Updated: Mar 15
The internet of things (IoT) has become so ubiquitous that the development of its security has been struggling to keep up. Too often, security has been sacrificed for time to market and, instead of being built in from the ground up, has been tacked on as an afterthought.
As some background, let’s look at what “things” make up the IoT. Its scope is broad to the point of being almost limitless, which adds to the security challenge. For a device to be considered part of the IoT, it must be Internet-enabled, and have the ability to interact with other connected devices, people and things, as well as collect information and exchange data.
There are thousands of IoT devices
And because there are thousands of different types of IoT devices, they tend to have limited computing capacity, and are designed with a specific function in mind. Some examples would be fridges, baby monitors, medical sensors, smart locks, fitness trackers, and security systems. The use cases are endless, and can be applied to almost any environment.
In our personal lives, smart homes shine the spotlight on just how accessible these devices really are. We can update our home security systems through a range of cameras, motion sensors and smart locks, all from our mobile device. Similarly, we can play music or games, watch TV, and dim the lighting, all with a single click of a button. IoT devices are extremely portable, and can be connected to most networks with ease.
Unfortunately, the agony of choice, when we are faced with numerous devices to choose from, is the main reason behind the fragmentation of the IoT, and goes hand-in-hand with the many security challenges associated with today’s connected world. Moreover, a lack of prescience and standardisation has birthed a slew of compatibility challenges that add another layer of complexity to the security conundrum.
The fact that devices are so portable means they can connect to many networks, potentially infecting multiple ones, which is just one more reason why IoT security has become a critical issue. The introduction of IoT devices saw the attack surface widen in a previously unimagined way. Add to this the general day-to-day threats that plague organisations in every sector, as well as users who are careless or uneducated about basic security hygiene, and the problem grows exponentially. Similarly, many organisations do not have the in-house skills or resources to protect their IoT environments.
There’s the question of vulnerabilities.
Vulnerabilities are a constant thorn in every company’s side, and one of the major reasons IoT devices are so vulnerable is that, either through neglect or lack of capacity, they don’t have the necessary built-in security controls. Moreover, as these devices tend to be mass produced as cheaply and as quickly as possible, there is no budget for developing and testing the firmware securely. Consider how a single vulnerable component could affect hundreds of millions of devices, and could lead to systems being compromised around the world.
Finally, always remember that cyber crooks are like pickpockets: they go where the crowds are. With most estimating that the number of IoT devices is already in the double-digit billions, attackers are already eyeing every opportunity and vulnerability. As always, staying safe and protected starts with knowledge, so make sure your teams understand the main threats to, and attacks on, IoT devices and services.