Through our research and work with carriers, partners, and others, AdaptiveMobile has predicted up to 80 percent of devices connected on the IoT do not have appropriate security measures in place. To put it plainly, four in five of IoT devices on the market are vulnerable to malicious activity, inadvertent attacks, and data breaches.
We are now at a point at which the expected growth in IoT connections and devices makes this lack of security a liability for consumer confidence, data safety, and the ability for the IoT to function unencumbered. Gartner reports that more than 30 billion connected devices will be in use by 2020 and that the IoT will create $1.9 trillion of economic value add. We believe a new security architecture is needed at this time and that carriers are in a unique position to provide this security.
There is a lot of hype around proof of concept threats with the IoT. However, there are actual threats and attacks that have occurred, which give us a blueprint of where the initial vulnerabilities lie. For example, hackers have accessed web cameras and home routers either to cause mischief or to prove that they could. And, German researchers were able to figure out what TV shows people were watching using data sent by smart power meters.
Unsecured IoT devices are of extreme interest to pranksters, hackers, and cybercriminals, as evidenced by Shodan, a search engine that looks for IoT devices such as webcams and makes their streams available for viewing by anyone on the internet. Shodan collects data mostly on web servers (HTTP) as well as FTP, SSH, Telnet, SNMP, SIP, and Real Time Streaming Protocol (RTSP). The latter can be used to access webcams and their video stream.
What these threats point to is that most of the consumer devices that sit on the Internet under the IoT, M2M, or Embedded Device umbrella are not designed to defend against the sophisticated hacks or threats that may attempt to compromise them.
The IoT security model
The current security model represents the characteristics of the IoT: low-cost, easily accessible, and simple to run. A typical IoT device, for example, uses cheap sensors that are low-power and inexpensive and that do not run endpoint security. IoT also relies on encryption, but often times that encryption is limited to data in transit. The end results are security vulnerabilities across a number of implementations. There are devices that have limited on-device security, leaving them open to hackers, attacks, or data leaks. Other industrial IoT implementations have good security for data in transit but do not have the same level of protection at the end points.
Some worst-case scenarios in the current model of IoT security include tampering with home appliances, such as a thermostat or a fridge; turning off or impeding the function of medical devices; and shutting down connection to depend on the consumer to maintain updates or change the very basic provided passwords to ensure better security, even though relying on consumer involvement for security has proven ineffectual in the past.
The logical solution would be to add in better security at the device level. Many in the security industry see the best option as having security “baked in” from the very beginning with hardened firmware and certificate management owned by someone other than that consumer. Adding to either the device complexity or services provided would sacrifice the low cost of the IoT devices and services, and this lower cost is a key component for the IoT’s success.
There will be billions of devices connected through IoT – many unable to run traditional endpoint security. Even more concerning is that there are no clear “owners” for security, given that the IoT involves devices, services, and connections—the vendors associated with any of these could be deemed to be the proper owner of IoT security.
What is needed now is a fresh look at security that involves action at the manufacturer’s level while also designing a security plan that will include carrier involvement and would detect threats at scale.
The first step will be having manufacturers making security a priority. IoT security is complex, constantly evolving, and needs to be a critical consideration that is designed into devices. Having security measures as a forethought in IoT designs will help circumvent the security weaknesses that come from unintended sources, such as unsecured endpoints.
With that in place, carriers and other service providers can work using the strength of their networks and experience in detecting and stopping threats to combat IoT threats at scale. This would involve a combination of lightweight telemetry and anomaly detection to give early indicators of compromise – and then enforce protection at scale.
Ciaran Bradley is Chief Technical Officer at AdaptiveMobile and former Deputy Chair of the GSMA’s Messaging Security Group with over 15 years’ experience in the mobile industry. Ciaran is responsible for all aspects of AdaptiveMobile’s mobile security products and is a frequent commentator on mobile, privacy, and security issues. He has a keen interest in mobile malware and the increasingly sophisticated threats being developed by cybercriminals. He was previously CTO of Sentry Wireless – before being acquired by AdaptiveMobile in 2011.