IoT Security

The Emergence of IoT: Is Security a Concern?

Daniel Brecht
August 10, 2015 by
Daniel Brecht

Today, many physical objects communicate through internet-connected IT infrastructures to gather and/or disseminate data to observe and analyze. IoT, the Internet of Things, is really revolutionizing our daily lives and the way we interact with each other. Watches that read our e-mails while calculating our running speed, cars that connect to central databases for navigation and information retrieval, devices that monitor our health and send updates to our doctor, power meters, domotics and more.

Consumers are inundated with information on how much simpler their lives can be thanks to the use of these internet-connected devices. What is often not clearly specified is how important it is to make sure these devices are secure. Intuitively a consumer knows how critical it is to protect desktop computers, laptop, netbooks and mobile devices; they watch for viruses, install firewalls and spam killers. They might be a bit less on guard with apps, but they still keep a watchful eye on their systems. With IoT devices, instead, consumers are often not aware that the same risks affect these new generation of devices.

Learn IoT Security

Learn IoT Security

Learn how ethical hackers exploit the growing number of internet-connected devices and become a Certified IoT Security Practitioner.

The proliferation of this type of devices poses a number of concerns, including their safety, possible effects on networks, the growth of the amount of data that needs to be stored and processed, legal ownership of these data. In addition, as the IT landscape changes, so does the role of IT managers.

IoT Defined

The Internet of Things, also commonly described as the "Internet of Everything" refers to the network of physical objects that can be controlled through technologies that allow them to communicate between themselves, with applications, with manufacturers or with users. IoT turns everyday objects into 'smart' devices that provide data to be collected and processed. It enables all items with embedded technology (e.g., devices, sensors/beacons, and chips) the ability to compute and communicate data via the Internet, thus, making virtually everything capable of being monitored, analyzed and acted upon by an array of computers with little or no human intervention.

IoT has been employed, for example, in healthcare with tangible solutions like the wearable devices that can monitor patients' health, detect vital signs and send an alert when a certain threshold has been reached.

Internet of Things is also used in the Energy field with smart meters (electricity, gas, water) and grids that are integrated into information networks to gather real-time data on resource consumption, malfunctions and more. Networked sensors and automated feedback mechanisms can provide environmental monitoring and be utilized in detecting problems efficiently, with real-time data gathered and sent to the cloud.

This technology also promises great advances in the logistics industry with devices able to aid in activities like managing supply chain operations or ensuring a better postal experience via real-time parcel tracking. The goal is to improve efficiency and services.

In addition, there are smart-connected home appliances (e.g., Internet-connected fridge) and thermostats in use today that can be controlled from inside or outside the house. Lights can be turned off or heating and ventilation systems adjusted.

In essence, the IoT is "giving 'smart things' the ability to sense, interpret, communicate and negotiate, and effectively have a digital 'voice'," says Steve Prentice, vice president and Gartner Fellow. Dan Hushon, CSC's chief technology officer, adds that "connected things will generate entirely new data that leading organizations can analyze for data-driven decisions, operations and insights."

Today's M2M and IoT Landscape

IoT is a technology that will open up new revenue possibilities, drive service opportunities across multiple business sectors, ranging from health, utilities, manufacturing, to automotive by the integration of connected smart devices and an intelligent platform to deliver cloud based services to anyone on-the-go, at home, while travelling, or elsewhere. IoT enhances the customer experience and allows businesses to transform operations, planning, reporting or services.

Machine-to-Machine (M2M) and the Internet of Things are not a new feat, and have been driving innovation delivering new opportunities for companies and consumers. However, because the security issue is often not brought up (or partially addressed), consumers simply concentrate on all these devices can do and how they can make their life simpler. The more these devices permeate people's lives and aid day-to-day tasks, the more relaxed consumers are with their use to the point that they trust the use of their data and info in ways they would never allow through computers and smartphones.

The problem is that many consumers don't think of connected devices as possible source of concern and, often, no emphasis is placed by vendors on this aspect. When hardware, software or cloud services are sold, companies highlight the security features offered with the product. When IoT devices, instead, are marketed, security features are often not even mentioned. This omission can give consumers a false sense of security.

IoT Security Concerns

One of the main concerns with IoT is, as mentioned, the security of smart devices. The widespread lack of awareness of consumers, the pervasiveness of IoT objects in so many different fields and the variety of connected objects, make it difficult to keep a tight hold on security. Beecham Research'sIoT Threat Map displays the full set of new threats that may occur and who might the attacker be.

It is important to consider not only privacy implications, but also, above all, the actual physical security of users. Attackers can gain access and take control of devices in the attempt to reconfigure them to be used against the consumer or society. A medical device that loses connection might hurt a patient; an alarm sensor that malfunctions or doesn't transmit will fail to warn users of problems.

A recent "60 Minute" segment experiment brought to light the possible consequences of the hacking of systems connected to a car. The video showed how the driver was powerless as somebody else remotely took control of the car. Although extremely hard to do, a connected car could potentially be hijacked and be at risk of malfunction. Also, it can easily collect a variety of information on the user, from location to driving habits, frequent routes and areas visited (malls, restaurants, gas stations, resorts, etc.)

An "item" such as a domestic appliance or vehicle, in fact, is embedded with electronics and software that enables it "to generate data about itself and its perceptions and publish that information on the Internet," explains Juan Ignacio Vázquez, a contributing writer for OpenMind in his article, The Internet of Things: Outlook and Challenges. He suggests everyday physical objects and devices connected and controlled via the Internet provide a wealth of intelligence at a distance that might be used in less than legitimate ways if intercepted.

Enabling IoT devices and machines to communicate over the Internet with minimal direct human intervention, whenever and wherever, enables the recording of a volume of personal or private information available to third parties; this could ultimately pose risks for users as well as companies that collect and use that information as intended or designed to do, if intercepted.

Other Major Concerns

Safety and security are not the only concerns. A major issue is the amount of data produced by all IoT devices. These data must be managed, protected and, in large part, stored. Storage space and safety is a concern not only for users, but also especially for service providers who are now dealing with databases that grow exponentially.

Rob Bearden, Hortonworks CEO, believes the volume of data managed by enterprises between 2015 and 2020 will grow 50 times year-over-year. It might not all be quality data, so how it's analyzed and processed is also a concern.

Don DeLoach, President and CEO of Infobright affirms there are "endless possibilities for data analytics in an Internet of Things World," but we might end up struggling with the data load and creation of infrastructure to ensure we can maintain the big data coming in from connected devices. Security professionals must contend with the implications of protecting all the new data wherever they reside.

As large quantities of data cross in cyberspace, legal issues also come to mind. How do you define legal ownership of data? Even users are hard to identify as many IoT items don't require the authentication normally used with computer-related devices.

In addition, who will be responsible for problems related to loss of connectivity or other malfunctions? In addition, who will be legally allowed to control and collect data related to users' habits and patterns of behavior? Understanding who is responsible for what aspect is an issue of primary importance. Informing users not only about safety but also that data related to their habits and whereabouts can possibly be collected by a variety of stakeholders is also essential. Legal and regulatory concerns are important to be defined.

Device Management for the IoT – The Role of IT Professionals

The Internet of Things brings many concerns, from privacy to the handling of the large amount of data transmitted, to ownership of info and legal issues. Users are beginning to wonder if IoT is as secure as they are led to believe or if their "connected" lifestyle should be cause of concern.

According to a HP Internet of Things State of the Union Study, released last year by the company's Fortify application security unit, a total of 250 security vulnerabilities has been found in the tested IoT devices that have been on the market — on average, 25 per device. "The issues are related to privacy, insufficient authorization, lack of transport encryption, inadequate software protection, and insecure Web interfaces," says Eduard Kovacs in a SecurityWeek post. As Mike Armistead, VP and general manager of HP's Fortify unit believes the fault is of the smart device manufacturers rushing to get their products on the market without securing their devices against threats or attacks. If all objects were equipped with identifiers, the tagging of things would be a major step forward, he added, when it comes to applying IoT products and solutions in everyday life.

The HP study has shown that 90% of the devices analyzed collected and passed data of the users thus giving way to concerns for the privacy; in addition, 70% of the devices did not encrypt data.

Internet-connected manufactures ought to build strong authentication into their IoT devices protecting consumers from having their data compromised.

Robin Duke-Woolley, founder and CEO at Beecham Research, believes Security in the Internet of Things "lies at the architectural level for both devices and systems and stretches from semiconductors through to network operators and system integrators." Professor Jon Howes, the company's Technology Director, adds that the only reason we have not seen serious IoT breaches already is because the IoT has not yet been deployed in large-scale consumer or enterprise applications that make them attractive to attackers." IT managers need to place emphasis on providing better security controls when connected in the IoT ecosystem," says Howes, "this starts at device level with sensors and microcontrollers and continues through the networks, platforms and into the cloud."

The hope is, as connected devices proliferate, that many of the manufacturers of these machines will consider the secure-by-design approach. As Earl Perkins, research vice president of Gartner, mentioned at a Security & Risk Management Summit in Maryland, IoT is bringing "an important new 'physical' element to security concerns. This is especially true as billions of things begin transporting data somewhere […] security professionals must contend with the implications of protecting all the new data." IoT devices have the power to modify the environment and conditions around them, so problems are no longer just confined to the digital sphere, but also reach out to the physical one.

IT professionals are no longer just protecting data, circuits, and transmissions, but need to focus, as Perkins highlights, on the relationships between "things", "service to things" and "things to people." Safety must be ensured along with availability, confidentiality and integrity.

The Internet of Things, therefore, is not only revolutionizing the way we live and in many ways changing society, but is also changing the role of IT security professionals and the cybersecurity discipline. In other words, as the IT landscape changes, so is the role of IT managers. Not long ago, server computers were often physically secured behind locked doors. Mobile devices obliged IT experts to begin thinking of hardware and software encryption to be applied to machines that were often used out in the open and while travelling. Today, BYOD forces systems administrator to find ways to protect companies' networks by applying measures able to secure multiple devices of different brands, supporting different operating systems and installed software. IoT challenges them once again. IT experts' focus must now shift from the security of the systems to the actual security of a variety of objects that now interact with networks and can potentially be entry points for intrusions. In particular, attention needs to be given to a strategy to protect not only the data at rest but in transit as well as the "thing" itself that can be compromised.

Conclusion

The connected device market is apparently going strong across many different sectors, ranging from intelligent living, environment and enterprise, according to GSM Association (GSMA) in a recent 'Connected Living' report entitled "Understanding the Internet of Things."

Gartner estimates 26 billion IoT units by 2020 with connectivity being a standard feature on most objects thanks to plunging technology costs. Risk management, more and more, becomes important with managers now having to involve more resources in the fight against breaches. The approach must be holistic and synergic. Product developers along with IT security managers, data analysts and consumer education experts are asked to pitch in to ensure the security of a highly connected world.

As the IoT prospers and expands, challenges remain, "including a lack of standards, the ability to scale globally, security concerns, and an immature ecosystem," as mentions EMC Digital Universe with Research & Analysis by IDC. IDC confirms IoT will continue to grow from 2013 to 2020, as it is creating new opportunities for businesses to capture more data about processes and products quickly. Fabrizio Biscotti, research director at Gartner notes however that processing large quantities of IoT data is leaving providers facing new security, capacity and analytics challenges in the data center.

Gadgets might become a vulnerability and an easy way into networks and databases of personal data. Will this lack of concern for security pose a risk to IoT use growth? Some consumers feel already that IoT vendors should pay closer attention to end-to-end security, and the issue remains a key factor in successful implementation.

Adam Thierer, a senior research fellow with the Technology Policy Program at the Mercatus Center at George Mason University, says the multiplication of smart device connectivity and use has led to business adoption with fear. He states that some critics are worried about the privacy and security implications of the Internet of Things, and unless there is clear evidence of direct, immediate oversight "in the next great wave of Internet-enabled services and data-driven innovation," legal questions could arise, Thierer said that "would derail the many life-enriching innovations that could come from these new technologies."

Eugene Kaspersky, Chairman and CEO of Kaspersky Labs said the Internet of Things "creates myriad new entries of attack," and believes that people thinking about adopting it should beware, as hackers can take advantage of the technology. That is why Mr. Kaspersky refers IoT as
the "Internet of Threats."

It is clear that IoT security must evolve to meet real-life cyber threats. IoT represents a world of opportunities for consumers and businesses alike. Much, however, needs to be made in terms of privacy and security to ensure that a technology that can potentially improve the quality of life for many doesn't transform itself in a harmful Trojan horse.

References

Beecham Research, Ltd. (2014, August). IoT security must be fixed for the long term says Beecham Research Report. Retrieved from http://www.beechamresearch.com/news.aspx?id=83

Brams, J. (2015, May 28). #ENTechTalk: The Internet of Things Drives Security, Big Data, and Cloud. Retrieved from
http://www.extremenetworks.com/entechtalk-the-internet-of-things-drives-security-big-data-and-cloud

GSMA (2014, July). Connected Living –
Understanding the Internet of Things (IoT). Retrieved from http://www.gsma.com/connectedliving/wp-content/uploads/2014/08/cl_iot_wp_07_14.pdf

Guinard, D. (2015, June 1). Internet of things: businesses must overcome data and privacy hurdles. Retrieved from http://www.theguardian.com/media-network/2015/jun/01/internet-of-things-businesses-data-privacy

Hushon, D. (n.d.). The 6 Hottest IT Trends for 2015. Retrieved from http://www.csc.com/innovation/insights/117537-the_6_hottest_it_trends_for_2015?utm_campaign=0515-GDC-Outbrain4ThoughtLeadershipLegCampaign&utm_source=outbrain&utm_medium=ocpc

Kasinathan, P., Khaleel, H., & Pastrone, C. (2015, May 15). Security in IoT: New Dimensions and Challenges. Retrieved from
http://businessvalueexchange.com/blog/2015/05/15/security-in-iot-new-dimensions-and-challenges/

Kovacs, E. (2014, July 29). 70 Percent of IoT Devices Vulnerable to Cyberattacks: HP. Retrieved from http://www.securityweek.com/70-iot-devices-vulnerable-cyberattacks-hp

Levy, H. (2015, June 8). How the Internet of Things Is Changing Cybersecurity. Retrieved from
http://www.gartner.com/smarterwithgartner/how-the-internet-of-things-is-changing-cybersecurity/

MacVittie, L. (2015, March 9). Internet of Thing (IoT): Privacy and Security Challenges. Retrieved from http://www.informationsecuritybuzz.com/internet-of-thing-iot-privacy-and-security-challenges/#at_pco=smlwn-1.0&at_si=559a5987eab951d7&at_ab=per-2&at_pos=0&at_tot=1

Martin, M. (2015, April 20). 3 Ways Service Companies Can Use IoT to Improve Customer Satisfaction. Retrieved from http://sandhill.com/article/3-ways-service-companies-can-use-iot-to-improve-customer-satisfaction/

Navetta, D., & Jaffe, S. (2015, May 19). The Security, Privacy and Legal Implications of the Internet of Things ("IoT") Part one – The Context and Use of IoT. Retrieved from http://www.dataprotectionreport.com/2015/05/the-security-privacy-legal-implications-of-the-internet-of-things-iot-part-one-the-context-and-use-of-iot/

Rich. (2014, April 22). Preparing for the Internet of Things. Retrieved from http://blog.b-scada.com/post/preparing-for-the-internet-of-things

Learn IoT Security

Learn IoT Security

Learn how ethical hackers exploit the growing number of internet-connected devices and become a Certified IoT Security Practitioner.

Vázquez, J. (n.d.). The Internet of Things: Outlook and Challenges. Retrieved from https://www.bbvaopenmind.com/en/article/the-internet-of-things-outlook-and-challenges/?fullscreen=true

Daniel Brecht
Daniel Brecht

Daniel Brecht has been writing for the Web since 2007. His interests include computers, mobile devices and cyber security standards. He has enjoyed writing on a variety of topics ranging from cloud computing to application development, web development and e-commerce. Brecht has several years of experience as an Information Technician in the military and as an education counselor. He holds a graduate Certificate in Information Assurance and a Master of Science in Information Technology.