The ultimate guide to security threats in the age of the Internet of Things (IoT).
For some years now, the technology world has been ruminating on the rise of consumer electronics with IoT (Internet of Things) functionality.
The way it’s often spoken about, you’d think that the IoT is something to be rolled out in one fell swoop when it’s ready, but that’s certainly not the case — it’s an incremental process, and it’s already in full swing.
What does this mean?
Primarily, that the remarkable potential of the internet is being fulfilled to an unprecedented degree.
The more elements of our lives we can connect to systems of convenience and/or automation, the more we can achieve, and the less effort it takes.
But the IoT is also exceptionally dangerous, and it’s vital that we don’t take it too lightly, or else we might come to regret allowing it into our lives so freely.
Let’s look at 20 security risks posed by the IoT, and consider how we might best prepare to succeed despite them:
1) Power Failure
The more we rely on IoT devices, the more strongly we’re inconvenienced by them going down, and it’s hardly implausible that a huge range of devices — particularly on a power grid not yet optimized to handle them — could experience major power issues.
This is a security threat because power failure can lead to data corruption and/or disrupted system integrations, and because IoT systems used to secure physical premises are more easily compromised when left unable to transmit status information.
2) EMP Shutdown
A lack of power might not be the result of an overloaded network or an ill-prepared power grid.
It could also stem from a direct attack with an EMP (electromagnetic pulse) device.
Imagine an old-school vision of a future city, with every system relying on IoT devices — now imagine that city following an EMP attack, with limited (if any) mechanical fallback systems.
There’s no easy solution to this problem, though it’s fortunately a much less likely occurrence.
The most sensible thing to do is ensure that IoT devices default to locked positions (so that an office without power won’t suddenly let anyone in) and that there’s some kind of backup way to operate them on location.
3) Weakness by Proxy
Integration is the name of the IoT game, obviously.
If you’re not getting various systems to work together, you’re missing out on the main incentive of IoT tech.
However, this does mean that even the most secure system can be rendered weak — all because it’s securely integrated with a weak system, making it vulnerable by proxy.
The larger the IoT chain becomes, the more likely it is that at least one of the links in that chain will be weak, and that one weak link can allow an ambitious hacker to steadily compromise every other link.
To avoid this, there will need to be industry-wide security standards, as well as built-in restrictions to ensure that devices only integrate with other secure systems.
4) Physical Interference
IoT devices may work over the internet, but they still require physical form, whether they’re set up independently or connected to existing legacy systems.
This leaves them open to physical interference: criminals accessing the devices locally and altering them somehow.
Someone accessing a device directly in that way might be able to reprogram it, or extract data from local storage, or simply damage it to inconvenience people.
Scaling with the importance of the device, IoT tech will need to be strongly secured to avoid this problem.
5) Unrelenting Spam
Every IoT device is capable of fundamental electronic communication: that’s the entire point of the technology.
The problem with that capability is that it can be co-opted for other purposes if hackers are able to take advantage of vulnerabilities in a timely fashion.
Imagine running an IoT-enabled office, only to get in one morning and discover that your system sent hundreds or even thousands of spam advertising emails to your clients and associates.
Even if the spam is ultimately harmless, the clear exposure of your system’s vulnerabilities will hugely damage your professional reputation.
Avoiding this requires a combined effort from the developer and the users to keep vulnerabilities shored up.
6) Unclear Legal Terms
When you sign up to an online service, do you carefully read everything you’re told to consider before agreeing?
I certainly don’t, even if you do.
I recognize that I probably should, but I simply assume that there’s nothing too interesting in there, and carry on without a second thought.
This might not be too bad when you’re doing something like signing up to iTunes, but when you’re allowing a device into your life (and possibly into your home), then don’t you need to know exactly what’s going on behind the scenes?
Because the industry is still new, the legal world has yet to fully grasp what’s happening with it, so unclear terms are common.
In the coming years, legal regulations will need to become a lot clearer and stricter, and device owners will need to learn when spending five minutes reading terms is absolutely justified.
7) Forced Obsolescence
Before the internet came along and changed everything, purchasing electronics could always be a long-term investment.
If you did your research and shopped around, you could find something to suit your needs indefinitely, with the robust design and part availability to keep it working excellently for many years to come.
The problem with IoT devices is that they don’t (and can’t, realistically) function as they’re designed to without the support of overarching management software — something that is almost always going to be provided as a service by manufacturers.
You can buy bleeding-edge IoT devices from a top manufacturer today, but if that company goes bust (or simply gives up on that hardware line) in a couple of years, your devices might be left non-functioning.
And when a device is thrust into obsolescence by its manufacturer, a clear sign is sent out to hackers that no security updates are pending — if they can crack it, they can gain access to a lot of legacy data.
To combat this, IoT device manufacturers will need to make long-term commitments to providing support.
8) Remote Surveillance
When you walk by a CCTV camera, do you know if it’s recording?
You might assume it is, but the truth is that you don’t know. All you can see is the camera.
And as troubling as it is to think about, the same can be said about the cameras in your home — in your smartphone, and even in your laptop.
As IoT devices become more firmly entrenched in daily life, the potential reward of hacking into a system and using it for surveillance will grow.
It will also attract attention from the types of people who simply want to spy on others (for reasons that needn’t be listed).
Having some type of hard-wired system for clearly showing when a device is listening/watching and when it’s disabled will be vitally important.
9) Home Security Intrusion
IoT smart locks are already in use throughout the world, particularly in big offices and for convenient rental systems.
Instead of needing a physical key, you can control your door using your phone — and if you want to let someone else in, you can grant them temporary access.
So far so good, but the danger is obvious.
If a smart lock system gets hacked, a criminal can easily enter a home without tripping any alarms, or even lock someone in their own home by disabling their access.
Backup mechanical lock overrides will be crucial.
10) Remote Vehicle Control
Self-driving cars are in widespread testing, and despite the teething problems, they’re inevitably going to become mainstream at some point in the coming years.
Of course, they won’t just be running independently — they’ll need to network to optimize traffic flow, and that poses a risk.
If a hacker could find the right level of access to such a network, they could feed vehicles the wrong data, leading them to drive dangerously or even shut down entirely.
As such, any motoring network will need to be painstakingly secured with top-level encryption and exacting limitations on which devices can gain access.
11) Medical Equipment Attack
It’s a frightening thought, but as medical technology continues to develop more sophisticated treatments and uses IoT tech to better monitor results, it raises the likelihood that attempts will be made to remotely compromise medical systems such as pacemakers.
If someone could gain access to the system for a pacemaker, they could blackmail the user with their life itself as leverage, all without having to physically approach them.
Advanced IoT-enhanced medical technology is wonderful, but it cannot be allowed to communicate with any but the most carefully-vetted devices.
12) Public Infrastructure Damage
Looking past traffic systems, it’s clear that one of the largest applications of IoT technology is going to be unifying general infrastructure systems: covering everything from waste disposal to energy distribution.
Now think of the overwhelming damage that could stem from even the tiniest disruption in those systems.
Again, there’s no magic fix for this risk.
It’s going to come down to regional and national governments to plan carefully, anticipate everything that could go wrong, and commit enough resources to ensure that everything remains safe.
13) Denial of Service
A distributed denial of service attack (more commonly known as a DDoS attack) is essentially about hammering a system with so many requests that it can’t handle them all and becomes unresponsive.
It’s most commonly used by malicious hackers to shut down websites.
Used on IoT networks through suitable exploits, a DDoS attack could leave vital devices (used for some of the purposes we’ve looked at) completely non-functional until it subsided.
Since the incentive is certainly going to be there (making money, or just causing chaos), security systems will need to be up to the task of resisting such attacks.
14) Botnets
Given the nature of the IoT, it isn’t just a potential victim of DDoS attacks: it’s also a prospective perpetrator, even if unknowingly.
Botnets, or loose collections of varying consumer devices (tablets, laptops, smartphones) secretly co-opted for use as drones, have been around for years, and will be even more dangerous with IoT devices on the menu.
Anyone who marshals the power of hundreds of thousands of complex IoT devices will have a formidable botnet at their disposal — one less likely to be discovered by users.
IoT devices will need to be configured to shut down when any kind of tampering is detected.
15) Social Engineering
In the context of IT security, social engineering is the practice of compromising the human element to gain access to a system — for instance, finding someone with admin access to a network and tracking their social media activity to pick out clues about what their password might be, or even speaking to them directly to ask them ostensibly-innocuous questions.
This is a particular risk for IoT devices for one simple reason: given that people often choose to repeat particular passwords across several systems because they struggle to remember their login details otherwise, having ten, twenty, or even more IoT-enabled devices to secure is likely to attract a lot of simple or repeated passwords.
And if someone uses a social media login to tie them all together, it makes that one login even more valuable to hackers.
What can be done about this?
Well, multi-factor authentication will certainly help.
The more of the security process that can be passed to biometrics (fingerprints, for instance), the easier it will be to defuse the risk of social engineering.
16) Personal Data Theft
Personal data has been a big topic in the security world in the last year, particularly following the implementation of GDPR.
What the law is increasingly recognizing, but companies have long known, is that even the seemingly-unimportant types of personal data can be extremely valuable when collected and used smartly.
Now consider the data that a hacker could collect from a household of IoT devices.
They could gather it all up and sell it to retail enterprises who could anonymize it and use it to drive their marketing strategies, all without anyone knowing.
Businesses will need to commit to refusing such deals, but the onus (as ever) will be on developers to prevent them from being possible.
17) Data Blackmail
Collected data doesn’t need to be passed on and anonymized — it can simply be used as a blackmail tool.
A personal user might be embarrassed to have their details made available online, and a business might be worried about its intellectual property being passed to competitors.
Aside from having formidable security systems in place, we’ll need to have specific routes for victims of data blackmail to take, including ways to mitigate the damage of failing to prevent the data from being released.
18) Ransomware
Similar to data blackmail, but a more practical concern, ransomware is all about holding a system or device hostage and demanding payment of some kind before the attacker will return control.
This has been happening through viruses for years, and has become a bigger threat with the rise of online-only businesses: if your website constitutes the entirety of your company, then losing access to it will be devastating.
But the threat is going to grow further as IoT tech gets more common.
As well as doing everything required to handle data blackmail, it will be advisable for every IoT system to be neatly modular.
That way, if one essential device is taken over, it can simply be physically removed from the network and replaced with another device.
19) Difficulty Updating
Internet-enabled devices demand regular updates.
As hackers investigate systems for vulnerabilities, they inevitably find some (no matter how secure they might be overall), and the only way to combat this is for developers to create and release patches to cover them up.
This stands to be a big problem for IoT devices because automated update processes don’t always go very smoothly.
Updates can fail for various reasons: an internet connection might drop out halfway through, a file might fail to validate, or a developer might simply mess up the rollout process.
And when devices go unpatched, they’re left open to attack.
Every IoT company will need a rock-solid system for ensuring that it’s simple for device owners to keep their devices upgraded.
They should offer various ways to update and validate a device, including manual options for owners in areas with weak internet access.
20) Version Inconsistency
As a corollary of the issues with updating IoT devices, version inconsistency is inevitably going to prove problematic.
Imagine that half of the devices in a particular series run the most recent firmware version, with a quarter of them running the version prior to that, and the last quarter running even older versions.
How do you securely allow those devices to network?
You might think that the solution is to bar all but the latest firmware version from connecting, but that’s likely to lead to major customer service issues.
Instead, every IoT device will need to be given access to a dedicated update channel and required to successfully update before connecting to the main network, with the process made as reliable as possible.
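The update-before-admission flow from sections 19 and 20, sketched as an added example that is not part of the original article: an outdated device is held on an update-only segment, an image cut short by a dropped connection or failing validation leaves the old firmware in place, and the device reaches the main network only after a validated install. The Device class, the admit function, the segment names and the manifest layout are all assumptions made for illustration, and the manifest is assumed to have been authenticated (for example by a vendor signature) before use.

```python
import hashlib

# Constructed sample data: a firmware image and the manifest published with it.
# Assumption: the manifest's authenticity is verified elsewhere before this runs.
LATEST_VERSION = (2, 4, 0)
FIRMWARE_IMAGE = b"constructed-firmware-image-v2.4.0" * 64
MANIFEST = {
    "version": LATEST_VERSION,
    "size": len(FIRMWARE_IMAGE),
    "sha256": hashlib.sha256(FIRMWARE_IMAGE).hexdigest(),
}

class Device:
    def __init__(self, name, version):
        self.name = name
        self.version = version   # firmware currently running
        self.segment = None      # network segment assigned at admission

    def apply_update(self, image, manifest):
        """Install the image only if it matches the manifest; else keep old firmware."""
        if len(image) != manifest["size"]:
            return "rejected: incomplete download"
        if hashlib.sha256(image).hexdigest() != manifest["sha256"]:
            return "rejected: hash mismatch"
        self.version = manifest["version"]   # commit only after validation passes
        return "installed"

def admit(device, required=LATEST_VERSION):
    """Place a device on the main network only when its firmware is current."""
    device.segment = "main" if device.version >= required else "update-only"
    return device.segment

def demo():
    cam = Device("camera-01", (2, 2, 1))
    results = [admit(cam)]                                            # outdated
    results.append(cam.apply_update(FIRMWARE_IMAGE[:100], MANIFEST))  # link dropped
    corrupted = b"X" + FIRMWARE_IMAGE[1:]                             # same size, altered
    results.append(cam.apply_update(corrupted, MANIFEST))             # fails validation
    results.append(admit(cam))                                        # still held back
    results.append(cam.apply_update(FIRMWARE_IMAGE, MANIFEST))        # clean retry
    results.append(admit(cam))                                        # now current
    return results

if __name__ == "__main__":
    for step in demo():
        print(step)
```

The same apply_update check serves a manual update path, since it validates the image regardless of how it was delivered.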
In conclusion, then, are we prepared for these 20 security risks of the IoT?
In a word: no.
Some of them will be fairly simple to handle, while others will require a lot of thought and preparation before high-level infrastructure systems can be more reliable.
One way or another, the mainstream IoT is coming — so there’s no time to waste.