Segregate networks hosting IoT devices from those holding sensitive data.
- Use a wired connection instead of WiFi when possible.
On January 4, 2016, the nonprofit WiFi Alliance announced a new WiFi standard dubbed HaLow that was designed specifically for connecting the devices of the IoT. The virtues of WiFi HaLow are said to include an extended range, lower power consumption and greater interoperability that will allow the more efficient deployment of IoT technology. Perhaps with the introduction of a new wireless standard and the continuing development of security and privacy standards, users will soon be able to enjoy the convenience of IoT technology without sacrificing security.
Contact the ACFE
For more information, contact Mandy Moody, Media Manager, at (512) 478-9000 ext. 167 orAMoody@ACFE.com.