The Internet of Things (IoT) is an intersection of trends that brings motivation, innovation, money and opportunity together into one massive tool. However, in the race to build more and more IoT devices and units, security is often an oversight. While this phenomenon is often spoken of in security circles, most users just assume that security is built in and have no idea of the vulnerabilities to which they are exposing their organizations or homes.
When people think of IoT security devices, they often think of the advantages of the smart home, such as the intelligent thermostat or light bulb. But all of these devices need to be connected through a jumble of insecure protocols with few or no standards involved, which makes for a security nightmare. The pressure on vendors to supply IoT solutions pushes security to the backseat, making privacy, security, and other considerations less important.
While it is possible to provide reasonable security with IoT devices, it is also more expensive. And without market pressures or regulation, we should not expect to see any secure IoT system in the near future.
Because of this, the rate of IoT security improvement is held back, or at least slowed down somewhat. That is, until you consider the shift in the criminal space. Until recently, the main actors in the 'cyber-attack' space were activists, government agencies or small-scale crime operations, e.g., schemes like the "Nigerian prince". As more and more money began pouring into the criminal side of this dark domain, we started seeing a rise in ransomware: pieces of malware designed to extort innocent people for monetary gain.
As these cyber-attacks start to take place in the IoT space, we are potentially facing nightmare scenarios. In the coming years, a person could be locked out of their car or home until they are forced to pay the attacker. Lights may not turn on without a ransom, or you might lose access to your internet or TV unless the attacker's requirements are met. Stronger security on the IoT devices in homes could curb some of these threats, but because it is not economical to do so, vendors just don't.
We are already seeing ransom attacks on large-scale infrastructure such as schools, hospitals, and banks. If these kinds of attacks reach utilities such as the US power grid, the results could be catastrophic. Imagine what would happen to a city if its traffic signal control system were hijacked for ransom.
Suddenly, the science fiction scenarios depicted in movies of recent years are not so far-fetched; think of the latest "Die Hard" film. What is even more alarming is that regulation, which should be the main motivator in this market, is lagging far behind. Some think the issue is ignored for political reasons. But mainly, it is just a lack of understanding of the risks involved and of the catastrophic effects we could see as a result of a cyber-attack on U.S. infrastructure: a high death toll and infrastructure devastation.
The point is, we need to move faster in our efforts to secure the IoT. Even if budget, regulation and industry focus were to shift toward finding a solution today, the criminal rings already have a formidable head start on us. But without changing direction, we have little hope of turning the tide.
About the Author
Guy Barnhart-Magen is the CTO at Nation-E. He has over 15 years of experience in the cyber-security industry. Prior to joining Nation-E, Guy spent five years at Cisco leading the Security Software and Countermeasures group. He led a team of cryptographers, security engineers and researchers focused on Cisco's video security (formerly NDS). His achievements at Cisco were recognized with the "black belt" security ninja honor, the highest cyber security advocate rank. Guy holds a B.Sc. in Electrical Engineering (cum laude) and a B.Sc. in Applied Mathematics. He has published several papers in the fields of neural networks and image processing.